Facebook Must Explain Security Rift

(CC) Brian Solis, www.briansolis.com
Mark Zuckerberg

The Democrat and Republican who head the U.S. House Bi-Partisan Privacy Caucus have asked Facebook CEO Mark Zuckerberg to answer questions regarding a privacy breach reported in the Wall Street Journal.

The Journal says many of Facebook’s most popular applications, including FarmVille, Texas HoldEm Poker and FrontierVille, are transmitting Facebook user ID numbers to advertisers, even if Facebook users set their profiles to the strictest privacy settings. The information is being transmitted in a “referer,” which sends the address of the last page viewed when a user clicks a link. On Facebook, referers include a user’s ID number.

U.S. Reps. Edward Markey (D., Mass.) and Joe Barton (R., Texas) initially gave Zuckerberg until Oct. 27 to say how many users had been affected by the breach, how soon Facebook knew about it and what changes the social network will make to prevent the problem from recurring. The deadline was extended into early November.

Facebook told the Journal that the breach violates its policies. It briefly suspended applications created by LOLapps Media Inc., which include Gift Creator, Quiz Creator, Colorful Butterflies and Best Friends Gifts.

The Journal reported that LOLapps applications and the Family Tree application were sending user ID numbers to marketing company RapLeaf, which then linked the ID numbers to files it had assembled on their owners. RapLeaf imbedded that information in a tracking file known as a cookie. "We didn’t do it on purpose," said Joel Jewitt, RapLeaf’s vice president of business development.

Facebook subsequently announced actions it is taking to repair the underlying cause of the privacy breach. "This underlying issue isn’t at all specific to Facebook and has existed across the Internet for years," said Andrew Noyes, Facebook’s manager of public policy communications in a statement. "However, within days of discovering the implications of this issue for applications on Facebook, we announced a solution — to encrypt all user IDs that applications access.

"But we aren’t stopping there. We’re going to work with browser manufacturers to address this issue on the browser level across the Internet," said Noyes.

Categories: Updates