• by Wendy Davis  @wendyndavis, November 3, 2010

Facebook told federal lawmakers that it prohibits developers from transferring users' names to other companies and deploys a "suite of sophisticated tools to detect and prevent" applications from doing so.

Nonetheless, the social networking service admitted that it only became aware of a policy breach three days before The Wall Street Journal published a story revealing that app developers sold users' names to at least one data broker.

"We first learned that an application developer might be intentionally transferring UIDs [user IDs] to a data broker on October 14, 2010. Upon confirmation of that fact on October 15, we immediately suspended the operation of that developer's applications," Facebook's Marne Levine, vice president for global public policy, wrote to Reps Ed Markey (D-Mass.) and Joe Barton (R-Texas), co-chairs of the bi-partisan privacy caucus.

The company's letter, made public on Wednesday, was sent in response to a list of questions from Markey and Barton about a report that app developers were transferring information about users' names to outsiders via referrer headers. Facebook said that many such transfers -- but not all -- appeared to have been inadvertent. But the company also said that it is requiring ad networks that received user IDs to delete them as a condition of continuing to run on the company's platform. "We see no reason for ad networks to store such UIDs," Facebook said.

While Facebook said that transferring users' names obtained via referrer headers to outside companies violated its terms of service, the company also said that doing so wasn't a privacy breach because referrer headers leak only "publicly available information."

Facebook considers users' names to be publicly available, but marketers and policymakers often consider people's names "personally identifiable information" -- and ad networks have long said that they don't collect identifying data without users' explicit consent. In addition, some companies can combine users' names with "anonymous" information about them gleaned from cookies that track sites visited.

Markey and Barton both said on Wednesday that they intend to continue to focus on online privacy. "It's good that Facebook was in a hurry to respond to our concerns, but the fact remains that some third-party applications were knowingly transferring personal information in direct violation of Facebook's privacy promises to its users," Barton said in a statement. "I want the Internet economy to prosper, but it can't unless the people's right to privacy means more than a right to hear excuses after the damage is done."

Markey added: "Facebook needs to protect personal consumer information to ensure that getting connected doesn't mean being unwittingly friended by data brokers and marketers."