Facebook: How much is your personal information worth?

How Instant Personalisation works

The implications of Instant Personalization are more serious than your discovering your boss's love for '80s boy bands. Partner sites can work with Facebook to learn a whole more about you than what you may have told them directly.

According to Peter Eckersley, senior staff technologist for the Electronic Frontier Foundation, the Instant Personalisation partner sites use JavaScript code and Ajax calls to get personally identifying information about you from Facebook. So if you already had an account on the Instant Personalisation partner site, that site can now see your Facebook information and your existing account information at the same time.

"[The Facebook partner sites] would see the usual cookie that they set in your browser, and the one that Facebook's API constructs using Ajax, simultaneously," says Eckersley. "The design of the Facebook API clearly anticipates that the website will do this."

Application Developers

Facebook applications are fun. According to All Facebook, which calls itself the "Unofficial Facebook Resource," the site's Facebook Application Leaderboard of applications with the highest monthly users shows that a variety of games, including Zynga's FarmVille, Texas HoldEm Poker and Café World, make up more than half of the top 20 applications.

However, fun comes at the cost of privacy. Once you accept an application on Facebook, it gets an all-access pass to your profile data. The application runs through an iframe (inline frame), a widely used HTML element that lets a site embed its content onto Facebook's site.

As a result, you're sending data directly to the third-party application's servers. Previously that server was required to refresh its Facebook data every 24 hours, but as of the April F8 conference, Facebook did away with that requirement. As a result, the outside parties can store user data for longer periods before refreshing it.

"You've authorized that application to do whatever it wants to do," says Thought Labs' Popp. And even if you don't use Facebook applications, your friends do.

Unless you've gone into the 'info accessible though your friends' portion of Facebook's "Applications, Games and Websites" privacy settings, your friends are taking your profile information with them on their farming and gambling adventures, without your knowledge, but in most cases with your tacit consent.

Game applications are big business. For instance, FarmVille maker Zynga is reportedly valued at as much as $4 billion. Plus, Facebook just revamped its Insights dashboard, which page owners and application developers can use to obtain data and graphic visualisations about social plugins and integrated site content to better understand their return on investment for using Facebook.

Hackers and Worms

Right now it's hard to know the worth of user data shared through Facebook's Instant Personalisation since the program is so new, but in the wrong hands such information could represent a large chunk of change.

A May article on TechCrunch reported a proof-of-concept exploit on Yelp that took advantage of cross-site scripting to grab Facebook addresses and other information. The exploit's author was a security consultant looking to prove a point. Yelp, which declined to be interviewed for this story, patched the vulnerability. No user data was stolen.

But other, genuine security threats are thriving on Facebook. The Koobface worm has been lurking on Facebook since 2008, growing more sophisticated with its ability to create an account, friend strangers, and join groups. And on Memorial Day weekend, hundreds of thousands of Facebook users encountered a clickjacking worm that duped them into "liking" pages that led to the installation of malware for perpetuating the worm's spread.

"The biggest danger that I can see is that they get your log-in credentials," says Beth Jones, senior threat researcher at Sophos Labs. The intruders can gain access to information such as mobile phone numbers, partial credit card numbers, and billing addresses stored in the Payments section of Facebook's account settings.

"That's where some of the true value of stealing these log-in details comes in," says Jones. "[Attackers] can start pulling off some really decent identity theft."

Identity theft can also occur when a snoop looks through Facebook profile data that privacy settings haven't locked down. "Unfortunately a lot of password-reset questions are answered in your profile," says the Electronic Frontier Foundation's Opsahl. So how much is your Facebook identity worth?

Researchers at VeriSign's iDefense recently reported that a hacker named Kirllos claimed he had 1.5 million Facebook accounts for sale for a price of $20 to $45 per 1000 accounts, depending on the number of contacts. According to a New York Times story, Facebook said that its own investigation did not find the claim credible. Facebook did not answer an interview request for this article.

Marketers and Advertisers

Companies selling everything from online dating services to lattes are thrilled that they can direct their advertising to Facebook's 400 million users through nine key demographic and psychographic filters.

"It offers the kind of targeting that marketers have been looking for for years," says Debra Aho Williamson, senior analyst for eMarketer.

In January, Einstein Bros Bagels ran a highly successful Facebook promotional campaign, offering new fans of its Facebook page a digital coupon for a free bagel and schmear. The company grew its fanbase from 7000 to 613,063 (as of this writing). In exchange for free food, Facebook users gave Einstein Bros feedback on food preferences, stores and who they are.

Reggie Bradford, CEO of social media management company Vitrue, calls Facebook pages a great way to get to know your fans. "There are features like polls, quizzes, or coupons, through those vehicles, you can collect all kinds of market research," says Bradford.

But how much are people like those rabid bagel eaters worth?

To answer that question, Vitrue created the Social Page Evaluator tool, which attempts to quantify the return on investment for a Facebook page. The tool places a $3,227,020 value on the Einstein Bros. Bagels page based on the number of fans, the posted content on the page, and the interaction between the two. Note: The dollar amount doesn't correlate to real-world dollars, but instead serves mostly as a way to compare the "value" between pages. You can evaluate your own Facebook page.

You could also say that Facebook users are worth the $605 million that eMarketer expects marketers to spend on worldwide Facebook advertising by the end of 2010. That's up from $435 million in 2009. eMarketer defines advertising as display, video, search, and other forms of advertising appearing within social network environments.

"Quantifying the value of a Facebook fan is something we're going to see a lot more of in the next year," says eMarketer's Williamson. Despite waves of privacy backlash, Facebook continues to thrive and to look for new ways to make money for itself and its partners. To do that, Facebook will continue to leverage its biggest asset: you.

"Facebook is a business. I don't think they have any ill will toward anyone, but they're going to do anything they can as a corporation to be successful," says Popp. "The onus of privacy is on the person using the web."