Congress pokes Facebook

In response to reports that third-party applications on Facebook have been collecting and distributing user information, Reps. Edward Markey, D-Mass., and Joe Barton, R-Texas, want to know how many people were affected, when Facebook found out, and what the company plans to do about it.

In a letter to CEO Mark Zuckerberg, the lawmakers scolded the social media website for what appears to be a violation of consumer trust.

"Given the number of current users, the rate at which that number grows worldwide, and the age range of Facebook users, combined with the amount and the nature of information these users place in Facebook's trust, this series of breaches of consumer privacy is a cause for concern," Markey and Barton wrote.

The letter said Facebook must respond by October 27.

As co-chairmen of the House Bipartisan Privacy Caucus, Markey and Barton have teamed up before on online privacy. In early August, they sought information from 15 top websites on their consumer tracking practices.

Facebook spokesman Andrew Noyes said in an e-mail that "the suggestion that the passing of a user ID to an application... constitutes a 'breach' is curious at best." Noyes wrote that, "As our privacy policy states, when a Facebook user connects with an application, the user ID is part of the information that the application receives."

Noyes said Facebook would be cooperative with the lawmakers, adding, "We look forward to addressing any confusion that has resulted from the Wall Street Journal article" that originally reported the data sharing. The newspaper found that third-party applications, like FarmVille and Gift Creator, were taking Facebook ID numbers (UIDs) and passing them along to advertisers and Internet companies. The UIDs can then be used to obtain names and information about users, which is against Facebook's privacy policy.

In a blog post, Facebook developer Mike Vernal admitted that a number of applications did in fact violate Facebook policy but described most cases as accidental due to the "technical details of how browsers work."

Vernal added, "Press reports have exaggerated the implications of sharing a UID. Knowledge of a UID does not enable anyone to access private user information without explicit user consent." However, he said, "we are committed to ensuring that even the inadvertent passing of UIDs is prevented and all applications are in compliance with our policy."

RapLeaf Inc., a start-up dedicated to customer tracking that was singled out by the Wall Street Journal as having passed along UIDs, has put up a blog post saying that the problem on its end has been fixed.

"When we discovered that Facebook IDs were being passed to ad networks by applications that we work with, we immediately researched the cause and implemented a solution to cease the transmissions," the post says. "As of last week, no Facebook IDs are being transmitted to ad networks in conjunction with the use of any Rapleaf service."
