Facebook Says Data Broker Bought User IDs

A handful of developers have been suspended for violating Facebook policies.

Thomas Claburn, Editor at Large, Enterprise Mobility

November 1, 2010

2 Min Read

Facebook on Friday said that an unspecified data broker had been paying Facebook developers for user identification numbers (UIDs) and that it has suspended a number of Facebook developers -- less than a dozen -- for six months as punishment.

The company said that no private user data had been sold -- Facebook does not consider UIDs to be private even though they can be used to track individual users -- and it said that the UIDs transferred were not used to access private data.

"Facebook has never sold and will never sell user information," said Facebook engineer Mike Vernal in a blog post. "We also have zero tolerance for data brokers because they undermine the value that users have come to expect from Facebook."

Facebook does not have to sell user information since most Facebook users give their information away to Facebook developers when they choose to use Facebook applications.

Facebook did not name the data broker that had paid for UIDs, but Vernal's blog post said that the company had also reached an agreement with RapLeaf, "the data broker who came forward to work with us on this situation." As part of the agreement, RapLeaf will delete UIDs in its possession and refrain from future activities involving Facebook, directly or indirectly.

The acknowledgement comes following a Wall Street Journal investigation last month that found popular Facebook apps revealed UID numbers. UID numbers can be used to determine a Facebook user's name and possibly other information. The principal privacy risk is that UIDs can be used to associate a Facebook identity with actions outside of Facebook.

In response to that investigation, Facebook put forward a plan to enable the optional encryption of UID numbers. The company has published a technical outline and solicited feedback from developers. It maintains that the additional issue of information exposed through HTTP Referer headers must be addressed by a broad range of technology companies.

The company also said that it is tightening its policies about how UIDs can be used, stored, and transmitted.

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights