"Many of the most popular applications, or "apps," on the social-networking site Facebook Inc. have been transmitting identifying information—in effect, providing access to people's names and, in some cases, their friends' names—to dozens of advertising and Internet tracking companies, a Wall Street Journal investigation has found. (Wall Street Journal - Facebook in Privacy Breach; Top-Ranked Applications Transmit Personal IDs, a Journal Investigation Finds)
The issue affects tens of millions of Facebook app users, including people who set their profiles to Facebook's strictest privacy settings. The practice breaks Facebook's rules, and renews questions about its ability to keep identifiable information about its users' activities secure.
The problem has ties to the growing field of companies that build detailed databases on people in order to track them online—a practice the Journal has been examining in its What They Know series. It's unclear how long the breach was in place. On Sunday, a Facebook spokesman said it is taking steps to "dramatically limit" the exposure of users' personal information."
The investigation found that all 10 of the top 10 applications on the social networking site, including the popular game Farmville with 59 million users, transmit user IDs to outside companies, for marketing purposes. In some cases, the applications also transmitted personal information.
"According to posts on Facebook's developers blog and the blog of one Web firm critiqued in the WSJ piece, Rapleaf, the apps in question are gathering information through a standard Web feature called the "referer URL." (Washington Post - Latest Facebook privacy scare isn't so new)
Attentive readers will recall that the same mechanism was blamed in a May WSJ story about privacy issues at Facebook and MySpace. Referers aren't a bad thing by themselves; they're a basic feature of Web links that allows sites to know which sites visitors are coming from.
In most cases, a referer (the misspelling has become common practice) doesn't say anything about who you are -- only which sites you've visited. That's not the case with Facebook profiles, as the company acknowledged in May. But sanitizing referers in a way that works in all browsers is not an easy thing -- see this lengthy explanation from the Facebook engineering blog for the grisly details.
It looks like Facebook's engineers forgot to make sure their referer-laundering works for Facebook apps, too. And, as the WSJ story notes, some companies -- such as Rapleaf -- made further use of this information:
The apps reviewed by the Journal were sending Facebook ID numbers to at least 25 advertising and data firms, several of which build profiles of Internet users by tracking their online activities."
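The referer leak described above, as an added example that is not from the quoted articles or the original post: it models the Referer a browser would send from an app page whose URL carries a user ID to a third-party host, under several Referrer-Policy values (the policy names come from the W3C Referrer Policy specification). The hostnames, the `user_id`/`uid`/`id` parameter names and the `/profile/<digits>` path pattern are constructed assumptions.

```javascript
// Added example: which Referer a browser sends under a given Referrer-Policy.
// Simplification: "downgrade" is treated as https page -> non-https target.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  u.username = ""; u.password = ""; u.hash = ""; // never sent in a Referer
  return originOnly ? u.origin + "/" : u.href;
}

function refererFor(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl), target = new URL(targetUrl);
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === "https:" && target.protocol !== "https:";
  const full = stripForReferrer(pageUrl, false);
  const origin = stripForReferrer(pageUrl, true);
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return origin;
    case "same-origin": return sameOrigin ? full : null;
    case "origin-when-cross-origin": return sameOrigin ? full : origin;
    case "strict-origin": return downgrade ? null : origin;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      return sameOrigin ? full : (downgrade ? null : origin);
    default: throw new Error("unknown policy: " + policy);
  }
}

// True if the Referer would hand the receiving site an account identifier.
// Parameter names and the path pattern are assumptions for this example.
function leaksIdentifier(referer, idParams = ["user_id", "uid", "id"]) {
  if (referer === null) return false;
  const u = new URL(referer);
  return idParams.some((p) => u.searchParams.has(p)) ||
    /\/profile\/\d+/.test(u.pathname);
}

// Constructed sample: an app page URL carrying the viewer's numeric ID,
// and a third-party tracking resource embedded in that page.
const PAGE = "https://apps.social.example/game/play?user_id=1000001&ref=feed#top";
const TRACKER = "https://ads.tracker.example/pixel.gif";

function auditPolicies(policies) {
  return policies.map((policy) => {
    const referer = refererFor(PAGE, TRACKER, policy);
    return { policy, referer, leaks: leaksIdentifier(referer) };
  });
}

console.table(auditPolicies(["unsafe-url", "no-referrer-when-downgrade",
  "origin", "strict-origin-when-cross-origin", "no-referrer"]));
```

Only the policies that reduce the cross-origin Referer to the bare origin, or drop it, keep the ID away from the third party; the full-URL policies pass it along with every embedded request.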
Referer issues have been around for a long time. Webmasters (like me) have used them forever to watch where people are coming from. I look at referers in the page counter and tracking software I use on this blog you are reading right now. The difference is that Facebook has a whole crapload of other information that goes with their referers to advertisers. Also, when you visit this site (relatively anonymously), you don't allow me to get access to a list of all your friends and their personal information and their photos...
It always aggravated me when my friends would sign up for Mafia Wars or other games and I would know that their sign-up had just given their game developer access to all my photos and posts. I realise it is all public. I constantly tell everyone I know - as soon as it is off a computer or device you tightly control, consider it "in the wild". That being said... I want to control who has access to my images and information. At minimum, I want to be asked or informed that someone has access.
Picture credit: http://www.fanpop.com/spots/animal-humor/images/7187361/title/want-some-privacy-please-photo