Facebook's 'ID-gate' privacy breach: Why it matters
Facebook has suffered yet another privacy breach, accidentally sharing its members' identities with advertisers. Yes, again. Here's why you should care.
It seems the 10 most popular Facebook apps are sharing your Facebook ID -- and possibly your name -- with advertisers, in direct violation of both Facebook’s and the app makers’ privacy policies. It also seems neither Facebook nor the app developers were aware of this fact until some Wall Street Journal reporters told them about it. At least, that’s their story and they’re sticking to it.
Cue the usual Internet uproar over Facebook privacy, or the lack thereof.
Should you care? I think so. There are a few good reasons, which I’ll get into in a bit. But first a little background.
For more than a decade, Internet ad firms have used a variety of tricks to track your Web surfing behavior across multiple sites -- mostly via browser and (more recently) Flash cookies. Why do they want to do this? Because the more an ad company knows about the sites you like to visit, the more detailed a profile they can create, which lets them do a better job of targeting ads.
[ See also: Facebook + Bing: The Good, the Bad, & the Incontinent ]
In other words, if the ad companies know you’ve been visiting auto sites, they might deliver you an ad from Ford or GM or Toyota on another site, even if that site has nothing to do with cars. In theory this makes the ad more relevant/interesting to you, the Web surfer who’s being tracked, but mostly it’s a way for advertisers and publishers to make more money. (Not that there’s anything wrong with that – ad revenues are ultimately how I get paid too.)
Tracking also has other nasty implications, of course. You wouldn’t want someone following you around the mall as you shopped and writing down the names of the stores you entered and the products you bought, why should you tolerate this on the Web? So the ad firms have relied on two key justifications for tracking:
1. The tracking is done anonymously; ad company servers can identify only your browser, not the person sitting at the keyboard.
2. You can opt out, if you’re willing to jump through some hoops.
Those defenses, already fairly porous with caveats and exceptions, have now just crumbled to dust. If Facebook advertisers have your name, anonymity goes out the window. There is no opt out, short of quitting Facebook (unlikely) or not installing any apps (a good idea) or not clicking on any ads (a very good idea). In any case, how can you opt out of something you don’t know is happening?
In the short term, this kind of data leak isn’t as serious as, say, a government agency or credit bureau spilling millions of social security or credit card numbers, which has happened ad nauseum over the last 10 years. In the long run, though, it’s worse. If advertisers can tie your identity to your Web history, so can anyone else. The concept of aggregating anonymous information becomes as quaint and archaic as the rotary phone, and the Web becomes even more of a data miner’s paradise.
It’s like that old Sting song: Everywhere you go, everything you do, they’ll be watching you.
Call it the “slippery slope” or “the frog in the boiling water” or “the canary in the coal mine.” Pick a metaphor, any metaphor. It’s bad. But that’s not all. Other conclusions you might draw from this incident:
* Once again, Facebook demonstrates that it “takes user privacy seriously” mostly by issuing statements about how it takes user privacy seriously -- not by being proactive about it.
* Privacy policies aren’t worth the paper they’re not printed on. Good intentions (sincere or otherwise) don’t mean squat if there’s no oversight.
* Penalizing companies after they’ve already got your data is a lame response. It’s like trying to unring a bell. Once the data is out there, there’s no way to get it all back.
* The WSJ looked at 10 apps. That leaves 549,990 to go. I don’t imagine the news gets much better.
* Incompetence is a poor defense.
To its credit, Facebook recognized the seriousness of this breach and responded immediately, instead of the usual “let’s cover our ears and hide in our cubicles until people stop complaining” response. On the other hand, some apps that got suspended for this behavior were reinstated a few hours later. And the biggest single app on the WSJ’s list, Zynga’s hateful Farmville, didn’t get dinged at all.
Here’s my favorite bit about this whole thing. As part of its defense, Facebook Developer Blogger Mike Vernal writes:
We have experience addressing this sort of issue previously, although the technical challenges here are greater. We are talking with our key partners and the broader Web community about possible solutions. We will have more details over the course of the next few days.
In other words, you can trust Facebook to fix this problem, because they fixed one very much like it earlier this year. Let that one sink in for a moment.
Why didn’t they anticipate this problem and fix it before it became yet another headline? Because nobody at Facebook seems to be paying attention. User privacy isn’t a priority at Facebook, it’s an annoyance. Until that changes, this sort of thing is going to happen again and again and again.
ITworld TY4NS blogger Dan Tynan tries to avoid Facebook apps whenever possible, and thinks you should too. Visit his snarky humor site eSarcasm (Geek Humor Gone Wild) or follow him on Twitter:@tynan_on_tech.