Applications on Facebook (and there are over 550,000 of them) rely on Facebook to send the user's profile ID and sometimes supply them with other information. Facebook's terms state that these applications are not to share that information outside of the application's need, but this rule is not enforced and it appears that application providers largely ignore it.
Specifically, the Journal's research shows that Facebook users' numeric profile IDs, which applications need to identify a user, were being shared with third party advertising companies. Some of these organizations, RapLeaf for instance, were then sharing them with even more advertising partners to build dossiers on people's friends and surfing habits.
The data housed by Facebook is too tempting a gold mine for marketing organizations. For Facebook to expect companies to self-police is foolish. Zynga, the publisher of Farmville, which is the top application on Facebook, already admitted to breaking the rules. Facebook insists that it checks "some" applications when they are submitted to weed out scams, fraud and policy abuse. But clearly they didn't check the ten most popular applications. Their lack of attention to Farmville alone potentially exposed the details of over 50 million users.
Facebook says they will look into this problem and take actions to correct it. This will not be an easy task, and it doesn't solve the problem. Facebook has made a major push in the last year to become a provider of federated identity. Typically, people access hundreds of services over the internet. Maintaining separate, secure logins and passwords for all of these sites is difficult, but you can now use your Facebook credentials to log into many of these services, cementing Facebook's goal of being a central source of identity. Unfortunately, most Facebook users do not understand how easy it is for all this data to be tied together and to make its way into the hands of marketers and others who can make a lot of money from their identity.
Apart from the inherent problems with federated identity, what's the solution? I don't often compliment Apple, but in this case I think Facebook should take a page from Apple's playbook. Facebook should review submitted applications for compliance with their policies, and periodically spot-check existing applications to ensure they have not gone rogue.
At this time there is very little you can do to protect yourself aside from making sure Facebook is aware of your privacy concerns or quitting the service.
To help raise awareness and enable IT administrators to help educate their users to the risks and best practices of social networking Sophos has produced a Social Media Security Toolkit. Download it now for free presentations, videos and tools you can use to help your users be more aware of how to be safe in these communities.
Creative Commons image courtesy of solidstate_'s Flickr photostream.