THE AMOUNT of private data being passed by social notworking websites to third parties has once again come under scrutiny.
The Wall Street Journal found that many popular applications on Facebook were "transmitting identifying information" to third parties. The information in question was actually Facebook user IDs (UIDs) that are used to identify users on the social notworking website. The practice of passing information to companies breaks Facebook's rules.
The use of HTTP referral headers to track user behaviour is nothing new, with many websites using similar tracking policies to build up user profiles. As the headers being passed include the UID, it is possible to strip away the garnish and be left with a unique identifier on Facebook.
It all boils down to what information is publicly available on profiles that are identified by the UIDs. Obviously those Facebook users who can't be bothered to set up their Facebook accounts properly are likely to give away a whole lot more than just relatively trivial information, but the WSJ is claiming that even with the strictest privacy controls in place marketeers are still able to get their grubby hands on not only the user's details but their friends' data too.
User profiles are extremely valuable when it comes to selling advertising as they allow targeted adverts that have a greater chance of being viewed or clicked. However what is concerning for users is that a simple UID is enough information for the makers of Farmville and other popular Facebook applications to forward to marketeers.
The WSJ reports that one of the data gathering firms, Rapleaf had linked up Facebook UIDs to its own database of Internet users before it sent the UIDs on to a dozen other firms.
Some commentators are calling the WSJ article an "overreaction", claiming that the publication ignored similar privacy concerns on Myspace, which is also owned by Rupert Murdoch's News Corporation. Using that bastion of reliable, well reasoned debate, Twitter, Forbes compiled a short compendium of those who essentially poo-pooed the WSJ's investigation by saying that the transfer of referral headers is common, even trivialising it as a "design flaw on the Internet".
Nevertheless Facebook, increasingly aware of the growing demand for privacy, was quick to try to reassure users. A spokesman said that the firm was taking measures to "dramatically limit" the exposure of private information. Since last week a number of applications have been banned from the website.
Although Facebook does not program many of the applications available to its users, it is not totally blameless in this latest embarrassing breach of privacy. Application developers have to follow the application programming interface (API) that is designed and provided by Facebook in order to operate with the website. It is clear that short-sighted design decisions within the API have made it possible for unscrupulous developers to break Facebook's own rules, siphon off data and pass it on to marketing firms.
Perhaps Facebook will now try to synchronise its operational rules and what its API offers to developers. The problem for the firm is that applications have become an increasing attraction to Facebook for users and a nice little earner for the firm itself. It won't want to destroy a revenue stream by shedding the resemblance of privacy it has, as that could hurt the company's income. Going by previous attempts at dealing with users' privacy complaints, we don't think it will care too much so long as it can ensure money coming in.
It is perhaps the Internet users who should learn the most from the WSJ's investigation. If a simple UID is enough for companies to make money, then imagine what other personal information is worth. µ
Might need to come up with a better name though
There's an app for *that*
American as Apple Spy