Facebook battles another privacy firestorm

Report says Facebook apps are secretly transmitting personal user data to advertising and Web monitoring firms

Monday's news that Facebook finds itself in another privacy firestorm is the latest evidence for many users and industry watchers that Facebook isn't working hard enough to protect its users or their personal information.

The Wall Street Journal reported Monday that some of Facebook's most popular applications, such as FarmVille, Texas HoldEm Poker and FrontierVille, have been sending users' personal information to dozens of advertising and Internet monitoring companies.

The report, based on the Journal's own investigation, found that the issue affects tens of millions of users, even those who have set their privacy settings to the strictest levels.

The newspaper's investigation found that 10 of Facebook's most popular apps are leaking the unique "Facebook ID" numbers of users to the third-party companies. The ID numbers can be traced back to individual Facebook users.

The Journal noted that the highly popular FarmVille app, which has some 59 million users, also transmits information about the friends of affected users.

"This builds on an ongoing theme that Facebook can't be trusted, which could do the service serious damage over time," said Rob Enderle, principal analyst at Enderle Group. "We still haven't identified a service that people are likely to switch to, but every time [something like] this happens, the likelihood that one will emerge increases."

Facebook maintains that it takes user privacy very seriously.

"We are dedicated to protecting private user data while letting users enjoy rich experiences with their friends," wrote Mike Vernal, a Facebook engineer, in a blog post Monday.

"Recently, it has come to our attention that several applications built on Facebook Platform were passing the User ID (UID), an identifier that we use within our APIs, in a manner that violated [our] policy. In most cases, developers did not intend to pass this information, but did so because of the technical details of how browsers work," Vernal said.

Vernal added that the media has "exaggerated" the implications of third parties' gaining access to Facebook user IDs. "We are talking with our key partners and the broader Web community about possible solutions," he said, adding that Facebook will provide more information this week.

Many users, though, were not placated.

"Nice. What a pile of crap!," wrote Oyaki Ahanaf, a Facebook user, in response to Vernal's blog post. "So we are expected to believe that these 'developers' had no idea whatsoever that UIDs were being passed to 3rd party advertisers???!!!"

User Aisha Khan wrote, "Each & every step that FB has taken has brought security & privacy back 2 steps." And user Josh Lowen responded to Vernal's blog by writing, "I don't believe you. I think you knew this was going on, and LET IT because you know that's how the companies are making money (and you need them to make money for you to make money.) Sheisters, the lot of you."

On Twitter, someone identified as "clarecoll" offered this comment: "It bothers me that if my FB friends play w/ Apps MY privacy is affected. I'm penalized for having stupid friends." And another Twitter user, BPalmTheGreat, submitted this tweet: "At what point do people get tired of all the facebook privacy violations?" And "ByteGeek" tweeted, "Facebook is exploiting your privacy again."

Dan Olds, an analyst at Gabriel Consulting Group, noted that Facebook has confronted one privacy issue after another this year. And the latest problem could cause more trouble for the social networking company than all the others, he added.

"An above-the-fold story in a major national newspaper with the headline 'Facebook in Privacy Breach' is a substantial blow," said Olds. "I've always thought that the real privacy weakness in Facebook, after they took care of setting up better controls, was related to third-party apps. I don't know if I'd call what happened a privacy breach, because a breach implies that there was some privacy mechanism that was somehow gotten around or penetrated. From what I can tell so far, these companies were just using all the information they had routine access to -- implying that FB never had mechanisms in place to limit the info that apps providers harvested."

Olds added that he's expecting a lot of people to dump many of their Facebook apps because of the latest privacy issue. But Enderle noted that those Facebook users addicted to finding virtual lost sheep and erecting barns on FarmVille might not be compelled to leave despite the latest news.

As users mull their next steps, Facebook executives need to come up with a plan to deal with the site's latest problem, analysts said.

"Facebook has to take the responsibility for lax enforcement of its own guidelines," said Hadley Reynolds, an analyst at IDC. "Facebook now needs to make the protection of its users' information and that of their friends more than a matter of contractual ink between it and its partner network. It should re-engineer its APIs to force applications to tell individuals what information they will be collecting and explicitly request permission from individuals for that access."

Olds added that Facebook needs to come up with, and enforce, a stringent policy that requires app makers to disclose what information they're gathering and how they're using it. That disclosure also can't be in tiny print. It needs to be stated upfront and be easy to understand, he added.

"The whole incident is an example of why [CEO Steve] Jobs and Apple have taken a much more controlling approach to the apps that their partners create for the iPod, iPhone and iPad, and why that kind of control may be necessary not only to ensure quality but also to create an environment where users can trust the application providers to observe rigorous privacy protection standards," said Reynolds.

Sharon Gaudin covers the Internet and Web 2.0, emerging technologies, and desktop and laptop chips for Computerworld. Follow Sharon on Twitter at @sgaudin, or subscribe to Sharon's RSS feed. Her e-mail address is sgaudin@computerworld.com.
