Facebook applications were revealed to be leaking Facebook user IDs. The leak is due to information included in referrer URLs, according to one company.
Facebook has found itself in the middle of another privacy flap.
This time, the Wall Street Journal uncovered
that many Facebook applications are sharing user information
with advertising networks and other Internet-tracking companies. According to
the Journal, some of the most
on Facebook, including Mafia Wars, FarmVille and Texas
HoldEm Poker, are transmitting Facebook ID information to outsiders.
The information can be used to look up a Facebook user's name and any other
information a user allows to be shared publicly. In some cases, the information
also included the Facebook IDs of an application user's friends, the Journal
Among the companies mentioned by the Journal is the business-to-business
firm Rapleaf, which said that once it discovered Facebook IDs were being passed
to ad networks by applications it works with, the company immediately
"implemented a solution to cease the transmissions."
"As of last week, no Facebook [IDs] are being transmitted to ad
networks in conjunction with the use of any Rapleaf service," according to
the company blog.
Rapleaf was cited by the Journal for linking Facebook user IDs taken
from apps to its own database of Internet users, which it sells, as well as sending Facebook
IDs it obtained to a dozen other firms. According to the company, the
underlying issue is due to the HTTP referrer.
"If you are visiting a site that knows your identity (i.e. any site you're
logged into), then this site may receive referrer URLs of other pages on the
web that you have visited," according to the Rapleaf blog. "For
example, you may visit a web page about a particular medical condition, click a
link on that page to a site that knows your identity, and now that site can associate
your identity with having visited that particular medical webpage."
Websites need to take care to not include personally identifying
information that may get placed in referral URLs when linking to external
Websites, according to Rapleaf.
"Secondly, we need to give deeper thought to whether or not the privacy
risks associated with referral URLs can be adequately managed," the blog
continued. "Referral URLs are used by most web sites for constructive
purposes (e.g. link statistics, or preventing hotlink bandwidth theft)."
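
The check Rapleaf describes can be run over a site's own outbound requests. The following is an added example, not code from Rapleaf, Facebook or the Journal: it flags requests to another host whose Referer header carries a user identifier, and rebuilds a page URL without it. The parameter names, hosts and sample records are constructed assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed names of query parameters that identify a user; adjust per application.
ID_PARAMS = {"uid", "user_id", "profile_id"}

def leaked_ids(referer, request_url):
    """Return the identifier parameters a different host receives via Referer."""
    ref, dst = urlsplit(referer), urlsplit(request_url)
    # No Referer sent, or the request stays on the same host: nothing leaves the site.
    # (Exact hostname comparison; sibling subdomains count as different hosts.)
    if not ref.hostname or ref.hostname == dst.hostname:
        return {}
    return {k: v for k, v in parse_qsl(ref.query) if k.lower() in ID_PARAMS and v}

def audit(records):
    """records: (Referer header, requested URL) pairs, e.g. from a proxy capture."""
    findings = []
    for referer, request_url in records:
        ids = leaked_ids(referer, request_url)
        if ids:
            findings.append((urlsplit(request_url).hostname, ids))
    return findings

def scrub(url):
    """Rebuild a page URL without identifier parameters, so that third-party
    content loaded from that page cannot see them in the Referer."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k.lower() not in ID_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))

# Constructed sample capture: an application page loading its own script
# and an ad pixel hosted elsewhere.
SAMPLE = [
    ("https://apps.example.test/game?uid=1234567&level=3",
     "https://ads.tracker.example/pixel.gif"),
    ("https://apps.example.test/game?uid=1234567&level=3",
     "https://apps.example.test/static/app.js"),
    ("https://apps.example.test/game?level=3",
     "https://ads.tracker.example/pixel.gif"),
    ("", "https://ads.tracker.example/pixel.gif"),
]

if __name__ == "__main__":
    for host, ids in audit(SAMPLE):
        print(f"{host} receives {ids} in the Referer header")
    print(scrub(SAMPLE[0][0]))
```
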
For its part, Facebook has said the problem has been exaggerated, as no
private information belonging to users was revealed.
"Our policy is very clear about protecting user data, ensuring that no
one can access private user information without explicit user consent," blogged Facebook engineer
Vernal. "Further, developers cannot disclose user information to ad
networks and data brokers. We take strong measures to enforce this policy,
including suspending and disabling applications that violate it."
In most cases, he added, the developers did not intend to pass the user IDs,
but did so because of the "technical details of how browsers work."
The Journal report found the reviewed applications were sending
Facebook ID numbers to at least 25 advertising and data firms, including
several that build profiles of Internet users by tracking their online
Vernal noted that the company dealt with a similar option uncovered by the
Journal in May, "although the technical challenges here are greater."
In the May incident, it was discovered that in some cases, users'
IDs were shared with advertisers on Facebook by the users' browser when they
clicked on an ad.
"We are talking with our key partners and the broader Web community
about possible solutions," Vernal blogged. "We will have more details
over the course of the next few days."