
New Facebook privacy breach involves apps leaking user data

Xeni Jardin at 5:58 pm Sun, Oct 17, 2010


Results of a Wall Street Journal investigation published today show that many of the most popular Facebook applications have been transmitting personally identifying information—in some cases, even your friends' names—to dozens of advertising and Internet tracking companies.

The issue affects tens of millions of Facebook app users, including people who set their profiles to be completely private. The practice breaks Facebook's rules, and renews questions about its ability to keep identifiable information about its users' activities secure.

The WSJ says affected apps include...

> Zynga Game Network Inc.'s FarmVille, with 59 million users, and Texas HoldEm Poker and FrontierVille. Three of the top 10 apps, including FarmVille, also have been transmitting personal information about a user's friends to outside companies.

Again, this means you may have been compromised even if you yourself didn't use the apps, but your friends did.

Facebook in Privacy Breach

(Photo: Facebook, a Creative Commons-licensed photo from the Flickr stream of Franco Bouly)


  • bkad

    Oh no! Not FarmVille!

  • ackpht

    So we’re all clear on “this was their business model all along”, right?

  • BungaDunga

    Not exactly a surprise. We’ve known apps could do this; it’s not a bug, it’s a feature. It’s how the API works.

  • TEKNA2007

    Friends don’t let friends drive Facebook.

  • jungletek

    Didn’t really need another reason to consider Zynga total fucking scumbags, but thanks!

  • Anonymous

    This has been known all along. If you don’t want your friend’s apps to give out your private data, you need to uninstall all your apps and then disable the entire app platform. That means not only can’t you play Farmville, but you can’t even update your Facebook from TweetDeck. But such is the price of privacy I guess.

  • princessalex

    Just another reason to be thankful I’ve never been on Facebook.

    • bklynchris

      Bwahahahaha! You are absolutely right!!!! It’s like catching a mouse, no matter where we move the traps, or what we bait it with, I still wake up in the morning and find teeny turds on my counter.

      Zuckerberg gets caught in one spot, makes us believe we can “protect” ourselves if we click through a menu maze, before we can even change our settings he’s found another way in.

      Closing my FB page is my New Year’s resolution.

  • dave78981

    I’m a bit bored with the whole “What’s the point of Farmville?” question. What’s the point of any game? They provide enjoyment, whether through the accomplishment of a goal or the completion of a task or a set of tasks. In addition, Farmville has an element of design that people enjoy too. In order to earn the in-game credits needed to purchase the pretty things, you have to complete tasks. Simple as that.

    What Farmville really has done is taken away gaming from the geeks and the nerds and given it to old ladies who can barely log onto Facebook and I think that really rubs the geeks and the nerds the wrong way.

    As far as privacy concerns, I’m in the what’s the big deal? camp. So the amorphous “they” knows my name and that I have a Facebook page and can look at my locked down profile? Have at it. You can see my hiking photos and some photos of me and my girlfriend eating pizza. You might find out that I’m pretty liberal when it comes to social issues. Big deal- I advertise that on my car. Christ, I have an ACLU sticker on my laptop.

    As far as being targeted for advertising- the system is laughably bad. I frequently get ads delivered to my FB page that couldn’t be more opposite of my interests. So I don’t really feel like my personal data is being used to unduly coerce me into buying stuff.

    And if you’re dumb enough to post pictures of yourself dressed as a hooker, fellating a dildo and then a few years later you decide to run for public office, then you deserve what you get.

  • EH

    And of course they don’t mention that this has been happening for what, years?

    Put it this way: Since pretty much everybody knows someone who is playing Farmville/Mobwhatever, Zynga now basically has a copy of Facebook’s entire friend structure.

    Since a Facebook user ID is a public part of any Facebook profile, anyone can use an ID number to look up a person’s name, using a standard Web browser, even if that person has set all of his or her Facebook information to be private

    Why isn’t what Facebook did (“default to open”) illegal yet?

    • KWillets

      Er, about that social graph: http://www.readwriteweb.com/archives/facebook_user_data_analysis.php .

    • skysky

      It’s tempting to want to outlaw or otherwise prevent “default to open,” but doing so would be a real pain in the ass. Twitter defaults to open, and good thing too because it’s a pain in the ass when people lock their tweets (I can’t tell if they’re worth following or not before I follow them). The standard on Twitter is that everything can be seen, and then people can choose how much information to divulge. I’m ticked off when people I might want to follow have protected tweets (though there are good reasons for protecting them, e.g. my friend in politics who has protected his personal tweets for the duration of a campaign).

      It’s OK that Twitter defaults to open because Twitter is set up in a way that makes things very simple and clear. There are only a few places to input information, and these input methods are much more impersonal and less specific than those of Facebook. Facebook is always trying to wheedle you into providing more personal information. Twitter is never going to ask you for the name of your significant other. It basically just gives you a couple of empty boxes and you can write in whatever you want.

      The real problem with Facebook is not its “default to open” policy. “Default to Open” actually becomes fairly harmless if you know that it is in fact Facebook’s policy, and if you know its ramifications. The problem is that Facebook is deliberately designed to mislead its users into ignorance or misunderstanding of these policies and ramifications, and is set up to try to extract exactly the sorts of information that one would likely want to keep private. Really, the bigger problem is not about facebook’s policies with its members at all, but rather with its policies toward Zynga and other 3rd parties that do business with the data members give it, as this privacy breach illustrates.

  • Robert

    I can’t help but think that while you and I may be fully aware of the information elements we put on FB, and fake some elements that we don’t wish to be known without any compunction, we must represent something like 1% of the Internet population. The rest just freely put birthdays, home addresses, and other dangerous stuff up.

    So while we might chuckle and shake our heads at the gullibility of people, it’s clear that we’re not exactly the norm. So rather than blame the masses, I’d rather put the blame squarely on FB.

  • EH

    Also, I’m sure Facebook doesn’t mind finding out who their dumbest users are when they inevitably introduce some “privacy” checkbox buried deep in your account settings. The stupidest users (i.e. best advertising targets) are the ones who don’t change the setting.

  • MrJM

    What makes Facebook immune to the common law crime of “fraud” — and what can I do to get similar immunity?

  • nixiebunny

    The fine WSJ article has mention of many app companies that were transmitting the Facebook user ID, yet when questioned, claimed that they didn’t transmit any personally identifiable information.

    The story doesn’t mention whether the reporter asked them if they transmitted these IDs or not. Perhaps reporters these days aren’t comfortable with catching people in lies.

  • NuOrder72

    I enjoyed Facebook for the first few months of reconnecting with long-lost classmates and old friends. However, I have never really made any REAL connections on Facebook that are of the least bit of value to me. Facebook, for people in my age group (30-40 years old), seem to use it to brag about their beautiful kids, their beautiful home, or their wonderful vacations to Disney or Hawaii…(It is the PERFECT place to put on appearances.)

    Reading about every little mundane detail of their lives is also not what I have in mind. I don’t think I could read another “cute quote” from a new parent who is going on and on about how their kid pronounces the word “Gorilla” as “Gu-wuh-wuh”…(UGH!!!) No doubt, facebook is the most FAKE place on earth. I hope we can someday come back to some type of normalcy in this world where people can reconnect in the real-life and meet out at bars or restaurants….(Which I actually do now, but you know what I mean.)

  • lesbianjesus

    The only thing real is my name (make sure you have a false dob for the inevitable identity hack some day), I have no apps, I audit my privacy settings. It’s the best I can do. Still have to be on there cause it’s the only way to talk to my son while he’s in college.

    Goes to show people just aren’t paranoid enough.

    • Anonymous

      > Still have to be on there cause it’s the only way
      > to talk to my son while he’s in college.

      Oh come on…it’s “the only way” to talk to your son? Ever heard of chat rooms, or email, or telephones, or texting, or Skype? Please, at least try and come up with a believable excuse for using Facebook.

  • lakelady

    another example of why I only use my real name on the internet on rare occasions. don’t want private info on the net? don’t post it. period. when are people going to learn this?

    • peacefrog

      so you think lakelady is discreet? do you think if someone knew you personally they would be able to guess?

      • Antinous / Moderator

        I use different pseudonyms everywhere except for the most bland and innocent sites. Plus, based on the number of times that ‘Antinous’ has already been taken, it’s in common use. It’s amazing to me how some people will say the vilest, most threatening things in a political forum and then post their home address under the same pseudonym in the knitting forum.

  • Anonymous

    When are people going to realize that these “accidental” security breaches are done on purpose? Seriously, how long before people get a clue?

    Do you think Facebook is your friend, or that they *really* give a damn about your privacy? NO, they don’t. Their job is to sell every bit of info on you at whatever the market will bear. I find it disheartening that people still believe that the hundreds and hundreds of ongoing personal information “leaks” are unintentional. Give me a break- I couldn’t code that poorly on purpose.

    Wake up, folks. It happens *regularly* and occurs in every single part of Facebook over and over again. And each time, lo and behold, it’s the advertisers who somehow end up with the data. Gee, what an amazing coincidence.

  • dave78981

    I predict the level of smugly righteous indignation in this thread will reach epic proportions

  • technogeek

    If there is information which you would mind seeing widely distributed, do not post it on a server which you do not control and which is not under contract to you to guarantee security.

    That includes BoingBoing. Not that I think anyone here is likely to abuse data, but it can be spidered, and the way to maintain a habit is to never let yourself get _out_ of the habit.

    There are reasons I have at least four separate online identities, plus an “employee” who registers for some things on my behalf. And I’m selective about what hits the net even in my e-mail.

    Heck, I recently went thru and cleaned a bunch of stuff off my hard disk because I wasn’t using it and didn’t want to think about whether it posed a risk.

  • Verre

    Seriously, what is the appeal of FarmVille? Can anyone explain this to me?

    • teapot

      > Seriously, what is the appeal of FarmVille? Can anyone explain this to me?

      I never got it either but, then I’ve never used it. I imagine it’s somewhat similar to how addictive Sim City is. Or Plants vs. Zombies….. I beat that game ages ago, but I still occasionally open it up just to water my lil’ guys in the garden. Crazy, maybe…but not as crazy as auto-posting status updates about it.

  • GuyInMilwaukee

    Careful with your apps, Eugene.

    • TEKNA2007

      > Careful with your apps, Eugene

      I get that! Very good.

  • KWillets

    “It’s not clear if developers of many of the apps transmitting Facebook ID numbers even knew that their apps were doing so. The apps were using a common Web standard, known as a ‘referer,’ which passes on the address of the last page viewed when a user clicks on a link. On Facebook and other social-networking sites, referers can expose a user’s identity.”

    OK, I work for Zynga, so I’m probably already guilty of some heinous crime I’m not yet aware of, but referer is a browser-supplied field. When you click on a link, the browser sends the url of the page you were on when you clicked it, in the http header. If you’re in your FB account the url includes your userid. ZOMG.

    Also, I wouldn’t put the comma inside the quote there.

    • TEKNA2007

      > Also, I wouldn’t put the comma inside the quote there.

      Zyng!

      Actually, it’s different in different countries, and now that we’re all reinventing the language as we go along, we’re seeing it both ways, but comma inside the quote has been standard in U.S. English for a while.

      Programmers don’t get that because it breaks nesting and makes it hard to parse, and why would anybody do it that way? That’s English for ya.

      • Anonymous

        I think you both misunderstand what he was referring to, and what a comma is.

      • Anonymous

        Wrong. The comma being referred to was unambguously in the wrong place. Read that post again and you’ll see why ‘referer,’ can never be right.

        Your response may have been a worthwhile point had you linked it to a relevant example. Personally I see no justification for the sentence punctuation being inside the quote. Punctuation inside the quote is punctuation of the quote; sentence (containing a quote) punctuation is outside the quote.

        As for this FB thing – I’m confused. Some say “no story – example, of the bleedin’ obvious, it’s a normal function of how these things work”, some say “no story – example of the bleedin’ obvious, it’s a normal function of how the evil empire of FB works”.

        I don’t suppose there is any chance of an objective evaluation of the allegation in the story – just so that those of us who want to, can say it’s a story about the bleedin’ obvious, but for the right reason?

        • Anonymous

          TEKNA2007 is not wrong: commas are often placed inside quotations in both cases. For an example you need look no further than The Elements of Style, which says that “typographical usage dictates that the comma be inside the marks, though logically it often seems not to belong there.”

          Personally I think your rule makes more sense, but it’s still a matter of convention, so I wouldn’t try to force other posters one way or the other.

          • Donald Petersen

            I, for one, appreciate TEKNA2007’s moderate (and accurate) response.

            Those that leap upon an “unambguously… wrong” placement of a comma, and then follow up the accusation with an unfortunately misplaced question mark at the end of a somewhat tortured declarative sentence, do thereby imprudently tweak the testes of Muphry.

          • Frank W

            Who’s Muphry?

          • Donald Petersen

            > Who’s Muphry?

            Nobody I know, but I understand he has a Law.

  • zibalatz

    In fact, we recognized and discussed a solution to this problem in the group “Anything PRIVATE shall never be made PUBLIC” over here:
    http://www.facebook.com/topic.php?uid=122212854462445&topic=81

    It is not overly difficult to fix the design of the API in order to both allow privacy and flexibility in app creation.

    BTW, the goal of this group is to come up with concrete solutions to FB’s privacy problems. Check it out here:
    http://www.facebook.com/group.php?gid=122212854462445

  • Promethean Sky

    I’m probably alone in this, but I really don’t give a damn about my privacy. Anything that I want kept private, doesn’t go online ANYWHERE. The vast majority of the stuff about me, I don’t care who knows. Fun fact: contained in this post is everything needed to find my facebook, email, real name, and tens of thousands of message board posts.

    Yes, I understand that what’s happening to other people here sucks. I fully believe that Zuckerberg needs a swift kick in the ass. But at this point, only a fool expects the stuff they do online to stay private. Make peace with that.

    • Chevan

      THIS THIS THIS THIS THIS

      The trick to using Facebook is to NOT CARE about the information you release while using it.

      Using Facebook is a transaction. You trade your information for use of the platform, its applications, and its server space. The reason Facebook is popular is that there are hordes of people who don’t believe that certain information is worth the effort it takes to keep it secret.

      My own rule of thumb is that information someone else could acquire by coincidentally sitting next to me in a public space while I’m having a conversation is not information I need to bother with protecting.

  • Antinous / Moderator

    Hmm. http://www.assbook.com/

  • meatpigeon

    I always follow the golden rule of the internet:

    If you don’t want people to find out about something don’t post it on the internet.

    Facebook is, ostensibly, an advertisement for your life. You can expect everything you post on there to be pretty much public.

  • Anonymous

    I think that part of the reason that FaceBook has been able to do these things is because they essentially have had no competition, and this has given members no choice but to continue to put up with Facebook’s lack of respect for members’ rights.

    We are about to launch a new kind of social network where members’ rights will be respected and where members have the opportunity to share in the value that the community creates.

  • satablank

    Good thing my facebook account doesn’t contain any personally identifying information about me.

  • KWillets

    I just went through an entire load of Frontierville in Firebug (over 500 urls) and found no requests outside of FB or Zynga. That doesn’t completely disprove the article, but I wanted to double-check in case I misunderstood it, and somehow FB and apps are sending out scads of background http requests to outside sites with referers containing user ID’s, etc. I couldn’t find anything. Not one outside pageload.

    The article seems to be basing its thesis entirely on the case where the user sees an ad, clicks on it, and the linked site sees the referer with a userid in it, in addition to all the stuff the site can see since the user is deliberately connecting to it.

    So, to re-create this increasingly far-fetched scenario, I clicked on an ad, and found that it POSTs some stuff to a script called end.php, and the ad link loads in a separate window. The referer on that window does not appear to contain my userid at all, only the end.php url with some gobbledygook which appears to be anonymized tracking info, exactly what I would want it to have (well, ideally no tracking info, but close enough).

    I’m failing to find a smoking gun here. I can’t prove that it doesn’t happen, of course, but so far I’ve found nothing.
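
The manual check KWillets describes in the two comments above (a browser-supplied Referer carrying a user ID, and a pass over every request of a page load in Firebug) can be automated over a HAR capture of the same session. This is an added example, not part of the original thread; the first-party domain list, the hostnames, the `uid` parameter and the sample ID are constructed assumptions, and it also checks the request URL itself, which goes slightly beyond the Referer case discussed.

```javascript
// Audit a HAR capture for a known user ID reaching third-party hosts,
// either in the Referer header or in the request URL itself.

// Hosts treated as first party for this audit (assumption for the example).
const FIRST_PARTY = ["facebook.com", "zynga.com"];

function isFirstParty(host) {
  return FIRST_PARTY.some((d) => host === d || host.endsWith("." + d));
}

// Case-insensitive lookup in a HAR request's headers array.
function header(request, name) {
  const hit = (request.headers || []).find(
    (h) => h.name.toLowerCase() === name.toLowerCase()
  );
  return hit ? hit.value : null;
}

// True if userId appears as a whole number (not inside a longer number),
// checking the raw text and up to two rounds of percent-decoding so that
// an ID nested inside an encoded URL parameter is still found.
function containsId(text, userId) {
  if (!text) return false;
  const re = new RegExp("(^|[^0-9])" + userId + "([^0-9]|$)");
  let current = text;
  for (let round = 0; round < 3; round++) {
    if (re.test(current)) return true;
    let decoded;
    try {
      decoded = decodeURIComponent(current);
    } catch (e) {
      break; // malformed escape sequence: stop decoding
    }
    if (decoded === current) break;
    current = decoded;
  }
  return false;
}

// Return one finding per third-party request that carries the ID.
function findLeaks(har, userId) {
  const id = String(userId);
  if (!/^\d+$/.test(id)) throw new TypeError("userId must be numeric");
  const leaks = [];
  for (const entry of har.log.entries) {
    const req = entry.request;
    let host;
    try {
      host = new URL(req.url).hostname;
    } catch (e) {
      continue; // skip entries without a parseable URL
    }
    if (isFirstParty(host)) continue;
    if (containsId(header(req, "Referer"), id)) leaks.push({ host, via: "referer" });
    if (containsId(req.url, id)) leaks.push({ host, via: "url" });
  }
  return leaks;
}

// Constructed sample capture (not real traffic).
const SAMPLE_ID = "1234567890";
const APP = "http://apps.facebook.com/examplegame/";
const SAMPLE_HAR = { log: { entries: [
  { request: { url: APP + "index.php?uid=" + SAMPLE_ID, headers: [] } },
  { request: { url: "http://tracker.example/pixel.gif",
      headers: [{ name: "Referer", value: APP + "index.php?uid=" + SAMPLE_ID }] } },
  { request: { url: "http://ads.example/landing",
      headers: [{ name: "referer", value: APP + "end.php?t=ab12cd" }] } },
  { request: { url: "http://metrics.example/c?ref=" +
      encodeURIComponent(APP + "?uid=" + SAMPLE_ID), headers: [] } },
  { request: { url: "http://cdn.example/a.js",
      headers: [{ name: "Referer", value: APP + "?session=9" + SAMPLE_ID }] } },
] } };

console.log(findLeaks(SAMPLE_HAR, SAMPLE_ID));
```

An empty result for a capture only says that the ID was not sent in these two places during that session, which matches the limit KWillets notes on his own check.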

  • Cowicide

    People look at me like I’m nuts when they ask if I’m on Facebook and I say no (except for my “secret” dummy lurker account). And I look at them like they’re nuts for using it so much and tell them if they want to talk with ME, I have an email.

    Don’t really care if you had a bunch of undigested peanuts in your stool that day and want me and everyone else to know about it on your Facebook page.

    Sigh…. if having Facebook is a requirement for hanging out with someone, then I figure that’s a good sign that they are a bore and don’t deserve my company. Hahaha….. twits.

  • ADavies

    Skysky nails it.

    Facebook creates the illusion (or promise) of privacy. I think they do this on purpose because it encourages more open sharing and discussion, which makes Facebook feel more valuable to people.

    I bet if people realized how public their content is, they’d think a lot harder before posting.

  • Aloisius

    This deserves one and only one response:

    Duh.

  • katnipkitkat

    I don’t care about my privacy. Back in the good old days someone could just look me up in the phone book and come straight to my house. Now I live in Japan. All my friends are still in the US. I use Facebook to keep in contact with all my friends in one place. I rarely look at my email accounts, they are always so full of junk mail. I put all the information about me that I could in Facebook because I want people to find me.

  • Anonymous

    I use my real name in everything I do.

  • Anonymous

    At least FB strips the EXIF info from uploaded photos. The thought of my phone automatically adding location info to pictures I take with the phone is far more troubling than the possibility that FB might share some information I knowingly posted to the site.

  • Todd Knarr

    The problem isn’t exactly that your Facebook ID’s being handed out to third parties. The real problem is that those third parties have (or have access to) histories of user behavior that are probably anonymous, but given a tie between a Facebook ID and a particular behavior history they can not only put a name to that user but also put together multiple otherwise-anonymous and otherwise-unconnected behavior histories belonging to the same person. THAT is the problem.

    I think what we need isn’t more laws trying to enforce privacy. I think what we need is simply a law saying that the behavior history of a person (eg. what Web sites and pages they’ve visited) belongs to that person, and that an entity collecting and using that information is collecting and using the property of that person. Now they can be sued for damages in the amount of the fair market value of the information they’ve misappropriated from its owner, and you’d get to use their own statements about the value of this information against them.

  • Cynical

    I’m another one who fails to see how this is a real problem. So they get my name, the uni I’m studying at and the fact that I’m friends with people I know? You could reasonably extract that information from my email address and I don’t really see what use it is to advertisers.

    I use adblock and don’t tie in my “likes” to actual pages (out of a vague sense of distrust more than any actual concrete security fears) and even then I’m not entirely sure why I bother, beyond the fact that page ads are generally ugly and distracting as hell.

    Can someone tell me why this activity poses a security risk to me? My address and phone number aren’t on there, neither is my full dob. The worst case scenario I can come up with is that an advertiser will spot that I like Massive Attack and try to sell me concert tickets, which I won’t be aware of because of adblock.

  • cjp

    Fake name, fake D.O.B., fake interests to go along with my fake Facebook friends and no drunken party shots = no worries. Pretty simple concept, really. Who would put their real info on the net?

    • Anonymous

      If that’s truly the content of your facebook account why do you even have one? :p

      Having your real name on the internet attached to no other personal data is no more dangerous than simply having a name.

  • angusm

    I am shocked, just shocked I tell you. I never for a minute imagined that something like this would happen.

  • GraemeM

    I have around 70 “friends” on Facebook, less than 10 family, a few real friends and a quickly growing number of people who I have never and will probably never ever meet. If anything this information is totally useless unless you want to know how many allies I have on Facebook games.

    I did this not because I wanted to (although it is fun to peek at their walls and discover just how much alike we really all are) but you have to in order to advance in the game.

  • SamSam

    > Fake name, fake D.O.B., fake interests to go along with my fake Facebook friends

    Wow, that’s brilliant. Except, what the hell’s the point? Is it just to get onto FB to see pictures of other people’s drunken party shots?