WSJ reports Facebook apps — including banned LOLapps games — transmitted private user data

The Wall Street Journal reported that its investigation of Facebook apps found that many of the most popular titles have been transmitting identifying user information to dozens of advertising and internet tracking companies.

The issue affects tens of millions of Facebook app users, according to the story that appeared this evening in the lead spot on the Wall Street Journal’s web site (subscription required). The apps are not only transmitting the names of app users to the advertisers, but also the names of their friends in some cases. The problem affects users who have set their profiles to be completely private, and the practice breaks Facebook’s rules on privacy, the Journal said.

Acknowledging the problem, a Facebook spokesman said Sunday that the company is taking steps to dramatically limit the exposure of users’ personal information. The story indicates this privacy breach may be why all of the apps built by LOLapps, which has 150 million Facebook users, were banned over the weekend. The Journal found that all of the 10 most popular apps on Facebook were transmitting users’ IDs to outside companies.

They include games from Zynga, including its FarmVille, Texas HoldEm Poker and FrontierVille titles. Facebook assigns a Facebook ID number to every user on the site. Anyone can use that ID number to look up a person’s name, using a standard web browser, even if that person has set his or her info to be private. The Journal said the apps reviewed by its reporters were sending Facebook ID numbers to at least 25 ad and data-tracking firms. One firm, RapLeaf, had linked Facebook user ID info from the apps to its own database of internet users, which it sells. RapLeaf transmitted the Facebook IDs it obtained to a dozen other firms.

LOLapps and Zynga have not yet responded to requests for comment. RapLeaf’s vice president of business development, Joel Jewitt, told the Journal that his company didn’t transmit the information on purpose. But Facebook said it has taken steps to limit RapLeaf’s ability to use any Facebook data. The transmission of private data may have been unintentional because the browsers were using a “referrer,” which transmits the data of the last page a user had visited. That link may include the user’s private information.

The Journal found that some LOLapps apps were transmitting users’ Facebook ID numbers to RapLeaf, which then linked those ID numbers to files it had previously created on the users. RapLeaf then embedded that information in a web-tracking file called a cookie. Arjun Sethi, chief executive of LOLapps, is scheduled to speak on a case studies panel at VentureBeat’s DiscoveryBeat 2010 conference in San Francisco tomorrow.

Update: Read Write Web has questioned whether or not the use of referrers is in fact a privacy violation.

Facebook has issued the following response.

“As part of our work to provide people with control over their information, we’ve learned that the design and operation of the Internet doesn’t always provide the greatest control that is technically possible.  For example, in the Spring, it was brought to our attention that Facebook user IDs may be inadvertently included in the URL referrer sent to advertisers. Here, WSJ has uncovered the same issue on Facebook Platform where a Facebook user ID may be inadvertently shared by a user’s Internet browser or by an application delivering content to a user.

While knowledge of user ID does not permit access to anyone’s private information on Facebook, we plan to introduce new technical systems that will dramatically limit the sharing of User ID’s. This is an even more complicated technical challenge than the similar issue we successfully addressed last Spring, but one that we are committed to addressing. Our technical systems have always been complemented by strong policy enforcement, and we will continue to rely on both to keep people in control of their information.

It is important to note that there is no evidence that any personal information was misused or even collected as a result of this issue. In fact, all of the companies questioned about this issue said publicly that they did not use the user IDs or did not use them to obtain personal info.”

Update: Facebook has also issued a blog post on the matter. Facebook’s Mike Vernal said in his post that “press reports have exaggerated the implications of sharing a user ID.” He noted that several applications were passing the User ID in a manner that violated Facebook’s privacy policy. RapLeaf has also posted on its blog about how it has responded to the crisis by fixing the problem on its end.

Getting content noticed is a challenge for everyone making apps. Join us at DiscoveryBeat 2010 and hear secrets from top industry executives about how to break through and profit in the new cross-platform app ecosystem. From metrics to monetization, we’ll take an in depth look at the best discovery strategies and why they’re working. See the full agenda here. The conference takes place on October 18 at the Mission Bay Conference Center in San Francisco. To register, click here. Hurry though. Tickets are limited, and going fast.