Facebook Response Prompts Strong Words From Privacy Lawmakers

Facebook last week responded to a host of questions from congressmen playing key roles in the future of online privacy regulations. Congressman Joe Barton of Texas, who is in the running to chair the House Energy and Commerce Committee now that Republicans will control that body, indicated dissatisfaction with Facebook’s answers to a series of questions he posed following allegations of a Facebook user data privacy breach.

“I want the Internet economy to prosper, but it can’t unless the people’s right to privacy means more than a right to hear excuses after the damage is done,” stated Barton in a press release posted on the House Energy and Commerce Republicans site. “In the next Congress, the Energy and Commerce Committee and our subcommittees are going to put Internet privacy policies in the crosshairs,” he continued.

Facebook submitted responses to the inquiry in a 13-page document dated October 29, and signed by the company’s VP Global Public Policy Marne Levine. The firm stressed that no privacy breach occurred when user IDs (UIDs) were transferred between Facebook and third-party app developers. Facebook also said that all ad networks must delete Facebook UIDs in order to operate on its platform.

“It’s good that Facebook was in a hurry to respond to our concerns, but the fact remains that some third-party applications were knowingly transferring personal information in direct violation of Facebook’s privacy promises to its users,” said Barton in the statement.

Congressman Edward Markey of Massachusetts, who co-chairs the House Bi-Partisan Privacy Caucus with Barton, added, “Facebook needs to protect personal consumer information to ensure that getting connected doesn’t mean being unwittingly friended by data brokers and marketers. No one likes being friends with someone who invades their privacy.” He continued, “With privacy legislation under consideration by the Energy and Commerce Committee, I will continue to work with my colleagues to ensure that Facebook personal user data isn’t siphoned off and sold to a data broker who cannot be unfriended.”

Last month, Barton and Markey sent a letter to Facebook CEO Mark Zuckerberg inquiring about an alleged privacy breach reported in The Wall Street Journal. A story in that newspaper published October 18 alleged that some of the top Facebook applications such as Zynga’s FarmVille had transmitted Facebook ID numbers to several advertising and data firms, calling the data transfer a “privacy breach.”

The article prompted the letter from Barton and Markey. Among the 18 questions and requests: “What terms contained in your privacy policy were violated by this series of privacy breaches?” “What procedures do you have in place to detect and/or prevent third-party applications that may breach the terms of Facebook’s privacy policy?” and “Will Facebook seek the deletion of its users’ personal information from data bases of the Internet or advertising companies who received it as a result of this series of privacy breaches?”

In its response, Facebook stated that “the sharing of UIDs is critical to people’s ability to use third-party applications on the Facebook Platform.” The company later added, “Regarding the intentional transmission of UIDs to a data broker, this is the first instance in which we have learned of such activity, and, as noted, we have taken decisive enforcement action.”

It is understood that data firm Rapleaf is the data broker referred to in Facebook’s statement. The social media giant said on October 29 that it reached an agreement with Rapleaf by which all Facebook UIDs would be deleted from Rapleaf’s databases. The deal also banned Rapleaf from conducting activities on Facebook’s platform.

Facebook told the congressmen it receives no “remuneration, financial or otherwise” from sharing information with third-party firms, and added, “Facebook expressly prohibits application developers from selling user data and from transferring user data to such companies.”

Facebook also stressed that the transference of UIDs “is not a Facebook-specific issue” because “in the course of its normal operation on the Internet, the browser includes the referrer URL in its request to the third party.” The firm said it is “working to launch an industry-wide initiative to equip browsers with privacy controls that would prevent such inadvertent passing of information,” and added, “In the coming months, we expect to work with such manufacturers to enable users to control the passage of information via referrer URLs.”

In addition, Facebook will now require any ad networks that have UIDs stored to delete the IDs. “[A]lthough we have seen no evidence to suggest that ad networks were or are using UIDs to obtain even this basic information, we see no reason for ad networks to store such UIDs. We therefore are mandating that all ad networks delete any Facebook UIDs they may have stored as a precondition to their continued ability to operate on Facebook Platform,” said Facebook in its response.

Related reading