Congress pokes Facebook

Lawmaker letter to Zuckerberg chides the service as breaching "consumer privacy."

In response to reports that third-party applications on Facebook have been collecting and distributing user information, Reps. Edward Markey, D-Mass., and Joe Barton, R-Texas, want to know how many people were affected, when Facebook found out, and what the company plans to do about it.

In a letter to CEO Mark Zuckerberg, the lawmakers scolded the social media website for what appears to be a violation of consumer trust.

"Given the number of current users, the rate at which that number grows worldwide, and the age range of Facebook users, combined with the amount and the nature of information these users place in Facebook's trust, this series of breaches of consumer privacy is a cause for concern," Markey and Barton wrote.

The letter said Facebook must respond by October 27.

As co-chairmen of the House Bipartisan Privacy Caucus, Markey and Barton have teamed up before on online privacy. In early August, they sought information from 15 top websites on their consumer tracking practices.

Facebook spokesman Andrew Noyes said in an e-mail that "the suggestion that the passing of a user ID to an application... constitutes a 'breach' is curious at best." Noyes wrote that, "As our privacy policy states, when a Facebook user connects with an application, the user ID is part of the information that the application receives."

Noyes said Facebook would be cooperative with the lawmakers, adding, "We look forward to addressing any confusion that has resulted from the Wall Street Journal article" that originally reported the data sharing. The newspaper found that third-party applications, like FarmVille and Gift Creator, were taking Facebook ID numbers (UIDs) and passing them along to advertisers and Internet companies. The UIDs can then be used to obtain names and information about users, which is against Facebook's privacy policy.

In a blog post, Facebook developer Mike Vernal admitted that a number of applications did in fact violate Facebook policy but described most cases as accidental due to the "technical details of how browsers work."

Vernal added, "Press reports have exaggerated the implications of sharing a UID. Knowledge of a UID does not enable anyone to access private user information without explicit user consent." However, he said, "we are committed to ensuring that even the inadvertent passing of UIDs is prevented and all applications are in compliance with our policy."

RapLeaf Inc., a start-up dedicated to customer tracking that was singled out by the Wall Street Journal as having passed along UIDs, has put up a blog post saying that the problem on its end has been fixed.

"When we discovered that Facebook IDs were being passed to ad networks by applications that we work with, we immediately researched the cause and implemented a solution to cease the transmissions," the post says. "As of last week, no Facebook IDs are being transmitted to ad networks in conjunction with the use of any Rapleaf service."