WSJ Investigation Finds Facebook in Privacy Breach with Personally Identifiable Information (PII) of Users

By Thomas Ahearn, ESR News Blog

A recent Wall Street Journal (WSJ) investigation (see WSJ article ‘Facebook in Privacy Breach’) has found that many of the most popular “apps” (applications) on the world’s most popular social networking site, Facebook.com, have been transmitting Personally Identifiable Information (PII) of tens of millions of users – such as names and names of friends – to advertising and Internet tracking companies.

After a WSJ investigation showed that personal IDs were being transmitted to third parties via “apps” – pieces of software that let Facebook’s more than 500 million users play games or share common interests with one another – a Facebook spokesman said the social networking site would take steps to “dramatically limit” the exposure of the PII of users. The WSJ found that all of the 10 most popular apps on Facebook were transmitting PII. 

According to the WSJ investigation, the information transmitted – the unique “Facebook ID” number assigned to every user on the site – is a public part of any Facebook profile that anyone can use to look up names of users even if they have set their Facebook information to be private. For those profiles set to share information with “everyone,” the Facebook ID reveals data including age, residence, occupation, and photos.

As defined on Wikipedia.com, “Personally Identifiable Information (PII), as used in information security, refers to information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. The abbreviation PII is widely accepted, but the phrase it abbreviates has four common variants based on personal, personally, identifiable, and identifying. Not all are equivalent, and for legal purposes the effective definitions vary depending on the jurisdiction and the purposes for which the term is being used.”

In addition, Personally Identifiable Information “has become much more important as information technology and the Internet have made it easier to collect PII, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to plan a person’s murder or robbery, among other crimes. As a response to these threats, many web site privacy policies specifically address the collection of PII, and lawmakers have enacted a series of legislation to limit the distribution and accessibility of PII.”

According to Wikipedia, the following are often used for the express purpose of distinguishing individual identity, and thus are clearly PII under the definition used by the U.S. Office of Management and Budget:

  • Full name (if not common)
  • National identification number
  • IP address (in some cases)
  • Vehicle registration plate
  • Driver’s license number
  • Face, fingerprints, or handwriting
  • Credit card number
  • Digital identity
  • Birthday
  • Birthplace
  • Genetic information

The following are less often used to distinguish individual identity, because they are traits shared by many people. However, they are potentially PII, because they may be combined with other personal information to identify an individual.

  • First or last name, if common
  • Country, state, or city of residence
  • Age, especially if non-specific
  • Gender or race
  • Name of the school they attend or workplace
  • Grades, salary, or job position
  • Criminal record

For more information about PII, please visit Employment Screening Resources (ESR) News Blog for posts tagged ‘personally identifiable information’ at: http://www.ESRcheck.com/wordpress/tag/personally-identifiable-information/

For more information about background checks, visit Employment Screening Resources (ESR) at http://www.ESRcheck.com.

Sources:

http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html

http://en.wikipedia.org/wiki/Personally_identifiable_information