Has Facebook lost control of the Platform?

This time around, Facebook may actually have seen its privacy Watergate: A report in The Wall Street Journal on Monday found that the phenomenal amount of personal information that Facebook members put in their profiles may indeed have been sold extensively to marketers, advertisers, and data collectors. The big question, appropriately enough, is what did Facebook know and when did it know it?

Here's what happened: When Facebook members agree to connect their Facebook credentials to any of the hundreds of thousands of applications that implement its third-party developer application programming interface (API), they are giving those developers access to their Facebook member ID numbers and in turn all publicly available information about them on Facebook (which includes names and lists of friends).

The problem, according to the Journal, is that some of these third-party companies, including extremely popular ones like FarmVille manufacturer Zynga, were selling that data to advertisers and tracking companies in violation of Facebook's terms of use. Some of those tracking companies, too, were matching up Facebook user data to other personally identifying information that they had on hand, in effect putting together puzzle pieces into clear pictures of unsuspecting users' identities.

Thus, beyond the "What did Facebook know?" question comes the accompanying concern that the company's powerful development platform has gotten so big that Facebook can no longer wrangle it.

It's no secret that the initial explosion of apps on the platform, well over three years ago, was what gave Facebook its first big "kick" as a major power in Silicon Valley. The expansion of the platform into Facebook Connect, one data firm said, was what ultimately pushed it past MySpace in U.S. traffic. Some of the most prominent Facebook app manufacturers were making a profit before Facebook was, and at one point a third-party assessment concluded that the platform was a bigger business than Facebook itself. So, in short, Facebook owes a lot to the success of third-party apps, and those apps in turn can credit much of their success to the fact that they've been able to build on top of Facebook's powerful grid of connections.

Things have obviously changed a bit: Facebook is now far more powerful in its own right, to the extent that some third-party companies have been criticized for being overly reliant on it to the point of being unsustainable. In turn, some of the biggest manufacturers of Facebook apps--namely Zynga, which may even employ more people than Facebook--have become so big and influential that they are forces with which Facebook must reckon whenever it makes major changes to the platform. These apps are responsible for a sizable chunk of Facebook's traffic and audience; if they disagree on something, or if Facebook appears to be wielding too much muscle, the app companies could leave altogether.

Facebook quite likely was not unaware of what was exposed in the Journal report. The developer platform has, time and again, been central to activist and regulator concerns about Facebook, and third-party abuse of the platform terms of service has repeatedly made headlines. "They've seen this before already, where they made changes to their privacy policy and made sure that their app vendors were aware that they were not supposed to be doing this because they'd had abuse previously," Chet Wisniewski, an analyst with security firm Sophos, told CNET today.

Facebook has said in the wake of the Journal report that it will "dramatically limit" how much information third parties can access. "Our technical systems have always been complemented by strong policy enforcement, and we will continue to rely on both to keep people in control of their information," a Facebook representative said late yesterday.

Indeed, over the years Facebook has gone after applications that forced users to spam their friends, exposed users' personal information, and shadily spread viruses. But for the most part, these were rogue apps and spammers rather than powerhouses like Zynga--which has admitted to sketchy dealings in the past but has since been working to legitimize and be regarded as a power player in Silicon Valley as a whole, not just the social-games business.

But most of the biggest news headlines alleging dodgy dealings among Facebook app makers only bring in Facebook peripherally. Until now, the most prominent scandal involving the Facebook developer platform was likely the Offerpal Media mess: Last year Offerpal, a company that lets Facebook game players and other app users complete offers and surveys to earn points and virtual currency, was criticized for giving consumers offers that actually had significant charges attached to them. App makers like Zynga started distancing themselves from Offerpal, but Facebook itself stayed mum--they weren't the ones partnering with Offerpal, after all--until this summer when it declined to select Offerpal as a partner for its Facebook Credits virtual currency. Offerpal responded with employee layoffs.

An 'artful dodge' by Rapleaf?
In the latest situation, some of the most questionable activity in this situation was also going on behind Facebook's back. One of the companies named in the Journal article was a company called Rapleaf, which has been acquiring Facebook user numbers and profiles from apps, matching them up to its own database of Internet users, and selling it to marketers.

"By not engaging with Facebook directly, they are not breaching any policies, which is sort of an artful dodge," Wisniewski said of Rapleaf. "If you look at who they engaged with, I think it tells even more. They were working with companies like Zynga who have admitted to defrauding Facebook users publicly and said that it was part of their business model when they started their business."

Three years ago, a CNET investigation into Rapleaf, a San Francisco-based "people search" company backed by early Facebook investor Peter Thiel, found that the company had been packaging up publicly available but difficult-to-compile data about tens of millions of individual Web users and using a side business called TrustFuse to sell it to marketers who could match it to e-mail addresses. In response to the report, Rapleaf revised its privacy policy.

Rapleaf has since rebranded from people search to a marketer insights company. "When we discovered that Facebook IDs were being passed to ad networks by applications that we work with, we immediately researched the cause and implemented a solution to cease the transmissions," a post today on the Rapleaf blog read, blaming the issue on the fact that Facebook profile URLs contain member ID numbers. "As of last week, no Facebook IDs are being transmitted to ad networks in conjunction with the use of any Rapleaf service."

Rapleaf may well become the new Offerpal--a brand working with app manufacturers rather than Facebook itself, which in the wake of bad press those app companies may wish to disassociate from. But with now two major Facebook Platform scandals that primarily implicate large and powerful third-party companies and their business partners, rather than Facebook's, the broader question becomes whether Facebook can actually do much to rein them in.

"There's not any solid technological measure that they can do to prevent it," Sophos' Chet Wisniewski said. "There's no real way for Facebook to prevent their app vendors from doing this aside from having a privacy policy and occasionally auditing their vendors."

Part of this, he said, is the fact that Facebook has grown so big so fast that it's chosen to prioritize engineering resources rather than a complex and effective security team. "I think that the business model on Facebook, and where they've invested their human resources and their technology resources, has focused on growth and sharing," Wisniewski explained. "There's other parts of the organization that I don't think they've invested well enough in that i think they need to catch up on. I think they can control it."

Tightening up its security forces could be highly effective. But Facebook may have been turning a blind eye to this intentionally, keeping the environment friendly and profitable for big companies like Zynga. It doesn't want those companies to take their games and other apps elsewhere. And, until now, users hadn't been aware of just how far their personal information may have been drifting across the Web and how many times it may have changed hands.

This may turn out to be the situation that forces Facebook to choose which side to take: the powerful app manufacturers who have boosted its service and traffic to new levels, or the users who built its valuable groundwork of profiles in the first place.