Senator Sends Letters to Social Networking Sites Facebook and MySpace after Wall Street Journal Reports Privacy Breach

By Thomas Ahearn, ESR News Blog

Senator John D. (Jay) Rockefeller IV, Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation, has sent letters to the heads of two popular social networking sites – Facebook CEO Mark Zuckerberg and MySpace President Michael Jones – requesting more information about privacy breaches recently reported in the Wall Street Journal (WSJ), according to a press release from the Senator that includes the text of both letters.

Senator Rockefeller states in both letters that he is troubled by a recent Wall Street Journal investigative report revealing that Facebook, MySpace, and affiliated applications (or “apps”) were transferring user IDs and users’ personal information to marketing firms, tracking companies, and third-party advertisers without the users’ knowledge. As reported by the WSJ:

  • Third-party applications have transferred Facebook users’ personal information to marketing firms, data brokers and tracking companies. This violates Facebook’s explicitly stated privacy policy.
  • MySpace has shared user IDs with third-party advertisers. This has happened after users clicked on advertisements or accessed affiliated third-party applications.

Senator Rockefeller is quoted in the press release saying that these reports “raise serious questions about social networking sites’ commitment to enforcing their own privacy policies on behalf of consumers” and that, as Chairman of the Senate Commerce Committee, he intends to “find out whether today’s social networking sites are adequately protecting their users’ personal information.”

In the letter to Facebook CEO Mark Zuckerberg, Senator Rockefeller requests answers – with specificity – to the following questions:

  • 1) How does Facebook enforce its Privacy Policy relating to affiliated application operators and websites? What logistical protocols are in place to promote maximum compliance? What resources, including the number of personnel, does Facebook dedicate to monitoring and enforcing application operators’ compliance with its Privacy Policy?
  • 2) What penalties does Facebook impose on application operators and websites that violate the company’s Privacy Policy? Are offending application operators allowed to continue to do business with Facebook?
  • 3) Does Facebook take steps to retrieve information from application operators found in violation of the company’s Privacy Policy?
  • 4) The Journal article quotes a Facebook official that asserts the company has “taken steps… to significantly limit RapLeaf’s ability to use any Facebook-related data.” What exactly does this mean?
  • 5) According to the Journal article, there appears to be a pattern of privacy infractions involving Facebook applications. Specifically, what other past problems has Facebook encountered with regard to applications, and what steps did Facebook take to rectify them? Are these applications still available on Facebook’s platform?
  • 6) To the extent that personal data has been shared in violation of Facebook’s Privacy Policy, what steps has Facebook taken to notify individual users as to the specific information that has been mishandled, and who has had access to that information?

In the letter to MySpace President Michael Jones, Senator Rockefeller requests answers – again, with specificity – to the following questions:

  • 1) Why does MySpace’s Privacy Policy place the responsibility on Members to control their personal information when interacting with affiliated apps and advertisers, when other social networking sites have more restrictive policies that better protect consumer privacy?
  • 2) Why does MySpace’s Privacy Policy assert that the company “does not control” and “cannot dictate” the actions of third-party applications on how they retrieve and use Members’ information when other social networking sites impose limits on the use of such information?
  • 3) The definition of PII is very narrow and does not capture a range of consumer information – such as user IDs – that could be used to identify MySpace Members. Please explain the rationale behind this narrow definition of PII and how it differs from personal information that is considered non-PII.
  • 4) How does MySpace reconcile the explicit terms of its own Privacy Policy with the Journal’s report that the company “had pledged to discontinue the practice of sending personal data” to ad networks and similarly prohibited third-party application operators from doing so?
  • 5) If MySpace has publicly pledged to prohibit such information transfers, how has this prohibition been enforced and what plans does MySpace have in place to effectively enforce its policy in the future?

The protection of Personally Identifiable Information (PII) of individuals – such as names, birthdates, addresses, identification such as Social Security Numbers (SSN) and driver’s licenses, and financial data – should be reflected in the Privacy Policy of every company.

Employment Screening Resources (ESR) does not re-sell or “offshore” Personally Identifiable Information (PII) of individuals and all domestic background checks are performed exclusively in the United States. Once Personally Identifiable Information is offshored and leaves the U.S., the PII is beyond the reach of U.S. privacy laws. A large number of background screening firms have also taken a position against offshoring Personally Identifiable Information at

For more information about Employment Screening Resources (ESR), visit

Employment Screening Resources (ESR) literally wrote the book on background checks with ‘The Safe Hiring Manual’ by ESR founder and President Lester Rosen. ESR is recognized as Background Screening Credentialing Council (BSCC) Accredited by the National Association of Professional Background Screeners (NAPBS®) for proving compliance with the Background Screening Agency Accreditation Program (BSAAP).