Is Facebook evil or merely incompetent?

It's been months since the last major Facebook privacy debacle. I was beginning to lose hope. Thank goodness, then, for the news that the world's biggest social network has fumbled the ball yet again.

The Wall Street Journal is reporting that Facebook's largest apps, which collectively boast tens of millions of users, are capturing personally identifiable information about Facebook users and sharing it with advertisers -- violating both Facebook's and the app makers' own privacy policies.

In other words, as you're milking cows in Farmville, someone is milking you.

What's happening is a variation on something that happens on the Web a billion times a day. Whenever you click a hyperlink, the page you're sent to usually gets a "referrer URL" -- the address of the page from whence you came. This can be useful for sites wanting to analyze their traffic sources.

The same thing happens when you click an ad; this referrer URL lets the advertisers know which sites are driving traffic to them and, in the case of pay-per-click ads, how much money they owe the site that sent the visitor.

What's special about Facebook is that once you've logged in, the referrer URLs it generates may contain a unique identification number or, if you've opted for a personalized Facebook URL, your name. That gets passed along inside the URL to app makers, who then pass it on to advertisers and online data brokers, who add it to their trove of information about you.
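To see which referrer values carry the identifier to a third party and which do not, here is an added example (not from the article or from Facebook's code) that computes the referrer a browser would send under each standard Referrer-Policy value. The host names, the `user_id` parameter and its value are constructed placeholders, and the downgrade check is simplified to HTTPS-to-non-HTTPS.

```javascript
// Added illustration. All URLs and the id below are constructed sample values.
const POLICIES = ['no-referrer', 'no-referrer-when-downgrade', 'origin',
  'origin-when-cross-origin', 'same-origin', 'strict-origin',
  'strict-origin-when-cross-origin', 'unsafe-url'];

// Returns the referrer value sent with a request from pageUrl to destUrl,
// or null when the policy suppresses it.
function refererFor(pageUrl, destUrl, policy) {
  const page = new URL(pageUrl);
  const dest = new URL(destUrl);
  // Credentials and the fragment are always stripped before sending.
  page.username = ''; page.password = ''; page.hash = '';
  const full = page.href;                 // path and query string included
  const originOnly = page.origin + '/';   // scheme, host and port only
  const sameOrigin = page.origin === dest.origin;
  // Simplification: "downgrade" means leaving HTTPS for a non-HTTPS target.
  const downgrade = page.protocol === 'https:' && dest.protocol !== 'https:';
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : null;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error('unknown policy: ' + policy);
  }
}

// For every policy, report the referrer sent and whether it exposes the id.
function auditPolicies(pageUrl, destUrl, id) {
  const report = {};
  for (const policy of POLICIES) {
    const referer = refererFor(pageUrl, destUrl, policy);
    report[policy] = { referer, leaks: referer !== null && referer.includes(id) };
  }
  return report;
}

// Constructed scenario: a logged-in app page linking to a third-party ad host.
const SAMPLE_PAGE = 'https://apps.social.example/farmgame/?user_id=1000001';
const SAMPLE_AD = 'https://ads.tracker.example/click';
const SAMPLE_ID = '1000001';
console.log(auditPolicies(SAMPLE_PAGE, SAMPLE_AD, SAMPLE_ID));
```

Only the policies that send the full URL across origins expose the identifier; the origin-only and suppressing policies do not, which is why keeping identifiers out of page URLs or setting a restrictive policy closes this channel.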

Mike Vernal describes the problem and Facebook's response to it in Facebook's official developer blog (I've annotated with my own responses below):

We take user privacy seriously. [1] We are dedicated to protecting private user data while letting users enjoy rich experiences with their friends. This more social Web will only occur if users trust that they are in control of their information. [2]

1. Whenever anything starts with "We take user privacy very seriously," you know you're about to get screwed.

2. In this case, of course, users are not in control of their information -- and apparently neither is Facebook. So that makes it even Steven. Right?

Our policy is very clear about protecting user data, ensuring that no one can access private user information without explicit user consent. [3] Further, developers cannot disclose user information to ad networks and data brokers. We take strong measures to enforce this policy, including suspending and disabling applications that violate it. [4]

3. Except when they can. But why dwell on such things?

4. Also regular spankings. But only after they've gathered this information and sold it dozens of times. And then we'll quietly let them back into Facebook a few weeks later after people have forgotten about this. Those Farmville cows are so darned cute we just can't stay mad at them very long.

Recently, it has come to our attention that several applications built on Facebook Platform were passing the User ID (UID), an identifier that we use within our APIs, in a manner that violated this policy. In most cases, developers did not intend to pass this information, but did so because of the technical details of how browsers work. [5]

5. Remember, it's the browser's fault. Damn you, Marc Andreessen. Damn you to Hell.

Press reports have exaggerated the implications of sharing a UID. [6] Knowledge of a UID does not enable anyone to access private user information without explicit user consent. [7] Nevertheless, we are committed to ensuring that even the inadvertent passing of UIDs is prevented and all applications are in compliance with our policy. [8]

6. Not to be confused with sharing an IUD. That's definitely a bad idea.

7. That's true. It's all those other explicit consents users agree to when installing the application that give them access to private user information -- and in most cases, your friends' data too.

8. We've been vewwy bad, and we're vewwy sowwy.

What's fishy about this problem is that it came as a huge surprise to Facebook and the developers of these apps. Yet, as Vernal notes, Facebook fixed a similar glitch last May, where referrer URLs containing Facebook user IDs were being sent to advertisers when FBers clicked directly on ads. That problem came to Facebook's attention thanks to -- yes, that's right -- the Wall Street Journal.

Maybe it's just me, but don't you think somebody at Facebook might have wondered whether this whole URL referrer problem extended to the 550,000 apps currently polluting -- er, populating Facebook right now?

Perhaps Facebook should hire some WSJ reporters to police the service since the company seems incapable of policing it on its own. I'm sure the journos would appreciate the extra cash.

It seems when Facebook screws up, it's usually the last to learn about it. For a service that desperately wants to earn our trust as it butters itself all over the Web, that's exactly the wrong way to go about it.

Facebook: Evil, incompetent, or both? You make the call. Email me:

Robert X. Cringely
