Facebook applications raise new privacy concerns again

By EDRi · October 20, 2010

This article is also available in:
Deutsch: [Neuerliche Datenschutzprobleme bei Facebook Apps | http://www.unwatched.org/node/2275]

Facebook continues to raise concerns related to the privacy of its users’
personal data. According to an investigation made by Wall Street Journal
(WSJ), Facebook applications such as FarmVille have been supplying
identifying information of its users to several online advertising and
tracking companies.

Already in May 2010 it was revealed that under certain circumstances, when a
user was clicking on an ad, Facebook was transmitting its ID codes that were
used to look up individual profiles, including the user’s real name, age,
hometown and other data. Although Facebook has interrupted the practice, it
has now come Facebook applications were doing the same practice.

The practice affects millions of users including those who have placed their
data under the strictest privacy settings. According to WSJ, at least ten of
the most popular Facebook applications also transmitted personal information
about the user’s friends to external companies.

Two Facebook users from California, David Gould and Mike Robertson, have
filed a federal lawsuit against the social network for allegedly sharing
their real names and other private information with some advertisers,
considering Facebook was thus in direct violation of the federal law that
protects the privacy of electronic communications, the California
computer-crime law as well as the company’s own privacy policy.

“A Facebook user ID may be inadvertently shared by a user’s Internet browser
or by an application,” stated a spokesman from Facebook on 16 October 2010,
who added that the company would introduce new technology to address the
problem.

According to the company, there is no basis for the law suit. As a Facebook
user’s ID is a public part of any Facebook profile, anyone can use this
number to look up a person’s name, by using a standard Web browser, even if
that person has posted Facebook information as private. Facebook IDs reveal
information that the users have set to share with everyone.

Most applications on Facebook are created by independent software developers
and it is not yet clear whether their developers knew that their
applications were transmitting Facebook ID numbers. The applications use a
common Web standard, known as a “referer” which passes on the address of the
last page viewed when a user clicks on a link. On Facebook and other
social-networking sites, referers can expose a user’s identity.

While the supporters of online tracking argue that this kind of surveillance
is benign when being carried out anonymously, WSJ has found out that
RapLeaf, a data-collection firm, had linked Facebook users’ ID information
obtained from applications to its own database of Internet users. The
company is selling its database and has transmitted Facebook IDs to several
other firms.

“We didn’t do it on purpose,” stated Joel Jewitt, vice president of business
development for RapLeaf.

After being contacted by the WSJ, Facebook has changed its system so that
the ID codes are no longer sent to other websites and has apparently also
shut down some applications transmitting user IDs. Since 15 October, the
users having tried to access certain applications have received an error
message being reverted to Facebook’s home screen.
“We have taken immediate action to disable all applications that violate our
terms,” a Facebook spokesman said.

Facebook in Privacy Breach (18.10.2010)
http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html

Facebook apps ‘leaking details to advertisers’ (18.10.2010)
http://www.guardian.co.uk/technology/2010/oct/18/facebook-apps-data-privacy

Facebook Faces Suit Over Earlier Breach (17.10.2010)
http://blogs.wsj.com/digits/2010/10/17/facebook-faces-suit-over-earlier-breach/

EDRi-gram: Facebook under pressure for not observing its privacy principles
(19.05.2010)
http://www.edri.org/edrigram/number8.10/privacy-google-article-29