Facebook announces it is cracking down on application developers caught selling user ID information.
Facebook is cracking down on several application developers caught selling
Facebook user IDs to data brokers.
The crackdown was prompted by revelations last month that
some applications on the site were passing user IDs (UIDs) in violation of
Facebook policy. In a
Facebook engineer Mike Vernal wrote the site was
"instituting a 6-month full moratorium on (the developers) to
Facebook communication channels, and we will require these developers to submit
their data practices to an audit in the future to confirm that they are in
compliance with our policies."
While Facebook did not name the guilty parties, Vernal wrote that fewer
than a dozen developers were impacted and none of them was responsible for
any of the top 10 apps on the site.
"While we determined that no private user data was sold and confirmed
that transfer of these UIDs did not give access to any private data, this
violation of our policy is something
we take seriously
," he blogged.
Facebook also reached an agreement with Rapleaf, which has agreed to delete
all UIDs in its possession and to not "conduct any activities on the
Facebook Platform (either directly or indirectly) going forward," Vernal
noted. Rapleaf has said that it immediately implemented "a solution
to cease the transmissions" once it was discovered Facebook UIDs were being
passed to ad networks by applications the company works with.
UID data can potentially be used to look up any information users have made
public on their profile
. According to Facebook, the situation affected
iframe-based canvas applications.
"Our policy has always stated that data received from Facebook,
including UIDs, cannot be shared with data brokers and ad networks,"
Vernal blogged. "Moving forward, our policy will state that UIDs cannot
leave your application or any of the infrastructure, code, and services you
need to build and run your application. ...We realize that developers may
sometimes need a way to share a unique identifier outside of their application
with permitted third parties, such as content partners, advertisers or other
service providers. We are adding a mechanism that developers must use to share
anonymous identifiers for this purpose. We will release this functionality
(available via the Graph API and FQL) early
next week. We encourage developers to move to this mechanism quickly and will
require it on January 1,
In addition, ad networks on Facebook must delete any Facebook UIDs
regardless of how they were obtained as a "precondition to continuing to
serve ads on Facebook Platform," Vernal wrote.