Facebook defends privacy practices to Congress

Letter from Facebook executive says reports of a privacy breach are "false" and due in part to a misunderstanding of how Web technology works.

Declan McCullagh
Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
2 min read

Facebook offered a pointed defense of its data protection practices in a letter to two members of Congress released today, saying recent reports of a privacy breach are "false" and misunderstood.

Marne Levine, the company's vice president for global public policy, said a widely circulated Wall Street Journal article last month was largely mistaken because it incorrectly claimed that the sharing of Facebook user IDs was a "privacy breach," when it did not "involve the sharing of any private user data."

In fact, Levine wrote (PDF), a Facebook UID "at most enables access only to information that a user has already chosen to share and make publicly available." In other words, if a Facebook user chooses to keep that information private, it won't be available to someone who knows a UID.

Facebook sent the letter last week to Rep. Ed Markey, a Massachusetts Democrat, and Rep. Joe Barton, a Texas Republican. A week earlier, the duo had asked Facebook CEO Mark Zuckerberg to respond to a series of questions they posed.

It's not clear how involved the two politicians, who have repeatedly pressed Internet companies over data collection, will be in technology regulation, when the new Congress convenes in 2011.

Because Rep. Rick Boucher (D-Va.) lost his bid for re-election, Markey could become the senior Democrat on an Internet subcommittee. And whether Barton or fellow Republican Fred Upton will become the next chairman of the full House Energy and Commerce Committee remains a toss-up. (Because Barton is running up against the GOP's term-limit rules for committee chairman, he'd need a waiver from party leadership.)

Levine's letter did acknowledge that Facebook had "identified a handful of applications that were intentionally sharing UIDs with a third-party data broker" in violation of the terms of service. "We have taken (i) enforcement action against the applications in question, and (ii) steps to ensure the deletion of the Facebook user data that was improperly transferred. The third-party data broker in question has also agreed not to operate on Facebook Platform in the future." (Here's a blog post with more details.)

In a statement released today, Barton pledged to hold hearings on the topic in the next Congress.

"The fact remains that some third-party applications were knowingly transferring personal information in direct violation of Facebook's privacy promises to its users," Barton said. "Millions of people put their information into the hands of Facebook and services like it because they believe what they're told about walls protecting their privacy."