Rapleaf is selling your identity

Rapleaf shows consumers who enroll on its site only a small subset of the information it has amassed on them.

By David Goldman, staff writer

NEW YORK (CNNMoney.com) -- Rapleaf knows your name, your age and where you live. It knows your e-mail address, your income and what social networks you use. It knows your likes and dislikes. And it makes money by selling much of that personal information to advertisers.

Of course, Rapleaf is far from the only company that does this. Acxiom, ChoicePoint, Quantcast, and BlueKai also collect and sell your data, as do many others. Google (GOOG, Fortune 500), Facebook and other Web companies also gather data about you in an attempt to target very personal ads.

But Rapleaf was thrust into the spotlight this week after the Wall Street Journal reported that the San Francisco-based company obtained Facebook IDs from many of the social network's apps and sold those IDs to advertisers -- even from users who requested that data be kept private.

By merging a user's Facebook ID with other data about them, Rapleaf gave advertisers a detailed window into many Web users' personal information. In a recent blog post on the issue, Rapleaf called it "a serious potential privacy risk."

In passing on the information, the apps violated Facebook's terms of service agreement -- inadvertently, the developers say. And Rapleaf has been forced into the uncomfortable position of explaining how it maintains the privacy of the 400 million Web users it tracks while also selling their profiles to advertisers.

The company claims that it did not intend to transmit quite as much detail as it did.

"We do not sell Facebook IDs to ad networks," said Michael Hsu, spokesman for Rapleaf. "They were being sent because of technical issues with browsers today in which the referrer URLs were including them inadvertently."

What Rapleaf really knows

But a number of privacy experts said they believe Rapleaf is being disingenuous. They noted that the company links users' names and e-mail addresses to many social networking profiles -- including Flickr, Friendster, LinkedIn, Twitter, Pandora, WordPress, MySpace, Bebo, Tribe, LiveJournal, Yelp and Amazon -- and sells that information to third parties.

Rapleaf's API documentation includes Facebook IDs as a data point it offers.

"If Rapleaf hadn't gotten caught, they would have kept on doing it," Murray Jennex, professor of knowledge management at San Diego State University, said of the company's Facebook data harvest. "Social networks' terms of service are a loose barrier. They're a gray area that companies like Rapleaf try to get around, and they're not all that powerful a deterrent."

Rapleaf downplays to consumers how much it's tracking about them.

The company's site invites visitors to sign up for a Rapleaf account and "manage your info," but logging in won't show you the detailed profile Rapleaf has compiled: It displays only basic demographic information and broad interest categories. Rapleaf will tell you that it knows you like "social networks," but it won't reveal that it knows your Facebook, Pandora and Plaxo handles -- plus your Klout score, how often you tweet and what's on your Amazon wishlist.

(Updated: Late Thursday, after this article published, Rapleaf made changes to its site to display more of the personal data it has collected to those who enroll and log in to check their own profile.)

Rapleaf declined to comment. A spokesman said company executives were too busy to field further questions.

This isn't the first time Rapleaf has been accused of privacy violations. In 2007, CNET reported that the company operated two other subsidiaries that secretly shared information with one another to create extremely detailed profiles about users -- including their social network affiliations. Rapleaf quickly responded by merging all of its businesses under one brand.

Connecting the dots to your secrets

Rapleaf's Facebook ID misstep highlights a much larger issue: Even if one data aggregator doesn't share personally identifying information, customers of many data collectors can very easily link up different sources of information to discover things you thought couldn't be traced back to you.

"People don't really appreciate how much can be known about you online," Jennex said. "It's not just a single company doing this, it's everybody."

Using only a name, an e-mail address and information provided by data aggregators including Rapleaf, one privacy researcher -- who asked not to be identified because of his business dealings with several companies in the field -- ran a test combining all of the data from multiple sources. In 86% of his trials, the resulting profile linked the subject's name to his or her full, nine-digit social security number.

The security concerns are far-reaching.

"Here's the truth of the matter when it comes to data mining today: The data they collect will be used in ways they never imagined or intended," said Michael Fertik, CEO of privacy software maker ReputationDefender. "You can mash up huge data sets that were never meant to be mashed together, that are very specific."

Building databases about customers is hardly a new business, nor is it illegal or illegitimate. Telemarketers, political candidates and advertisers have been gathering information about people for years. Online, it's what Web users exchange in return for free services and content.

But the information is becoming far more precise. It's one thing for a marketer to know you're 40 years old and subscribe to travel magazines; it's another for them to know you're leaving Saturday for a week in Italy.

"What's different is that the information now is likely going to be accurate and specific, because it's coming from social networks like Facebook where you represent yourself as you really are," said Debra Williamson, senior analyst at eMarketer.

And as the data ooze spreads, so do the implications. If you talk on Facebook about your late credit-card payment -- or your cancer treatments -- there's a growing risk you'll be overheard.

"The consequences aren't only about advertising, because, in the scheme of things, who cares about that?" Fertik said. "What I'm worried about is health information and your life getting stolen from you. That moment of reckoning is coming."
