Why Facebook Applications Expose User IDs

Facebook applications have been found to be leaking Facebook user IDs. According to one of the companies involved, the leak stems from identifying information carried in HTTP referrer URLs.

Facebook has found itself in the middle of another privacy flap.

This time, the Wall Street Journal uncovered that many Facebook applications are sharing user information with advertising networks and other Internet-tracking companies. According to the Journal, some of the most popular applications on Facebook, including Mafia Wars, FarmVille and Texas HoldEm Poker, are transmitting Facebook ID information to outsiders.

A Facebook user ID can be used to look up the user's name and any other information the user has chosen to share publicly. In some cases, the information also included the Facebook IDs of an application user's friends, the Journal reported.

Among the companies mentioned by the Journal is the business-to-business firm Rapleaf, which said that once it discovered Facebook IDs were being passed to ad networks by applications it works with, the company immediately "implemented a solution to cease the transmissions."

"As of last week, no Facebook [IDs] are being transmitted to ad networks in conjunction with the use of any Rapleaf service," according to the company blog.

Rapleaf was cited by the Journal for linking Facebook user IDs taken from apps to its own database of Internet users (which it sells) as well as for sending Facebook IDs it obtained to a dozen other firms. According to the company, the underlying issue is the HTTP referrer: the Referer header a browser attaches to a request to tell the receiving site which page the request came from, which carries that page's full URL, query string included.

"If you are visiting a site that knows your identity (i.e. any site you're logged into), then this site may receive referrer URLs of other pages on the web that you have visited," according to the Rapleaf blog. "For example, you may visit a web page about a particular medical condition, click a link on that page to a site that knows your identity, and now that site can associate your identity with having visited that particular medical webpage."

Websites need to take care not to put personally identifying information into their own page URLs, since those URLs become the referrer sent to any external site they link to, according to Rapleaf.

"Secondly, we need to give deeper thought to whether or not the privacy risks associated with referral URLs can be adequately managed," the blog continued. "Referral URLs are used by most web sites for constructive purposes (e.g. link statistics, or preventing hotlink bandwidth theft)."
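To make the mechanism concrete, here is an added example (not code from the article, Rapleaf or Facebook) that computes the Referer header a browser would attach to a request from an application page to a third-party host, under each of the standard Referrer-Policy values, and then shows the effect of Rapleaf's first recommendation, stripping the identifying parameters out of the page URL. The hostnames, parameter names (`uid`, `friend`) and ID values are constructed for the example; the policy semantics follow the W3C Referrer Policy specification.

```javascript
// Added example (not from the article, Rapleaf or Facebook): how a user ID
// placed in a page's URL ends up in the Referer header of requests that page
// makes to third parties, and what keeping the ID out of the URL changes.
// The hostnames, parameter names and ID values below are constructed.

const POLICIES = [
  'no-referrer-when-downgrade',        // how browsers behaved by default in 2010
  'unsafe-url',
  'no-referrer',
  'origin',
  'same-origin',
  'strict-origin-when-cross-origin',   // default in current browsers
];

// Referer value for the "origin" policies: scheme://host[:port]/ only.
function originOf(url) {
  return new URL(url).origin + '/';
}

// Referer value when the full URL is sent: credentials and fragment are
// always dropped, but path and query string go out intact.
function fullReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Referer a browser attaches to a request from pageUrl to targetUrl under the
// named Referrer-Policy value (null means no Referer header is sent).
function refererFor(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === 'https:' && target.protocol === 'http:';
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return fullReferrer(pageUrl);
    case 'origin':
      return originOf(pageUrl);
    case 'same-origin':
      return sameOrigin ? fullReferrer(pageUrl) : null;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : fullReferrer(pageUrl);
    case 'strict-origin-when-cross-origin':
      if (downgrade) return null;
      return sameOrigin ? fullReferrer(pageUrl) : originOf(pageUrl);
    default:
      throw new Error('unknown referrer policy: ' + policy);
  }
}

// Rapleaf's first recommendation as code: drop identifying query parameters
// from a URL before it is used as a page address.
function stripIdentifyingParams(pageUrl, names) {
  const u = new URL(pageUrl);
  for (const name of names) u.searchParams.delete(name);
  return u.href;
}

// Does a Referer value carry any of the given identifiers?
function leaks(referer, identifiers) {
  return referer !== null && identifiers.some((id) => referer.includes(id));
}

// Constructed scenario: an app page whose URL carries the user's ID and a
// friend's ID, and which loads an ad script from a third-party host.
const APP_PAGE = 'https://app.example/canvas/?uid=1234567890&friend=2345678901&view=farm';
const AD_SCRIPT = 'https://ads.example/track.js';
const IDS = ['1234567890', '2345678901'];

// One row per policy, plus the cleaned URL under the most permissive policy.
function demo() {
  const rows = POLICIES.map((policy) => {
    const referer = refererFor(APP_PAGE, AD_SCRIPT, policy);
    return { policy, referer, leaks: leaks(referer, IDS) };
  });
  const cleaned = stripIdentifyingParams(APP_PAGE, ['uid', 'friend']);
  const referer = refererFor(cleaned, AD_SCRIPT, 'unsafe-url');
  rows.push({ policy: 'unsafe-url, cleaned URL', referer, leaks: leaks(referer, IDS) });
  return rows;
}

for (const row of demo()) {
  console.log(`${row.policy.padEnd(32)} ${row.leaks ? 'LEAKS' : 'ok   '} ${row.referer}`);
}
```

Run with `node`. The first two rows show the 2010 situation: the full page URL, user ID and all, goes to the ad host. The last row shows that the only control a site had at the time, since the Referrer-Policy mechanism did not yet exist, was to keep the ID out of the URL altogether. Today the browser default of `strict-origin-when-cross-origin` sends only the origin to a third-party host, which closes this particular path, but not same-origin requests or sites that opt back into `unsafe-url`.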

For its part, Facebook has said the problem has been exaggerated, as no private information belonging to users was revealed.

"Our policy is very clear about protecting user data, ensuring that no one can access private user information without explicit user consent," blogged Facebook engineer Mike Vernal. "Further, developers cannot disclose user information to ad networks and data brokers. We take strong measures to enforce this policy, including suspending and disabling applications that violate it."

In most cases, he added, the developers did not intend to pass the user IDs, but did so because of the "technical details of how browsers work."

The Journal report found the reviewed applications were sending Facebook ID numbers to at least 25 advertising and data firms, including several that build profiles of Internet users by tracking their online activities.

Vernal noted that the company dealt with a similar issue uncovered by the Journal in May, "although the technical challenges here are greater." In the May incident, it was discovered that in some cases users' IDs were shared with advertisers on Facebook by the users' browsers when they clicked on an ad.

"We are talking with our key partners and the broader Web community about possible solutions," Vernal blogged. "We will have more details over the course of the next few days."