Facebook punishes developers for passing on user IDs

Facebook's move comes as the company says it will not tolerate data brokers

Facebook is punishing several application developers for passing certain information to a data broker in the latest move by the social networking site to control growing concerns over privacy.

Facebook will deny those application developers access to "communication channels" for six months, wrote Mike Vernal, on Facebook's blog, late on Friday. The developers number fewer than a dozen, he said.

The developers were being paid by a data broker for user IDs, unique numerical identifiers assigned to the site's users, which can appear in a URL when they use the site.

As a result, "we will require these developers to submit their data practices to an audit in the future to confirm that they are in compliance with our policies," Vernal wrote. "This impacts fewer than a dozen, mostly small developers, none of which are in the top 10 applications on Facebook Platform."

After an investigation into online privacy by the Wall Street Journal, Facebook said last month that in some cases user IDs were inadvertently being passed on to applications, which is against Facebook's policy. The situation was due to a Web standard called referral URLs that lets a website know where a person was previously browsing.
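The leak described above can be reproduced offline. The following is an added example, not code from the article or from Facebook: it computes the `Referer` value a browser would send to a third-party host under several Referrer-Policy values (a browser mechanism the article does not mention), and the page URL, user ID and hosts are constructed sample values.

```javascript
// Constructed sample values: the page URL, user ID and third-party host are made up.
const USER_ID = "1234567890";
const PAGE = "https://social.example/profile.php?id=" + USER_ID;
const THIRD_PARTY = "https://ads.example/pixel.gif";

// Referer value sent for a request from `from` to `to` under a Referrer-Policy.
// Simplification: "downgrade" is treated as https -> non-https only.
function refererFor(policy, from, to) {
  const src = new URL(from), dst = new URL(to);
  src.hash = ""; src.username = ""; src.password = ""; // never sent in Referer
  const full = src.href;
  const originOnly = src.origin + "/";
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === "https:" && dst.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error("unknown policy: " + policy);
  }
}

// True when the user ID embedded in the page URL would reach the other host.
function leaksUserId(policy, from, to, userId) {
  const ref = refererFor(policy, from, to);
  return ref !== null && ref.includes(userId);
}

// One row per policy: what the third party receives and whether the ID leaks.
function report() {
  const policies = ["unsafe-url", "no-referrer-when-downgrade",
    "origin-when-cross-origin", "strict-origin-when-cross-origin",
    "same-origin", "no-referrer"];
  return policies.map((p) => ({
    policy: p,
    referer: refererFor(p, PAGE, THIRD_PARTY),
    leaks: leaksUserId(p, PAGE, THIRD_PARTY, USER_ID),
  }));
}

console.table(report());
```

Only the policies that send the full URL cross-origin expose the ID; the origin-only and no-referrer policies keep the query string on the originating site.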

The user IDs do not contain personal information, but could lead to information that the person has chosen to display publicly. The latest revelation, however, shows that some application developers were then passing those user IDs to a data broker. Those brokers typically compile information to sell to advertising networks so users can be targeted with ads that are related to their personal interests.

"Facebook has never sold and will never sell user information," Vernal said. "We also have zero tolerance for data brokers because they undermine the value that users have come to expect from Facebook."

The brokers claim the information is made anonymous enough so that individual users can't be identified, but privacy activists often question their methods.

Vernal wrote that Facebook is working on a "technical solution" to prevent inadvertent passing of user IDs, and will also work with browser vendors on the issue.

The technical fix, to be released next week, will allow application developers to share a unique but anonymous identifier with permitted third parties such as content partners, advertisers or service providers, Vernal wrote.

Facebook will also mandate that user IDs can't leave an application. Developers will still be allowed to use services such as Akamai and Amazon Web Services as long as the services keep the user IDs confidential, Vernal wrote.

In another development, Vernal wrote that Facebook has reached an agreement with a data broker called Rapleaf, which was storing user IDs. Rapleaf was one of many companies that stored user IDs and have now said they will delete the information from their databases.

But following a detailed story in the Wall Street Journal about Rapleaf, Facebook has taken further steps against the company.

Rapleaf has "agreed not to conduct any activities on the Facebook platform (either directly or indirectly) going forward," Vernal wrote.

Rapleaf scans the Web for e-mail addresses and links its findings with publicly available information, including census data, voter registration records and social networking profiles. It creates profiles for people, then takes steps to make those profiles anonymous.

Rapleaf partners with websites to use its system. When people log in to a website that uses Rapleaf, their e-mail addresses are looked up in the Rapleaf database to see whether a profile exists.

Cookies -- small files containing information about a person's interests -- are placed on the users' browsers. The cookies are then examined by advertising networks in order to serve ads based on interests in the users' profiles. The company said there is no personally identifiable information and nothing stored about a user's browsing behavior.


Stories by Jeremy Kirk
