The top 10 applications on Facebook have all been transmitting user data, including access to people’s names and, in some cases, their friends’ names, to dozens of advertising and Internet tracking firms, according to a news report.
The Wall Street Journal investigation found that the issue affects tens of millions of Facebook app users, including people who set their profiles to Facebook’s strictest privacy settings.
The Journal found that all of the 10 most popular apps on Facebook were transmitting users’ IDs to outside companies, including well-known games such as FarmVille, Mafia Wars and Texas Hold’em.
Responding to the report, Facebook has admitted to the problem, which it said was ‘inadvertent’ and was down to a technical fault.
A spokesperson for the social network said it is taking steps to “dramatically limit” the exposure of users’ personal information id it is taking steps to “dramatically limit” the exposure of users’ personal information, It is unclear how long the breach was in place.
The practice breaks Facebook’s rules, and renews questions about its ability to keep identifiable information about its users’ activities secure.
It’s not clear if developers the named apps even knew that they were transmitting this data.
The apps were using a common Web standard, known as a “referer,” which passes on the address of the last page viewed when a user clicks on a link. On Facebook and other social-networking sites, referers can expose a user’s identity.
Speaking to the WSJ, a Facebook spokesman said: “A Facebook user ID may be inadvertently shared by a user’s Internet browser or by an application.”
He added that knowledge of an ID “does not permit access to anyone’s private information on Facebook,”, adding that the company would introduce new technology to contain the problem identified by the WSJ.
“Our technical systems have always been complemented by strong policy enforcement, and we will continue to rely on both to keep people in control of their information,” the Facebook official said.
The apps, ranked by research company Inside Network Inc. (based on monthly users), include Zynga Game Network Inc.’s FarmVille, with 59 million users, and Texas HoldEm Poker and FrontierVille. Three of the top 10 apps, including FarmVille, also have been transmitting personal information about a user’s friends to outside companies, the WSJ found.
Several apps became unavailable to Facebook users after the WSJ told Facebook that the apps were transmitting personal information; the specific reason for their unavailability remains unclear.
The information being transmitted includes the unique “Facebook ID” number assigned to every user on the site., which allows anyone to look up person’s name, even if a user’s profile is set to private. For other users, the Facebook ID reveals information they have set to share with “everyone,” including age, residence, occupation and photos.
The apps reviewed by the Journal were sending Facebook ID numbers to at least 25 advertising and data firms, several of which build profiles of Internet users by tracking their online activities. Facebook prohibits app makers from transferring data about users to outside advertising and data companies, even if a user agrees.
One firm, RapLeaf, was found to have linked Facebook user data gleaned from its catalogue of apps to its own database of internet users. RapLeaf said the data breach was unintentional.
Zynga, the company behind FarmVille, said it would work with Facebook to refine web control technologies to better ensure the preservation of personal information.
Writing in the company blog, Mike Vernal, a Facebook engineer, said: “In most cases, developers did not intend to pass this information, but did so because of the technical details of how browsers work.”
“Press reports have exaggerated the implications of sharing a UID. Knowledge of a UID does not enable anyone to access private user information without explicit user consent. Nevertheless, we are committed to ensuring that even the inadvertent passing of UIDs is prevented and all applications are in compliance with our policy.”
Read the full WSJ report here.