Latest Facebook privacy scare isn't so new

If you were looking for another reason to hate FarmVille and all those other games on Facebook, today's report by the Wall Street Journal should make you happy:

Many of the most popular applications, or "apps," on the social-networking site Facebook Inc. have been transmitting identifying information -- in effect, providing access to people's names and, in some cases, their friends' names -- to dozens of advertising and Internet tracking companies, a Wall Street Journal investigation has found.


But it's important to know that Facebook has been enabling this kind of open access to user information since its inception and that anyone searching for it doesn't need an app to find it.

The "identifying information" noted in the article -- your Facebook username or profile number -- is already public data in most cases. Unless you disable the "public search" feature that Facebook enables for all over-18 users, anybody can see your name and photo by typing in the right address.

And even if you have opted out of public search, any of the 500 million-plus users on Facebook can see what the Palo Alto, Calif., social network defines as public data: name, picture, gender and networks.

Facebook's adjustable default privacy settings will also let strangers see some of your friends.

(Two things to note involving corporate ties: The Wall Street Journal's owner, News Corp., owns Facebook competitor MySpace. And as you've no doubt memorized by now, Post Co. chairman Donald E. Graham sits on Facebook's board of directors, and the paper uses Facebook to market itself.)

According to posts on Facebook's developers blog and the blog of one Web firm critiqued in the WSJ piece, Rapleaf, the apps in question are gathering information through a standard Web feature called the "referer URL."

Attentive readers will recall that the same mechanism was blamed in a May WSJ story about privacy issues at Facebook and MySpace. Referers aren't a bad thing by themselves; they're a basic feature of Web links that allows sites to know which sites visitors are coming from.

In most cases, a referer (the misspelling has become common practice) doesn't say anything about who you are -- only which sites you've visited. That's not the case with Facebook profiles, as the company acknowledged in May. But sanitizing referers in a way that works in all browsers is not an easy thing -- see this lengthy explanation from the Facebook engineering blog for the grisly details.
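How an address that carries a profile number ends up in the referer sent to a third-party host, and what an origin-only policy sends instead, shown as an added example that is not code from this post or from Facebook. It uses the Referrer-Policy values that browsers standardized after this post was written; the host names, the sample address and the list of identifying parameter names are constructed assumptions, and the downgrade check is simplified to https-to-non-https.

```javascript
// Added example; not code from the post or from Facebook.
// Hosts, the sample address and ID_PARAMS are constructed assumptions.
const ID_PARAMS = ['id', 'uid', 'user_id'];

// Referer value sent from pageUrl to targetUrl under a Referrer-Policy.
// Simplification: "downgrade" means an https page calling a non-https target.
function refererFor(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  page.hash = '';      // fragments are never sent in a referer
  page.username = '';  // nor are embedded credentials
  page.password = '';
  const full = page.href;
  const originOnly = page.origin + '/';
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === 'https:' && target.protocol !== 'https:';
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : null;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error('unknown policy: ' + policy);
  }
}

// Names of identifying query parameters a third party would receive.
function leakedIds(referer) {
  if (!referer) return [];
  const params = new URL(referer).searchParams;
  return ID_PARAMS.filter((name) => params.has(name));
}

// Constructed sample: a profile page address and an ad-network pixel.
const PAGE = 'http://social.example/profile.php?id=1234567&ref=games#wall';
const AD = 'http://ads.tracker.example/pixel.gif';

for (const policy of ['no-referrer-when-downgrade', 'strict-origin-when-cross-origin']) {
  const referer = refererFor(PAGE, AD, policy);
  console.log(policy, '->', referer, 'leaks:', leakedIds(referer));
}
```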

It looks like Facebook's engineers forgot to make sure their referer-laundering works for Facebook apps, too. And, as the WSJ story notes, some companies -- such as Rapleaf -- made further use of this information:

The apps reviewed by the Journal were sending Facebook ID numbers to at least 25 advertising and data firms, several of which build profiles of Internet users by tracking their online activities.

To me, this whole episode confirms two general principles to remember when thinking about electronic privacy breaches.

1) Data will leak by accident for a variety of benign reasons: Developers used the same technique that worked before; they assumed all their users kept the default settings; they didn't factor in how older software would behave, and so on.

2) Some companies won't resist the temptation to use data they weren't supposed to see.

What can you do about those two possibilities? Know your privacy options, and use them to limit your visibility. Facebook's defaults are too liberal for my taste and should be tightened, as I recommended in June and followed up with advice about its Places check-in feature in August.

Then be picky about adding applications to your account, and note what information they request of you and what they post to your profile. A revision to Facebook's privacy interface introduced last week makes it easier to see and limit the applications' appetites for your data.

But more important, remember the fundamental bargain of any social network: You're trading some of your information for the ability to communicate easily with friends. As one commentary wisely put it: "If you think that social media exists for charitable reasons, think again."

What's your take on this news? Am I letting Facebook off easy in this case?

By Rob Pegoraro  | October 18, 2010; 12:22 PM ET
Categories:  Privacy, Social media  


I quit FB ~ year ago after I found the code needed to access any data from ANY account.

Posted by: illogicbuster | October 18, 2010 11:25 AM | Report abuse

How can something so big and so unprofitable not be a government snooping project?

I'd say it is the Trilateral Commission, but I'm holding off on such a benign conclusion until Facebook's user base reaches millions of 666.

Posted by: blasmaic | October 18, 2010 12:07 PM | Report abuse

I don't think Facebook users really care that much about ANY kind of privacy. If they did, they probably wouldn't have joined in the first place. Facebook caters to narcissists and losers trying to make themselves look better online than they do in real life. IMHO, of course. :)

Posted by: josetucson | October 18, 2010 12:07 PM | Report abuse

"know where visitors have come coming from."

Posted by: TheChileanPresidentIsMuchBetterRespondingToDisastersThanObama | October 18, 2010 12:13 PM | Report abuse

Well, sounds like there's nothing to worry about. I don't know why the Wall Street Journal is always trying to get people riled up about stuff. Doing all that reporting must get tiring.

Posted by: HammerThyme | October 18, 2010 12:15 PM | Report abuse

Seeing this came from an organization who owns a competing product makes more sense now. This is trivial to do, and an app isn't needed to harvest this information. Try the following URL and simply change the # at the end. You can see how easy it would be to write a script to automate & harvest the information.

Posted by: Security_Sifu | October 18, 2010 12:36 PM | Report abuse

I just stick with Twitter, who's so concerned with user privacy, they encourage users to "tweet" on the go from their cellphones, which can be set to take GPS coordinates and post your exact location right next to a time stamp and, of course, your fascinating update about what you're thinking of having for lunch.

Using Twitter, people voluntarily turn their cellphones into real-time tracking devices accessible to anyone with an Internet connection.

Posted by: ComfortablyDumb | October 18, 2010 12:40 PM | Report abuse

One more reason I don't use Facebook.

Posted by: sarahabc | October 18, 2010 1:11 PM | Report abuse

And yet, the Post allows Facebook to place cookies on our computers. Block them out, folks.

Posted by: clairevb | October 18, 2010 1:32 PM | Report abuse

Facebook's users are as diverse as the growing plethora of data mining apps/games/tricks applied to the site. I like sharing a limited amount of information with a group of friends whom I know, along with an exchange of photos. If the privacy settings are a hoax -- then users like me are misled -- but quite aware of extent to which our information is 'compromised'. If users are silly enough to access and give permission for all those ancillary applications; well DUH, your level of risk has multiplied. A big tip to the clueless is the word "link" -- if you don't want that, then don't go there. I'm really surprised at all the attention 'substantive journalism' generates on this non-topic.

Posted by: mseagram1 | October 18, 2010 2:28 PM | Report abuse

Those who spend their lives responding to people trading farm animals and unsolicited emails from hookers are a sad commentary on today's society.

Posted by: areyousaying | October 18, 2010 2:55 PM | Report abuse

It's sort of hopeless to imagine that your name isn't already in a marketing database somewhere. Sending your public information to advertisers is a bit rude, but it's a bit scarier that you have to opt-out from this with your credit card company, bank, etc.

That said HTTP Referrers (funny story about the common misspelling) make most web analytics work and it would be sad to let them go....

Posted by: staticvars | October 18, 2010 3:25 PM | Report abuse

Posted by: anthony_franco | October 18, 2010 5:24 PM | Report abuse

You think Facebook is privacy-free, check out a quote from CBS correspondent Armen Keteyian in an article he wrote regarding copy machines. Talk about lack of privacy. How many people know about this??

"Nearly every digital copier built since 2002 contains a hard drive - like the one on your personal computer - storing an image of every document copied, scanned, or emailed by the machine."

Posted by: jbsanoff | October 18, 2010 7:19 PM | Report abuse

Facebook is doing this on purpose because it is no longer a social networking website. It is only concerned with maximizing profits by selling user information to third parties. It's high time we find an alternative and protect our personal data. I read about an alternative which you guys should check out - Mycube - which really seems to be making the right noises.

Posted by: clarkwalker | October 19, 2010 4:46 AM | Report abuse

It's precisely because of crap like this that I have nothing to do with Facebook.

Posted by: nbahn | October 19, 2010 9:36 AM | Report abuse


© 2010 The Washington Post Company