Facebook Privacy Breach? More Like a Snafu


facebook_small.jpgADOTAS – Et tu FarmVille? The Wall Street Journal says you’ve been giving my personal information to ad networks! My god, it’s a conspiracy! I knew I couldn’t trust that Zuckerberg! I knew you were a rotten egg Pincus!

Well, maybe it’s not such a nefarious plot — maybe it’s just a loophole in app and browser design… But that’s not nearly as exciting — I demand scandal from my tech news.

As part of its shrieking “What They Know” series, WSJ makes some damning claims this morning: 10 of the most popular Facebook apps leak personal info to advertising and tracking companies, including people’s names and occasionally their friends’ names. On that list is the hottest time-waster in the world, FarmVille, which boasts about 60 million users. Social gaming kingpin Zynga is also held to account for its Texas HoldEm Poker and FrontierVille. Got your privacy settings on high? It doesn’t matter — your name is out there.

The technical side is a bit more complicated. As Facebook’s Mike Vernal explains in a blog post, “several applications built on Facebook Platform were passing the User ID (UID), an identifier that we use within our APIs, in a manner that violated this policy. In most cases, developers did not intend to pass this information, but did so because of the technical details of how browsers work.”

Facebook applications are loaded within iframes — the content inside is controlled by the app developer and is actually located at a different URL than the one the user sees in the address window. This URL may contain the UID — Freedom to Thinker’s Harlan Yu explains, “When your browser goes to fetch the advertisement, it automatically forwards to the third party advertiser ‘referer’ information — that is, the URL of the current page that’s loading the ad.”

Referrers (or referer) are quite handy tools for analytics — publishers want to know where their traffic is coming from. UIDs do not offer access to private user information, but it’s pretty easy to figure out a user’s name from one. With the UID, security and privacy researcher Christopher Soghoian further explains data collectors and ad networks can associate your existing cookies with your real name. If your interests on Facebook are public, they could add those to the profiles that they’re building on all of us!

So who tipped off The Wall Street Journal to this practice? What companies have been collecting user names and compiling them into already established profiles? Who have these miscreants been selling to?

Google’s DoubleClick and Yahoo’s Right Media have apparently been receiving the data — but they say they didn’t realize they had it. Data seller Rapleaf gets called out by name — WSJ says it was sending UIDs right over to its data buyers, but Rapleaf counters that it didn’t known the UIDs were there and it’s now stripping them out. Interestingly Rapleaf CEO Auren Hoffman wrote a long column for AdExchanger explaining why IP tracking is a bad idea.

Wait, there’s not even an anonymous source saying, “Oh yeah, these guys use that info all the time to put names on their profiles”?

The WSJ article right that Facebook was (insignificantly) breaking its privacy policy, but any speculation beyond that is paranoid crap. Although Facebook gets smeared in the headline, the wrongly demonized party actually is online advertising technology companies.

On Twitter, journalism professor and media critic Jeff Jarvis on called it the “continuation of Wall Street Journal’s war against the Internet, and noted that such data is less useful than a copy of the white pages. At the end of July the paper published a laughably hyperbolic screed — it’s hard to get past the title without cracking up: “The New Gold Mine: Your Secrets” — about third-party data collecting that dubbed the practice “spying on Internet users.”

Using a great deal of Ben Edelman’s research WSJ reported on a similar issue with referring URLs in May, subsequently Facebook deleted the offending “ref=profile” URL tags. In its blog response to today’s story, Facebook’s Vernal notes that the situations are similar but the apps case requires a more technical response. However, Yu points out several solutions that are pretty straightfoward. No. 1: developers can stop using UIDs in the HTTP GET arguments or add a hash mark before the UID, which would hide the identifier in the referrer.

Congratulations, WSJ: Mountain constructed from molehill and paranoia enhanced across the Internet. Rupert Murdoch-owned publications never let specifics get in the way of a good headline.



  1. Twitter finally just went to a new API last month that prevents authentication information from flowing freely to 3rd party apps. DO NOT LOGIN TO ANYTHING WITH your facebook account and expect privacy. They have not thought out privacy that well and there are a bunch of problems with their architecture that are criminally negligent… perhaps that’s going to far… but egregious, yes.

  2. I don’t have the facts but it’s hard to believe that Zinga was aware of such breach?

    My suggestion for Zinga and other big players is to invest their efforts in developing in-house optimization solutions to help them target offers in a more effective way to their users. After all, they have the authority to use their users’ data as long as it not going to any other 3 party.

  3. I tried this and it works, its free and you don’t have to depend on Facebook privacy settings. Just ‘CLOAK’ your messages with your own private keyword using the free CloakGuard browser plugin. This garbles your message and only the people you’ve shared your keyword with (and not Facebook) can read your messages.

    Free Cloakguard plugin for Facebook available from:
    Download – https://addons.mozilla.org/en-US/firefox/addon/194385/
    Demo – http://www.youtube.com/watch?v=C4qN3TBqx08

  4. This “privacy breech” news story even got a mention on the local news (Albany, NY), albeit a small one. Facebook should be more careful with the personal data.

    That said, some(perhaps many) don’t care. How many of your Facebook friends have their actual BDay shared in their profile, visible to their Friends, Friends of Friends, etc? I have never been more aware of the birthdays of so many!

    Those that don’t care are probably at the movies, enjoying a showing of Social Network!

  5. The issue is that Facebook has broken its privacy policy, not that privacy has been violated per se. There are no “minor” violations of privacy policy. Once we start grading violations we allow that some violations of stated policy are OK, and it merely becomes an argument of how evil it is OK to be. Apps have to be permitted into FB, so they get in because FB makes it happen. FB has a duty of care to ensure that apps it permits into FB follow the stated privacy policy. FB needs kicking hard and often until they acquire a corporate culture which puts user privacy ahead of profit.

Leave a Reply to Gavin Dunaway Cancel reply

Please enter your comment!
Please enter your name here