Armed with your e-mail address, data miners can hit Facebook and match it up with your user ID. That key unlocks a treasure trove of personal information.
At bare minimum, your ID provides access to your name and profile photo, no matter what privacy settings you have. Those who stick with Facebook's recommended settings will reveal even more: their location, hometown, list of friends, lots of photos, and many of their "likes," such as activities and interests.
That's a goldmine for companies that are trying to target their products to you.
"Once you have an ID you can look up the person," said Axel Schultze, CEO of Xeesm, a social media marketing software developer. That gives you access to all the information publicly available in their profile, and from that, "you can build correlations between all sorts of other data."
Robin Dindayal, director of product management at social marketing software company Awareness Inc., ran an experiment and plugged my Facebook ID into Facebook's Graph API. That's a tool Facebook makes available for programmers who want to connect to the site's platform.
The API returned a smattering of information about me, including my gender and geographic settings. A person -- or a machine -- can retrieve that data after starting with nothing more than my e-mail address. (You can follow our instructions on how to run the experiment with your own Facebook ID.)
"Combine this with an e-mail address and I can add you to a mailing list," Dindayal said. "Beyond that, some users within Facebook don't have their privacy settings set very high and even more information might be made available."
Facebook has technical safeguards in place intended to prevent data miners with massive lists of e-mail addresses from sucking in troves of public information about Facebook's users. But invaders keep slipping through the site's defenses.
A company named Rapleaf kicked off a backlash two months ago when press reports drew attention to its practice of collecting Facebook IDs and including them in the personal profiles it sells. The ways Rapleaf gathered the data violated Facebook's rules, and when caught, Rapleaf changed its methods. It recently deleted the Facebook information from its dataset.
But it's a game of whack-a-mole: Others have popped right up to fill the void.
Take Match Factory, a new tool launched four months ago that promised marketers it would "securely match as many e-mail addresses from your list with Facebook accounts as possible." It was created by 3dna, a Los Angeles-based software developer that makes tools for political activists.
Facebook's terms of service prohibit anyone from accessing the site or collecting user information "using automated means (such as harvesting bots, robots, spiders, or scrapers)."
That's exactly what Match Factory did. It sent more than 37,000 automated requests to Facebook over the last few months to pull user IDs -- and didn't hear a peep from Facebook in response.
"I have not talked to Facebook," Match Factory creator Jim Gilliam told CNNMoney last week. "They haven't complained to me at all."
Gilliam said he wasn't aware that Match Factory's automated data gathering violated Facebook's policies.
CNNMoney asked Facebook about Match Factory -- and on Friday, Facebook cut off the tool's access to its platform.
"The impact was extremely small and no private information was shared," Facebook spokesman David Swain said of Match Factory's data gathering. "We were able to take immediate action to shut down the service in question."
But Match Factory isn't the only one linking e-mail addresses to Facebook identities without users' explicit permission. Other data aggregation companies, including Pipl and Wink.com, also have big stashes of Facebook IDs.
Some fly under Facebook's radar; others, like Pipl, navigate the gray area of what Facebook allows. Pipl doesn't directly sell the data it gathers -- its business model is to run ads on pages that display all the personal information it has amassed.
Right now, your Facebook user ID is mostly valuable to direct marketers and political campaigns, but insurance companies and prospective employers are starting to take interest too. Privacy experts say the market for your information will keep expanding.
The battle zone
Facebook's in an unenviable position: Its entire reason for being is to encourage members to connect and broadcast personal information. The more you share, the stronger Facebook's business model becomes. But the site is also trying to balance that against a pledge to respect its members' privacy preferences.
"Facebook is committed to providing users a safe and secure experience, and we work aggressively to develop technical and human solutions to keep people in control of their information," Facebook spokesman Swain said.
Facebook has a history of shooting itself in the foot, though, when it comes to dealing with privacy concerns.
After the Rapleaf firestorm -- which included the revelation that some Facebook application developers were selling user IDs to data aggregators -- Facebook announced that it had a solution: It would ban all applications from sharing user IDs with outside parties.
Developers freaked out, and leapt on an obvious flaw in that plan: For-profit applications often use third-party virtual currency companies like Tapjoy (formerly Offerpal) to monetize their apps. So Facebook went back to the drawing board, and is working to finalize a new technical policy that will keep information from data brokers but allow developers to work with advertisers and payment companies. The new rules are slated to take effect Jan. 1.
That doesn't solve the bigger problem: Facebook is sitting on a massively valuable data stash of information that users make available publicly, and keeping it away from commercially motivated data harvesters is an arms race.
Deleting information after the fact -- as Rapleaf did -- doesn't wipe it from the record books.
Some Rapleaf customers, including popular e-mail add-on Rapportive, appear to still be using saved versions of the Facebook data Rapleaf previously provided. Queries run through Rapportive's system last week by Awareness Inc.'s Dindayal returned Facebook user names.
Rapportive did not respond to several requests for comment.
"The genie is out of the bottle," Dindayal said. "Once the information is out, it's impossible to know who has a copy of it."