
RapLeaf, Facebook, Data Mining, and Privacy

There is a good article in CNN Money about RapLeaf, its ties to Facebook, and the impact of data mining on privacy. In this latest data breach, RapLeaf obtained from Facebook applications (commonly referred to as "apps") the IDs of Facebook members, merged the data with its own database, and then resold that combined data to advertising networks.

You never heard of RapLeaf before? Neither had I. It is one of many information brokers like Acxiom, ChoicePoint, Spokeo, and Quantcast. This blog covered them, and now RapLeaf, too. The Facebook breach fiasco highlighted several related privacy issues. The issues I see affecting consumers:

  1. The Facebook apps never should have transmitted members' IDs and personal information, especially those Facebook members that had set their privacy settings to private. As I've written before, this breach questions whether Facebook is administratively and technically competent to keep private the personal information its members specify as private
  2. There are plenty of information brokers eager to do business with Facebook -- to access the sensitive personal information in Facebook members' profiles and apps. Several information brokers, like RapLeaf, already do business with Facebook
  3. RapLeaf combined the data it obtained from Facebook, including IDs from members who had specified their data stay private, and then resold that combined information to advertisers. RapLeaf later said it shouldn't have transmitted Facebook IDs and removed that data element from information it sells to advertisers
  4. The large network of data sharing relationships in #2 means your sensitive personal information will travel a lot further and faster to more companies and advertisers than you ever imagined. This is the "cost" of a free service like Facebook
  5. Information brokers' data mining efforts are getting more precise. Before they knew your lifestyle: car owned, rent vs. homeowner, favorite genres of films and music, favorite travel destinations, where you live, favorite websites, and purchases you made. Now they know your habits: when during the day you drive and destinations, the times of day you listen to certain genres of music, when you are at work versus traveling on business or pleasure, where you post messages from, and daily routines
  6. Many information brokers don't give consumers any control over the information they have collected about you. They view it as their information to use in other products and services, regardless of whether it is accurate, totally inaccurate or a mix. Consequences to the consumer be damned

CNN Money summarized the problem facing RapLeaf and information brokers:

"... privacy experts said they believe Rapleaf is being disingenuous. They noted that the company links users' names and e-mail addresses to many social networking profiles -- including Flickr, Friendster, LinkedIn, Twitter, Pandora, Wordpress, MySpace, Bebo, Tribe, Livejournal, Yelp and Amazon -- and sells that information to third-parties..."

I agree. Data miners like RapLeaf can't serve two masters. The drive for profits is too great. Consumers' privacy will be the loser.

While reading the CNN Money article, I also learned what a Klout Score is. Do you know your social media Klout Score? A better question might be: what information brokers know your Klout Score? A more insightful question might be: do you have control over who accesses your Klout Score? According to the number-crunchers at, my Klout Score (based on my Twitter account) is "5 - Explorer:"

"You actively engage in the social web, constantly trying out new ways to interact and network. You're exploring the ecosystem and making it work for you. Your level of activity and engagement shows that you "get it", we predict you'll be moving up."


After reading the CNN Money article, I browsed some of the RapLeaf blog and read the company's spin on its reselling of Facebook members' personal information and IDs:

"The underlying issue is with a piece of the HTTP header called the referrer URL. We recognize that referrer URLs are a major industry-wide problem with the structure of internet security, so Rapleaf has taken extra steps to strip out identifying information from referrer URLs. When we discovered that Facebook ids were being passed to ad networks by applications that we work with, we immediately researched the cause and implemented a solution to cease the transmissions."

Really? RapLeaf's information systems are totally reactionary without any quality controls or checks?

Okay, I get it. Facebook IDs were embedded into the referrer URL and RapLeaf didn't scrub the headers and remove said sensitive information. Sounds to me like the system was programmed for speed over both quality and privacy. Rapleaf corrected the problem later, but the damage had already been done.
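To make the referrer problem concrete, here is an added example (not code from RapLeaf, Facebook, or any app maker) that audits a capture of outbound requests for a user ID in the Referer header and shows the scrubbing step that was missing. The parameter names, hosts, and ID are constructed for illustration, and masking numeric path segments goes a little beyond the query-string case.

```javascript
// Added example: parameter names, hosts and the ID below are constructed.
const ID_PARAMS = new Set(["uid", "user_id", "id"]); // hypothetical identifying keys

// Reduce a referrer URL to something safe to forward: drop identifying query
// parameters, mask long numeric path segments, and discard the fragment.
function scrubReferrer(referrer, idParams = ID_PARAMS) {
  let url;
  try {
    url = new URL(referrer);
  } catch {
    return ""; // unparseable referrer: forward nothing
  }
  for (const key of [...url.searchParams.keys()]) {
    if (idParams.has(key.toLowerCase())) url.searchParams.delete(key);
  }
  url.pathname = url.pathname
    .split("/")
    .map((seg) => (/^\d{6,}$/.test(seg) ? "REDACTED" : seg))
    .join("/");
  url.hash = "";
  return url.toString();
}

// Audit captured requests: which third-party hosts received the user's ID
// in a Referer header?
function findReferrerLeaks(requests, userId, firstPartyHost) {
  const leaks = new Set();
  for (const { url, referer } of requests) {
    const host = new URL(url).hostname;
    if (host !== firstPartyHost && referer && referer.includes(userId)) {
      leaks.add(host);
    }
  }
  return [...leaks].sort();
}

// Constructed capture of requests made while an app page loads.
const sampleRequests = [
  { url: "https://apps.example/game/play?uid=1000000042&lvl=3", referer: "" },
  { url: "https://ads.example/pixel.gif", referer: "https://apps.example/game/play?uid=1000000042&lvl=3" },
  { url: "https://cdn.example/sprite.png", referer: "https://apps.example/game/" },
  { url: "https://tracker.example/t.js", referer: "https://apps.example/profile/1000000042/farm" },
];

console.log(findReferrerLeaks(sampleRequests, "1000000042", "apps.example"));
console.log(sampleRequests.map((r) => scrubReferrer(r.referer)));
```

Scrubbing on the receiving side only limits what gets stored or resold; the ID has already left the browser by then, so the more durable fix is for the app to keep IDs out of its URLs or send a restrictive `Referrer-Policy`.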

What exactly was the damage? In his Freedom To Tinker blog, Harlan Yu analyzed the Facebook app breach:

"Because of the way Zynga (the makers of FarmVille) crafts some of its URLs to include the user’s Facebook ID, the browser will forward this identifying information on to third parties. I confirmed yesterday evening that using FarmVille does indeed transmit my Facebook ID to a few third parties, including Doubleclick, Interclick and"

So, it's not just RapLeaf. Yu summarized well the threat to consumers:

"... allowing advertisers and other third parties to easily and definitively correlate a real name with an otherwise "anonymous" IP address, cookie, or profile is a dangerous path forward for privacy."

Dangerous, indeed. What do you think?

During the past few months, I have heard people comment on blog posts that, "online privacy is dead." I don't buy that. It is a lame excuse by corporate apologists and executives who want to do as they please with consumers' personal information without having to worry about disclosures, rules, accountability, or responsibility.

If the information brokerage and advertising industries can't police their companies to provide consumers with reasonable online privacy, then it will get sorted out in the courts. Several ISPs and technology firms already learned this the hard way with behavioral advertising. Meanwhile, some things consumers can do to maintain privacy online:




Addendum: if you want to learn more about RapLeaf, the Wall Street Journal ran a good, informative cover story today in its What They Know series:



One problematic thing with Facebook apps is something as seemingly trivial as apps that demand access to certain users' information before they can be used. Those who insist on privacy are deprived of such apps.


One problem? There are plenty of issues with apps. Transparency. Disclosure. Opt-in and not opt-out default. Quality Assurance that only the promised users' profile data is shared. The preview page for many FB apps is often insufficient disclosure and details.

New apps often override location based opt-out settings. This applies not only to Facebook but also many smart phone-based apps. Some of the issues with a proprietary, walled system.



I don't think that an effective privacy mechanism has been invented yet. I mean, FB is doing an o.k job, but they have a lot to aspire for.
