Facebook's privacy problems are like a centipede with footwear issues. "Other" shoes keep dropping, and there seems to be no end of them.
Lately Facebook's problems have been fueled by Wall Street Journal reporters peeking under the sheets to see what kind of shenanigans Facebook has been up to. That's how we learned Facebook apps have been inadvertently sharing user identities with advertisers, and the personal profiles culled from Facebook data by companies like Rapleaf can get very specific -- including names, locations, politics, and religious beliefs.
[ Want to cash in on your IT experiences? InfoWorld is looking for stories of an amazing or amusing IT adventure, lesson learned, or war tale from the trenches. Send your story to email@example.com. If we publish it, we'll keep you anonymous and send you a $50 American Express gift cheque. ]
Imagine our surprise, then, when we turned to the InterWebs this morning and discovered that not only were Facebook apps sharing user identities (UIDs) inadvertently, but that some were also doing it advertently -- which is to say deliberately, on purpose, for money. Worse, app makers were selling user information to data brokers, which is a little like Charlie Sheen offering up his most intimate secrets to Perez Hilton. It won't stay in one place for long.
Once again, Facebook turned to blogger Mike Vernal to reveal the news. Vernal might be the most boring blogger on the planet; he's certainly one of the most obtuse, which is probably why they gave him the job. It takes him six paragraphs to get to the meat of the matter:
As we examined the circumstances of inadvertent UID transfers, we discovered some instances where a data broker was paying developers for UIDs. While we determined that no private user data was sold and confirmed that transfer of these UIDs did not give access to any private data, this violation of our policy is something we take seriously. As such, we are taking action against these developers by instituting a 6-month full moratorium on their access to Facebook communication channels, and we will require these developers to submit their data practices to an audit in the future to confirm that they are in compliance with our policies. This impacts fewer than a dozen, mostly small developers, none of which are in the top 10 applications on Facebook Platform.
We have also reached an agreement with Rapleaf, the data broker who came forward to work with us on this situation. Rapleaf has agreed to delete all UIDs in its possession, and they have agreed not to conduct any activities on the Facebook Platform (either directly or indirectly) going forward.
OK, a handful of app developers sold user identities to data brokers -- not good, but not the end of the world. If data brokers really wanted to, they could cull these same IDs manually by trolling through Facebook and collecting them. (Of course it's a lot faster and easier to simply buy them.)
Give Facebook points for bringing this to public attention before the media got to it first. Now subtract those points for giving us as little information about this matter as humanly possible.
Here's what I want to know:
* Facebook has in the neighborhood of 550,000 apps. Has the company really checked the data-sharing habits of all of them? If not, how many apps have been vetted? The top 100? 200? 1,000? Which ones have been vetted, and how would anyone else know?
* Which apps are guilty? Telling us that "fewer than a dozen" developers were involved, without telling us which ones, merely protects the guilty -- and does nothing for the people who've installed those apps and have a right to know. Even other app developers are calling for this information to be made public, because otherwise they're guilty by association.
* What data brokers bought this information? To whom did they sell it? Are people getting targeted ads (or spam, junk mail, and telemarketing calls) as a result?
* What does that "6-month full moratorium on their access to Facebook communication channels" mean exactly? That they will disappear from the Facebook apps pages? That they will go dark? And why six months? It's like Facebook is sending them to bed without dinner.
* Will Rapleaf continue to scrape data from Facebook pages and include it in its profiles? Will it continue to share its data with Facebook advertisers? How cozy were Rapleaf and Facebook in the first place?
* Where does this end? (See centipede, shoes above.)
Now contrast Vernal's statement with one of the comments attached to his blog post, which accuses an unnamed app developer of actively trying to sell Facebook users' private information to the Washington Times:
Please check in with the Washington Times about the developer who was approaching in them [sic] in early 2008 to resell Facebook user data. I ended up at a table at a conference, as this facebook app developer was trying to sell them a contract for data. I never got his name or the app---but the Washington Times' web/media team might remember him. He was specifically selling demographic information and IP addresses/locations of users to media companies so they could correlate age/sex/demographic/location for their advertisers.
This is the real issue. Is this a common practice? Does Facebook even know about this incident?
This is why I don't use Facebook apps and discourage others from doing so. I've seen too many that seem designed entirely for this purpose -- regardless of Facebook's written policies and pious statements to the contrary. I don't think the company has a clue of what's going on. For a service that claims 500 million+ members and wants to change the very nature of the Web, it's well past time Facebook got one.
Does Facebook have a clue? E-mail me: firstname.lastname@example.org.
This story, "Surprise! Your Facebook Data Is for Sale" was originally published by InfoWorld.