Chairman Rockefeller Presses Social Networking Sites Facebook & MySpace on Privacy Rules

October 26, 2010

WASHINGTON, D.C.—Senator John D. (Jay) Rockefeller IV, Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation, today sent letters to Facebook CEO Mark Zuckerberg and MySpace President Michael Jones requesting more information about privacy breaches reported in the Wall Street Journal.

According to Wall Street Journal reports, users of Facebook and MySpace have had their personal information, such as their user IDs, transferred to third-party companies without their knowledge. As reported by the Wall Street Journal:

  • Third-party applications have transferred Facebook users’ personal information to marketing firms, data brokers and tracking companies. This violates Facebook’s explicitly stated privacy policy.
  • MySpace has shared user IDs with third-party advertisers. This has happened after users clicked on advertisements or accessed affiliated third-party applications.

“These reports raise serious questions about social networking sites’ commitment to enforcing their own privacy policies on behalf of consumers,” Senator Rockefeller said. “As Chairman of the Senate Commerce Committee, I am dedicated to protecting American consumers from abuse and violations of their trust. I intend to find out whether today’s social networking sites are adequately protecting their users’ personal information.”

The text of Chairman Rockefeller’s letter to Mr. Zuckerberg follows:

Dear Mr. Zuckerberg:

Last week, an article in the Wall Street Journal revealed the apparent widespread practice of Facebook applications (or “apps”) transferring users’ personal information to marketing firms and tracking companies. I found the details of the Journal’s article troubling and write this letter to request further information on Facebook’s enforcement efforts with regard to the company’s Privacy Policy.

Facebook’s Privacy Policy makes clear that apps must not share personal information with outside parties. Section 4 states that when users connect to a Facebook app or website, “it will have access to General Information” about users, which includes “names, profile pictures, gender, user IDs, [and] connections.” The policy also declares: “Prior to allowing [applications and websites] to access any information about you, we require them to agree to terms that limit their use of your information (which you can read about in Section 9 of our Statement of Rights and Responsibilities)”. Next, Section 9 of the referenced Statement of Rights and Responsibilities states the requirements and obligations by which “Developers/Operators of Applications and Websites” must abide. The two most relevant directives to qualified apps and websites are below:

  • “You will not directly or indirectly transfer any data you receive from us to (or use such data in connection with) any ad network, ad exchange, data broker, or advertising related toolset, even if a user consents to that transfer or use.”
  • “You will not sell user data.”

According to the Wall Street Journal article, the ten most popular Facebook apps are in violation of these explicit prohibitions. The Journal reports that Facebook apps regularly collect and disseminate “Facebook IDs” to advertisers, data brokers, and other third parties. These IDs are presumably the “user IDs” referenced by your Privacy Policy as “General Information,” and are the publicly available usernames or unique individual numbers assigned to all Facebook users. The Journal article alleges that these IDs can be used to personally identify users. One company, RapLeaf, acquired user IDs from applications created by LOLapps Media Inc. and subsequently linked these ID numbers with information profiles the company had previously compiled on those individuals. If the Wall Street Journal article is accurate, the privacy of tens of millions of Facebook users could be seriously compromised in violation of the company’s stated policy.

The Journal’s report raises serious questions about Facebook’s commitment and ability to enforce its own explicit privacy policies on behalf of consumers. One quoted Facebook official asserts that, “[o]ur technical systems have always been complemented by strong policy enforcement, and we will continue to rely on both to keep people in control of their information.” However, given the scope of the reported privacy breach and the fact that Facebook’s most popular apps are not abiding by your company’s rules, this assertion appears to be strained. Consequently, I request that you provide answers – with specificity – to the following questions:

1) How does Facebook enforce its Privacy Policy relating to affiliated application operators and websites? What logistical protocols are in place to promote maximum compliance? What resources, including the number of personnel, does Facebook dedicate to monitoring and enforcing application operators’ compliance with its Privacy Policy?

2) What penalties does Facebook impose on application operators and websites that violate the company’s Privacy Policy? Are offending application operators allowed to continue to do business with Facebook?

3) Does Facebook take steps to retrieve information from application operators found in violation of the company’s Privacy Policy?

4) The Journal article quotes a Facebook official that asserts the company has “taken steps… to significantly limit RapLeaf’s ability to use any Facebook-related data.” What exactly does this mean?

5) According to the Journal article, there appears to be a pattern of privacy infractions involving Facebook applications. Specifically, what other past problems has Facebook encountered with regard to applications, and what steps did Facebook take to rectify them? Are these applications still available on Facebook’s platform?

6) To the extent that personal data has been shared in violation of Facebook’s Privacy Policy, what steps has Facebook taken to notify individual users as to the specific information that has been mishandled, and who has had access to that information?

Thank you for your prompt attention to this matter. In my position as Chairman of the Senate Commerce Committee, I am dedicated to protecting consumers from abuse and violations of their trust. In this regard, I fully intend to conduct oversight and formulate strong public policy that protects the privacy of American consumers. I look forward to receiving your response.

The text of Chairman Rockefeller’s letter to Mr. Jones follows:

Dear Mr. Jones:

Last week, an article in the Wall Street Journal revealed the practice of MySpace and affiliated applications (or “apps”) transferring user IDs to third-party advertisers. I found the details of the Journal’s article troubling and write this letter to request further information on MySpace’s Privacy Policy and how you enforce that stated policy.

The Journal reports that MySpace and MySpace apps shared Members’ user IDs with third-party advertisers when those Members clicked on advertisements or used third-party applications. According to the article, MySpace “had pledged to discontinue the practice of sending personal data when users click on ads after the Journal reported it in May.” Furthermore, a MySpace official asserts the company prohibits third party application operators from transferring user IDs to other third parties and further states that “[i]t has recently come to our attention that several third-party app developers may have violated these terms and we are taking appropriate action against those developers.” To the extent that your company has made such a pledge, I find the lack of enforcement disconcerting.

In addition to failing to adequately monitor third-party advertisers and applications, MySpace’s Privacy Policy provides insufficient basic privacy protections that other social networks employ. Buried in MySpace’s Privacy Policy is the following:

  • “Some of the advertisements that appear on MySpace Services may also be delivered to you by third party Internet advertising companies. These companies utilize certain technologies to deliver advertisements and marketing messages and to collect non-PII about your visit to or use of MySpace Services, including information about the ads they display, via a cookie placed on your computer that reads your IP address.”

Under the policy, user IDs are classified as non-personally identifiable information (or “non-PII”).

With regard to affiliated “third party applications... created by third party developers” and the use of Member information, MySpace’s Privacy Policy states the following:

  • “MySpace does not control the third party developers, and cannot dictate their actions. When a Member engages with a third party application, that Member is interacting with the third party developer, not with MySpace.”

Even with regard to personally identifiable information (PII) – which consists of the user’s “full name, email address, mailing address, telephone number, or credit card number” – MySpace’s Privacy Policy largely exonerates the company from the actions of any affiliated third-party; and places the onus on MySpace users who wish to protect this information:

  • “MySpace is not responsible for the privacy practices of websites or other services operated by third parties that are linked to or integrated with MySpace Services or for the privacy practices of third party Internet advertising companies. Once you leave MySpace Services via such a link, access a third party application (such as widgets) or click on an advertisement, you should check the applicable privacy policy of the third party or advertiser’s site to determine, among other things, how they will handle any PII they collect from you.”

The Journal’s report and MySpace’s current Privacy Policy raise serious questions about your commitment to develop and maintain strong privacy protections for consumers. Consequently, I request that you provide answers – with specificity – to the following questions:

1) Why does MySpace’s Privacy Policy place the responsibility on Members to control their personal information when interacting with affiliated apps and advertisers, when other social networking sites have more restrictive policies that better protect consumer privacy?

2) Why does MySpace’s Privacy Policy assert that the company “does not control” and “cannot dictate” the actions of third-party applications on how they retrieve and use Members’ information when other social networking sites impose limits on the use of such information?

3) The definition of PII is very narrow and does not capture a range of consumer information – such as user IDs – that could be used to identify MySpace Members. Please explain the rationale behind this narrow definition of PII and how it differs from personal information that is considered non-PII.

4) How does MySpace reconcile the explicit terms of its own Privacy Policy with the Journal’s report that the company “had pledged to discontinue the practice of sending personal data” to ad networks and similarly prohibited third-party application operators from doing so?

5) If MySpace has publicly pledged to prohibit such information transfers, how has this prohibition been enforced and what plans does MySpace have in place to effectively enforce its policy in the future?

Thank you for your prompt attention to this matter. In my position as Chairman of the Senate Commerce Committee, I am dedicated to protecting consumers from abuse and violations of their trust. In this regard, I fully intend to conduct oversight and formulate strong public policy that protects the privacy of American consumers. I look forward to receiving your response.

###