• by Wendy Davis , Staff Writer @wendyndavis, October 19, 2010

The revelation this week that app developers are sending Facebook users' names to advertisers -- in violation of the social networking sites' terms of service -- has already resulted in litigation, international headlines and an inquiry by Congress.

But for all the turmoil, news of the data leakage raises more questions than it answers. This much is known: Until May, the referrer headers sent by Facebook to advertisers when users clicked on ads included user IDs -- from which users' names can be gleaned. Additionally, as of this week, Facebook transmitted user IDs to app developers like Zynga when those users accessed apps like Farmville, according to The Wall Street Journal. Some of those developers then transmitted that information to other companies, including advertising networks and data brokers, the Journal reports.

But what's still unclear is the extent to which personally identifiable data was used by outside advertising companies. The Journal says that advertisers and data brokers who received the information could tie users' names to anonymous profiles based on their Web-surfing activity, and that at least one company, Rapleaf, linked the IDs of Facebook users to its own database.

Rapleaf says that it stopped transmitting Facebook IDs to ad networks last week. "The transmissions, when they occurred, were not a result of any purposefully engineered process by Rapleaf," the company says.

It's unknown how many companies pieced together the names of social networking users with their anonymous profiles and what became of the data. A dozen companies who received data from Rapleaf told the Journal that they didn't collect or use it.

But just the thought that advertisers can connect this information strikes some observers as problematic. "Allowing advertisers and other third parties to easily and definitively correlate a real name with an otherwise 'anonymous' IP address, cookie, or profile is a dangerous path forward for privacy," writes Harlan Yu on the Freedom to Tinker blog.

Meanwhile, Reps Ed Markey (D-Mass) and Joe Barton (R-Texas) sent Facebook a letter with a host of questions, including when it knew about the privacy breach, whether there have been similar breaches in the past, and how the company polices third party app developers.

While those questions are a good start, the full consequences of the privacy slip-up won't be known until data brokers and ad networks can shed light on what they did with users' names.