Facebook is cracking down on several application developers caught selling Facebook user IDs to data brokers.
The crackdown was prompted by revelations last month that some applications on the site were passing user IDs (UIDs) in violation of Facebook policy. In a blog post, Facebook engineer Mike Vernal wrote the site was "instituting a 6-month full moratorium on (the developers) to Facebook communication channels, and we will require these developers to submit their data practices to an audit in the future to confirm that they are in compliance with our policies."
While Facebook did not name the guilty parties, Vernal wrote that fewer than a dozen developers were impacted and none of them was responsible for any of the top 10 apps on the site.
"While we determined that no private user data was sold and confirmed that transfer of these UIDs did not give access to any private data, this violation of our policy is something we take seriously," he blogged.
Facebook also reached an agreement with Rapleaf, which has agreed to delete all UIDs in its possession and to not "conduct any activities on the Facebook Platform (either directly or indirectly) going forward," Vernal noted. Rapleaf has said that it immediately implemented "a solution to cease the transmissions" once it was discovered Facebook UIDs were being passed to ad networks by applications the company works with.
UID data can potentially be used to look up any information users have made public on their profile. According to Facebook, the situation affected iframe-based canvas applications.
"Our policy has always stated that data received from Facebook, including UIDs, cannot be shared with data brokers and ad networks," Vernal blogged. "Moving forward, our policy will state that UIDs cannot leave your application or any of the infrastructure, code, and services you need to build and run your application. ...We realize that developers may sometimes need a way to share a unique identifier outside of their application with permitted third parties, such as content partners, advertisers or other service providers. We are adding a mechanism that developers must use to share anonymous identifiers for this purpose. We will release this functionality (available via the Graph API and FQL) early next week. We encourage developers to move to this mechanism quickly and will require it on January 1, 2011."
In addition, ad networks on Facebook must delete any Facebook UIDs regardless of how they were obtained as a "precondition to continuing to serve ads on Facebook Platform," Vernal wrote.