http://blogs.wsj.com/digits/2010/10/18/referers-how-facebook-apps-leak-user-ids/

October 18, 2010

Referers: How Facebook Apps Leak User IDs

Many of the most popular applications, or "apps," on Facebook have been transmitting users' Facebook ID numbers to marketers and tracking companies, the Wall Street Journal reported. [1]

These leakages shine a light on one of the Web's enduring privacy weak links, known as referers. Long a part of the basic standards of the Web, referers are a piece of information sent whenever a user clicks on a link. Referers let sites know about the page from which the user is arriving. That information -- passed discreetly from one server to the next -- helps sites analyze the sources of their traffic and customize the information they present.

Referers usually aren't a problem when users visit websites. But on Facebook and other social-networking sites, such communications have the potential to expose a user's identity.

"The thing that is perhaps surprising is how much of a privacy problem referers have turned out to be," said Peter Eckersley, a senior staff technologist for the Electronic Frontier Foundation, a privacy-advocacy group. "Advertisers could know you and your real-world identity."

The privacy problem arises when companies are able to connect a user ID to other online identifiers and cookies, which are not normally linked to a user's identity.

"The ad industry likes to say they collect only anonymous information," Mr. Eckersley said. But, he added, referers can let marketers connect anonymous profiles "to the very non-anonymous Facebook User ID, which is linked back to your real-world name and identity."

In Facebook's case, the company's app platform passes the user ID number to authorized applications to enable them to tap into your Facebook profile. That ID is sometimes passed on to outside firms via referer headers. Figuring out how to avoid doing that is one of the challenges Facebook faces as it introduces new technical systems that will limit the sharing of user IDs.
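The mechanism described above, as an added example that is not part of the article: an app page whose URL carries the user's ID in its query string exposes that ID in the Referer header of every third-party resource it loads. The script scans constructed tracker-side log lines for such leaks and shows the scrubbing step the text attributes to Facebook's ad-click fix. The parameter names and URLs are assumptions, not Facebook's.

```python
"""Model and detect user-ID leakage through HTTP Referer headers."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical query-parameter names that identify a user (assumption).
ID_PARAMS = {"user_id", "uid", "fb_user"}

def strip_identifiers(url: str, id_params=ID_PARAMS) -> str:
    """Drop identifying parameters (and the fragment, which browsers never
    send anyway) so the URL can safely appear as a Referer."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in id_params]
    return urlunsplit(parts._replace(query=urlencode(kept), fragment=""))

# Combined Log Format: request line, status, size, then the quoted Referer.
LOG_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+" \d+ \d+ "(?P<referer>[^"]*)"')

def find_leaks(log_lines, id_params=ID_PARAMS):
    """Return (requested_path, param, value) for every request whose
    Referer header carried an identifying query parameter."""
    leaks = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("referer") == "-":
            continue
        for k, v in parse_qsl(urlsplit(m.group("referer")).query):
            if k in id_params:
                leaks.append((m.group("path"), k, v))
    return leaks

# Constructed sample log lines, as a tracking server embedded in an app
# page would record them (IDs and hosts are made up).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Oct/2010:10:00:00 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"https://apps.example.com/game/?user_id=1234567&level=3" "Mozilla/5.0"',
    '203.0.113.6 - - [18/Oct/2010:10:00:01 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"https://apps.example.com/game/?level=3" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Oct/2010:10:00:02 +0000] "GET /js/track.js HTTP/1.1" 200 900 '
    '"-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print("leaked:", leak)
    print(strip_identifiers("https://apps.example.com/game/?user_id=1234567&level=3#top"))
```

The first sample line is the leak: the tracker now holds the app user's ID next to its own cookie for that browser.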

In May, the Journal reported [2] on a similar referer issue, in which Facebook was sometimes sending user IDs to marketers when users clicked on an ad from Facebook. After being contacted by the Journal, Facebook changed its system so that user IDs are no longer included in the addresses sent to outside websites, including advertisers. A lawsuit [3] moving through the California court system alleges that Facebook violated Federal and California law and breached a contract with users when it sent the data before changing its behavior.

-- Geoffrey A. Fowler and Emily Steel

[1] http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html

[2] http://online.wsj.com/article/SB10001424052748704513104575256701215465596.html

[3] http://blogs.wsj.com/digits/2010/10/17/facebook-faces-suit-over-earlier-breach/