It's been months since the last major Facebook privacy debacle. I was beginning to lose hope. Thank goodness, then, for the news that the world's biggest social network has fumbled the ball yet again.
The Wall Street Journal is reporting that Facebook's largest apps, which collectively boast tens of millions of users, are capturing personally identifiable information about Facebook users and sharing it with advertisers -- violating both Facebook's and the app makers' own privacy policies.
In other words, as you're milking cows in Farmville, someone is milking you.
What's happening is a variation on something that happens on the Web a billion times a day. Whenever you click a hyperlink, the page you're sent to usually gets a "referrer URL" -- the address of the page from whence you came. This can be useful for sites wanting to analyze their traffic sources.
The same thing happens when you click an ad; this referrer URL lets advertisers know which sites are driving traffic to them and, in the case of pay-per-click ads, how much money they owe the referring site.
What's special about Facebook is that once you've logged in, the referrer URLs it generates may contain a unique identification number or, if you've opted for a personalized Facebook URL (like facebook.com/robertxcringely), your name. That gets passed along inside the URL to app makers, who then pass it on to advertisers and online data brokers, who add it to their trove of information about you.
Mike Vernal describes the problem and Facebook's response to it in Facebook's official developer blog (I've annotated with my own responses below):
We take user privacy seriously. We are dedicated to protecting private user data while letting users enjoy rich experiences with their friends. This more social Web will only occur if users trust that they are in control of their information.
1. Whenever anything starts with "We take user privacy very seriously," you know you're about to get screwed.
2. In this case, of course, users are not in control of their information -- and apparently neither is Facebook. So that makes it even Steven. Right?
Our policy is very clear about protecting user data, ensuring that no one can access private user information without explicit user consent. Further, developers cannot disclose user information to ad networks and data brokers. We take strong measures to enforce this policy, including suspending and disabling applications that violate it.
3. Except when they can. But why dwell on such things?
4. Also regular spankings. But only after they've gathered this information and sold it dozens of times. And then we'll quietly let them back into Facebook a few weeks later after people have forgotten about this. Those Farmville cows are so darned cute we just can't stay mad at them very long.