Wall Street Journal: Privacy breach with Facebook apps

Today the Wall Street Journal reported that “many of the most popular applications, or ‘apps,’ on Facebook have been transmitting users’ Facebook ID numbers to marketers and tracking companies.” It focused on Facebook, but then explained that the privacy breach it was reporting on is a phenomenon as old as Web links that has become a problem with the advent of social networking in general. The phenomenon, a basic standard of the Web, is called “referers.” A referer, a Journal blogger explains is “a piece of information sent whenever a user clicks on a link. Referers let sites know about the page from which the user is arriving. That information – passed discreetly from one server to the next – helps sites analyze the sources of their traffic and customize the information they present.”

The privacy breach the Journal’s reporting on happens when, in social sites with apps, advertisers “are able to connect a user ID to other online identifiers and cookies, which are not normally linked to a user’s identity,” according to the Journal, which does not say this is done intentionally. “In Facebook’s case,” according to the article, “the company’s app platform passes the user ID number to authorized applications to enable them to tap into your Facebook profile. That ID is sometimes passed on to outside firms via referer headers. Figuring out how to avoid doing that is one of the challenges Facebook faces as it introduces new technical systems that will limit the sharing of user IDs.” Facebook says it’s working on a fix to this problem but that knowledge of a user’s ID doesn’t give access to any users’ private information on the site, the Journal reports in a separate article. “The practice breaks Facebook’s rules, and renews questions about its ability to keep identifiable information about its users’ activities secure,” according to the article, which adds that 70% of FB users use apps every month. Though this is an important discovery and any compromise of user privacy like this has to be fixed on FB and all app-hosting sites, it’s not clear that this privacy breach has yet posed a real threat to users of any age, because “it’s not clear if developers of many of the apps transmitting Facebook ID numbers even knew that their apps were doing so,” the Journal reports.

But Rob Pegoraro at the Washington Post explains all this much better than I can and says it just confirms for him that in electronic media, “data will leak by accident for a variety of benign reasons,” and “some companies won’t resist the temptation to use data they weren’t supposed to see.” As for what we can do about it: be picky about what apps we use in social network sites and remember (and help your kids remember) that “you’re trading some of your information for the ability to communicate easily with friends.”

Here’s an earlier investigative piece by the Journal on the use of tracking technology such as “cookies” on children’s Web sites, indicating the potential for a highly targeted kind of advertising against which our friends at Common Sense Media are campaigning. [Disclosure: This blog’s sister project, ConnectSafely.org, is one of a number of non-profit Internet safety organizations that receive financial support from Facebook. And while we’re in disclosure mode, the Wall Street Journal is owned by News Corp., which also owns MySpace, a competitor of Facebook’s.]