Why your Facebook ID is marketers' Holy Grail

safe_gold_money.ju.top.jpg By David Goldman, staff writer


NEW YORK (CNNMoney.com) -- Armed with your e-mail address, data miners can hit Facebook and match it up with your user ID. That key unlocks a treasure trove of personal information.

At bare minimum, your ID provides access to your name and profile photo, no matter what privacy settings you have. Those who stick with Facebook's recommended settings will reveal even more: their location, hometown, list of friends, lots of photos, and many of their "likes," such as activities and interests.

That's a goldmine for companies that are trying to target their products to you.

"Once you have an ID you can look up the person," said Axel Schultze, CEO of Xeesm, a social media marketing software developer. That gives you access to all the information publicly available in their profile, and from that, "you can build correlations between all sorts of other data."

Robin Dindayal, director of product management at social marketing software company Awareness Inc., ran an experiment and plugged my Facebook ID into Facebook's Graph API. That's a tool Facebook makes available for programmers who want to connect to the site's platform.

The API returned a smattering of information about me, including my gender and geographic settings. A person -- or a machine -- can retrieve that data after starting with nothing more than my e-mail address. (You can follow our instructions on how to run the experiment with your own Facebook ID.)

"Combine this with an e-mail address and I can add you to a mailing list," Dindayal said. "Beyond that, some users within Facebook don't have their privacy settings set very high and even more information might be made available."

Facebook has technical safeguards in place intended to prevent data miners with massive lists of e-mail addresses from sucking in troves of public information about Facebook's users. But invaders keep slipping through the site's defenses.

A company named Rapleaf kicked off a backlash two months ago when press reports drew attention to its practice of collecting Facebook IDs and including them in the personal profiles it sells. The ways Rapleaf gathered the data violated Facebook's rules, and when caught, Rapleaf changed its methods. It recently deleted the Facebook information from its dataset.

But it's a game of whack-a-mole: Others have popped right up to fill the void.

Take Match Factory, a new tool launched four months ago that promised marketers it would "securely match as many e-mail addresses from your list with Facebook accounts as possible." It was created by 3dna, a Los Angeles-based software developer that makes tools for political activists.

Facebook's terms of service prohibit anyone from accessing the site or collecting user information "using automated means (such as harvesting bots, robots, spiders, or scrapers)."

That's exactly what Match Factory did. It sent more than 37,000 automated requests to Facebook over the last few months to pull user IDs -- and didn't hear a peep from Facebook in response.

"I have not talked to Facebook," Match Factory creator Jim Gilliam told CNNMoney last week. "They haven't complained to me at all."

Gilliam said he wasn't aware that Match Factory's automated data gathering violated Facebook's policies.

CNNMoney asked Facebook about Match Factory -- and on Friday, Facebook cut off the tool's access to its platform.

"The impact was extremely small and no private information was shared," Facebook spokesman David Swain said of Match Factory's data gathering. "We were able to take immediate action to shut down the service in question."

But Match Factory isn't the only one linking e-mail addresses to Facebook identities without users' explicit permission. Other data aggregation companies, including Pipl and Wink.com, also have big stashes of Facebook IDs.

Some fly under Facebook's radar; others, like Pipl, navigate the gray area of what Facebook allows. Pipl doesn't directly sell the data it gathers -- its business model is to run ads on pages that display all the personal information it has amassed.

Right now, your Facebook user ID is mostly valuable to direct marketers and political campaigns, but insurance companies and prospective employers are starting to take interest too. Privacy experts say the market for your information will keep expanding.

The battle zone

Facebook's in an unenviable position: Its entire reason for being is to encourage members to connect and broadcast personal information. The more you share, the stronger Facebook's business model becomes. But the site is also trying to balance that against a pledge to respect its members' privacy preferences.

"Facebook is committed to providing users a safe and secure experience, and we work aggressively to develop technical and human solutions to keep people in control of their information," Facebook spokesman Swain said.

Facebook has a history of shooting itself in the foot, though, when it comes to dealing with privacy concerns.

After the Rapleaf firestorm -- which included the revelation that some Facebook application developers were selling user IDs to data aggregators -- Facebook announced that it had a solution: It would ban all applications from sharing user IDs with outside parties.

Developers freaked out, and leapt on an obvious flaw in that plan: For-profit applications often use third-party virtual currency companies like Tapjoy (formerly Offerpal) monetize their apps. So Facebook went back to the drawing board, and is working to finalize a new technical policy that will keep information from data brokers but allow developers to work with advertisers and payment companies. The new rules are slated to take effect Jan. 1.

That doesn't solve the bigger problem: Facebook is sitting on a massively valuable data stash of information that users make available publicly, and keeping it away from commercially motivated data harvesters is an arms race.

Deleting information after the fact -- as Rapleaf did -- doesn't wipe it from the record books.

Some Rapleaf customers, including popular e-mail add-on Rapportive, appear to still be using saved versions of the Facebook data Rapleaf previously provided. Queries run through Rapportive's system last week by Awareness Inc.'s Dindayal returned Facebook user names.

Rapportive did not respond to several requests for comment.

"The genie is out of the bottle," Dindayal said. "Once the information is out, it's impossible to know who has a copy of it." To top of page

Frontline troops push for solar energy
The U.S. Marines are testing renewable energy technologies like solar to reduce costs and casualties associated with fossil fuels. Play
25 Best Places to find rich singles
Looking for Mr. or Ms. Moneybags? Hunt down the perfect mate in these wealthy cities, which are brimming with unattached professionals. More
Fun festivals: Twins to mustard to pirates!
You'll see double in Twinsburg, Ohio, and Ketchup lovers should beware in Middleton, WI. Here's some of the best and strangest town festivals. Play
Index Last Change % Change
Dow 16,450.95 -112.35 -0.68%
Nasdaq 4,328.31 -41.46 -0.95%
S&P 500 1,917.66 -13.01 -0.67%
Treasuries 2.50 -0.05 -2.07%
Data as of 11:55am ET
Company Price Change % Change
Bank of America Corp... 14.96 -0.29 -1.90%
Apple Inc 95.48 -0.12 -0.13%
Facebook Inc 71.91 -0.74 -1.02%
General Electric Co 25.16 0.01 0.03%
Microsoft Corp 42.96 -0.20 -0.46%
Data as of 11:40am ET

Sections

Malaysia Airlines was in major trouble even before the twin disasters of Flight 370 and Flight 17 claimed the lives of 537 people. More

The U.S. economy added 209,000 jobs in July. But that's lower than the number of jobs added In June ... and it was not as strong as what economists expected. More

Terrell White has had a profit-sharing plan for his employees since 1981, believing that if the staff isn't happy, guests won't be either. More

Get paid to go on vacation, receive a couple of bonus weeks at the end of the year or take as much time as you need. Such vacation policies are more than a dream at some small, niche -- and often tech-based -- companies. More

Market indexes are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer Morningstar: © 2014 Morningstar, Inc. All Rights Reserved. Disclaimer The Dow Jones IndexesSM are proprietary to and distributed by Dow Jones & Company, Inc. and have been licensed for use. All content of the Dow Jones IndexesSM © 2014 is proprietary to Dow Jones & Company, Inc. Chicago Mercantile Association. The market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. FactSet Research Systems Inc. 2014. All rights reserved. Most stock quote data provided by BATS.