A few facts:
1. When you embed an iframe with fb:iframe, the parameters Facebook passes to your app get passed to the iframe automatically. This includes the Facebook UID. This is the way everyone has always embedded Facebook ad units and AFAIK nobody has ever been punished for doing so. I've had people at Facebook look over my apps with a fine-tooth comb when dealing with TOS violations and this has never once come up.
2. Facebook will take action against apps if people use fb-provided widgets in ways that "violate" the TOS, i.e., if Facebook's own widgets violate the TOS they will take action against the app.
This happened to me with the fb:wall widget, where Facebook told me I wasn't allowed to have comments auto-post to people's walls (the default behavior) and must include a "report" link to every comment (impossible / not a feature of fb:wall). They disabled feed posting for one of my apps due to that "violation."
3. Facebook, as an organization, hates, hates, hates bad press. They will move mountains to prevent or preempt bad press. I've had people at Facebook tell me more-or-less verbatim that whatever I did, my applications were not allowed to generate bad press for Facebook. If they did, I would be banned.
4. Facebook will scapegoat companies. When the Scamville drama happened, Facebook banned Gambit payments from the platform and threatened any application developer with banning if they used Gambit. They were no worse than Offerpal or Super Rewards with respect to the types of offers they were running -- everyone was getting their offers from the same pool -- but Facebook banned Gambit and implicitly endorsed Offerpal and Super Rewards.
Gambit was the smallest of the three, so the general feeling in the FB developer community is that they picked the weakest one and took them out to show how "serious" they were in dealing with the problem. They also made SR and Offerpal clean up their offers and punished Zynga for running questionable offers, but only Gambit was permanently and forever banned.
So, given the above, I have to wonder...did Facebook ban lolapps, the smallest of the major FB game companies, from the platform as a way to preempt the press fallout from this article?
I doubt any viable organization would act any differently about bad press. Are you trying to say in your third point that Facebook takes it to an extreme beyond other companies you've worked with? Could you expand on your thought?
Why was Gambit the weakest of the three payment companies? From your perspective, is it possible that the FB dev scuttlebutt was conspiracy theory, or are you reasonably sure they used Gambit as their sacrificial lamb?
Thanks for your insight.
That's their MO.
2. I know some of the parties involved, and Gambit wasn't doing anything differently than the other offer providers in this regard.
Even if they were being more aggressive, say, why not ban them until they cleaned up their act vs. banning them forever?
And why ban any developer who decided to use them, even if they were only serving up compliant ads?
Facebook was going so far as to send out C&Ds to developers using Gambit at one point.
"The apps, ranked by research company Inside Network Inc. (based on monthly users), include Zynga Game Network Inc.'s FarmVille, with 59 million users, and Texas HoldEm Poker and FrontierVille. Three of the top 10 apps, including FarmVille, also have been transmitting personal information about a user's friends to outside companies...
The information being transmitted is one of Facebook's basic building blocks: the unique "Facebook ID" number assigned to every user on the site. Since a Facebook user ID is a public part of any Facebook profile, anyone can use an ID number to look up a person's name, using a standard Web browser, even if that person has set all of his or her Facebook information to be private. For other users, the Facebook ID reveals information they have set to share with "everyone," including age, residence, occupation and photos.
The apps reviewed by the Journal were sending Facebook ID numbers to at least 25 advertising and data firms, several of which build profiles of Internet users by tracking their online activities."
Right after that will be your id.
(There are other ways as well, but this is a pretty easy way)
Facebook is so Microsoft.
Personally, I only find the first point to be controversial; the other ones are rather obvious for anyone who uses Facebook.
Though it doesn't seem to explain the details of what happened. It would have been useful for them to include the specifics of what occurred and exactly what data was erroneously transmitted to whom (a la Foursquare's post-mortem from a week or two ago.) This could be as valuable a lesson for system architects as the 4sq one was.
This doesn't surprise me at all; it was just a matter of time before ad networks and retargeters, et al., caught up to include Facebook. FB's "social plugins" and the cookies they leave lying around give these companies an incredibly reliable way of identifying unique users and mapping their profiles. Which is very valuable to them.
One of the larger sites I run was recently approached by an ad network to drop a pixel upon user registration that would pair a user's email address with an identifier for unique tagging within their ad network. I declined for ethical reasons, but it was interesting nonetheless to see that this pairing is so valuable to ad networks, that they would pay for it separate from any display services.
How many people didn't see this coming?
Using an app gives it additional info about you, and nothing prevents it from passing that along to outside sources. And now we find out that all of the top 10 applications are doing just that? Surprise, surprise.
Anyone who thinks Facebook is anything other than a machine that turns your information into cash for Facebook is kidding themselves.
First, Facebook can and does police what people pass to third-party ad networks. When the FB platform first launched, app developers did what you're describing.
In mid-2008 Facebook amended the TOS to prevent people from passing in PII to third-party ad networks. Apps that did this got banned.
In mid-2009 Facebook again amended the TOS to prevent people from passing in their friends' UIDs, and apps doing this also got banned. In addition, at least two ad networks were banned from ever advertising on the FB Platform again.
This nonsense from the WSJ is about passing your Facebook UID to third-party applications, which (unlike the two cases above) happens automatically for every developer that has ever used any ad network.
Your Facebook UID is not private information. The only information one can get with your Facebook UID is the information you've decided to make public.
Now, you can argue that Facebook has incentivized people to overshare and not realize the consequences. That's fine.
But this article is 100% not about developers passing personal data to third-party ad networks, unless you somehow consider your Facebook user ID personal data. A stretch, considering until a year or so ago it was part of your profile URL, and still is for many people.
On the one side, you've got ad networks who are salivating at the thought and willing to pay big bucks in order to target tiny demographic buckets of consumers, but cannot get their hands on the necessary information, because consumers want them to fuck off.
Along comes Zynga, bless their hearts, who have cracked the code of human behavior in order to get consumers to do whatever it takes to keep playing their games. The poor bastards, after spending their last bit of disposable income on virtual cows and sheep are either willing to or are unknowingly handing over the keys to their personal information in order to keep getting their daily hits of the social gaming drug.
So, how does the personal information get extracted from the consumer and put into the hands of the ad network?
In the middle, you've got the granddaddy of all personal data warehouses, Facebook, whose future rests upon bringing consumers to their site in order to gather personal information for their ad platform or, more recently, to reap the cash cow of virtual game items through the credits system they're launching.
And finally, next to the advertisers, you've got the aggregators, who are jumping through whatever hoops necessary in order to get this information in order to provide it directly to ad networks through a nice, clean, fast API or tracking cookie for the ad networks to use.
According to the article, allegedly, they're getting the social gaming providers to send it along. So the circle's complete. If the story is true (and I'm not sure it is), they're basically keeping the social gaming companies profitable by either paying them for this data or allowing them to use it for more efficient advertising. Their survival makes Facebook happy, since it's driving more people back to the site and giving them more Facebook credit revenue. Facebook would never be able to build this type of direct-to-the-ad-network data pipe the ad networks need to operate, but certainly benefits from it existing.
What's happening here is what I'm going to coin right here on HN: "information laundering." Facebook doesn't give away your personal information, they give it to innocent gaming companies. Who then give it to aggregators. Who then give it to advertising networks. Plausible deniability for everyone!
It's almost beautiful how it's all come together, each member of this ecosystem now dependent on the next. If any single person pulls the plug, the whole thing comes crashing down. It seems the valley's created a monster. No, it's not a conspiracy. It's just everyone acting "rationally selfish." But this behavior should come as no surprise to anyone who has been watching the majority of the types of companies launching at conferences the last several years.
So, what's next? Here's the worrisome part. The aggregation and dissemination of this type of personal information has been up until now largely used (we assume) for benign purposes like advertising. But, we're now in an era where access to this information is easy (APIs) and access to massive computing power (AWS) and analysis tools (Hadoop) is cheap.
It doesn't take much of an imagination to come up with ways this information can be used for far more nefarious purposes than selling weight loss pills. Surely the politicians are already plugged into this in order to craft advertising to manipulate people into voting for their guy. But it could be much worse than this, of course.
The truth is, the "information trade" will likely have the same connotation as the "drug trade" for the Millennials as they get older. As soon as there is a mainstream story about how this type of leak has ruined lives, or directly led to large scale fraud, blackmail, or even violence, things will start to happen.
I expect the next phase of this will play out in the press (expect alarmist articles like this one to be followed with more alarmist news pieces on TV) until some politician (as likely a Republican or Democrat, for different reasons of course) takes it up as their pet cause. It will start as "think of the children!" but over the years this will turn into "think of us!" as the children turn into the adults.
I expect to see legislation eventually that criminalizes a lot of the practices going on today with regards to aggregating and transmitting large amounts of personal information.
fb is going to continue to aggressively monetize the information people have given them. I'd wager Zuckerberg thinks he is running a $20+ billion dollar company, and all that money is going to come from using your information to sell you to advertisers.
"If you are not paying for it, you're not the customer; you're the product being sold."
Most of us are not Google's customers. We are the raw materials Google uses to fabricate a product to sell.