Skip to Content

Facebook’s Latest Privacy Breach is Decades Old

A quirk of the Web has caught out the world’s largest social network.
October 19, 2010

The Wall Street Journal reported this weekend that some Facebook applications–such as games–share the unique number assigned to each of the social network’s half-a-billion members with third-party companies including advertising firms. But this latest Facebook privacy scare has actually been brewing for more than a decade. It’s all down to a “vulnerability” that was described back in 1999 by Tim Berners-Lee and others working on version 1.1 of the HTTP standard, and which underlies the Web: “The Referrer header allows reading patterns to be studied and reverse links drawn. Although it can be very useful, its power can be abused if user details are not separated from the information contained in [it].”

Here’s what that means: Every time your browser loads a new Web page, or a section of one, the server providing the data gets to know the address of the page that sent you there. The same process is at work when you’re interacting with an app inside Facebook, which means the app gets a Referrer header containing your unique Facebook ID. That ID is not exactly on a par with a Social Security number. It’s a public number that can be used to pull up the public version of a person’s profile page, which shows no more than a person has allowed to be seen publically. In most cases it’s enough to reveal a person’s name, though.

It’s not unusual for apps and Web services of all kinds to bundle up metrics and data on their users to share with third parties, and The Wall Street Journal says that bundles from some apps have contained user IDs. Facebook says that in most cases app makers “did not intend” to share IDs and it has reinstated some apps that suddenly disappeared after the Journal’s story appeared. As yet, there seems to be no evidence that user IDs were sold intentionally, or used to guide marketing efforts. It’s also debatable whether your ID number counts as personal information, and the extent to which Facebook was culpable. On the latter point, it’s clear that anyone with a good technical knowledge of the Web would be familiar with this somewhat ancient feature/bug of HTTP, including many at Facebook and elsewhere.

That being the case it seems surprising that, first, there’s apparently no established way to cash in on it and, second, no systems exist to head off the issue. As for a fix, one approach would be for companies like Facebook to design their systems to alter this built-in behavior. Another would be a clean-slate redesign of the Web, preventing the need for case-by-case fixes.

Deep Dive


Five poems about the mind

DREAM VENDING MACHINE I feed it coins and watch the spring coil back,the clunk of a vacuum-packed, foil-wrappeddream dropping into the tray. It dispenses all kinds of dreams—bad dreams, good dreams,short nightmares to stave off worse ones, recurring dreams with a teacake marshmallow center.Hardboiled caramel dreams to tuck in your cheek,a bag of orange dreams…

Work reinvented: Tech will drive the office evolution

As organizations navigate a new world of hybrid work, tech innovation will be crucial for employee connection and collaboration.

lucid dreaming concept
lucid dreaming concept

I taught myself to lucid dream. You can too.

We still don’t know much about the experience of being aware that you’re dreaming—but a few researchers think it could help us find out more about how the brain works.

panpsychism concept
panpsychism concept

Is everything in the world a little bit conscious?

The idea that consciousness is widespread is attractive to many for intellectual and, perhaps, also emotional
reasons. But can it be tested? Surprisingly, perhaps it can.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.