Facebook Apps Leaking User Info to Third Parties

Updated: Some of the most popular Facebook apps — including games such as Zynga’s FarmVille, which has almost 60 million monthly users — have been routinely transmitting information about Facebook users to third parties, including companies such as RapLeaf that are building profiles for sale to advertisers and marketers, according to a report in the Wall Street Journal (s nws). Facebook told the newspaper that it’s planning to introduce new systems that will make it harder for apps to send user data to other companies, something that is a breach of Facebook’s terms of use.

The information some apps allegedly transmit is the Facebook ID number that is unique to each user. According to the Journal, this number gets transmitted by some apps even when the user in question has their account set to “private.” Although user IDs by themselves don’t contain any personal data, if a user has a public Facebook profile, their ID number can be used to pull up whatever information they have there — name, address, date of birth, etc. The Journal said its investigation showed RapLeaf had cross-referenced ID numbers with an existing database of Internet users it sells to advertisers, and had also sent the user ID info to other companies, although RapLeaf said this was inadvertent.

Earlier this year, Facebook came under fire because in some cases user ID numbers were transmitted via a user’s web browser. Most modern browsers send what is called “referrer” information to websites, telling those sites where the user came from, and in the case of someone who clicked an ad on Facebook, that referrer sometimes contained their user ID. In May, the company changed the way the site records user info in the address of each page, so that the user ID doesn’t get sent by the browser, but Facebook is being sued as a result of this earlier data issue.

[inline-pro-content] Altering the way apps function to protect user IDs will take more work, Facebook said. “This is an even more complicated technical challenge,” a spokesman told the Journal, “but one that we are committed to addressing.” Although user IDs aren’t really a privacy issue — since they only reveal information that a user has already said he or she wants to make public — some users are likely to feel uncomfortable knowing that their public profile info might be harvested by companies for marketing purposes. (Companies who received the information from RapLeaf said they didn’t collect it or use it, according to the Journal).

The Journal report said that several of the top 10 Facebook apps, including FarmVille and Texas Hold ‘Em Poker, were sending user IDs to advertisers — sending it in some cases to as many as 25 separate advertising and data-collection firms — and some apps were also sending user data about a player’s friends to those same companies, both of which are a breach of Facebook’s terms of service. A report last week said that a maker of Facebook games called LOLapps has been shut down completely by the social network after it was discovered to be transmitting user information to advertising agencies and marketers (Update: LOLapps says all of its games have been restored to Facebook now.)

What kind of action Facebook will take in terms of sanctioning Zynga or other companies that have been transmitting this kind of information, or blocking their ability to do so in the future, remains to be seen. The social network has come under so much fire from consumer advocates and government representatives — both in the U.S. and internationally — for the way it handles privacy that it is undoubtedly hyper-sensitive to such criticisms now, even if the user ID data being transmitted doesn’t contain any private information. We’ve asked Facebook and Zynga for comment and will update this post if and when we get a response.

Update: In an emailed statement, a Facebook spokesman said that “while knowledge of user ID does not permit access to anyone’s private information on Facebook, we plan to introduce new technical systems that will dramatically limit the sharing of User IDs.” The statement also said that “it is important to note that there is no evidence that any personal information was misused or even collected as a result of this issue. In fact, all of the companies questioned about this issue said publicly that they did not use the user IDs or did not use them to obtain personal info.”

Facebook has also posted about the issue on the Facebook blog. And RapLeaf has a response on its corporate blog as well, discussing the transmission of user IDs (which it says it has stopped doing) and whether there is actually any privacy risk involved.

Related content from GigaOM Pro (sub req’d):

Post and thumbnail photos courtesy of Flickr user Alan Cleaver