Facebook Punishes Developers for Passing on User IDs
Facebook will deny those application developers access to "communication channels" for six months, wrote Mike Vernal, on Facebook's blog, late on Friday. The developers number fewer than a dozen, he said.
The developers were being paid by a data broker for user IDs, unique numerical identifiers assigned to the site's users, which can appear in a URL when they use the site.
As a result, "we will require these developers to submit their data practices to an audit in the future to confirm that they are in compliance with our policies," Vernal wrote. "This impacts fewer than a dozen, mostly small developers, none of which are in the top 10 applications on Facebook Platform."
After an investigation into online privacy by the Wall Street Journal, Facebook said last month that in some cases user IDs were inadvertently being passed on to applications, which is against Facebook's policy. The situation was due to a Web standard called referral URLs that lets a website know where a person was previously browsing.
The user IDs do not contain personal information, but could lead to information that the person has chosen to display publicly. The latest revelation, however, shows that some application developers were then passing those user IDs to a data broker. Those brokers typically compile information to sell to advertising networks so users can be targeted with ads that are related to their personal interests.
"Facebook has never sold and will never sell user information," Vernal said. "We also have zero tolerance for data brokers because they undermine the value that users have come to expect from Facebook."
The brokers claim the information is made anonymous enough that an individual user can't be identified, but privacy activists often question their methods.
Vernal wrote that Facebook is working on a "technical solution" to prevent inadvertent passing of user IDs, and will also work with browser vendors on the issue.
The technical fix, to be released next week, will allow application developers to share a unique but anonymous identifier with permitted third parties such as content partners, advertisers or service providers, Vernal wrote.
Facebook will also mandate that user IDs can't leave an application. Developers will still be allowed to use services such as Akamai and Amazon Web Services as long as the services keep the user IDs confidential, Vernal wrote.
In another development, Vernal wrote that Facebook has reached an agreement with a data broker called Rapleaf, which was storing user IDs. Rapleaf was one of many companies that stored user IDs and have now said they will delete the information from their databases.
But following a detailed story in the Wall Street Journal about Rapleaf, Facebook has taken further steps against the company.
Rapleaf has "agreed not to conduct any activities on the Facebook platform (either directly or indirectly) going forward," Vernal wrote.
Rapleaf scans the Web for e-mail addresses and links its findings with publicly available information, including census data, voter registration records and social networking profiles. It creates profiles for people, then takes steps to make those profiles anonymous.
Rapleaf partners with websites to use its system. When people log in to a website that uses Rapleaf, their e-mail addresses are looked up in the Rapleaf database to see whether a profile exists.
Cookies -- small files containing information about a person's interests -- are placed on the users' browsers. The cookies are then examined by advertising networks in order to serve ads based on interests in the users' profiles. The company said there is no personally identifiable information and nothing stored about a user's browsing behavior.