10/21/2010 01:24 am ET Updated May 25, 2011

Facebook's Latest Privacy Flap Is Due to Web Plumbing, Not Policy

On Monday, the Wall Street Journal reported that many of the most popular Facebook application developers, including Zynga Game Network whose apps include FarmVille, Texas HoldEm Poker and FrontierVille, "have been transmitting identifying information -- in effect, providing access to people's names and, in some cases, their friends' names -- to dozens of advertising and Internet tracking companies."

Smoking Gun?

To some, it was the smoking gun proving Facebook is in the business of selling users' personal information. But if you read the story closely, you'll see that isn't at all what it is about.

To begin with, Facebook has a policy of not sharing user information with advertisers and an agreement with its third party developers that they not share such information either.

Even the Journal article made this clear: "Facebook prohibits app makers from transferring data about users to outside advertising and data companies, even if a user agrees."

While it's clear that some third-party developers did share unique IDs that are associated with user accounts, there is no evidence that private information was disclosed. As far as I can tell, all the developers are accused of sharing is information that could lead advertisers to know users names and, possibly, a list of their friends. But, as Facebook makes abundantly clear, users names are not considered private -- they are searchable on Facebook -- and a friends list is public information until the user chooses to opt out.

Good practices or not, Facebook's policies are clearly stated.

Besides, it's not in Facebook's interest to turn over personal information to advertisers.

Think about their business model; Facebook delivers ads directly to members based on information the company knows such as age, gender, location and relationship status. That's all valuable information because it allows Facebook to charge advertisers to deliver their messages to a highly targeted audience. Facebook would actually hurt its long-term business interests giving away or selling that information.

Bad Code

The culprit in this case is not bad intentions but bad Internet code.

The poor coding not only affects Facebook but most websites and all browsers. As my co-director Anne Collier pointed out in her blog post, the technical problem the Journal was reporting on, "is a phenomenon as old as Web links that has become a problem with the advent of social networking in general."

As the Journal pointed out, "The apps were using a common Web standard, known as a 'referer,' which passes on the address of the last page viewed when a user clicks on a link. On Facebook and other social-networking sites, referers can expose a user's identity."

Referers aren't necessarily a bad thing. They enable websites to know where their traffic is coming from, but they are not supposed to include personally identifiable information. There is even a website called that provides free code to help web owners identify who is referring traffic to them.

And there's nothing new about the issue. Although Monday's Journal article focused only on Facebook and its developers, the same newspaper in May reported that Facebook, MySpace and several other social-networking sites have been sending data to advertising companies that could be used to find consumers' names and other personal details, despite promises they don't share such information without consent.

The Journal correctly pointed out that, "Across the Web, it's common for advertisers to receive the address of the page from which a user clicked on an ad."

On its developers' blog, Facebook has acknowledged "that several applications built on Facebook Platform were passing the User ID," which was a violation of its privacy policy that prohibits application developers from disclosing "user information to ad networks and data brokers."

"In most cases, developers did not intend to pass this information, but did so because of the technical details of how browsers work," Facebook said.

What's at issue here is a technical bug in the Web's plumbing that doesn't just affect Facebook's App developers but other companies as well. And while Facebook -- one of the world's largest web properties with 500 million users -- ought to be doing all it can to fix this problem, the company is far from the only culprit.

Let's just hope that Facebook's talented engineers put as much effort into solving this problem as they have into building their network.

Disclosure: Larry Magid is co-director, a non-profit Internet safety organization that receives financial support from a number of Internet companies, including Facebook, MySpace and Google.

Read Larry's Internet safety articles at