The apps in question have a huge combined userbase. The Wall Street Journal reports that all of the 10 most popular Facebook apps are guilty of giving away user IDs to third parties, specifically Internet research and advertising companies.
Facebook confirmed some of the issues in a blog post, claiming most of the apps in question shared the user IDs inadvertently, due to “technical details.”
“Our policy is very clear about protecting user data, ensuring that no one can access private user information without explicit user consent (…) Recently, it has come to our attention that several applications built on Facebook Platform were passing the User ID (UID), an identifier that we use within our APIs, in a manner that violated this policy. In most cases, developers did not intend to pass this information, but did so because of the technical details of how browsers work,” the post said.
Earlier this weekend, Facebook blocked LOLapps, one of the biggest social games providers on the Facebook platform, due to “violations of Facebook’s terms.” The WSJ claims that some of the apps created by LOLapps were also transmitting user info to third parties. LOLapps (whose apps have now been reinstated on Facebook) has confirmed this was the case in a blog post, claiming it shared the info inadvertently.
Facebook also said that “knowledge of a UID does not enable anyone to access private user information without explicit user consent.”
This is true, but Facebook UID can be very revealing, depending on the user’s privacy settings. Knowing the ID of a Facebook user who shares information with “Everyone” can potentially give you access to his/her name, phone number, e-mail, photos and other personal info. Even if a user has set the strictest possible privacy settings on his/her account on Facebook, the ID may still reveal his/her name and Facebook friends.
And then there’s the issue of scale. If an application with tens of millions of users shares Facebook UIDs with an advertising company, that’s a lot of data. Depending on your privacy settings on Facebook, this particular advertising company now may only know your name and the names of your friends or much more. But the real question is one of trust: Have you agreed to any of this, and do you want to be in this company’s database?This is another in a long line of Facebook’s privacy missteps. Although Facebook has claimed time and time again that it’s doing everything it can to preserve its users’ privacy, this latest incident won’t do much to convince its users that this is really the case.