Facebook Apps transmit Personal IDs and Friends' Names to Advertisers (wsj.com)
133 points by jakarta on Oct 18, 2010 | 27 comments

Hmm. This is very interesting.

A few facts:

1. When you embed an iframe with fb:iframe, the parameters Facebook passes to your app get passed to the iframe automatically. This includes the Facebook UID. This is the way everyone has always embedded Facebook ad units and AFAIK nobody has ever been punished for doing so. I've had people at Facebook look over my apps with a fine-tooth comb when dealing with TOS violations and this has never once come up.

2. Facebook will take action against apps if people use fb-provided widgets in ways that "violate" the TOS, i.e., if Facebook's own widgets violate the TOS they will take action against the app.

This happened to me with the fb:wall widget, where Facebook told me I wasn't allowed to have comments auto-post to people's walls (the default behavior) and must include a "report" link on every comment (impossible / not a feature of fb:wall). They disabled feed posting for one of my apps due to that "violation."

3. Facebook, as an organization, hates, hates, hates bad press. They will move mountains to prevent or preempt bad press. I've had people at Facebook tell me more-or-less verbatim that whatever I did, my applications were not allowed to generate bad press for Facebook. If they did, I would be banned.

4. Facebook will scapegoat companies. When the Scamville drama happened, Facebook banned Gambit payments from the platform and threatened any application developer with banning if they used Gambit. They were no worse than Offerpal or Super Rewards with respect to the types of offers they were running -- everyone was getting their offers from the same pool -- but Facebook banned Gambit and implicitly endorsed Offerpal and Super Rewards.

Gambit was the smallest of the three, so the general feeling in the FB developer community is that they picked the weakest one and took them out to show how "serious" they were in dealing with the problem. They also made SR and Offerpal clean up their offers and punished Zynga for running questionable offers, but only Gambit was permanently and forever banned.

So, given the above, I have to wonder...did Facebook ban lolapps, the smallest of the major FB game companies, from the platform as a way to preempt the press fallout from this article?

Very interesting.
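Point 1 above describes the leak mechanism: the canvas parameters, UID included, ride along into any iframe (ad unit) the app embeds. The following is an added example, not code from the thread, Facebook or the WSJ: a pre-release check a developer could run over the ad-unit URLs their page generates, flagging third-party destinations that would receive a UID-looking parameter and producing a stripped URL to embed instead. The host names, the parameter-name list and the sample URL are constructed assumptions.

```python
# Added example: detect and strip Facebook user IDs from query strings
# handed to third-party ad iframes. Not the thread's or any vendor's code.
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed heuristic list of parameter names that carry a Facebook UID
# in the scenario above ("profile.php?id=" is on the page; the rest are assumed).
UID_PARAMS = {"id", "uid", "fb_id", "fb_sig_user", "user_id"}

# Hosts the app itself controls (constructed); everything else is third party.
FIRST_PARTY_HOSTS = {"apps.example-game.test", "www.facebook.com"}


def _looks_like_uid(name, value):
    """A UID-named parameter with an all-digit value is treated as a leak."""
    return name.lower() in UID_PARAMS and value.isdigit()


def find_uid_leaks(url, first_party_hosts=FIRST_PARTY_HOSTS):
    """Return (name, value) pairs in `url` that look like a Facebook UID
    being sent to a host the app does not control. Empty list means clean."""
    parts = urlsplit(url)
    if parts.hostname in first_party_hosts:
        return []
    return [(n, v) for n, v in parse_qsl(parts.query, keep_blank_values=True)
            if _looks_like_uid(n, v)]


def strip_uid_params(url):
    """Rebuild `url` without UID-looking parameters, so the ad iframe can be
    embedded without forwarding the user's (or their friends') Facebook IDs."""
    parts = urlsplit(url)
    kept = [(n, v) for n, v in parse_qsl(parts.query, keep_blank_values=True)
            if not _looks_like_uid(n, v)]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    # Constructed sample of what an fb:iframe-style pass-through might emit.
    sample = ("https://ads.example-network.test/serve?slot=top"
              "&fb_sig_user=100000123456789&fb_id=100000123456789&locale=en_US")
    print("leaks:", find_uid_leaks(sample))
    print("safe :", strip_uid_params(sample))
```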

I really like your comment, and appreciate that someone with real world experience is giving an inside look into dealing with Facebook.

I doubt any viable organization would act any differently about bad press. Are you trying to say in your third point that Facebook takes it to an extreme beyond other companies you've worked with? Could you expand on your thought?

Why was Gambit the weakest of the three payment companies? From your perspective, is it possible that the FB dev scuttlebutt was conspiracy theory, or are you reasonably sure they used Gambit as their sacrificial lamb?

Thanks for your insight.

1. No, I'm just saying Facebook reacts very strongly to bad press. Maybe more or less strongly than other companies, but they don't typically take swift action on the platform (e.g., putting a 50-person company out of business overnight) unless there's a bad press story lurking somewhere.

That's their MO.

2. I know some of the parties involved, and Gambit wasn't doing anything differently than the other offer providers in this regard.

Even if they were being more aggressive, say, why not ban them until they cleaned up their act vs. banning them forever?

And why ban any developer who decided to use them, even if they were only serving up compliant ads?

Facebook was going so far as to send out C&Ds to developers using Gambit at one point.


"The apps, ranked by research company Inside Network Inc. (based on monthly users), include Zynga Game Network Inc.'s FarmVille, with 59 million users, and Texas HoldEm Poker and FrontierVille. Three of the top 10 apps, including FarmVille, also have been transmitting personal information about a user's friends to outside companies...

The information being transmitted is one of Facebook's basic building blocks: the unique "Facebook ID" number assigned to every user on the site. Since a Facebook user ID is a public part of any Facebook profile, anyone can use an ID number to look up a person's name, using a standard Web browser, even if that person has set all of his or her Facebook information to be private. For other users, the Facebook ID reveals information they have set to share with "everyone," including age, residence, occupation and photos.

The apps reviewed by the Journal were sending Facebook ID numbers to at least 25 advertising and data firms, several of which build profiles of Internet users by tracking their online activities."

Ironically, fb_id is one of the big missing pieces in the personal data dump that Facebook users can now download.

It is trivial to identify. If you don't have a vanity URL, it is in your profile URL.

How do you find it if you do have a vanity URL?

View source on your profile page and search for profile.php?id=

Right after that will be your id.

(There are other ways as well, but this is a pretty easy way)

As linked below, http://www.rabidgremlin.com/fbprivacy/ will give your FB id.

It's trivial to find out your own, sure, but Facebook handed out ids for every friend of the game users.

Facebook is so Microsoft.

So, if I understand this correctly, stripping away all the decorative wording, it would go like this: 1) FB apps can obtain the ids of one's friends; 2) once you have a user's id you can obtain his name; 3) ...and see the data that he (that user) has set to be visible to "everyone".

Personally I only find the first point to be controversial; the other ones are rather obvious to anyone who uses Facebook.

I don't understand why there aren't more stories about this -- it is beyond rampant; I'd call it business as usual for most popular apps since the Apps platform launched. I'd like to see an article about creative uses for all that data.

In the article, Rapleaf says de-anonymized linking of IDs to real names "wasn't intentional." That's a little hard to believe -- isn't the point of the company to have a massive database of personal information like this?

Yes. The main crux of their business is turning ids/email-addresses into personal profiles.

OTOH, they may not actually care what your name is; it's probably less uniquely identifying than your FB ID.

Rapleaf has posted a response here:


Though it doesn't seem to explain the details of what happened. It would have been useful for them to include the specifics of what occurred and exactly what data was erroneously transmitted to whom (a la Foursquare's post-mortem from a week or two ago). This could be as valuable a lesson for system architects as the 4sq one was.

The apps reviewed by the Journal were sending Facebook ID numbers to at least 25 advertising and data firms, several of which build profiles of Internet users by tracking their online activities.

This doesn't surprise me at all; it was just a matter of time before ad networks and retargeters, et al., caught up to include Facebook. FB's "social plugins" and the cookies they leave lying around give these companies an incredibly reliable way of identifying unique users and mapping their profiles. Which is very valuable to them.

One of the larger sites I run was recently approached by an ad network to drop a pixel upon user registration that would pair a user's email address with an identifier for unique tagging within their ad network. I declined for ethical reasons, but it was interesting nonetheless to see that this pairing is so valuable to ad networks, that they would pay for it separate from any display services.

Serious question:

How many people didn't see this coming?

Using an app gives it additional info about you, and nothing prevents it from passing that along to outside sources. And now we find out that all of the top 10 applications are doing just that? Surprise, surprise.

Anyone who thinks Facebook is anything other than a machine that turns your information into cash for Facebook is kidding themselves.

You're speaking out of ignorance.

First, Facebook can and does police what people pass to third-party ad networks. When the FB platform first launched app developers did what you're describing.

In mid-2008 Facebook amended the TOS to prevent people from passing in PII to third-party ad networks. Apps that did this got banned.

In mid-2009 Facebook again amended the TOS to prevent people from passing in their friends' UIDs, and apps doing this also got banned. In addition, at least two ad networks were banned from ever advertising on the FB Platform again.

This nonsense from the WSJ is about passing your Facebook UID to a third-party application, which (unlike the two cases above) happens automatically for every developer that has ever used any ad network.

Your Facebook UID is not private information. The only information one can get with your Facebook UID is the information you've decided to make public.

Now, you can argue that Facebook has incentivized people to overshare and not realize the consequences. That's fine.

But this article is 100% not about developers passing personal data to third-party ad networks, unless you somehow consider your Facebook user ID personal data. A stretch, considering until a year or so ago it was part of your profile URL, and still is for many people.

That's not entirely true: your Facebook UID always maps to your real name, gender, and your locale (country, i.e. en_us etc.). That information in the hands of someone clever is more than ample to make some pretty decent guesses as to your identity, especially when you can pair it with other data that you may or may not have collected in your own app. In a previous job I held where we dealt with this sort of stuff, Facebook ids were generally thought of as PII.

When you sign into a Facebook app you give away all sorts of interesting information. Check out http://www.rabidgremlin.com/fbprivacy/ and click on the "view raw data" links to see what I mean.

This, to me, is probably the first large visible salvo in the coming "personal information wars" that I've personally predicted for some time now, which we can expect to see play out over the next 10-20 years between corporations and consumers.

On the one side, you've got ad networks who are salivating at the thought and willing to pay big bucks in order to target tiny demographic buckets of consumers, but cannot get their hands on the necessary information, because consumers want them to fuck off.

Along comes Zynga, bless their hearts, who have cracked the code of human behavior in order to get consumers to do whatever it takes to keep playing their games. The poor bastards, after spending their last bit of disposable income on virtual cows and sheep are either willing to or are unknowingly handing over the keys to their personal information in order to keep getting their daily hits of the social gaming drug.

So, how does the personal information get extracted from the consumer and put into the hands of the ad network?

In the middle, you've got the granddaddy of all personal data warehouses, Facebook, whose future rests upon bringing consumers to their site in order to gather personal information for their ad platform or, more recently, to reap the cash cow of virtual game items through the credits system they're launching.

And finally, next to the advertisers, you've got the aggregators, who are jumping through whatever hoops necessary in order to get this information in order to provide it directly to ad networks through a nice, clean, fast API or tracking cookie for the ad networks to use.

According to the article, they're allegedly getting the social gaming providers to send it along. So the circle's complete. If the story is true (and I'm not sure it is), they're basically keeping the social gaming companies profitable by either paying them for this data or allowing them to use it for more efficient advertising. Their survival makes Facebook happy, since it's driving more people back to the site and giving them more Facebook credit revenue. Facebook would never be able to build this type of direct-to-the-ad-network data pipe the ad networks need to operate, but certainly benefits from it existing.

What's happening here is what I'm going to coin right here on HN: "information laundering." Facebook doesn't give away your personal information, they give it to innocent gaming companies. Who then give it to aggregators. Who then give it to advertising networks. Plausible deniability for everyone!

It's almost beautiful how it's all come together, each member of this ecosystem now dependent on the next. If any single person pulls the plug, the whole thing comes crashing down. It seems the valley's created a monster. No, it's not a conspiracy. It's just everyone acting "rationally selfish." But this behavior should come as no surprise to anyone who has been watching the majority of the types of companies launching at conferences the last several years.

So, what's next? Here's the worrisome part. The aggregation and dissemination of this type of personal information has been up until now largely used (we assume) for benign purposes like advertising. But, we're now in an era where access to this information is easy (APIs) and access to massive computing power (AWS) and analysis tools (Hadoop) is cheap.

It doesn't take much of an imagination to come up with ways this information can be used for far more nefarious purposes than selling weight loss pills. Surely the politicians are already plugged into this in order to craft advertising to manipulate people into voting for their guy. But it could be much worse than this, of course.

The truth is, the "information trade" will likely have the same connotation as the "drug trade" for the Millennials as they get older. As soon as there is a mainstream story about how this type of leak has ruined lives, or directly led to large scale fraud, blackmail, or even violence, things will start to happen.

I expect the next phase of this will play out in the press (expect alarmist articles like this one to be followed with more alarmist news pieces on TV) until some politician (as likely a Republican or Democrat, for different reasons of course) takes it up as their pet cause. It will start as "think of the children!" but over the years this will turn into "think of us!" as the children turn into the adults.

I expect to see legislation eventually that criminalizes a lot of the practices going on today with regards to aggregating and transmitting large amounts of personal information.

I thought this was common knowledge.

As some HN reader pointed out -- and I wish I remembered his or her name -- if you aren't paying for it, you are the product.

FB is going to continue to aggressively monetize the information people have given them. I'd wager Zuckerberg thinks he is running a $20+ billion company, and all that money is going to come from using your information to sell you to advertisers.

Was actually from MeFi, I believe (and I agree that it's a fantastically succinct observation):

"If you are not paying for it, you're not the customer; you're the product being sold."


Might have been me… I was talking about Google then but it's the same thing here and it's important to remember. The customers of these companies are the advertisers:

Most of us are not Google's customers. We are the raw materials Google uses to fabricate a product to sell.

