Facebook vows to fix a flaw in data privacy in Farmville
SAN FRANCISCO — When you sign up for Facebook, you enter into a bargain. You share personal information with the site, and Facebook agrees to obey your wishes when it comes to who can see what you post.
At the same time, you agree that Facebook can use that data to decide what ads to show you.
It is a complicated deal that many people enter into without perhaps fully understanding what will happen to their information. It also involves some trust — which is why any hint that Facebook may not be holding up its end of the bargain is sure to kick up plenty of controversy.
The latest challenge to that trust came Monday, when Facebook acknowledged that some applications on its website, including the popular game FarmVille, had improperly shared information about users, and in some cases their friends, with advertisers and Web tracking companies. The company said it was talking to application developers about how they handled personal information, and was looking at ways to prevent this from happening again.
Having a user ID allows someone to look up that user’s name and any data posted on that person’s public profile, like a college or favorite movies, but not information that the user had set to be visible only to friends.
Privacy advocates and technology experts were split on the significance of the issue.
“That is extremely serious,” said Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation, an online liberties group.
Eckersley said advertisers could use the user IDs to link individuals with information they had collected anonymously about them on the Web. “Facebook, perhaps inadvertently, is leaking the magic key to tracking you online,” he said.
At the same time, Eckersley said there was no evidence that anyone who had access to this data had actually misused it.
Zynga, the maker of FarmVille and other games on Facebook that have a combined 219 million users, declined to comment.
Several technology pundits and bloggers minimized the issue, with some saying that credit card companies and magazines have access to far more detailed information about customers than any Facebook application.
Facebook also sought to downplay the importance of the leak, saying the sending of user IDs appeared to have been inadvertent. “Press reports have exaggerated the implications of sharing” a user ID, Mike Vernal, a Facebook engineer, wrote on a company blog for application developers. “Knowledge of a UID does not enable anyone to access private user information without explicit user consent.”