据《华尔街日报》报道，社交网站Facebook上多款备受欢迎的游戏存在盗用玩家个人资料，并转发给多家广告及互联网跟踪公司的嫌疑。

该报道是《华尔街日报》网站当天的头条消息，称成百上千万的Facebook用户已牵涉其中，这些游戏应用不但将用户姓名传送给广告商，而且用户友人的个人资料也同样受到牵连。即使是已将个人资料设定为完全保密状态的用户，也仍然不能幸免，这一操作已经明显违背了Facebook有关保护个人隐私的原则。

Facebook的新闻发言人周日表示，该公司目前正采取强力措施力避用户个人信息外泄。该报道还指出，LOLapps公司（拥有1.5亿用户基础）的相关应用近日被Facebook封杀可能正与此事有关。另外还发现，Facebook上最受欢迎的10款应用都存在这种情况。

frontierville

涉及此事的应用包括社交游戏开发商Zynga公司旗下的《FarmVille》、《德州扑克牌》（Texas HoldEm Poker）、《拓荒者小镇》（FrontierVille）等游戏。Facebook为每个用户分派了一个Facebook ID号码，每个用户都可以通过该号使用浏览器查询到他人姓名，即便对方已经将其个人资料设为保密状态也不例外。该报记者调查还发现，涉嫌此事的应用至少向25个广告和数据跟踪公司提供了Facebook ID号码，其中之一是RapLeaf公司，该公司通过与Facebook有关应用的链接，将Facebook用户个人资料添加到自己的互联网用户数据库中，然后转手出卖给他人，RapLeaf公司的客户不乏其数。

目前为止，LOLapps和Zynga公司尚未对此事做出回应。RapLeaf公司的业务开发副总裁乔尔杰·威特（Joel Jewitt）表示，该公司并非有意对外输送用户个人信息。但Facebook却表示自己正采取措施禁止RapLeaf再使用Facebook的任何数据。用户私人数据外泄也许并非刻意而为之，因为浏览器经常会使用反向链接，将用户访问的上一个页面的数据传至他处，而该页面很可能就包含用户的个人信息。

a title from LOLapps

调查还发现，LoLapps公司的一些应用将Facebook用户的ID号码传送给RapLeaf公司，后者再将这些号码与其原先建立的用户资料一一对应，形成链接，然后将这些信息嵌入一个名为cookie的网页跟踪文件中。LOLapps公司董事长阿琼·塞西（Arjun Sethi）原计划将现身本周一在旧金山举办的2010年DiscoveryBeat大会，我们期待他届时对此做出解释。

Facebook对此事的声明如下：

“我们的任务之一是提供用户的信息控制保障，互联网的设计和运行从技术层面上讲，并不一定能实现最有效的信息控制。比如今年春天，我们就已经注意到Facebook用户ID可能在不经意间通过反向链接发送给广告商。现在，《华尔街日报》公布了Facebook平台上的同类情况，Facebook用户ID可能在偶然间通过用户浏览器或应用传输内容被他人获取。

但是仅知道用户ID并不能获得用户在Facebook上的私人信息，我们将采用新的技术系统，力图限制用户ID外泄的情况发生。这项技术挑战将比今年春天我们顺利解决的那桩事情更加棘手，但我们仍将坚定不移地克服这一难题。Facebook的技术系统一直辅以强有力的政策执行，我们将继续以技术与政策两手抓的行动，保证用户的信息安全。

值得注意的是，目前还没有证据显示有任何用户的个人信息被滥用，或者像报道中所说的那样被统一收集出售。事实上，牵涉此事的公司均已公开宣称他们没有滥用这些ID，也没有通过这些ID收集用户个人资料。”

另外，Facebook也在博客空间贴出了相关告示，该公司的Connect和平台工程部门经理麦克·维纳尔（Mike Vernal）在博客中称“新闻报道夸大了用户ID外泄的影响”，表示一些游戏应用绕过了Facebook的个人隐私保护政策，擅自对外输送用户ID。（本文为游戏邦/gamerboom.com编译）

WSJ reports Facebook apps — including banned LOLapps games — transmitted private user data

The Wall Street Journal reported that its investigation of Facebook apps found that many of the most popular titles have been transmitting identifying user information to dozens of advertising and internet tracking companies.

The issue affects tens of millions of Facebook app users, according to the story that appeared this evening in the lead spot on the Wall Street Journal’s web site (subscription required). The apps are not only transmitting the names of app users to the advertisers, but also the names of their friends in some cases. The problem affects users who have set their profiles to be completely private, and the practice breaks Facebook’s rules on privacy, the Journal said.

Acknowledging the problem, a Facebook spokesman said Sunday that the company is taking steps to dramatically limit the exposure of users’ personal information. The story indicates this privacy breach may be why all of the apps built by LOLapps, which has 150 million Facebook users, were banned over the weekend. The Journal found that all of the 10 most popular apps on Facebook were transmitting users’ IDs to outside companies.

They include games from Zynga, including its FarmVille, Texas HoldEm Poker and FrontierVille titles. Facebook assigns a Facebook ID number to every user on the site. Anyone can use that ID number to look up a person’s name, using a standard web browser, even if that person has set his or her info to be private. The Journal said the apps reviewed by its reporters were sending Facebook ID numbers to at least 25 ad and data-tracking firms. One firm, RapLeaf, had linked Facebook user ID info from the apps to its own database of internet users, which it sells. RapLeaf transmitted the Facebook IDs it obtained to a dozen other firms.

LOLapps and Zynga have not yet responded to requests for comment. RapLeaf’s vice president of business development, Joel Jewitt, told the Journal that his company didn’t transmit the information on purpose. But Facebook said it has taken steps to limit RapLeaf’s ability to use any Facebook data. The transmission of private data may have been unintentional because the browsers were using a “referrer,” which transmits the data of the last page a user had visited. That link may include the user’s private information.

The Journal found that some LOLapps apps were transmitting users’ Facebook ID numbers to RapLeaf, which then linked those ID numbers to files it had previously created on the users. RapLeaf then embedded that information in a web-tracking file called a cookie. Arjun Sethi, chief executive of LOLapps, is scheduled to speak on a case studies panel at VentureBeat’s DiscoveryBeat 2010 conference in San Francisco tomorrow.

Update: Read Write Web has questioned whether or not the use of referrers is in fact a privacy violation.

Facebook has issued the following response.

“As part of our work to provide people with control over their information, we’ve learned that the design and operation of the Internet doesn’t always provide the greatest control that is technically possible.  For example, in the Spring, it was brought to our attention that Facebook user IDs may be inadvertently included in the URL referrer sent to advertisers. Here, WSJ has uncovered the same issue on Facebook Platform where a Facebook user ID may be inadvertently shared by a user’s Internet browser or by an application delivering content to a user.

While knowledge of user ID does not permit access to anyone’s private information on Facebook, we plan to introduce new technical systems that will dramatically limit the sharing of User ID’s.

This is an even more complicated technical challenge than the similar issue we successfully addressed last Spring, but one that we are committed to addressing. Our technical systems have always been complemented by strong policy enforcement, and we will continue to rely on both to keep people in control of their information.

It is important to note that there is no evidence that any personal information was misused or even collected as a result of this issue. In fact, all of the companies questioned about this issue said publicly that they did not use the user IDs or did not use them to obtain personal info.”

Facebook has also issued a blog post on the matter. Facebook’s Mike Vernal said in his post that “press reports have exaggerated the implications of sharing a user ID.” He noted that several applications were passing the User ID in a manner that violated Facebook’s privacy policy.（source:venturebeat）