Facebook user IDs distributed by application developers

News by Dan Raywood

Facebook has admitted that some of its applications have distributed user IDs without user consent.


According to a report in the Wall Street Journal, many of the most popular applications on the social networking site have been transmitting identifiable information to dozens of advertising and internet tracking companies.

The report claimed that the issue affects tens of millions of Facebook app users, including people who set their profiles to Facebook's strictest privacy settings. The practice breaks Facebook's rules and renews questions about its ability to keep identifiable information about its users' activities secure.

The information being transmitted includes the unique ‘Facebook ID’ number that is assigned to every user on the site. For users who have not set their privacy to maximum, the Facebook ID reveals information they have set to share with ‘everyone’, including age, residence, occupation and photos.

The apps reviewed were sending Facebook ID numbers to at least 25 advertising and data firms, several of which build profiles of internet users by tracking their online activities.

Writing on the Facebook developer page, Mike Vernal said the site's policy is very clear about protecting user data, ensuring that no one can access private user information without explicit user consent.

He said: “Further, developers cannot disclose user information to ad networks and data brokers. We take strong measures to enforce this policy, including suspending and disabling applications that violate it.

“Recently, it has come to our attention that several applications built on Facebook Platform were passing the User ID (UID), an identifier that we use within our APIs, in a manner that violated this policy. In most cases, developers did not intend to pass this information, but did so because of the technical details of how browsers work.”

He claimed that press reports ‘have exaggerated the implications of sharing a UID’, as knowledge of a UID does not enable anyone to access private user information without explicit user consent.

“Nevertheless, we are committed to ensuring that even the inadvertent passing of UIDs is prevented and all applications are in compliance with our policy. We have experience addressing this sort of issue previously, although the technical challenges here are greater. We are talking with our key partners and the broader web community about possible solutions. We will have more details over the course of the next few days,” he said.

Chester Wisniewski, senior security advisor at Sophos Canada, said: “To Facebook's credit, this time the problems are not entirely their fault, but this is yet another example of how their free and loose approach to user data continually exposes their users to risk.

“Facebook says they will look into this problem and take actions to correct it. This will not be an easy task, and it doesn't solve the problem. Facebook has made a major push in the last year to become a provider of federated identity.

“Typically, people access hundreds of services over the internet. Maintaining separate, secure logins and passwords for all of these sites is difficult, but you can now use your Facebook credentials to log into many of these services, cementing Facebook's goal of being a central source of identity. Unfortunately, most Facebook users do not understand how easy it is for all this data to be tied together and to make its way into the hands of marketers and others who can make a lot of money from their identity.”

