Latest Facebook privacy scare isn't so new
If you were looking for another reason to hate FarmVille and all those other games on Facebook, today's report by the Wall Street Journal should make you happy:
Many of the most popular applications, or "apps," on the social-networking site Facebook Inc. have been transmitting identifying information -- in effect, providing access to people's names and, in some cases, their friends' names -- to dozens of advertising and Internet tracking companies, a Wall Street Journal investigation has found.
But it's important to know that Facebook has been enabling this kind of open access to user information since its inception and that anyone searching for it doesn't need an app to find it.
The "identifying information" noted in the article -- your Facebook username or profile number -- is already public data in most cases. Unless you disable the "public search" feature that Facebook enables for all over-18 users, anybody can see your name and photo by typing in the right address.
And even if you have opted out of public search, any of the 500 million-plus users on Facebook can see what the Palo Alto, Calif., social network defines as public data: name, picture, gender and networks.
Facebook's adjustable default privacy settings will also let strangers see some of your friends.
(Two things to note involving corporate ties: The Wall Street Journal's owner, News Corp., owns Facebook competitor MySpace. And as you've no doubt memorized by now, Post Co. chairman Donald E. Graham sits on Facebook's board of directors, and the paper uses Facebook to market itself.)
According to posts on Facebook's developers blog and the blog of one Web firm critiqued in the WSJ piece, Rapleaf, the apps in question are gathering information through a standard Web feature called the "referer URL."
Attentive readers will recall that the same mechanism was blamed in a May WSJ story about privacy issues at Facebook and MySpace. Referers aren't a bad thing by themselves; they're a basic feature of Web links that allows sites to know which sites visitors are coming from.
In most cases, a referer (the misspelling has become common practice) doesn't say anything about who you are -- only which sites you've visited. That's not the case with Facebook profiles, as the company acknowledged in May. But sanitizing referers in a way that works in all browsers is not an easy thing -- see this lengthy explanation from the Facebook engineering blog for the grisly details.
It looks like Facebook's engineers forgot to make sure their referer-laundering works for Facebook apps, too. And, as the WSJ story notes, some companies -- such as Rapleaf -- made further use of this information:
The apps reviewed by the Journal were sending Facebook ID numbers to at least 25 advertising and data firms, several of which build profiles of Internet users by tracking their online activities.
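The leak the post describes is a plain HTTP Referer header carrying a Facebook profile or app URL that embeds the user's ID. As an added example (not from the original post or from Facebook), here is how an operator or auditor of a third-party site could scan its own access logs for referers that reveal a Facebook identity, so the values can be discarded rather than stored; the log lines are constructed, and the `id` / `fb_sig_user` parameter names and vanity-URL path shape are assumptions about the URL forms of that era.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (combined format) as an ad or tracking server
# might record them when a browser arrives from a Facebook page or app.
SAMPLE_LOG = """\
10.0.0.1 - - [18/Oct/2010:12:22:01 -0400] "GET /pixel.gif HTTP/1.1" 200 43 "http://www.facebook.com/profile.php?id=100000123456789&ref=app" "Mozilla/5.0"
10.0.0.2 - - [18/Oct/2010:12:22:05 -0400] "GET /pixel.gif HTTP/1.1" 200 43 "http://apps.facebook.com/examplefarm/?fb_sig_user=100000987654321" "Mozilla/5.0"
10.0.0.3 - - [18/Oct/2010:12:22:09 -0400] "GET /pixel.gif HTTP/1.1" 200 43 "http://www.facebook.com/l.php?u=http%3A%2F%2Fexample.org" "Mozilla/5.0"
10.0.0.4 - - [18/Oct/2010:12:22:12 -0400] "GET /pixel.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"
"""

# Combined log format: the referer is the second-to-last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Query parameters assumed to carry a numeric user ID on facebook.com referers.
ID_PARAMS = ("id", "fb_sig_user")


def identity_in_referer(referer: str) -> Optional[str]:
    """Return the identifying value a Facebook referer carries, or None."""
    if not referer or referer == "-":
        return None
    parts = urlsplit(referer)
    host = parts.hostname or ""
    if not (host == "facebook.com" or host.endswith(".facebook.com")):
        return None
    qs = parse_qs(parts.query)
    for name in ID_PARAMS:
        if name in qs and qs[name][0].isdigit():
            return qs[name][0]
    # Vanity profile URL (www.facebook.com/<username>): one path segment that
    # is not a script name. App hosts are excluded since their path is the app.
    seg = parts.path.strip("/")
    if host in ("facebook.com", "www.facebook.com") and seg \
            and "/" not in seg and not seg.endswith(".php"):
        return seg
    return None


def leaked_ids(log_text: str) -> List[Tuple[str, str]]:
    """(client_ip, identifier) for each line whose referer reveals a Facebook identity."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ident = identity_in_referer(m.group("referer"))
            if ident:
                found.append((m.group("ip"), ident))
    return found
```

Running `leaked_ids(SAMPLE_LOG)` flags the first two lines only; the `l.php` link-shim and the empty referer carry no identity, which is the distinction a log-retention filter needs to make.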
To me, this whole episode confirms two general principles to remember when thinking about electronic privacy breaches.
1) Data will leak by accident for a variety of benign reasons: Developers used the same technique that worked before; they assumed all their users kept the default settings; they didn't factor in how older software would behave, and so on.
2) Some companies won't resist the temptation to use data they weren't supposed to see.
What can you do about those two possibilities? Know your privacy options, and use them to limit your visibility. Facebook's defaults are too liberal for my taste and should be tightened, as I recommended in June and followed up with advice about its Places check-in feature in August.
Then be picky about adding applications to your account, and note what information they request of you and what they post to your profile. A revision to Facebook's privacy interface introduced last week makes it easier to see and limit the applications' appetites for your data.
But more important, remember the fundamental bargain of any social network: You're trading some of your information for the ability to communicate easily with friends. As one commentary wisely put it: "If you think that social media exists for charitable reasons, think again."
What's your take on this news? Am I letting Facebook off easy in this case?
October 18, 2010; 12:22 PM ET
Categories: Privacy, Social media