I am fairly late to this story, which I guess broke late yesterday, but once again Facebook is in a privacy mess, this time along with MySpace and other social networking sites.
Emily Steel and Jessica Vascellos, Facebook, MySpace Confront Privacy Loophole
Facebook, MySpace and several other social-networking sites have been sending data to advertising companies that could be used to find consumers’ names and other personal details, despite promises they don’t share such information without consent.
The practice, which most of the companies defended, sends user names or ID numbers tied to personal profiles being viewed when users click on ads. After questions were raised by The Wall Street Journal, Facebook and MySpace moved to make changes. By Thursday morning Facebook had rewritten some of the offending computer code.
Advertising companies are receiving information that could be used to look up individual profiles, which, depending on the site and the information a user has made public, include such things as a person’s real name, age, hometown and occupation.
Several large advertising companies identified by the Journal as receiving the data, including Google Inc.’s DoubleClick and Yahoo Inc.’s Right Media, said they were unaware of the data being sent to them from the social-networking sites, and said they haven’t made use of it.
Across the Web, it’s common for advertisers to receive the address of the page from which a user clicked on an ad. Usually, they receive nothing more about the user than an unintelligible string of letters and numbers that can’t be traced back to an individual. With social networking sites, however, those addresses typically include user names that could direct advertisers back to a profile page full of personal information. In some cases, user names are people’s real names.
Most social networks haven’t bothered to obscure user names or ID numbers from their Web addresses, said Craig Wills, a professor of computer science at Worcester Polytechnic Institute, who has studied the issue.
The sites may have been breaching their own privacy policies as well as industry standards, which say sites shouldn’t share and advertisers shouldn’t collect personally identifiable information without users’ permission. Those policies have been put forward by advertising and Internet companies in arguments against the need for government regulation.
If there was any doubt that privacy needs to be regulated, these last weeks have certainly proven the case.
[There is a bizarre back story to this. Apparently Marshall Kirkpatrick of ReadWriteWeb attacked the authors of the story for technical naivete, a point he lated retracted or at least ammended. As Alan Patrick comments on Broadstuff, “Sorry RWW, but the situation was pretty clear just from the WSJ article. Its just that the automatic position of the Silicon Valley A-List blogs seems to be to leap to Facebook’s defence these days. Quite why this is we can’t imagine.”
Yes, I agree. See Facebook Apologists Miss The Point: Facebook Isn’t The Future.]