Facebook Admits App Developers Sold User IDs To Data Broker

Taking another hit to its already-poor reputation for how it protects user data, Facebook has acknowledged that a data broker paid application developers for user identification information.

Facebook, which disclosed the news in a blog post published late Friday by platform engineer Mike Vernal, said it has banned the developers from connecting to Facebook for six months and will require them to submit to data practice audits in the future.

Word of the violation comes just weeks after The Wall Street Journal reported that a number of popular Facebook applications have leaked personal information to advertisers and Internet tracking firms.

That's led to a class action lawsuit in U.S. District Court seeking damages against game developer Zynga. Facebook said it uncovered the latest problem when it investigated a Web browser bug that inadvertently shared user ID (UID) data.

"As we examined the circumstances of inadvertent UID transfers, we discovered some instances where a data broker was paying developers for UIDs," Vernal wrote in his blog. "While we determined that no private user data was sold and confirmed that transfer of these UIDs did not give access to any private data, this violation of our policy is something we take seriously."

"As such, we are taking action against these developers by instituting a 6-month full moratorium on their access to Facebook communication channels, and we will require these developers to submit their data practices to an audit in the future to confirm that they are in compliance with our policies. This impacts fewer than a dozen, mostly small developers, none of which are in the top 10 applications on Facebook platform," Vernal wrote.

Facebook did not specifically identify the broker that was buying user IDs. But Vernal said Facebook had reached an agreement with Rapleaf, "the data broker who came forward to work with us on this situation," under which Rapleaf would delete all user ID information in its possession and agree to no longer conduct any activities on the Facebook platform. Facebook did not identify the application developers that allegedly sold the user ID information.

"Today, we are clarifying our policy to ensure that developers understand the proper use of UIDs in their applications," Vernal wrote. "Our policy has always stated that data received from Facebook, including UIDs, cannot be shared with data brokers and ad networks. Moving forward, our policy will state that UIDs cannot leave your application or any of the infrastructure, code, and services you need to build and run your application. You can use services, such as Akamai, Amazon Web Services and analytics services as long as those services keep UIDs confidential to your application.

"Facebook has never sold and will never sell user information," Vernal continued. "We also have zero tolerance for data brokers because they undermine the value that users have come to expect from Facebook. To restate our policy, developers may not pass any data from Facebook to data brokers, and we are now including anonymous identifiers in this protected category of Facebook data."