The Wall Street Journal is reporting today on yet another major Facebook privacy blunder. Despite Facebook's various polices and promises about users' privacy when using apps, apps have been feeding Facebook users' information to advertisers and Internet tracking companies regardless of the individual user's Facebook privacy settings.
Internet advertising networks claim to track users "anonymously," but the Facebook leak allows these web marketing snoops to associate Facebook users with the supposedly-anonymous browsing-history cookies that trackers use to see a user's movements across the web. Based on the WSJ's reporting, the leak has the potential to affect tens of millions of Facebook users, as all of the top ten Facebook apps — like Farmville and Mafia Wars — were found to be violating the Facebook app developer agreement and users' privacy by handing their personal data over to advertising and data aggregation companies.
If this outrageous episode sounds familiar, it's because earlier this year, Facebook was caught leaking the exact same data to advertisers. At the time, Facebook promised to fix the problem, but it's clear that their so-called fixes failed to apply to the more than half a million apps available on the site. EFF and other privacy advocates have long warned Facebook that apps are the weakest link in the Facebook privacy ecosystem, and this report from the Wall Street Journal overwhelmingly validates that concern.
Facebook reassures privacy-conscious users by pointing to the developer agreement that requires app providers to take strong steps to protect privacy. But given that Facebook apps have been found to be leaking data that Facebook promised to protect five months ago, it's obvious that Facebook has no way of effectively enforcing those rules for the countless apps on the Facebook Platform.
Facebook simply can't claim that apps are safe to use when serious privacy issues around apps — like this referrer security breach — are abundant and endemic.
If you're a Facebook user concerned about apps leaking your data, the most straightforward fix at the moment is to turn off apps completely. To do this, log in to Facebook, open up the "Account" menu in the upper-right corner, chooose "Privacy Settings," choose to edit your settings for "Applications and Websites" in the lower-left corner, and click on the option to "Turn off all platform applications." Also, check out EFF's earlier blog post on How to Get More Privacy From Facebook's New Privacy Controls to minimize the information on your Facebook account that's accessible to others.
While the overall picture of what is happening is clear, the as-yet murky details will have a serious impact on understanding the breadth and depth of the breach, the roster of companies involved, and the list of the best solutions. EFF is looking into these factors and will follow up with our findings here on Deeplinks. In the meantime, Harlan Yu has posted a clear explanation of the suspected technical details of the leak on the Freedom to Tinker blog. Facebook application developers should consider catching up on a best-practices paper by Justine Osborne describing Secure Application Development on Facebook.