涉及此事的应用包括社交游戏开发商Zynga公司旗下的《FarmVille》、《德州扑克牌》（Texas HoldEm Poker）、《拓荒者小镇》（FrontierVille）等游戏。Facebook为每个用户分派了一个Facebook ID号码，每个用户都可以通过该号使用浏览器查询到他人姓名，即便对方已经将其个人资料设为保密状态也不例外。该报记者调查还发现，涉嫌此事的应用至少向25个广告和数据跟踪公司提供了Facebook ID号码，其中之一是RapLeaf公司，该公司通过与Facebook有关应用的链接，将Facebook用户个人资料添加到自己的互联网用户数据库中，然后转手出卖给他人，RapLeaf公司的客户不乏其数。
WSJ reports Facebook apps — including banned LOLapps games — transmitted private user data
The Wall Street Journal reported that its investigation of Facebook apps found that many of the most popular titles have been transmitting identifying user information to dozens of advertising and internet tracking companies.
The issue affects tens of millions of Facebook app users, according to the story that appeared this evening in the lead spot on the Wall Street Journal’s web site (subscription required). The apps are not only transmitting the names of app users to the advertisers, but also the names of their friends in some cases. The problem affects users who have set their profiles to be completely private, and the practice breaks Facebook’s rules on privacy, the Journal said.
Acknowledging the problem, a Facebook spokesman said Sunday that the company is taking steps to dramatically limit the exposure of users’ personal information. The story indicates this privacy breach may be why all of the apps built by LOLapps, which has 150 million Facebook users, were banned over the weekend. The Journal found that all of the 10 most popular apps on Facebook were transmitting users’ IDs to outside companies.
They include games from Zynga, including its FarmVille, Texas HoldEm Poker and FrontierVille titles. Facebook assigns a Facebook ID number to every user on the site. Anyone can use that ID number to look up a person’s name, using a standard web browser, even if that person has set his or her info to be private. The Journal said the apps reviewed by its reporters were sending Facebook ID numbers to at least 25 ad and data-tracking firms. One firm, RapLeaf, had linked Facebook user ID info from the apps to its own database of internet users, which it sells. RapLeaf transmitted the Facebook IDs it obtained to a dozen other firms.
LOLapps and Zynga have not yet responded to requests for comment. RapLeaf’s vice president of business development, Joel Jewitt, told the Journal that his company didn’t transmit the information on purpose. But Facebook said it has taken steps to limit RapLeaf’s ability to use any Facebook data. The transmission of private data may have been unintentional because the browsers were using a “referrer,” which transmits the data of the last page a user had visited. That link may include the user’s private information.
The Journal found that some LOLapps apps were transmitting users’ Facebook ID numbers to RapLeaf, which then linked those ID numbers to files it had previously created on the users. RapLeaf then embedded that information in a web-tracking file called a cookie. Arjun Sethi, chief executive of LOLapps, is scheduled to speak on a case studies panel at VentureBeat’s DiscoveryBeat 2010 conference in San Francisco tomorrow.
Update: Read Write Web has questioned whether or not the use of referrers is in fact a privacy violation.
Facebook has issued the following response.
“As part of our work to provide people with control over their information, we’ve learned that the design and operation of the Internet doesn’t always provide the greatest control that is technically possible. For example, in the Spring, it was brought to our attention that Facebook user IDs may be inadvertently included in the URL referrer sent to advertisers. Here, WSJ has uncovered the same issue on Facebook Platform where a Facebook user ID may be inadvertently shared by a user’s Internet browser or by an application delivering content to a user.
While knowledge of user ID does not permit access to anyone’s private information on Facebook, we plan to introduce new technical systems that will dramatically limit the sharing of User ID’s.
This is an even more complicated technical challenge than the similar issue we successfully addressed last Spring, but one that we are committed to addressing. Our technical systems have always been complemented by strong policy enforcement, and we will continue to rely on both to keep people in control of their information.
It is important to note that there is no evidence that any personal information was misused or even collected as a result of this issue. In fact, all of the companies questioned about this issue said publicly that they did not use the user IDs or did not use them to obtain personal info.”