Facebook is facing yet another privacy fight after it emerged that millions of users’ details were being sent to advertising companies and online behaviour trackers.
The fault – first reported in the Wall Street Journal – centres on apps, such as Farmville, that the paper discovered had been providing access to people's details to dozens of advertising companies.
“The information being transmitted is one of Facebook's basic building blocks: the unique 'Facebook ID' number assigned to every user on the site,” the WSJ reported after an in-house investigation.
“Since a Facebook user ID is a public part of any Facebook profile, anyone can use an ID number to look up a person's name, using a standard browser, even if that person has set all of his or her Facebook information to be private.”
Facebook told PC Pro the problem was “ongoing” and said it was working with developers to resolve the issue.
The apps in question aren’t produced by Facebook, and break the company’s rules, but the fundamental problem is difficult to eradicate, Facebook said.
“The design and operation of the internet doesn’t always provide the greatest control that is technically possible,” a spokesperson said. "For example, this spring, it was brought to our attention that Facebook user IDs may be inadvertently included in the URL referrer sent to advertisers."
“Here, WSJ has uncovered the same issue on Facebook Platform, where a Facebook user ID may be inadvertently shared by a user’s internet browser or by an application delivering content to a user,” the spokesperson said.
Facebook told us that there was “no evidence that any personal information was misused or even collected as a result of this issue”.
However, the WSJ found that one advertising network had linked Facebook user ID information obtained from apps to its own database of internet users, which it sells. RapLeaf also transmitted the Facebook IDs it obtained to a dozen other firms, the newspaper found, although the company said it had resolved the issue.
“This is a serious potential privacy risk – and most Facebook applications are impacted by this issue,” said Rapleaf in its company blog.
“The underlying issue is with a piece of the HTTP header called the referrer URL. We recognise that referrer URLs are a major industry-wide problem with the structure of internet security, so Rapleaf has taken extra steps to strip out identifying information from referrer URLs.
“When we discovered that Facebook IDs were being passed to ad networks by applications that we work with, we immediately researched the cause and implemented a solution to cease the transmissions.”
According to the WSJ it was not clear if the apps transmitting data even knew of the potential breach, but Facebook has reportedly closed down some apps as a result.