Wall Street Journal
By EMILY STEEL And GEOFFREY A. FOWLER
October 18, 2010
Many of the most popular applications, or "apps," on the social-networking site Facebook Inc. have been transmitting identifying information-in effect, providing access to people's names and, in some cases, their friends' names-to dozens of advertising and Internet tracking companies, a Wall Street Journal investigation has found.
The issue affects tens of millions of Facebook app users, including people who set their profiles to Facebook's strictest privacy settings. The practice breaks Facebook's rules, and renews questions about its ability to keep identifiable information about its users' activities secure.
The problem has ties to the growing field of companies that build detailed databases on people in order to track them online-a practice the Journal has been examining in its What They Know series. It's unclear how long the breach was in place. On Sunday, a Facebook spokesman said it is taking steps to "dramatically limit" the exposure of users' personal information.
"A Facebook user ID may be inadvertently shared by a user's Internet browser or by an application," the spokesman said. Knowledge of an ID "does not permit access to anyone's private information on Facebook," he said, adding that the company would introduce new technology to contain the problem identified by the Journal.
"Our technical systems have always been complemented by strong policy enforcement, and we will continue to rely on both to keep people in control of their information," the Facebook official said.
"Apps" are pieces of software that let Facebook's 500 million users play games or share common interests with one another. The Journal found that all of the 10 most popular apps on Facebook were transmitting users' IDs to outside companies.
The apps, ranked by research company Inside Network Inc. (based on monthly users), include Zynga Game Network Inc.'s FarmVille, with 59 million users, and Texas HoldEm Poker and FrontierVille. Three of the top 10 apps, including FarmVille, also have been transmitting personal information about a user's friends to outside companies.
Most apps aren't made by Facebook, but by independent software developers. Several apps became unavailable to Facebook users after the Journal informed Facebook that the apps were transmitting personal information; the specific reason for their unavailability remains unclear.
The information being transmitted is one of Facebook's basic building blocks: the unique "Facebook ID" number assigned to every user on the site. Since a Facebook user ID is a public part of any Facebook profile, anyone can use an ID number to look up a person's name, using a standard Web browser, even if that person has set all of his or her Facebook information to be private. For other users, the Facebook ID reveals information they have set to share with "everyone," including age, residence, occupation and photos.
The apps reviewed by the Journal were sending Facebook ID numbers to at least 25 advertising and data firms, several of which build profiles of Internet users by tracking their online activities.
Defenders of online tracking argue that this kind of surveillance is benign because it is conducted anonymously. In this case, however, the Journal found that one data-gathering firm, RapLeaf Inc., had linked Facebook user ID information obtained from apps to its own database of Internet users, which it sells. RapLeaf also transmitted the Facebook IDs it obtained to a dozen other firms, the Journal found.
RapLeaf said that transmission was unintentional. "We didn't do it on purpose," said Joel Jewitt, vice president of business development for RapLeaf.
Facebook said it previously has "taken steps ... to significantly limit Rapleaf's ability to use any Facebook-related data."
Facebook prohibits app makers from transferring data about users to outside advertising and data companies, even if a user agrees. The Journal's findings shed light on the challenge of policing those rules for the 550,000 apps on its site.
The Journal's findings are the latest challenge for Facebook, which has been criticized in recent years for modifying its privacy rules to expose more of a user's information. This past spring, the Journal found that Facebook was transmitting the ID numbers to advertising companies, under some circumstances, when a user clicked on an ad. Facebook subsequently discontinued the practice.
"This is an even more complicated technical challenge than a similar issue we successfully addressed last spring on Facebook.com," a Facebook spokesman said, "but one that we are committed to addressing."
The privacy issue follows Facebook's effort just this month to give its users more control over its apps, which privacy activists had cited as a potential hole in users' ability to control who sees their information. On Oct. 6, Facebook created a control panel that lets users see which apps are accessing which categories of information about them. It indicates, for example, when an application accesses a user's "basic information" (including a user ID and name). However, it doesn't detail what information friends' applications have accessed about a user.
Facebook apps transform Facebook into a hub for all kinds of activity, from playing games to setting up a family tree. Apps are considered an important way for Facebook to extend the usefulness of its network. The company says 70% of users use apps each month.
Applications are also a growing source of revenue beyond advertising for Facebook itself, which sells its own virtual currency that can be used to pay for games.
Following an investigation by the Canadian Privacy Commissioner, Facebook in June limited applications to accessing only the public parts of a user's profile, unless the user grants additional permission. (Canadian officials later expressed satisfaction with Facebook's steps.) Previously, applications could tap any data the user had access to, including detailed profiles and information about a user's friends.
It's not clear if developers of many of the apps transmitting Facebook ID numbers even knew that their apps were doing so. The apps were using a common Web standard, known as a "referer," which passes on the address of the last page viewed when a user clicks on a link. On Facebook and other social-networking sites, referers can expose a user's identity.
The company says it has disabled thousands of applications at times for violating its policies. It's unclear how many, if any, of those cases involved passing user information to marketing companies.
Facebook also appeared to have shut down some applications the Journal found to be transmitting user IDs, including several created by LOLapps Media Inc., a San Francisco company backed with $4 million in venture capital. LOLapp's applications include Gift Creator, with 3.5 million monthly active users, Quiz Creator, with 1.4 million monthly active users, Colorful Butterflies and Best Friends Gifts.
Since Friday, users attempting to access those applications received either an error message or were reverted to Facebook's home screen.
"We have taken immediate action to disable all applications that violate our terms," a Facebook spokesman said.
A spokeswoman for LOLapps Media declined to comment.
A Zynga spokeswoman said, "Zynga has a strict policy of not passing personally identifiable information to any third parties. We look forward to working with Facebook to refine how web technologies work to keep people in control of their information."
The most expansive use of Facebook user information uncovered by the Journal involved RapLeaf. The San Francisco company compiles and sells profiles of individuals based in part on their online activities.
The Journal found that some LOLapps applications, as well as the Family Tree application, were transmitting users' Facebook ID numbers to RapLeaf. RapLeaf then linked those ID numbers to dossiers it had previously assembled on those individuals, according to RapLeaf. RapLeaf then embedded that information in an Internet-tracking file known as a "cookie."
RapLeaf says it strips out the user's name when it embeds the information in the cookie and shares that information for ad targeting. However, The Wall Street Journal found that RapLeaf transmitted Facebook user IDs to a dozen other advertising and data firms, including Google Inc.'s Invite Media.
All 12 companies said that they didn't collect, store or use the information.
Ilya Nikolayev, chief executive of Familybuilder, maker of the Family Tree application, said in an email, "It is Familybuilder's corporate policy to keep any actual, potential, current or prior business partnerships, relationships, customer details, and any similar information confidential. As this story relates to a company other than Familybuilder, we have nothing further to contribute."
Learn more about Search Engine Optimization, the most effective form of online advertising.
Search Engine Marketing is the fastest growing advertising medium in the world, projected to become 10x more powerful and influential than traditional media outlets such as: network television, cable television, local television, network radio, local radio, satellite radio, national newspapers, local newspapers, magazines, billboards, direct mail, telemarketing and more.
Discover the most powerful and effective form of advertising, Search Engine Optimization.
An aside for consideration are the segments of Search Engine Optimization. Clarification is required in terms of paid search marketing, sponsored search advertising, pay per click, email marketing (spam), and the foundation of strategic internet marketing: Organic Search Engine Optimization - Organic SEO in some circles also referred to as Natural Search Engine Optimization - Natural SEO.
Key Organic Search Engine Optimization Facts:
- Keyword search is the 2nd most popular online activity, rapidly approaching the popularity of email retrieval.
- 90% of all new website visitors are delivered by a major search engine and/or directory.
- 98% of all keyword search activity results are powered by the big 4 search engines: Google, Yahoo, MSN and AOL.
- Keyword search results on Google, Yahoo, MSN and AOL are all determined by a search engine spider and/or robot crawler.
- Recent internet marketing studies confirm that keyword searchers prefer the organic results at a 6 to 1 ratio vs. pay-per-click sponsored search advertising listings.
Is your corporate website being found early and often on the keywords and keyword phrases that best describe your products, services and industry?
Harness the power that our proven organic search engine optimization technologies can provide...
Contact the Peak Positions Organic SEO consulting specialists today.
Learn more about our client roster, one of the strongest in the SEO industry, and more importantly discover why our client-focused Organic Search Engine Optimization company maintains the highest client retention rate in the SEO industry.
"Our year over year order anniversary flowers revenues are climbing rapidly in a timid economy. If you are looking for an excellent SEO Company, we suggest Peak Positions" ...
SEO Case Study