Zynga implicated in Facebook privacy breach

Faith Merino · October 18, 2010 · Short URL: https://vator.tv/n/12ca

A WSJ investigation finds that all top ten apps have been transmitting user data to ad agencies

Facebook is caught up in another privacy imbroglio.  The Wall Street Journal reported Monday morning that the ten most popular apps on Facebook have been transmitting users’ personal information (even users with the strictest privacy settings) to at least 25 outside advertising and Internet tracking companies.  Three of those ten apps have even been transmitting users’ friends’ information.

The culprits

Zynga appears to be the biggest violator, accounting for six of the top ten apps, with FarmVille, FrontierVille, Texas HoldEm Poker, Café World, Mafia Wars, and Treasure Isle all found to have been transmitting user info to advertisers and online trackers.  Other apps include Phrases (an app for finding and sharing phrases and quotes), Causes (an online philanthropy company that just raised $9 million in Series C funding), Quiz Planet, and iHeart (an app that allows users to send hearts to friends).

Facebook prohibits apps from sharing user data with outside advertisers, and as of Monday morning several of the apps were unavailable to users (after the Wall Street Journal informed Facebook of the violations), except, notably, Zynga apps.  FarmVille accounts for the biggest share of Facebook users, with 59.4 million, and Texas HoldEm Poker comes in at number three with 36.3 million users. On the whole, Zynga dominates Facebook apps with almost 219 million monthly active users, followed by Crowdstar, which claims some 58 million users.

A Zynga spokesperson told the Wall Street Journal: "Zynga has a strict policy of not passing personally identifiable information to any third parties. We look forward to working with Facebook to refine how web technologies work to keep people in control of their information."

The firms

"The apps reviewed by the Journal were sending Facebook ID numbers to at least 25 advertising and data firms, several of which build profiles of Internet users by tracking their online activities," WSJ reported.

Defenders of such advertising tactics maintain that the practice is harmless and anonymous.  Not so, according to WSJ, which found that one data-gathering firm, RapLeaf Inc., was linking Facebook user information gathered by the apps to its own user database, which it sells to other firms.  WSJ’s investigation found that RapLeaf Inc. has also shared Facebook user information with a dozen other data-gathering firms.

RapLeaf’s VP of business development told WSJ: “We didn’t do it on purpose.”  That’s right.  RapLeaf was accidentally gathering and selling Facebook user data.  It happens to me all the time.  

“The article left out some points we raised during our conversation with the reporters,” a RapLeaf spokesperson said via email.  “When we discovered that Facebook IDs were being passed to ad networks by applications that we work with, we immediately researched the cause and implemented a solution to cease the transmissions… The transmissions, when they occurred, were not a result of any purposefully engineered process by Rapleaf. Instead, they were due to broader issues — as discussed in the article — concerning site referrer URLs, which are managed by sites themselves and ad networks.”

WSJ acknowledged that it is possible that app developers were not even aware that their apps were transmitting user data.  “The apps were using a common Web standard, known as a ‘referer,’ which passes on the address of the last page viewed when a user clicks on a link. On Facebook and other social-networking sites, referers can expose a user’s identity,” WSJ explained in the report.

But the Journal also contended that RapLeaf knew what it was doing, insisting that while RapLeaf says it strips out a user’s name before sharing information, the Journal’s investigation found that RapLeaf transmitted Facebook user IDs to a dozen other ad firms, including Google’s Invite Media.
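The referer behaviour described above can be checked directly. The following is an added example, not code from the article, the Journal or any of the companies named: it computes the Referer value a browser sends from a page whose address carries a user ID, under the standard Referrer-Policy values (a browser mechanism the article does not mention). The hosts, the `uid` parameter and the ID are constructed placeholders.

```javascript
// Constructed sample input: an app page whose URL carries a user ID,
// and a third-party ad request made from that page.
const PAGE = 'https://apps.example.test/farm/play?uid=100000123456789&ref=bookmarks#top';
const AD = 'https://ads.tracker.example/pixel.gif';
const USER_ID = '100000123456789';

// Referrer as browsers serialise it: no fragment, no credentials.
function fullUrl(u) {
  const c = new URL(u.href);
  c.hash = ''; c.username = ''; c.password = '';
  return c.href;
}

// Referer header value (or null for "not sent") for one request.
// "Downgrade" is simplified here to https page -> non-https target.
function refererFor(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl), target = new URL(targetUrl);
  const same = page.origin === target.origin;
  const downgrade = page.protocol === 'https:' && target.protocol !== 'https:';
  const full = fullUrl(page), origin = page.origin + '/';
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'origin': return origin;
    case 'same-origin': return same ? full : null;
    case 'strict-origin': return downgrade ? null : origin;
    case 'origin-when-cross-origin': return same ? full : origin;
    case 'strict-origin-when-cross-origin':
      return same ? full : (downgrade ? null : origin);
    default: throw new Error('unknown policy: ' + policy);
  }
}

// True when the ID appears as a query value or path segment of the referer.
function exposesId(referer, id) {
  if (referer === null) return false;
  const u = new URL(referer);
  return [...u.searchParams.values(), ...u.pathname.split('/')].includes(id);
}

// Policies under which the third-party request would receive the ID.
function leakyPolicies(pageUrl, targetUrl, id) {
  return ['unsafe-url', 'no-referrer-when-downgrade', 'origin', 'same-origin',
    'strict-origin', 'origin-when-cross-origin',
    'strict-origin-when-cross-origin', 'no-referrer']
    .filter((p) => exposesId(refererFor(pageUrl, targetUrl, p), id));
}

console.log(leakyPolicies(PAGE, AD, USER_ID));
```

Only the policies that send the full page address across origins pass the ID to the third party; the origin-only and same-origin policies withhold it.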

Facebook's privacy woes

The report does not bode well for Facebook, which has long struggled with user privacy and has been heavily criticized in the past for redesigning privacy settings to make a user’s information more visible and accessible.  Last spring the social networking juggernaut was widely criticized after a Wall Street Journal investigation found that the company was transmitting user data to outside advertisers when users clicked on ads.  Following the WSJ report, the company discontinued the practice.

Earlier this month, Facebook took measures to give users more control over how much information they share with apps by creating a control panel that shows users which categories of their information apps are accessing (for example, basic information).  It does not, however, show what information friends’ applications are accessing about a user.

Update: A Facebook spokesperson responded to my email with the following statement:

As part of our work to provide people with control over their information, we’ve learned that the design and operation of the Internet doesn’t always provide the greatest control that is technically possible.  For example, in the Spring, it was brought to our attention that Facebook user IDs may be inadvertently included in the URL referrer sent to advertisers.  Here, WSJ has uncovered the same issue on Facebook Platform where a Facebook user ID may be inadvertently shared by a user’s Internet browser or by an application delivering content to a user. 

While knowledge of user ID does not permit access to anyone’s private information on Facebook, we plan to introduce new technical systems that will dramatically limit the sharing of User ID’s. This is an even more complicated technical challenge than the similar issue we successfully addressed last Spring, but one that we are committed to addressing.  Our technical systems have always been complemented by strong policy enforcement, and we will continue to rely on both to keep people in control of their information.

It is important to note that there is no evidence that any personal information was misused or even collected as a result of this issue.  In fact, all of the companies questioned about this issue said publicly that they did not use the user IDs or did not use them to obtain personal info.  

Image source: facebook.com
