Facebook Takes App Privacy Breaches in Stride
Facebook doesn't seem very disconcerted that its top 10 apps are among those reportedly sharing user IDs with advertisers in clear violation of its privacy policies. The sharing was inadvertent, suggested engineer Mike Vernal, and the press reports exaggerated its importance. Users may be steamed about the breaches and the company's yawning response, but they're not likely to do anything other than complain.
10/18/10 11:27 AM PT
Many of the most popular applications on Facebook have been transmitting identifying information -- names of users and, in some cases, the names of their friends -- to dozens of advertising and Internet tracking companies, according to an article published on Sunday in The Wall Street Journal.
No one can access private user information without explicit user consent, said Facebook engineer Mike Vernal, in a response posted to the Facebook blog Sunday night. Developers are not permitted to disclose user information to ad networks and data brokers.
"We take strong measures to enforce this policy, including suspending and disabling applications that violate it," wrote Vernal.
Facebook did not respond to the E-Commerce Times' request for comment by press time.
All of Facebook's top 10 applications were associated with violations of the network's stated privacy policies: Zynga's FarmVille, Texas HoldEm Poker, FrontierVille, Cafe World, Mafia Wars, Treasure Isle, Phrases, Causes, Quiz Planet and iHeart.
At the core of this privacy issue is the Facebook user ID -- a number assigned to each Facebook user. UIDs can be used to look up a user's name, which might also reveal age, location, occupation and photos, depending on the user's privacy settings. Apps reviewed by the Journal were sending UIDs to at least 25 advertising and data firms, several of which build profiles of Internet users by tracking their online activities.
The media have exaggerated the implications of sharing a UID, according to Facebook.
Knowledge of a UID does not enable anyone to access private user information without explicit user consent, insisted Vernal. Nonetheless, Facebook promised to make sure that even the inadvertent passing of UIDs will be prevented in the future.
Facebook will make sure all applications are in compliance with the company's privacy policies, said Vernal.
At a public forum early this year, Facebook CEO Mark Zuckerberg discussed the privacy policies the company put into place in December 2009, revealing his own rather relaxed attitude toward private information on the Internet.
"In the last five or six years, blogging has taken off in a huge way and all these different services that have people sharing all this information," said Zuckerberg. "People have gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time."
The Impact on Facebook's Image
Not everyone shares the same blase attitude toward private information on the Web.
"Any other company would investigate this and discipline these partners if they are blatantly violating the terms of privacy, but Facebook is too arrogant to address user concerns," Giovanni Gallucci, consultant for social media at You+Dallas, told the E-Commerce Times. "Facebook has a Teflon coating, so they don't worry about people's concerns."
Given Facebook's mammoth position in the market -- it claims 500 million active users -- it's not likely any privacy concerns will prompt a mass exodus from the site.
"People are furious about this," said Gallucci, "but they have nowhere else to go. Twitter doesn't have the functionality, and LinkedIn is just for business."
Is Private Info Really Private?
The use of free applications comes with a price, whether the price is spelled out clearly or not.
"Quite a few free apps are selling user data," Rob Enderle, principal analyst at Enderle Group, told the E-Commerce Times. "You're paying for the free applications with personal information."
The catch is whether the user understands that the sale of personal data is the tradeoff.
"It's like they're pulling money out of your account without telling you when or how much," said Enderle. "One way to clean it up is to provide a stronger opt-in. Then you accept it."