Facebook Admits ‘Inadvertent’ Privacy Breach

Facebook has confirmed that some if its most popular applications transmitted identifying information, such as user names, to advertising and internet-tracking companies.

Facebook admits inadvertent privacy breach

Facebook says it is taking steps to "dramatically limit" the exposure of users' personal information, after a WSJ investigation showed that personal IDs were being transmitted to third parties via Facebook apps. Photo: Facebook

The admission comes after the US newspaper, The Wall Street Journal, uncovered evidence that some popular Facebook apps have shared user data with internet tracking organisations.

The Wall Street Journal said the breach affects tens of millions of Facebook users, including those who have set their profiles to the most secure and robust privacy settings. Facebook insists the breach does not expose any private user information.

The Journal’s investigation found that all 10 of the most popular Facebook apps – including well-known games such as FarmVille, Mafia Wars and Texas Hold’em – transmitted Facebook user identities, known as UIDs, to advertising and internet-tracking companies, in contravention of the social networking site’s rules.

Facebook’s policies state that developers cannot disclose user information to advertising networks or data brokers, and that no one can access private user data without explicit user consent.

User identities are unique numbers assigned to every Facebook user on the site. Facebook IDs are “public”, meaning that users can search for a person using their Facebook ID.

In some instances, profiles will be secured, and so not viewable, but in many cases, searching by user ID brings up photos and information that a user has set to share with “everyone”.

The news raises fresh doubts about Facebook’s privacy policies, and its ability to keep user information secure.

However, Facebook stressed that the passing on of UIDs by developers to third-party organisations was “inadvertent”, and accused the press of exaggerating the scale and significance of the incident.

“In most cases, developers did not intend to pass this information, but did so because of the technical details of how browsers work,” wrote Mike Vernal, a Facebook engineer, on the company blog.

“Press reports have exaggerated the implications of sharing a UID. Knowledge of a UID does not enable anyone to access private user information without explicit user consent.

“Nevertheless, we are committed to ensuring that even the inadvertent passing of UIDs is prevented and all applications are in compliance with our policy.”

Facebook has around 500 million users and a thriving app platform, with millions of people playing social games on the networking site.

The Wall Street Journal found that three of the top 10 apps, including FarmVille, had not only transmitted UIDs to outside companies, but also personal information about users’ friends.

The Journal said that the apps it examined were sending user ID numbers to at least 25 advertising and data firms. One firm, RapLeaf, was found to have linked Facebook user data gleaned from its catalogue of apps to its own database of internet users. RapLeaf said the data breach was unintentional.

Zynga, the company behind FarmVille, said it would work with Facebook to refine web control technologies to better ensure the preservation of personal information.

Some of the apps at the centre of the controversy were offline over the weekend, as developers sought to resolve the issue. [via The Wall Street Journal]

Share this article

We welcome comments that advance the story directly or with relevant tangential information. We try to block comments that use offensive language, all capital letters or appear to be spam, and we review comments frequently to ensure they meet our standards. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Coinspeaker Ltd.