Report: Facebook Apps Transmit Personal Data
MELISSA BLOCK, host:
There's new evidence that popular Facebook applications, such as the game Farmville, could compromise users' privacy. The Wall Street Journal reports that advertisers and data-collection companies have been using these apps to collect the indentifying information from Facebook users.
Farmville and other apps are made by third-party companies, and Facebook forbids them from sharing users' IDs with others. But as NPR's Martin Kaste reports, Facebook's privacy rules are hard to enforce.
MARTIN KASTE: Harlan Yu is a computer science grad student at Princeton, and when he heard last night that Facebook apps might be leaking personal information, he decided to check it out for himself.
Mr. HARLAN YU (Student, Princeton University): So I hooked up my browser to Farmville.
KASTE: He ran a special program that let him see all the information leaving his Facebook account, all those packets of data that you and I never see. And he looked especially closely at the data that Farmville was sending to other companies.
Mr. YU: So I could look at requests from Farmville.com to, say, doubleclick.net, which is Google's advertising company, and it's clear that my Facebook user ID is embedded in those requests.
KASTE: Now, you may say: Who cares if some advertising company knows that I play Farmville? And the answer is nobody. But that's not the data that Chris Soghoian is worried about.
Mr. CHRIS SOGHOIAN (Research Fellow, Center for Applied Cyber Security Research, Indiana University): What's being given away is your name.
KASTE: Soghoian is a fellow at the Center for Applied Cyber Security Research at Indiana University. And he says the problem is, your name is being linked to a lot of formerly-anonymous data.
Think of it this way: for years, data companies have been collecting information about an anonymous person who happens to sit at your computer: They have a virtual folder full of data about that person's habits, his purchases, and so on. But once you play Farmville, and it passes along your Facebook ID, advertisers can finally take that fat folder of market research and put your name on it. But Chris Soghoian doesn't really blame Facebook for this.
Mr. SOGHOIAN: This is not about Facebook's screw-up. Facebook had a screw-up similar to this in May, but this particular instance is about the Facebook app developers like Zynga and a few of the others. And they could have taken proactive steps to protect user data, to product the user ID from being inadvertently or advertently leaked.
KASTE: In fact, Soghoian says this is a potential problem outside the Facebook universe, too. He says other sites, such as Google, could pass on your ID the same way. That's because this information is often contained in the URLs of the websites you visit, that's that long line of data with the web address and other kinds of information. Most people's Web browsers just pass the URL information along.
Mr. SOGHOIAN: It's whatever is in the URL. If the URL contains, you know, personal information, that gets transmitted. If they URL includes your search terms, that gets transmitted. Whatever's in the URL gets transmitted.
KASTE: Facebook did not grant NPR an interview for this story, nor did Zynga, the company that makes Farmville and other Facebook games. On its blog, Facebook says it's working on a technical fix for the ID leaks, but it also says the press has, quote, "exaggerated the leaks' implications."
In an interview with NPR last year, Facebook public policy director Tim Sparapani admitted that someone could create a Facebook application that, quote, "abuses a user's privacy..."
(Soundbite of archived audio)
Mr. TIM SPARAPANI (Public Policy Director, Facebook): But when that happens, we find out about it, and we take action to enforce our terms of service. And then we take legal action to scrape back data that's been unlawfully or inappropriately gathered from our users.
KASTE: Facebook has not yet said whether it will try to scrape back the user data that was leaked in this case.
Martin Kaste, NPR news.