Following an arguably overblown investigation into Facebook application developers sharing publicly-available user identification numbers with third parties, Facebook has made a few additional moves to clamp down on the problem. One is a policy update, another is punishment for those developers that purposefully sold this information — most had done it accidentally — and a third is confirmation of a change it previously proposed to how user IDs are handled.
Given that the user IDs are already publicly available, there was no privacy violation — contrary to how many news organizations covered the story. But selling user data to third parties is explicitly forbidden in Facebook’s developer terms. So Facebook’s actions here are likely motivated in part by the need to reassure the public that their (public) data is safe, while also setting an example to developers.
First, the policy change, from the company’s developer blog post on the matter:
Today, we are clarifying our policy to ensure that developers understand the proper use of UIDs in their applications. Our policy has always stated that data received from Facebook, including UIDs, cannot be shared with data brokers and ad networks. Moving forward, our policy will state that UIDs cannot leave your application or any of the infrastructure, code, and services you need to build and run your application. You can use services, such as Akamai, Amazon Web Services and analytics services as long as those services keep UIDs confidential to your application.
Second, developers will also need to adopt the new mechanism for making user IDs anonymous.
We realize that developers may sometimes need a way to share a unique identifier outside of their application with permitted third parties, such as content partners, advertisers or other service providers. We are adding a mechanism that developers must use to share anonymous identifiers for this purpose. We will release this functionality (available via the Graph API and FQL) early next week. We encourage developers to move to this mechanism quickly and will require it on January 1, 2011.
Ad networks on Facebook, the post notes, are also being required to delete any IDs in their possession in order to continue doing business on the platform; Facebook is also requiring that developers anonymize any IDs they send to these companies.
It is also banning some currently unknown developers for having purposefully brokered this data to third parties. It’s not naming names, but please let us know in comments if you have more information about who they are. From the post:
As we examined the circumstances of inadvertent UID transfers, we discovered some instances where a data broker was paying developers for UIDs. While we determined that no private user data was sold and confirmed that transfer of these UIDs did not give access to any private data, this violation of our policy is something we take seriously. As such, we are taking action against these developers by instituting a 6-month full moratorium on their access to Facebook communication channels, and we will require these developers to submit their data practices to an audit in the future to confirm that they are in compliance with our policies. This impacts fewer than a dozen, mostly small developers, none of which are in the top 10 applications on Facebook Platform.
Finally, Facebook says it has worked out a deal where one of the data brokers that was buying the data, Rapleaf, will delete all user IDs in its possession