Facebook warns developers after privacy leak

Doug Gross
Some Facebook apps have been sharing information with advertisers, according to a report.
  • Facebook warns developers after leak that let apps share some user data with advertisers
  • Engineer calls reports exaggerated, says developers who leak data can be banned
  • Rapleaf, a company that shared data, says it was a mistake and has been fixed

(CNN) -- Facebook issued a stern warning to independent developers Monday in response to reports that some applications on the site were sharing identifying information about users.

At the same time, a Facebook engineer said media coverage of the leak has exaggerated how much information can be, and has been, shared with third parties.

"Our policy is very clear about protecting user data, ensuring that no one can access private user information without explicit user consent," Facebook engineer Mike Vernal said on a blog used by people who develop apps for the site. "Further, developers cannot disclose user information to ad networks and data brokers.

"We take strong measures to enforce this policy, including suspending and disabling applications that violate it."

A report by The Wall Street Journal found that some of Facebook's most popular apps, including the game FarmVille by social network game company Zynga, were being used to share users' personal information with more than 25 advertisers and online tracking companies.

According to the Journal, the apps were sharing the unique "Facebook ID" numbers that are assigned to every user on the site and can be used to look up a person's name -- even if that person has set all of his or her Facebook information to be private.

The report said Rapleaf, a data gathering firm, was able to link information from the apps to its database of internet users, which could allow advertisers to create user profiles based on online information about the users.

In a blog post Monday, Rapleaf said sharing personal identifiers was a mistake. When informed of it last week, the company "immediately researched the cause and implemented a solution to cease the transmissions," the post said.

It also stated that as of last week, no user IDs, or UIDs, were being shared via Rapleaf.

"We are committed to working with the industry to fix these issues, and all issues that may emerge in the future from this complex ecosystem," said the post. "Our mission is that everyone can have a personalized experience on the web that is safe and anonymous, and we will continue to work hard to make this a reality."

A user ID is a public part of any Facebook user's profile and can be used by any third party to access information the user has made public. But Rapleaf was linking that ID with other online information their browsers had found about the user, according to the Journal report.

It was unclear whether developers of many of the apps even knew they were sharing the information, the Journal said. Many apps, including Zynga's games, ask for some access to users' networks so that users can share gameplay with their friends.

Zynga did not immediately return an e-mail seeking comment.

In Facebook's blog post, Vernal emphasized the small amount of data that can be collected simply with the user ID.

"Press reports have exaggerated the implications of sharing a UID," he said. "Knowledge of a UID does not enable anyone to access private user information without explicit user consent.

"Nevertheless, we are committed to ensuring that even the inadvertent passing of UIDs is prevented and all applications are in compliance with our policy."

In the past, Facebook has come under fire for what some users considered invasion of privacy by apps.

The site responded by tightening controls. Apps now must tell Facebook users exactly which information they want to access.

Last week, Facebook added two new security tools: the ability to get a temporary password when using a public computer and the ability to remotely check whether a user's account is being accessed somewhere else.

