Facebook Apps transmit Personal IDs and Friends' Names to Advertisers

Hmm. This is very interesting.<p>A few facts:<p>1. When you embed an iframe with fb:iframe, the parameters Facebook passes to your app get passed to the iframe automatically. This includes the Facebook UID. This is the way everyone has always embedded Facebook ad units and AFAIK nobody has ever been punished for doing so. I've had people at Facebook look over my apps with a fine tooth comb when dealing with TOS violations and this has never once come up.<p>2. Facebook will take action against apps if people use fb-provided widgets in ways that "violate" the TOS, i.e., if Facebook's own widgets violate the TOS they will take action against the app.<p>This happened to be with the fb:wall widget, where Facebook told me I wasn't allowed to have comments auto-post to people's walls (the default behavior) and must include a "report" link to every comment (impossible / not a feature of fb:wall). They disabled feed posting for one of my apps due to that "violation."<p>3. Facebook, as an organization, hates, hates, hates bad press. They will move mountains to prevent or preempt bad press. I've had people at Facebook tell me more-or-less verbatim that whatever I did, my applications were not allowed to generate bad press for Facebook. If they did, I would be banned.<p>4. Facebook will scapegoat companies. When the Scamville drama happened, Facebook banned Gambit payments from the platform and threatened any application developer with banning if they used Gambit. They were no worse than Offerpal or Super Rewards with respect to the types of offers they were running -- everyone was getting their offers from the same pool -- but Facebook banned Gambit and implicitly endorsed Offerpal and Super Rewards.<p>Gambit was the smallest of the three, so the general feeling in the FB developer community is that they picked the weakest one and took them out to show how "serious" they were in dealing with the problem. They also made SR and Offerpal clean up their offers and punished Zynga for running questionable offers, but only Gambit was permanently and forever banned.<p>So, given the above, I have to wonder...did Facebook ban lolapps, the smallest of the major FB game companies, from the platform as a way to preempt the press fallout from this article?<p>Very interesting.

Specifically:<p>"The apps, ranked by research company Inside Network Inc. (based on monthly users), include Zynga Game Network Inc.'s FarmVille, with 59 million users, and Texas HoldEm Poker and FrontierVille. Three of the top 10 apps, including FarmVille, also have been transmitting personal information about a user's friends to outside companies...<p>The information being transmitted is one of Facebook's basic building blocks: the unique "Facebook ID" number assigned to every user on the site. Since a Facebook user ID is a public part of any Facebook profile, anyone can use an ID number to look up a person's name, using a standard Web browser, even if that person has set all of his or her Facebook information to be private. For other users, the Facebook ID reveals information they have set to share with "everyone," including age, residence, occupation and photos.<p>The apps reviewed by the Journal were sending Facebook ID numbers to at least 25 advertising and data firms, several of which build profiles of Internet users by tracking their online activities."

In the article, Rapleaf says de-anonymized linking of ID's to real names "wasn't intentional." That's a little hard to believe -- isn't the point of the company to have a massive person database of information like this?

<i>The apps reviewed by the Journal were sending Facebook ID numbers to at least 25 advertising and data firms, several of which build profiles of Internet users by tracking their online activities.</i><p>This doesn't surprise me at all, it was just a matter of time before ad networks and retargeters, et al, caught up to include Facebook. FB's "social plugins" and the cookies they leave laying around give these companies an incredibly reliable way of identifying unique users and mapping their profiles. Which is very valuable to them.<p>One of the larger sites I run was recently approached by an ad network to drop a pixel upon user registration that would pair a user's email address with an identifier for unique tagging within their ad network. I declined for ethical reasons, but it was interesting nonetheless to see that this pairing is so valuable to ad networks, that they would pay for it separate from any display services.

Serious question:<p>How many people <i>didn't</i> see this coming?<p>Using an app gives it additional info about you, and <i>nothing</i> prevents it from passing that along to outside sources. And now we find out that <i>all</i> of the top 10 applications are doing just that? Surprise, surprise.<p>Anyone who thinks Facebook is <i>anything</i> other than a machine that turns your information into cash for Facebook is kidding themselves.

When you sign into a facebook app you give away all sorts of interesting information. Check out <a href="http://www.rabidgremlin.com/fbprivacy/" rel="nofollow">http://www.rabidgremlin.com/fbprivacy/</a> and click on the "view raw data" links to see what I mean.

This to me is probably the first large visible salvo in the coming "personal information wars" I've personally predicted for some time now that we can expect to see for the next 10-20 years play out between corporations and consumers.<p>On the one side, you've got ad networks who are salivating at the thought and willing to pay big bucks in order to target tiny demographic buckets of consumers, but cannot get their hands on the necessary information, because consumers want them to fuck off.<p>Along comes Zynga, bless their hearts, who have cracked the code of human behavior in order to get consumers to do whatever it takes to keep playing their games. The poor bastards, after spending their last bit of disposable income on virtual cows and sheep are either willing to or are unknowingly handing over the keys to their personal information in order to keep getting their daily hits of the social gaming drug.<p>So, how does the personal information get extracted from the consumer and put into the hands of the ad network?<p>In the middle, you've got the granddaddy of all personal data warehouses, Facebook, whose future rests upon bringing consumers to their site in order to gather personal information for their ad platform or, more recently, to reap the cash cow of virtual game items through the credits system they're launching.<p>And finally, next to the advertisers, you've got the aggregators, who are jumping through whatever hoops necessary in order to get this information in order to provide it directly to ad networks through a nice, clean, fast API or tracking cookie for the ad networks to use.<p>According to the article allegedly they're getting the social gaming providers to send it along. So the circle's complete. If the story is true (and I'm not sure it is), they're basically keeping the social gaming companies profitable by either paying them for this data or allowing them to use it for more efficient advertising. Their survival makes Facebook happy, since it's driving more people back to the site and giving them more Facebook credit revenue. Facebook would never be able to build this type of direct-to-the-ad-network data pipe the ad networks need to operate, but certainly benefits from it existing.<p>What's happening here is what I'm going to coin right here on HN: "information laundering." Facebook doesn't give away your personal information, they give it to innocent gaming companies. Who then give it to aggregators. Who then give it to advertising networks. Plausible deniability for everyone!<p>It's almost beautiful how it's all come together, each member of this ecosystem now dependent on the next. If any single person pulls the plug, the whole thing comes crashing down. It seems the valley's created a monster. No, it's not a conspiracy. It's just everyone acting "rationally selfish." But this behavior should come as no surprise to anyone who has been watching the majority of the types of companies launching at conferences the last several years.<p>So, what's next? Here's the worrisome part. The aggregation and dissemination of this type of personal information has been up until now largely used (we assume) for benign purposes like advertising. But, we're now in an era where access to this information is easy (APIs) and access to massive computing power (AWS) and analysis tools (Hadoop) is cheap.<p>It doesn't take much of an imagination to come up with ways this information can be used for far more nefarious purposes than selling weight loss pills. Surely the politicians are already plugged into this in order to craft advertising to manipulate people into voting for their guy. But it could be much worse than this, of course.<p>The truth is, the "information trade" will likely have the same connotation as the "drug trade" for the Millennials as they get older. As soon as there is a mainstream story about how this type of leak has ruined lives, or directly led to large scale fraud, blackmail, or even violence, things will start to happen.<p>I expect the next phase of this will play out in the press (expect alarmist articles like this one to be followed with more alarmist news pieces on TV) until some politician (as likely a Republican or Democrat, for different reasons of course) takes it up as their pet cause. It will start as "think of the children!" but over the years this will turn into "think of us!" as the children turn into the adults.<p>I expect to see legislation eventually that criminalizes a lot of the practices going on today with regards to aggregating and transmitting large amounts of personal information.

I thought this was common knowledge.

As some hn reader pointed out -- and I wish I remembered his or her name -- if you aren't paying for it, you are the product.<p>fb is going to continue to aggressively monetize the information people have given them. I'd wager Zuckerberg thinks he is running a $20+ billion dollar company, and all that money is going to come from using your information to sell you to advertisers.