Over the weekend, the Wall Street Journal, in its continuing series of excellent articles about online privacy, released a controversial story about Facebook apps transmitting identifying information to outside advertisers — in clear violation of Facebook policies. In response, a number of other media outlets have collectively shrugged their shoulders, maintaining that sending this information happens all the time and no one should be particularly concerned. Did the Journal overreact? Or are the others missing the point?
The Journal reported that all of the top ten apps on Facebook (Farmville, Causes, Mafia Wars and so on) were inadvertently sending a user's Facebook ID to the advertising partners that delivered ads while users interacted with the apps. This happened despite Facebook's requirement that app developers never transmit personally identifiable information to advertisers, and despite the affirmative promises that many (if not all) of the app developers had made in their privacy policies not to transmit such information.
The allegation here is not that the apps were sending private info from your Facebook profile. It's that those apps' advertisers could easily look up your real name based on the Facebook ID: the ID was embedded in the URL of the app page, the browser sent that URL as the HTTP Referer header with every ad request, and a numeric Facebook ID can be resolved to a profile page simply by visiting facebook.com/profile.php?id=<that number>. Dozens of advertising networks and data aggregators already have detailed profiles about consumers based on the data they collect on thousands of websites; those websites report to the networks which pages the consumer visits, and the ad network assembles a profile based on those sites that it then uses to determine which ads to serve. But those profiles aren't linked to a real name — they're just linked to a unique cookie named "G5reR64ewge32" or the like. Heretofore, linking those "anonymous" (really pseudonymous) profiles to real-name identity has been a Rubicon that the advertising industry has been reluctant to cross.
Indeed, this is precisely what the Federal Trade Commission investigated DoubleClick for back in 2000. At that time, DoubleClick had acquired a small company named Abacus that could have allowed it to use real names to add offline data to its online behavioral profiles. In response to the FTC investigation and public outcry, DoubleClick dropped its plans to join up this information (and still, to this day, makes affirmative representations that it won't link behavioral profiles to personally identifiable information). Now, however, it looks like any advertiser who served ads to any of the biggest Facebook apps could have easily made the connection since the apps were reporting back not just that a previously pseudonymous user was playing FrontierVille, but also, by the way, here's a unique ID you can easily search to find out the user's real name.
From Facebook's point of view, this was more of a security issue than a privacy issue — certainly Facebook never intended for its app developers to transmit this information off-site, and explicitly required in its developer terms that apps not send along personally identifiable information. Giving away identifying information for free to ad network competitors is hardly in Facebook's interest. However, last May it was shown that Facebook itself had been inadvertently sending out real-name IDs in referring URLs to its own advertisers; Facebook quickly fixed the problem then, but should have asked whether identifying URLs could leak off the site by other routes, including the pages of third-party apps that carry the same IDs.
Long-Running Concern
CDT has long been concerned about companies merging a consumer's distinct personas into one massive all-encompassing identity. We criticized Facebook's initial rollout of "Instant Personalization" which combined by default a user's pseudonymous participation on websites like Yelp and Pandora with their Facebook presence, and sent information about what users did on those other sites to their Facebook friends. And if real name linkage to online behavioral advertising profiles is the uncrossed Rubicon, a number of companies are starting to dip their toes in the river.
The Wall Street Journal article references one company named Rapleaf whose business model is to scrape social networking sites for publicly available information on consumers to use in online advertising. Rapleaf acknowledged to the Journal that it used the Facebook ID in compiling its database of consumer profiles. To date, no other ad networks or data aggregators have admitted to using the Facebook ID in such a way.
Rapleaf (and others) have for some time been seeking ways to append to advertising profiles information from distinct online personas as well as offline consumer data. As social networking continues to grow and consumer data becomes easier to collect and match up — and as more and more players, including app developers and data aggregating intermediaries, exchange that data — consumers will find it increasingly difficult to limit the exposure of their information and to maintain separate identities online and off, unless some clear rules are set, in both law and technology. (As a side note, CDT has engaged with Rapleaf in the past, one of many interactions we have with companies to urge better corporate practices on privacy and other issues. As part of our engagement with Rapleaf, my colleague Jim Dempsey was a member of Rapleaf's privacy "advisory board," which urged the company to address a range of privacy issues. Last week, when inquiries by the Wall Street Journal led us to conclude that Jim's involvement was being perceived as an endorsement of Rapleaf's practices, Jim resigned from the advisory panel. We will continue to talk with any company that wants to improve its privacy practices, but we do not endorse any company by doing so.)
We hope that Facebook and its app developers work quickly to stem this latest leak of identifying info. As some bloggers have posited, it could be as easy as inserting a single character into the referring URLs: a "#" placed before the part of the URL that carries the ID turns that part into the URL fragment, and browsers never include the fragment when they send a Referer header, so the ad server would see only the page's path, not the ID.
But this is not solely a glitch to be patched. The latest controversy highlights the serious policy issues that are unresolved in both the apps space and in online profiling. Both industry practices and legal rules need to catch up, quickly, with clear and enforceable standards. That is why CDT supports comprehensive baseline federal privacy legislation, with adequate rulemaking authority for the FTC. That is also why we support strong FTC enforcement using its existing authority.
Back to the question of whether the Journal story is no story at all. Despite what TechCrunch says, the linking of information across profiles and the combining of online and offline data are not the way the web used to work, nor is it how the web should work. Referring URLs may be normal, but they do not have to include IDs that can be linked to other identifying information. In fact, before the rise of the social web, few if any referring URLs carried embedded IDs that were publicly searchable to reveal real names. Now that the risk is clear, that should be changed.
Alternatively (or better yet, in addition), browsers could be configured to stop sending the referring URL with every HTTP request, or to send only the referring site's origin rather than the full URL with its query string. (CDT will be issuing a report next month comparing the various browsers' privacy controls, including controls over blocking transmission of referring URLs.) For years, the browser makers have had the ability to fix this issue (and similar ones) across the entire web, not just Facebook, and the time is long overdue for strong default privacy settings to be built directly into every browser.