Privacy Crackdown Rattles Facebook Developers

Following an embarrassing expose in the Wall Street Journal, Facebook has tightened its controls over the ways in which applications that use the social networking platform can share unique user identity information (or UIDs). The company also banned several applications accused of improperly disclosing user data. 


The company outlined its new policy in a post on Facebook’s Developers blog on Friday by Mike Vernal, a company engineer. Facebook has adopted a “zero tolerance” policy for data brokers, and issued a six-month moratorium on access to the Facebook network for a handful of developers that sold Facebook unique identifiers to third-party data brokers. 

“This violation of our policy is something we take seriously,” Vernal wrote in his blog post. A Facebook spokesman, contacted by Threatpost by e-mail, said the company would not comment on the new policy beyond what was stated in the post on the Developers blog.

The suspended developers will also be barred from “Facebook communication channels,” and will have to submit their data practices to an audit in the future to determine whether they are in compliance with the company’s policies, according to the blog post.

On the technical front, Facebook said it will soon be updating two key APIs (application programming interfaces) to make it possible for developers to share unique identifiers confidentially and without compromising user privacy. The company said it will release those new APIs this week and require their use by January 1, 2011. The company is also demanding that third-party ad networks and offer companies that use the Facebook Platform use the new, anonymous identifiers and delete any Facebook UIDs they may be storing. 

RapLeaf, one such company that was mentioned in the Wall Street Journal article, has agreed to delete any Facebook UID data and forgo any activities on the Facebook Platform, directly or indirectly, going forward. Anecdotal evidence suggests that developers and firms who have done business with RapLeaf are among those targeted by Facebook administrators for suspension. 

Other vendors that have built thriving businesses around enabling Facebook applications with offers for third party products and services or by offering virtual currency are likely to be affected by the new policy. Such companies rely on the UID to associate their product with a specific Facebook user, according to Anatoly Lubarsky, CEO of X2Line, a Marietta, Georgia firm that makes applications and games for social networks.  

Some of the applications named in the Wall Street Journal story, including those by Facebook gaming giant Zynga – maker of Farmville and Mafia Wars – were unaffected by the new policy, while smaller players like LOLapps.com and Familybuilder.com were. According to a report on InsideFacebook.com, those applications have had their ability to spread on the Facebook network severely restricted: application access to invitations, notifications and wall posts is disabled for LOLapps products.

Top applications suspended by the new policy include Pencake with 44 million monthly active users on Facebook, Topzy with 15.8 million, Who is following you, with 13.8 monthly active users, and Friend FAQ with 13.5 million monthly active users, according to Insidefacebook.com. 

At the same time, smaller outfits and individual developers have complained in Facebook’s developer forums that they, or applications they contributed to, were banned or similarly hamstrung. While it’s unclear exactly what criteria were used to determine which applications were and were not suspended, customers of data aggregators like RapLeaf appear to have faced extra scrutiny. Facebook declined to comment on how it chose which applications to suspend, but allows developers to protest application removals using a Web-based form.

In the meantime, developers expressed frustration with the changes in policy, with many lamenting what they considered an overreaction to media coverage of the UID issue. Facebook itself has gone to great lengths to point out that the sharing of the UID didn’t lead to the inadvertent sharing of personal or private information. Writing on Facebook’s developer forums, application developers point out that Facebook itself makes the UID readily visible in the URLs of user profiles, and that the number on its own has little value. 

“The reality of the Facebook UID is that it’s simply a number, and nothing more.  The fact that somehow people believe their privacy is being compromised because of UIDs is just so ridiculous to me,” wrote Mike Wojcik, CEO of iMakeInternet.com, a social- and Web application development shop based near Detroit, Michigan.

Facebook’s extensive privacy options make it unlikely that any data would be accessible to third parties that users didn’t agree to make public – and that data is freely available by other means, developers note. 

As for the updated APIs and the increased focus on privacy, developers like Wojcik, who has developed a number of Facebook applications including Glamble Texas Holdem Poker, said he didn’t expect them to drastically change the nature of application development; developers will simply switch from plain-text UIDs to their encrypted equivalents. 

“It will generally just (mean) more time and consideration during the development phases of existing and future applications (and) games. In general things will remain almost similar. Instead of throwing UIDs around from page to page we’ll be throwing around an encrypted string of text.”
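The switch described above, from passing the raw UID to third parties to handing each of them an opaque, per-partner identifier, is illustrated here with an added example. This is not Facebook’s API or code, and the key, partner names and UIDs are constructed sample values. It shows three things the article touches on: a keyed derivation (HMAC-SHA256) that gives the same user unrelated identifiers at different partners, why an unkeyed hash of a short numeric UID is not an anonymous identifier, and a guard that keeps the raw UID from leaking through other fields such as profile URLs.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed sample values for this demo (hypothetical); the real platform
# key would live in a secrets store and never be shipped to partners.
PLATFORM_KEY = bytes.fromhex(
    "7f3a9c1d4e2b8a6f5c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b"
)
SAMPLE_UIDS = ["100004217", "100004218", "100009999"]


def derive_partner_id(uid: str, partner: str, key: bytes = PLATFORM_KEY) -> str:
    """Return a stable, partner-scoped pseudonym for a user id.

    HMAC-SHA256 keyed with a secret held only by the platform. The partner
    name is mixed into the message, separated by a byte that cannot occur in
    either field, so one user gets unrelated identifiers at two partners and
    no partner can join its records with another's.
    """
    message = partner.encode("utf-8") + b"\x00" + uid.encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def unkeyed_hash(uid: str) -> str:
    """The weak alternative: a plain hash of the UID with no secret."""
    return hashlib.sha256(uid.encode("utf-8")).hexdigest()


def reverse_unkeyed(digest: str, candidate_uids: Iterable[str]) -> Optional[str]:
    """Recover the UID behind an unkeyed hash by recomputing it per candidate.

    Sequential numeric UIDs have little entropy, so anyone holding the
    digest can rebuild the mapping from a list of plausible ids. Run against
    a keyed identifier the same loop finds nothing, because computing the
    identifier requires the platform key.
    """
    for uid in candidate_uids:
        if hmac.compare_digest(unkeyed_hash(uid), digest):
            return uid
    return None


def partner_payload(uid: str, partner: str, fields: dict) -> dict:
    """Build what a partner receives: the pseudonym plus permitted fields.

    Rejects the payload if the raw UID appears inside any permitted field
    (for example embedded in a profile URL), since that would undo the
    pseudonymisation.
    """
    for name, value in fields.items():
        if isinstance(value, str) and uid in value:
            raise ValueError(f"raw UID present in partner field {name!r}")
    return {"partner_user_id": derive_partner_id(uid, partner), **fields}


if __name__ == "__main__":
    uid = SAMPLE_UIDS[0]
    print("ad network A sees:", derive_partner_id(uid, "adnet-a"))
    print("ad network B sees:", derive_partner_id(uid, "adnet-b"))
    print("unkeyed hash reversed to:", reverse_unkeyed(unkeyed_hash(uid), SAMPLE_UIDS))
    print("keyed id reversed to:", reverse_unkeyed(derive_partner_id(uid, "adnet-a"), SAMPLE_UIDS))
```

The design point is that the secret key, not the hash function, is what makes the identifier opaque: a partner can store and reuse its own `partner_user_id` indefinitely, but cannot map it back to a UID or correlate it with another partner’s identifier for the same user.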
