Facebook's privacy issues are like a centipede with countless shoes dropping. There seems to be no end to them. Recently, Wall Street Journal reporters revealed that Facebook apps have been inadvertently sharing user identities with advertisers. Companies like Rapleaf use Facebook data to create detailed personal profiles, including names, locations, politics, and religious beliefs.

This morning, we found out that not only were Facebook apps inadvertently sharing user identities (UIDs), but some were also doing it deliberately, for money. App makers were selling user information to data brokers. This is like Charlie Sheen sharing his secrets with Perez Hilton—it won’t stay private for long.

Facebook’s blogger Mike Vernal disclosed the news. Vernal's blogging style is rather dry and dense, which might be why he got the job. It took him six paragraphs to explain the situation:

"As we examined the circumstances of inadvertent UID transfers, we discovered some instances where a data broker was paying developers for UIDs. While we determined that no private user data was sold and confirmed that transfer of these UIDs did not give access to any private data, this violation of our policy is something we take seriously. As such, we are taking action against these developers by instituting a 6-month full moratorium on their access to Facebook communication channels, and we will require these developers to submit their data practices to an audit in the future to confirm that they are in compliance with our policies. This impacts fewer than a dozen, mostly small developers, none of which are in the top 10 applications on Facebook Platform.

We have also reached an agreement with Rapleaf, the data broker who came forward to work with us on this situation. Rapleaf has agreed to delete all UIDs in its possession, and they have agreed not to conduct any activities on the Facebook Platform (either directly or indirectly) going forward."

So, a few app developers sold user identities to data brokers—not ideal, but not catastrophic. Data brokers could manually collect these IDs from Facebook anyway, though it’s easier to buy them.

Credit to Facebook for bringing this to light before the media did. But they lose points for providing minimal information.

Here’s what we need to know:

  1. App Vetting: Facebook has about 550,000 apps. Has the company checked all of them? If not, how many? The top 100? 200? 1,000? Which ones are vetted, and how can anyone else know?

  2. Guilty Apps: Saying "fewer than a dozen" developers were involved without naming them only protects the guilty. Users have a right to know if they’ve installed those apps. Even other developers are asking for this information to be made public.

  3. Data Brokers: Which data brokers bought this information? Who did they sell it to? Are people getting targeted ads, spam, junk mail, or telemarketing calls because of this?

  4. Moratorium Details: What does a "6-month full moratorium on their access to Facebook communication channels" mean? Will these apps disappear from Facebook? Why just six months? It’s like Facebook is giving them a minor punishment.

  5. Rapleaf's Role: Will Rapleaf continue to scrape data from Facebook pages? Will it keep sharing its data with Facebook advertisers? How close were Rapleaf and Facebook initially?

  6. Endgame: Where does this end? (Refer to the centipede and shoes metaphor above.)

In contrast to Vernal’s statement, a comment on his blog post accuses an unnamed app developer of trying to sell Facebook users' private information to the Washington Times:

"Please check in with the Washington Times about the developer who was approaching them in early 2008 to resell Facebook user data. I ended up at a table at a conference, as this Facebook app developer was trying to sell them a contract for data. I never got his name or the app—but the Washington Times' web/media team might remember him. He was specifically selling demographic information and IP addresses/locations of users to media companies so they could correlate age/sex/demographic/location for their advertisers."

This is the real issue. Is this common? Does Facebook even know about it?

This is why I don’t use Facebook apps and discourage others from doing so. Too many seem designed to exploit users, despite Facebook's policies and statements. For a service with over 500 million members aiming to change the web, it’s high time Facebook gets a clue.

