Over the weekend, the Wall Street Journal published a story concerning the inadvertent passing of Facebook users’ personal information between popular third-party Facebook applications and several outside marketing agencies and data-gathering firms.
Every Facebook user is assigned a unique, non-identifying, numeric “user ID” that’s used for several purposes within the site. At the most basic level, for instance, numeric IDs can be used to differentiate several users who have the same first and last names. So if there are 100 people named Joe Smith on Facebook, they each have their own user ID.
Facebook can also make use of these IDs for its own marketing purposes. It may not collect the actual personal information of User #12345 but it knows that User #12345 likes to play FarmVille and knows which kinds of ads that user clicks on, so it can target similar ads to that user in the future.
The problem is that third-party apps like FarmVille also have access to these unique user ID numbers, and the Wall Street Journal contends that not only have these user IDs been passed to outside marketing and data-gathering companies, but the ID numbers can also be used to reveal personally identifying information about the users.
According to the article:
“The information being transmitted is one of Facebook’s basic building blocks: the unique ‘Facebook ID’ number assigned to every user on the site. Since a Facebook user ID is a public part of any Facebook profile, anyone can use an ID number to look up a person’s name, using a standard Web browser, even if that person has set all of his or her Facebook information to be private. For other users, the Facebook ID reveals information they have set to share with ‘everyone,’ including age, residence, occupation and photos.
“The apps reviewed by the Journal were sending Facebook ID numbers to at least 25 advertising and data firms, several of which build profiles of Internet users by tracking their online activities.”
That’s a pretty serious accusation: that “anyone can use an ID number to look up a person’s name, using a standard Web browser, even if that person has set all of his or her Facebook information to be private.”
Facebook has responded, saying:
“Recently, it has come to our attention that several applications built on Facebook Platform were passing the User ID (UID), an identifier that we use within our APIs, in a manner that violated [Facebook's privacy] policy. In most cases, developers did not intend to pass this information, but did so because of the technical details of how browsers work.
“Press reports have exaggerated the implications of sharing a UID. Knowledge of a UID does not enable anyone to access private user information without explicit user consent. Nevertheless, we are committed to ensuring that even the inadvertent passing of UIDs is prevented and all applications are in compliance with our policy.”
However, you may recall an article from a couple of months ago about a Facebook bug that returned the photo, full name, and e-mail address of any user when someone tried to log in to the site using that user’s e-mail address. Even if you got the password wrong, you could see the person’s name and e-mail address, and that data could be harvested using an automated script. If something similar is possible with someone’s user ID, it’s pretty troubling.
In the meantime, a Facebook spokesperson told the Journal, “We have taken immediate action to disable all applications that violate our terms,” and the company blog post says, “We are talking with our key partners and the broader Web community about possible solutions.”