Top Apps Breached Facebook's Privacy Policies

All of the top ten applications on Facebook, and probably thousands others, were caught transmitting unique user IDs (UIDs) to advertising and data gathering companies.

The new Facebook privacy mess was uncovered by the Wall Street Journal and is an expansion of the "referer" header problems the social network had earlier this year.

The referer [misspelling intentional] field in HTTP headers sent by browsers to a website, contains the URL of a page a user came from. A webmaster can use it to tell which visitors came from where.

Earlier this year, following a website upgrade, Facebook started leaking user IDs via referrer headers.

These unique numbers can easily be used to track down a user's Facebook profile, which at the least, contains their name.

The Wall Street Journal found that the ten most popular Facebook applications, were exposing UIDs to advertising partners and other companies in a similar way.

In addition, three of them, including Zynga's FarmVille, which has 59 million users, also transmitted information about people's friends.

San Francisco-based RapLeaf, which builds dossiers on users from publicly available information and sells them for targeted advertising purposes, was one of the companies receiving user IDs from Facebook apps.

RapLeaf shared the user IDs with twelve other firms involved in advertising or data collection, but the company claims that this was completely unintentional.

"When we discovered that Facebook ids were being passed to ad networks by applications that we work with, we immediately researched the cause and implemented a solution to cease the transmissions," Jeremy Lizt, RapLeaf's VP of engineering, wrote on the company's blog.

Meanwhile, Facebook acknowledged that sharing UIDs with advertisers is a violation of its policies and several of the applications reported by the Wall Street Journal were suspended.

"We have experience addressing this sort of issue previously, although the technical challenges here are greater.

We are talking with our key partners and the broader Web community about possible solutions. We will have more details over the course of the next few days," explained Mike Vernal, on Facebook's developer blog.

Facebook is clearly having a hard time keeping the over 550,000 registered applications in check and making sure their don't break policy.

The social network was recently sued for its own UID misstep from earlier this year and it wouldn't be surprising if similar lawsuits are filed over this new incident too.