Practical Ecommerce

Facebook Privacy ‘Breach’ Versus Public Information

“Facebook in Privacy Breach” is the title of the recent Wall Street Journal article. It describes the transfer of Facebook user IDs from Facebook application providers to data gathering companies.

But Facebook user IDs are public and are otherwise embedded in the URLs of Facebook account holders’ profiles. As such, is the transfer, willful or not, of those user IDs a “breach?”

We put that question to our own social media director, Paul Chaney, a Facebook expert. He has reported here extensively on Facebook and Facebook apps, and we solicited his views on The Wall Street Journal report and on the sharing of publicly available information.

Practical eCommerce: The breach involved Facebook applications, a topic we’ve reported on extensively. What, exactly, was breached? Was it a Facebook error or an error by Facebook application providers?

Paul Chaney: “According to The Wall Street Journal, who broke the story, a number of Facebook application providers provided outside agencies the Facebook user IDs of the applications’ customers. So, it really wasn’t a breach as much as a transfer of user IDs by application providers to outside agencies. The apps that transferred the information are those used by individuals, and include games like Farmville, Frontierville, Mafia Wars, and Texas Hold’em. The accompanying Wall Street Journal article includes a list of the ten offending apps, many of which appear to be created by popular Facebook gaming company, Zynga. Most of the apps have been suspended, as I understand it, for a period of time until this issue is resolved.

“To the extent that this is a problem, both Facebook and the app providers have culpability. Facebook includes user IDs in referring URLs. That’s just how the Facebook platform works. The user ID is the unique identifier the system uses to know who is who. I should add that a number of pundits suggest this issue is overblown. This includes the editor of TechCrunch, Michael Arrington, who addressed it in this TechCrunch article.

“The app providers were passing along this information to third party agencies and advertisers. Facebook addressed it in its ‘Developer Blog’ and stated, ‘in most cases, developers did not intend to pass this information, but did so because of the technical details of how browsers work.’

“However, another group, Facebook users, also has culpability. It’s not without merit to suggest that if individuals put information online and make it public, that the data is not ‘fair game’ to those who, for whatever reason, want to scrape it. We can’t expect entitlement. Some would go so far as to say the term ‘Internet privacy’ is an oxymoron.

“That’s not to excuse either Facebook or the app providers, however. And, to Facebook’s credit, the company said that even though app providers may have done so in ignorance, such behavior is a violation of Facebook’s privacy policy, and it has taken action to rectify the problem.”

PEC: Does it involve any ecommerce-related applications that you are aware of?

Chaney: “The lists I’ve seen include only games used by individuals by means of their personal profiles. To my knowledge, no ecommerce-related applications, such as those used on Facebook pages, appear to be among the apps listed. I contacted a couple of such companies and neither of the persons I spoke with knows of any ecommerce app providers (or any Fan page app providers, for that matter) who were guilty of this behavior.”

PEC: A social commerce critic might contend that this is another reason not to place a third-party company (Facebook) between an ecommerce site and a consumer. You can’t control the actions of the third-party relative to your customers’ information. Thoughts on that?

Chaney: “Doubtless, there are risks anytime a third-party enters the picture, just as there are benefits. It’s a matter of weighing one against the other. In the case of Facebook, due to its enormity of size and continued rampant growth, I think the opportunities outweigh any liabilities. But, yes, there are liabilities and everyone will have to make up their own mind about such things.

“In this case, only information that was publicly available to begin with was what was shared. And, in spite of past gaffes, Facebook takes its privacy policies very seriously now.”

PEC: The Wall Street Journal says the “breach” involved sharing user IDs with marketing agencies. A Facebook user ID is public information, isn’t it? Why the dustup?

Chaney: “Precisely. This is publicly available information. But, that’s not The Journal’s main issue. It’s that there is a ‘growing field of companies that build detailed databases on people in order to track them online,’ to use The Journal’s phrase. It has been tracking this issue for some time.

“For whatever reason, it appears they chose to make Facebook a whipping boy. Keep in mind, The Journal is owned by Rupert Murdoch’s News Corp., which also owns MySpace. I’m not suggesting that has anything to do with it, except that I wonder if The Journal is also investigating MySpace, which runs many of the same apps, as listed on this MySpace page.

“However, this is a web-wide issue, not just isolated to Facebook. Data spiders and bots have been around for years scraping most everything. And, let’s not forget about cookies and the information they retain.”

PEC: Say I’m an ecommerce merchant. I use a Facebook app to sell my products on Facebook. Facebook users buy my products on that app, and then the app providers sell my customers’ user names to a marketing company. How should I feel about that?

Chaney: “First, let’s be clear, no such app providers were named as party to this breach. To my knowledge, none participate in that kind of behavior. But, hypothetically speaking, let’s say that happens. Well, I’d be angry. That’s not what I signed up for when making that transaction and I would expect the company to respect that.

“The real ‘breach’ here is one of trust. I’m trusting these third parties to look out for my best interests, when, ultimately, that’s my responsibility. No one is going to look out for my well being to the degree that I will. If I don’t want information shared, then I don’t need to make it public.”

PEC: Anything else our readers should know about this topic?

Chaney: “The Huffington Post published a tutorial on Facebook privacy settings that can help users concerned about this issue nail down how apps can interact with them and what information gets shared.

“What we have here is a clash of worldviews. One assumes a right to privacy. Another assumes that, on the Internet, nothing is private. Those two extremes are heading for a clash.

“A Facebook friend of mine, Tom Cunniff, creative director at consumer package goods company Combe Incorporated, put it this way: ‘It’s only a matter of time until there is a gigantic privacy backlash. Predictions: 1) It won’t be fair (the event that sparks it will probably be a combination of malfeasance and user error). 2) There will be an over-reaction including legislation that makes some problems even worse. 3) Despite digital industry hand-wringing, we will find a new “normal” that’s just as good or better than today.’

“Perhaps Mike Arrington, the TechCrunch editor, said it best, ‘If you do stuff online, people are tracking it and putting it into a database and trying to sell you stuff based on that. There’s not much you can do about it except not be online.’”


  1. eKasia October 20, 2010

    I believe that Bruce Schneier said it better: "…the very notion that we have to educate people about Internet security means that we, as security technologists, have failed in our jobs. Security needs to be built in; technology is changing so fast that people don’t have time to develop an intuition about Internet security; we need to build security that protects people despite themselves."

    Most people simply do not understand how these technologies work, or the potential repercussions, but that does not make exploiting them OK.

  2. facebookbreach October 27, 2010

    Hi,

    I have a client who came to me for help with an outrageous privacy breach involving Facebook.

    A person had several email accounts at completely different email providers, like GMail, Google Apps, Yahoo, Hotmail etc. These email accounts were strictly separated and used to communicate with completely different groups of people. Not a single contact from one group ever sent or received an email using any of the other accounts.

    This person created several unrelated Facebook accounts under different names using those unrelated email addresses.

    Surprise! People from those unrelated groups got a popup in their Facebook accounts that they may know that person. They indeed knew him and he knew them. But everything was messed up. His clients from his business account somehow got a popup from unrelated personal Facebook account that the client never wanted to expose to his clients. The accounts were under different names, registered with different phone numbers, different birthdays.

    How is this possible? How deeply does Facebook do data mining? Do they monitor people’s private mailboxes with popular email providers like GMail, Google Apps, Yahoo, Hotmail? Even if they do, what other mechanisms do they use to identify people’s friends and contacts?

    Can anyone explain how this situation is even possible?

    I think I don’t have an answer. If you do, please contact me as I would love to have an explanation for myself and pass it to my client.

    Regards,
    Vlad

    http://www.604-GET-HELP.com