Why your Facebook ID is marketers' Holy Grail

safe_gold_money.ju.top.jpg By David Goldman, staff writer

NEW YORK (CNNMoney.com) -- Armed with your e-mail address, data miners can hit Facebook and match it up with your user ID. That key unlocks a treasure trove of personal information.

At bare minimum, your ID provides access to your name and profile photo, no matter what privacy settings you have. Those who stick with Facebook's recommended settings will reveal even more: their location, hometown, list of friends, lots of photos, and many of their "likes," such as activities and interests.

That's a goldmine for companies that are trying to target their products to you.

"Once you have an ID you can look up the person," said Axel Schultze, CEO of Xeesm, a social media marketing software developer. That gives you access to all the information publicly available in their profile, and from that, "you can build correlations between all sorts of other data."

Robin Dindayal, director of product management at social marketing software company Awareness Inc., ran an experiment and plugged my Facebook ID into Facebook's Graph API. That's a tool Facebook makes available for programmers who want to connect to the site's platform.

The API returned a smattering of information about me, including my gender and geographic settings. A person -- or a machine -- can retrieve that data after starting with nothing more than my e-mail address. (You can follow our instructions on how to run the experiment with your own Facebook ID.)

"Combine this with an e-mail address and I can add you to a mailing list," Dindayal said. "Beyond that, some users within Facebook don't have their privacy settings set very high and even more information might be made available."

Facebook has technical safeguards in place intended to prevent data miners with massive lists of e-mail addresses from sucking in troves of public information about Facebook's users. But invaders keep slipping through the site's defenses.

A company named Rapleaf kicked off a backlash two months ago when press reports drew attention to its practice of collecting Facebook IDs and including them in the personal profiles it sells. The ways Rapleaf gathered the data violated Facebook's rules, and when caught, Rapleaf changed its methods. It recently deleted the Facebook information from its dataset.

But it's a game of whack-a-mole: Others have popped right up to fill the void.

Take Match Factory, a new tool launched four months ago that promised marketers it would "securely match as many e-mail addresses from your list with Facebook accounts as possible." It was created by 3dna, a Los Angeles-based software developer that makes tools for political activists.

Facebook's terms of service prohibit anyone from accessing the site or collecting user information "using automated means (such as harvesting bots, robots, spiders, or scrapers)."

That's exactly what Match Factory did. It sent more than 37,000 automated requests to Facebook over the last few months to pull user IDs -- and didn't hear a peep from Facebook in response.

"I have not talked to Facebook," Match Factory creator Jim Gilliam told CNNMoney last week. "They haven't complained to me at all."

Gilliam said he wasn't aware that Match Factory's automated data gathering violated Facebook's policies.

CNNMoney asked Facebook about Match Factory -- and on Friday, Facebook cut off the tool's access to its platform.

"The impact was extremely small and no private information was shared," Facebook spokesman David Swain said of Match Factory's data gathering. "We were able to take immediate action to shut down the service in question."

But Match Factory isn't the only one linking e-mail addresses to Facebook identities without users' explicit permission. Other data aggregation companies, including Pipl and Wink.com, also have big stashes of Facebook IDs.

Some fly under Facebook's radar; others, like Pipl, navigate the gray area of what Facebook allows. Pipl doesn't directly sell the data it gathers -- its business model is to run ads on pages that display all the personal information it has amassed.

Right now, your Facebook user ID is mostly valuable to direct marketers and political campaigns, but insurance companies and prospective employers are starting to take interest too. Privacy experts say the market for your information will keep expanding.

The battle zone

Facebook's in an unenviable position: Its entire reason for being is to encourage members to connect and broadcast personal information. The more you share, the stronger Facebook's business model becomes. But the site is also trying to balance that against a pledge to respect its members' privacy preferences.

"Facebook is committed to providing users a safe and secure experience, and we work aggressively to develop technical and human solutions to keep people in control of their information," Facebook spokesman Swain said.

Facebook has a history of shooting itself in the foot, though, when it comes to dealing with privacy concerns.

After the Rapleaf firestorm -- which included the revelation that some Facebook application developers were selling user IDs to data aggregators -- Facebook announced that it had a solution: It would ban all applications from sharing user IDs with outside parties.

Developers freaked out, and leapt on an obvious flaw in that plan: For-profit applications often use third-party virtual currency companies like Tapjoy (formerly Offerpal) monetize their apps. So Facebook went back to the drawing board, and is working to finalize a new technical policy that will keep information from data brokers but allow developers to work with advertisers and payment companies. The new rules are slated to take effect Jan. 1.

That doesn't solve the bigger problem: Facebook is sitting on a massively valuable data stash of information that users make available publicly, and keeping it away from commercially motivated data harvesters is an arms race.

Deleting information after the fact -- as Rapleaf did -- doesn't wipe it from the record books.

Some Rapleaf customers, including popular e-mail add-on Rapportive, appear to still be using saved versions of the Facebook data Rapleaf previously provided. Queries run through Rapportive's system last week by Awareness Inc.'s Dindayal returned Facebook user names.

Rapportive did not respond to several requests for comment.

"The genie is out of the bottle," Dindayal said. "Once the information is out, it's impossible to know who has a copy of it." To top of page

Just the hot list include
Frontline troops push for solar energy
The U.S. Marines are testing renewable energy technologies like solar to reduce costs and casualties associated with fossil fuels. Play
25 Best Places to find rich singles
Looking for Mr. or Ms. Moneybags? Hunt down the perfect mate in these wealthy cities, which are brimming with unattached professionals. More
Fun festivals: Twins to mustard to pirates!
You'll see double in Twinsburg, Ohio, and Ketchup lovers should beware in Middleton, WI. Here's some of the best and strangest town festivals. Play
Index Last Change % Change
Dow 32,627.97 -234.33 -0.71%
Nasdaq 13,215.24 99.07 0.76%
S&P 500 3,913.10 -2.36 -0.06%
Treasuries 1.73 0.00 0.12%
Data as of 6:29am ET
Company Price Change % Change
Ford Motor Co 8.29 0.05 0.61%
Advanced Micro Devic... 54.59 0.70 1.30%
Cisco Systems Inc 47.49 -2.44 -4.89%
General Electric Co 13.00 -0.16 -1.22%
Kraft Heinz Co 27.84 -2.20 -7.32%
Data as of 2:44pm ET


Bankrupt toy retailer tells bankruptcy court it is looking at possibly reviving the Toys 'R' Us and Babies 'R' Us brands. More

Land O'Lakes CEO Beth Ford charts her career path, from her first job to becoming the first openly gay CEO at a Fortune 500 company in an interview with CNN's Boss Files. More

Most stock quote data provided by BATS. Market indices are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer. Morningstar: © 2018 Morningstar, Inc. All Rights Reserved. Factset: FactSet Research Systems Inc. 2018. All rights reserved. Chicago Mercantile Association: Certain market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Dow Jones: The Dow Jones branded indices are proprietary to and are calculated, distributed and marketed by DJI Opco, a subsidiary of S&P Dow Jones Indices LLC and have been licensed for use to S&P Opco, LLC and CNN. Standard & Poor's and S&P are registered trademarks of Standard & Poor's Financial Services LLC and Dow Jones is a registered trademark of Dow Jones Trademark Holdings LLC. All content of the Dow Jones branded indices © S&P Dow Jones Indices LLC 2018 and/or its affiliates.