Yesterday afternoon, Miranda Miller of Search Engine Watch broke the news about how some Facebook app developers are exploiting the private information of social media users. In her article, she relates the story of Bogomil Shopov, an Internet marketer and blogger.
On October 23, Shopov posted to his blog about a deal he spotted on Gigbucks to purchase over a million Facebook data entries for $5. The file he received contained a huge spreadsheet divided into 12 sheets, each containing roughly 100,000 email addresses with first name, last name, and Facebook profile information. The profile information was for English-speaking users in the United States, Canada, the United Kingdom, and Europe.
If that’s not troubling enough, one of the recent comments to Shopov’s blog states:
“You don’t need to be a hacker to harvest these data. Any programmer can write a script that harvests profile links and looks for email addresses on those profiles. Surely, you’ll find 1 million email addresses amongst roughly 1 billion FB accounts. There’s nothing illegal about it and there’s nothing FB can do against it, except for hiding all e-mail addresses on all profiles.”
Shopov was concerned about how much data he was able to access in this manner, so he took the extra step of contacting Facebook. Here is how he describes the encounter on his blog:
When Miranda Miller contacted Facebook about this story, the Facebook spokesperson told Search Engine Watch:
“We have dedicated security engineers and teams that look into and take aggressive action on reports like those raised here. Since this is ongoing, we are not in a position to discuss the investigation at this time.”
In other words, they got an answer that really wasn’t an answer.
What can you glean from this? It looks to me as if Facebook has no agreements with app developers regarding the data they collect from Facebook users. When you click on an app, you are given a pop-up window explaining what information the app will be collecting and what information they will be posting to your timeline on your behalf. Once you click the button agreeing to the terms, the app developer has direct permission from you, the user, to access your personal information. Facebook does not require that the developer disclose what they will do with your data once they collect it. And you have no way of asking the app what they intend to do with your information. Facebook is in the business of collecting and monetizing data. It is not necessarily in their best interest to protect the data that you freely share with them.
If you haven’t already, go to your Account Settings, select Apps, and go through each and every app running on your profile. Once you have gotten rid of all of the ones that you don’t feel comfortable about, you need to consider what you want to do about email addresses and other information that has been leaked from those developers to whoever was willing to pay the $5 for the data.
4:30 10/26/2012 UPDATE:
Search Engine Journal was contacted this afternoon by Chris Kraeuter of the OutCast Agency, apparently on behalf of Facebook. My comment about the app developer agreement is, in essence, incorrect, and I’m happy to correct it for fact.
From Chris Kraeuter:
Every developer on Platform is required to meet our policies (https://developers.facebook.com/policy/). See especially Section II: Storing and Using Data You Receive from Us. We take action against apps that violate our platform policies in order to maintain a trustworthy experience for users.
It is the honest hope of this writer that Facebook does indeed take appropriate action in this case. We will be keeping a sharp eye as this story continues to develop.