Privacy Compliance & Data Security Information on Data Breach Prevention and the Appropriate Response

Facebook Again In the Spotlight for Privacy Blunders

Posted in Privacy Policy

The Wall Street Journal published a series of articles on Monday about Facebook and other mega-social media sites passing User Identifications (UIDs) to their advertisers.  The series has generated a huge amount of attention, raising the question of whether the Wall Street Journal is exposing a significant privacy problem or making something of nothing in the pursuit of web page impressions.

A UID can be used to look up all of the public information about a user of Facebook (for example), but it does not allow access to information that the user has chosen to make private through privacy controls.  Basically, if you are a Facebook user you cannot hide your name and gender, but everything else can be hidden.  The hidden information is not at risk.  The UID unlocks only the public information.

To be clear, we are not talking about disclosure of personally identifiable information in the sense of a data breach (i.e., name with SSN, bank information, health information or the like).  This is all information that users know will be made public.

But because of a web protocol deficiency (this is a technology issue, not a Facebook issue), the UID is transmitted as part of the "referrer" when the user clicks on an application in Facebook.  Basically, almost any web page that you browse to can learn which page you just left.  In this case, the "referrer" told the application maker your UID because the UID is encoded in the "referrer."

At that point, privacy red flags go up.
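
The referrer behaviour described above, as an added example (not code from the original post or from Facebook): a simplified JavaScript model of the Referer value a browser sends under each Referrer-Policy, showing which policies pass a UID embedded in the page address to a third-party application. The domains, the URL layout and the UID are constructed for illustration.

```javascript
// Added example (not from the original post): simplified model of the
// Referer value a browser sends on a navigation under a Referrer-Policy.
// The URLs and the UID are constructed; "downgrade" is reduced to
// https -> non-https.
const UID = '1234567890';
const PAGE = 'https://social.example/profile.php?id=' + UID + '#wall';
const APP = 'https://apps.example/game/start';
const POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin',
  'strict-origin-when-cross-origin', 'unsafe-url',
];

function refererFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';
  // The full-URL form never carries the fragment or embedded credentials.
  from.hash = '';
  from.username = '';
  from.password = '';
  const full = from.href;
  const origin = from.origin + '/';
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return origin;
    case 'same-origin': return sameOrigin ? full : null;
    case 'strict-origin': return downgrade ? null : origin;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'origin-when-cross-origin': return sameOrigin ? full : origin;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    default: throw new Error('unknown Referrer-Policy: ' + policy);
  }
}

// Report, per policy, what the third-party application would receive.
function auditPolicies(fromUrl, toUrl, uid) {
  return POLICIES.map((policy) => {
    const referer = refererFor(policy, fromUrl, toUrl);
    return { policy, referer, leaksUid: referer !== null && referer.includes(uid) };
  });
}

console.table(auditPolicies(PAGE, APP, UID));
```

Run with Node.js. Only the policies that send the full page address across origins expose the UID; the origin-only and no-referrer policies do not.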

Many of us do not know it, but there are companies that have built vast databases by collecting as much information about users as possible.  These databases hold profiles of many web users, some with more detailed information than others.  It is best not to think about how much information is really out there about you in these databases.

The value of these databases is huge, because if a data aggregator knows that I like baseball, that small nugget of information is very valuable to advertisers.  When Facebook basically lays the path for data aggregators to this information about me, you have potential privacy issues.

But what has Facebook done that is wrong?  The Facebook Privacy Policy clearly says that it will not sell its users’ information to advertisers without consent, and arguably Facebook has not violated that promise.  In the same Privacy Policy, users are told that application providers will be provided with users’ names and other information that the user makes public.  That sounds compliant so far.

The breakdown is that the application makers (think Farmville) allow the user information to get to advertisers, which is apparently a breach of Facebook’s terms with its application providers.

Facebook responded and has shut down the violating application makers.  That is a great first step.  Facebook has also said that it was unaware of the UID transmission and that most application makers probably had no idea the UIDs were transmitted.

But Facebook had this exact problem in May with its advertisers, another issue uncovered by the Wall Street Journal.

Some people get upset at anything having to do with Facebook and privacy.  Others are horrified to learn what aggregators collect and know.  Some consider the tradeoff the currency paid for free web services.  This one appears to fall in the middle, but should not be called a significant privacy breach.