
Facebook Apps transmit Personal IDs and Friends' Names to Advertisers - jakarta
http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html?mod=djemalertTECH
======
jfarmer
Hmm. This is very interesting.

A few facts:

1. When you embed an iframe with fb:iframe, the parameters Facebook passes to
your app get passed to the iframe automatically. This includes the Facebook
UID. This is the way everyone has always embedded Facebook ad units and AFAIK
nobody has ever been punished for doing so. I've had people at Facebook look
over my apps with a fine-tooth comb when dealing with TOS violations and this
has never once come up.

2. Facebook will take action against apps if people use fb-provided widgets
in ways that "violate" the TOS, i.e., if Facebook's own widgets violate the
TOS they will take action against the app.

This happened to me with the fb:wall widget, where Facebook told me I wasn't
allowed to have comments auto-post to people's walls (the default behavior)
and must include a "report" link to every comment (impossible / not a feature
of fb:wall). They disabled feed posting for one of my apps due to that
"violation."

3. Facebook, as an organization, hates, hates, hates bad press. They will
move mountains to prevent or preempt bad press. I've had people at Facebook
tell me more-or-less verbatim that whatever I did, my applications were not
allowed to generate bad press for Facebook. If they did, I would be banned.

4. Facebook will scapegoat companies. When the Scamville drama happened,
Facebook banned Gambit payments from the platform and threatened any
application developer with banning if they used Gambit. They were no worse
than Offerpal or Super Rewards with respect to the types of offers they were
running -- everyone was getting their offers from the same pool -- but
Facebook banned Gambit and implicitly endorsed Offerpal and Super Rewards.

Gambit was the smallest of the three, so the general feeling in the FB
developer community is that they picked the weakest one and took them out to
show how "serious" they were in dealing with the problem. They also made SR
and Offerpal clean up their offers and punished Zynga for running questionable
offers, but only Gambit was permanently and forever banned.

So, given the above, I have to wonder...did Facebook ban lolapps, the smallest
of the major FB game companies, from the platform as a way to preempt the
press fallout from this article?

Very interesting.
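
An added example, not part of the comment above or of any Facebook code: instead of letting every incoming parameter flow through to a third-party frame, as point 1 describes, the app builds the ad frame URL from an allow-list so the UID is never forwarded. The `fb_sig_*` parameter names, the hosts and the sample URL are assumptions made for illustration.

```javascript
// Added example. Parameter names (fb_sig_*), hosts and the sample URL are
// assumed/constructed for illustration; they do not come from the thread.
const AD_PARAM_ALLOWLIST = new Set(["placement", "size"]);

// A value made only of long digit runs (optionally comma-separated) looks like
// a user ID or friend list and is never forwarded, whatever its key.
const LOOKS_LIKE_ID = /^\d{5,}(,\d{5,})*$/;

function buildAdFrameSrc(canvasUrl, adBaseUrl) {
  const incoming = new URL(canvasUrl).searchParams;
  const out = new URL(adBaseUrl);
  const dropped = [];
  for (const [key, value] of incoming) {
    if (AD_PARAM_ALLOWLIST.has(key) && !LOOKS_LIKE_ID.test(value)) {
      out.searchParams.set(key, value);
    } else {
      dropped.push(key); // record names only, so the audit trail holds no IDs
    }
  }
  return { src: out.toString(), dropped };
}

function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// If the embedding page's own URL carries the same parameters, the Referer
// header would expose them too, so the frame is told not to send one.
function adFrameHtml(canvasUrl, adBaseUrl) {
  const { src } = buildAdFrameSrc(canvasUrl, adBaseUrl);
  return `<iframe src="${escapeAttr(src)}" referrerpolicy="no-referrer"></iframe>`;
}

// Constructed sample request URL.
const SAMPLE_CANVAS_URL = "https://apps.example.test/game/?" +
  "fb_sig_user=100000123456789&fb_sig_friends=100000111111111,100000222222222" +
  "&fb_sig_locale=en_US&placement=sidebar&size=300x250";

console.log(buildAdFrameSrc(SAMPLE_CANVAS_URL, "https://ads.example.test/unit"));
console.log(adFrameHtml(SAMPLE_CANVAS_URL, "https://ads.example.test/unit"));
```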

~~~
amadiver
I really like your comment, and appreciate that someone with real world
experience is giving an inside look into dealing with Facebook.

I doubt any viable organization would act any differently about bad press. Are
you trying to say in your third point that Facebook takes it to an extreme
beyond other companies you've worked with? Could you expand on your thought?

Why was Gambit the weakest of the three payment companies? From your
perspective, is it possible that the FB dev scuttlebutt was conspiracy theory,
or are you reasonably sure they used Gambit as their sacrificial lamb?

Thanks for your insight.

~~~
jfarmer
1. No, I'm just saying Facebook reacts very strongly to bad press. Maybe more
or less strongly than other companies, but they don't typically take swift
action on the platform (e.g., putting a 50-person company out of business
overnight) unless there's a bad press story lurking somewhere.

That's their MO.

2. I know some of the parties involved, and Gambit wasn't doing anything
differently than the other offer providers in this regard.

Even if they were being more aggressive, say, why not ban them until they
cleaned up their act vs. banning them forever?

And why ban any developer who decided to use them, even if they were only
serving up compliant ads?

Facebook was going so far as to send out C&Ds to developers using Gambit at
one point.

------
jakarta
Specifically:

"The apps, ranked by research company Inside Network Inc. (based on monthly
users), include Zynga Game Network Inc.'s FarmVille, with 59 million users,
and Texas HoldEm Poker and FrontierVille. Three of the top 10 apps, including
FarmVille, also have been transmitting personal information about a user's
friends to outside companies...

The information being transmitted is one of Facebook's basic building blocks:
the unique "Facebook ID" number assigned to every user on the site. Since a
Facebook user ID is a public part of any Facebook profile, anyone can use an
ID number to look up a person's name, using a standard Web browser, even if
that person has set all of his or her Facebook information to be private. For
other users, the Facebook ID reveals information they have set to share with
"everyone," including age, residence, occupation and photos.

The apps reviewed by the Journal were sending Facebook ID numbers to at least
25 advertising and data firms, several of which build profiles of Internet
users by tracking their online activities."

~~~
rhizome
Ironically, fb_id is one of the big missing pieces in the personal datadump
that Facebook users can now download.

~~~
sanj
It is trivial to identify. If you don't have a vanity URL, it is in your
profile URL.

~~~
raptrex
How do you find it if you do have a vanity URL?

~~~
far33d
http://graph.facebook.com/<user_id>

------
brendano
In the article, Rapleaf says de-anonymized linking of IDs to real names
"wasn't intentional." That's a little hard to believe -- isn't the point of
the company to have a massive person database of information like this?

~~~
wavesplash
Yes. The main crux of their business is turning ids/email-addresses into
personal profiles.

~~~
wanderr
OTOH, they may not actually care what your name is; it's probably less
uniquely identifying than your FB ID.

------
nphase
_The apps reviewed by the Journal were sending Facebook ID numbers to at least
25 advertising and data firms, several of which build profiles of Internet
users by tracking their online activities._

This doesn't surprise me at all; it was just a matter of time before ad
networks and retargeters, et al., caught up to include Facebook. FB's "social
plugins" and the cookies they leave lying around give these companies an
incredibly reliable way of identifying unique users and mapping their
profiles. Which is very valuable to them.

One of the larger sites I run was recently approached by an ad network to drop
a pixel upon user registration that would pair a user's email address with an
identifier for unique tagging within their ad network. I declined for ethical
reasons, but it was interesting nonetheless to see that this pairing is so
valuable to ad networks, that they would pay for it separate from any display
services.

------
Groxx
Serious question:

How many people _didn't_ see this coming?

Using an app gives it additional info about you, and _nothing_ prevents it
from passing that along to outside sources. And now we find out that _all_ of
the top 10 applications are doing just that? Surprise, surprise.

Anyone who thinks Facebook is _anything_ other than a machine that turns your
information into cash for Facebook is kidding themselves.

~~~
jfarmer
You're speaking out of ignorance.

First, Facebook can and does police what people pass to third-party ad
networks. When the FB platform first launched, app developers did what you're
describing.

In mid-2008 Facebook amended the TOS to prevent people from passing in PII to
third-party ad networks. Apps that did this got banned.

In mid-2009 Facebook again amended the TOS to prevent people from passing in
their friends' UIDs, and apps doing this also got banned. In addition, at least
two ad networks were banned from ever advertising on the FB Platform again.

This nonsense from the WSJ is about passing your Facebook UID to third-party
applications, which (unlike the two cases above) happens automatically for
every developer that has ever used any ad network.

Your Facebook UID is not private information. The only information one can get
with your Facebook UID is the information you've decided to make public.

Now, you can argue that Facebook has incentivized people to overshare and not
realize the consequences. That's fine.

But this article is 100% not about developers passing personal data to third-
party ad networks, unless you somehow consider your Facebook user ID personal
data. A stretch, considering until a year or so ago it was part of your
profile URL, and still is for many people.

~~~
thecoffman
That's not entirely true; your Facebook UID always maps to your real name,
gender, and your locale (country, i.e. en_us etc.). That information in the hands
of someone clever is more than ample to make some pretty decent guesses as to
your identity, especially when you can pair it with other data that you may or
may not have collected in your own app. In a previous job I held where we
dealt with this sort of stuff, Facebook IDs were generally thought of as PII.

------
Rabidgremlin
When you sign into a Facebook app you give away all sorts of interesting
information. Check out <http://www.rabidgremlin.com/fbprivacy/> and click on
the "view raw data" links to see what I mean.

------
gfodor
This to me is probably the first large visible salvo in the coming "personal
information wars" I've personally predicted for some time now that we can
expect to see for the next 10-20 years play out between corporations and
consumers.

On the one side, you've got ad networks who are salivating at the thought and
willing to pay big bucks in order to target tiny demographic buckets of
consumers, but cannot get their hands on the necessary information, because
consumers want them to fuck off.

Along comes Zynga, bless their hearts, who have cracked the code of human
behavior in order to get consumers to do whatever it takes to keep playing
their games. The poor bastards, after spending their last bit of disposable
income on virtual cows and sheep are either willing to or are unknowingly
handing over the keys to their personal information in order to keep getting
their daily hits of the social gaming drug.

So, how does the personal information get extracted from the consumer and put
into the hands of the ad network?

In the middle, you've got the granddaddy of all personal data warehouses,
Facebook, whose future rests upon bringing consumers to their site in order to
gather personal information for their ad platform or, more recently, to reap
the cash cow of virtual game items through the credits system they're
launching.

And finally, next to the advertisers, you've got the aggregators, who are
jumping through whatever hoops necessary in order to get this information in
order to provide it directly to ad networks through a nice, clean, fast API or
tracking cookie for the ad networks to use.

According to the article allegedly they're getting the social gaming providers
to send it along. So the circle's complete. If the story is true (and I'm not
sure it is), they're basically keeping the social gaming companies profitable
by either paying them for this data or allowing them to use it for more
efficient advertising. Their survival makes Facebook happy, since it's driving
more people back to the site and giving them more Facebook credit revenue.
Facebook would never be able to build this type of direct-to-the-ad-network
data pipe the ad networks need to operate, but certainly benefits from it
existing.

What's happening here is what I'm going to coin right here on HN: "information
laundering." Facebook doesn't give away your personal information, they give
it to innocent gaming companies. Who then give it to aggregators. Who then
give it to advertising networks. Plausible deniability for everyone!

It's almost beautiful how it's all come together, each member of this
ecosystem now dependent on the next. If any single person pulls the plug, the
whole thing comes crashing down. It seems the valley's created a monster. No,
it's not a conspiracy. It's just everyone acting "rationally selfish." But
this behavior should come as no surprise to anyone who has been watching the
majority of the types of companies launching at conferences the last several
years.

So, what's next? Here's the worrisome part. The aggregation and dissemination
of this type of personal information has been up until now largely used (we
assume) for benign purposes like advertising. But, we're now in an era where
access to this information is easy (APIs) and access to massive computing
power (AWS) and analysis tools (Hadoop) is cheap.

It doesn't take much of an imagination to come up with ways this information
can be used for far more nefarious purposes than selling weight loss pills.
Surely the politicians are already plugged into this in order to craft
advertising to manipulate people into voting for their guy. But it could be
much worse than this, of course.

The truth is, the "information trade" will likely have the same connotation as
the "drug trade" for the Millennials as they get older. As soon as there is a
mainstream story about how this type of leak has ruined lives, or directly led
to large scale fraud, blackmail, or even violence, things will start to
happen.

I expect the next phase of this will play out in the press (expect alarmist
articles like this one to be followed with more alarmist news pieces on TV)
until some politician (as likely a Republican or Democrat, for different
reasons of course) takes it up as their pet cause. It will start as "think of
the children!" but over the years this will turn into "think of us!" as the
children turn into the adults.

I expect to see legislation eventually that criminalizes a lot of the
practices going on today with regards to aggregating and transmitting large
amounts of personal information.

------
code_duck
I thought this was common knowledge.

------
earl
As some HN reader pointed out -- and I wish I remembered his or her name -- if
you aren't paying for it, you are the product.

FB is going to continue to aggressively monetize the information people have
given them. I'd wager Zuckerberg thinks he is running a $20+ billion dollar
company, and all that money is going to come from using your information to
sell you to advertisers.

~~~
tapp
Was actually from MeFi, I believe (and I agree that it's a fantastically
succinct observation):

"If you are not paying for it, you're not the customer; you're the product
being sold."

<http://www.metafilter.com/95152/Userdriven-discontent>

