Personal information from tens of millions of Facebook users has been leaked without their knowledge to advertisers and Web trackers by the social network's application makers, including creators of the popular games FarmVille and Texas HoldEm.
The back-door data trafficking revealed on Monday has forced the world's biggest social network once again to wrestle with the kind of privacy backlash that has dogged the company since it began connecting university students in a Harvard dorm room in 2004.
Canada's Privacy Commissioner, which has been the toughest cop on the Facebook beat, on Monday indicated that it might blow the whistle again.
"We have major concerns" about the latest reports, a spokeswoman for the Ottawa-based regulator said. "We are evaluating the possibility of launching an investigation."
Facebook, which is based in Palo Alto, Calif., has 500 million users worldwide. Canada is one of the social network's most active markets, with nearly half the population, or 16 million people, using it. According to the company, 70 per cent of its users activate an application each month.
Tamir Israel, a lawyer with the Ottawa-based Canadian Internet Policy and Public Interest Clinic, said Facebook's applications, or "apps," are very popular north of the border, and "it is a pretty safe assumption" that data were leaked from users in Canada.
Canada has been at the forefront of policing Facebook's privacy policies, backed by privacy Commissioner Jennifer Stoddart and some of the world's most stringent privacy laws. A privacy commission investigation launched in 2008 prompted Facebook to adopt global protections, the latest of which was an option this year to allow members to block advertisers and other apps from capturing and transferring personal information.
Despite these protections, a Facebook spokesman confirmed in a company blog on Monday a Wall Street Journal story that said personal information was leaked in violation of its privacy policies. The spokesman said that most of the leaks were inadvertent.
Kevin Bankston, a senior staff lawyer with San-Francisco-based Electronic Frontier Foundation, said the controversy raises questions about Facebook's ability to police the more 550,000 apps that operate on its site.
"This is a major privacy blunder. Another privacy blunder," he said. "If The Wall Street Journal can catch these leaks, why didn't Facebook?"
In a Facebook blog post, company engineer Mike Vernal said the social network's rules clearly say: "Developers cannot disclose user information to ad networks and data brokers. We take strong measures to enforce this policy, including suspending and disabling applications that violate it."
Mr. Vernal said the media have "exaggerated the implications" of the leaks, because mostly they involve only identification numbers that Facebook attaches to users. If users restrict outside access to their information, the identity or so-called UID numbers would yield only names. If users do not restrict access to their Facebook information, advertisers and web trackers could get information on friends, schools, employers, birthdates and other personal details.
"We are committed to ensuring that even the inadvertent passing of UIDs is prevented and all applications are in compliance with our policy," Mr. Vernal said.
Art Cockfield, a professor specializing in privacy law at Queen's University, said the misuse of Facebook information by application makers "is a clear violation of Canadian privacy law."
Even if Facebook was unaware of the leaks, he said, under Canadian law, the company "remains accountable for this misuse of personal information."
According to The Wall Street Journal, some of the highlighted apps have been suspended. However, some of the biggest names, including the wildly popular FarmVille, are still running. Farmville, designed by Zynga Game Network Inc., was also found to be distributing personal information about its users' friends, meaning information may have been disclosed about users who never played the game.
The most extensive use of Facebook personal information revealed by the Journal involved the San Francisco company RapLeaf, which sells profiles of individuals based partly on their online activities. RapLeaf, the newspaper said, obtained Facebook UID numbers from app makers and added the info to special dossiers on the individuals. That was then embedded in online tracking files to help ad companies target products to the individuals.
According to the Journal, RapLeaf transferred the information to a dozen advertising and data companies, including a unit of Google Inc., Invite Media. When contacted by the newspaper, the companies said they didn't collect, store or use the information.
Facebook's UID numbers can allow advertisers and Web tracking companies to find out individual users' names and habits to better target advertising campaigns.
Canada's privacy laws prohibit commercial enterprises from sharing personal data about customers without their explicit permission.