Tsibouris & Associates

Tuesday, October 19, 2010

Facebook Faces Renewed Privacy Challenges

By Mehmet Munur

The Wall Street Journal reports that a Facebook user ID may be inadvertently shared by a Facebook application and may then be further transferred to other third parties.  While this sharing is similar to the sharing issues Facebook experienced last spring, incidents such as these are only likely to increase calls for accountability and privacy by design principles in privacy enforcement.

WSJ reports that the top ten most popular apps on Facebook were found to be transmitting users’ IDs to third parties.  WSJ reports that the apps were sending data to 25 other firms, some of which build profiles on users.  WSJ further found that at least one firm that received this information combined it with its own database and then sold it to other third parties.  Facebook Developer Principles and Policies requires that user data not be used “for any purpose off of Facebook, without user consent.”  This sharing by apps with third parties likely violates this provision of the Facebook policy.  Thus, WSJ contends that some of these apps may have violated the Developer Principles and Policies as well as the developers’ own privacy policies.

Since the WSJ story ran, Facebook has responded by shutting down some of those apps.  Facebook also responded with this developer blog post stating that the sharing of user IDs was inadvertent and that the press “exaggerated the implications of sharing.”  Instead, the post focused on how the sharing of the user ID did not allow the sharing of “private user information.”

However, when it comes to advertising and behavioral tracking, the FTC has stated in its 2009 Staff Report that 

in the context of online behavioral advertising, the traditional notion of what constitutes PII versus non-PII is becoming less and less meaningful and should not, by itself, determine the protections provided for consumer data. . . .  In staff’s view, the best approach is to include within the Principles’ scope any data collected for online behavioral advertising that reasonably could be associated with a particular consumer or with a particular computer or device.

Because user IDs are unique, the information can easily be identified with an individual.  Whether or not “private” information is shared appears to be beside the point.

Additionally, the ecosystem for the sharing of information about individuals highlighted by the WSJ article is not new.  In fact, the FTC has highlighted these issues in its roundtable.  This flow chart describes in detail how personal information may be shared among entities.  Mostly due to the complexity of these data flows, regulators in both the EU and the US are pushing for principles such as accountability and privacy by design. 

You may read more by the WSJ on the What They Know series here and watch the FTC roundtables here.