Two new lawsuits have popped up against Facebook and Zynga, the biggest game developer on the social networking site, in the wake of the weekend’s revelations about Facebook applications leaking user IDs to third parties.
A Wall Street Journal investigation on the weekend revealed the top app makers were sharing Facebook user ID numbers with outside firms. The numbers could be used to look up people’s names and other information and could potentially be tied to advertising preferences or other data.
Facebook, which claims it had no prior knowledge of this, temporarily banned one game company, LOLApps, as a result.
Now the WSJ reports on two new lawsuits based on the privacy breaches – the first against Zynga in California and the second against Facebook in Rhode Island.
California resident Nancy Walther Graf has sued Zynga, the maker of popular games such as Farmville, for allegedly transmitting the personally identifiable information to third parties “for substantial profit”. In the suit filed in U.S. District Court in the Northern District of California on Monday afternoon, the plaintiff said Zynga’s use of the data without users’ permission violated federal laws that protect the privacy of electronic communications, as well as a California computer-crime law. Her lawyer later said the suit targeted Zynga rather than Facebook because Facebook’s policies prohibit app makers from transferring data about users to outside advertising and data companies. A Zynga statement says the complaint is without merit and the company would defend it vigorously.
The second case by a plaintiff in Rhode Island amends an earlier suit filed in June. The original lawsuit was filed in June after the WSJ exposed Facebook and MySpace for sending user ID numbers to advertisers without users’ consent. Facebook amended its own code but apparently did not check to see what its application developers were doing. The lawsuit has now been amended to include information sent by third-party developers. Unlike in the California case, the Rhode Island plaintiff is arguing that Facebook bears responsibility for this.
While user IDs can only be used to look up information that a Facebook user has chosen to make publicly available, I can’t see any good reason for this information to be revealed to third parties. At the very least, it links Facebook identities with information about which games they play, for how long and when, information that I for one would consider private. It’s not the biggest breach of security ever – and I think WSJ is probably overblowing it somewhat – but it shouldn’t have happened.
The app developers should have known better given that Facebook had to close this very same loophole in their own code in May and also because there are terms and conditions prohibiting this from happening. Should Facebook also be held responsible? I would be inclined to say yes given that the company was aware of the technicalities of the problem from May and apparently failed to enforce its own policies governing developers on the Facebook Platform. That they couldn’t keep tabs on even the top 10 app makers suggests to me that some sort of “don’t ask, don’t tell” policy was in operation.
What do you think?