Social Networks Caught Passing on Your Data to Advertisers

Social Networks Caught Passing on Your Data to Advertisers

As reported last week by The Wall Street Journal, despite the fact that social networking sites such as Myspace and Facebook say it ain’t so, they are sharing, without user consent,data with advertisers that may lead to the ad companies figuring out user’s personal information such as addresses, real names, etc…

According to the Wall Street Journal:

The practice, which most of the companies defended, sends user names or ID numbers tied to personal profiles being viewed when users click on ads. After questions were raised by The Wall Street Journal, Facebook and MySpace moved to make changes. By Thursday morning Facebook had rewritten some of the offending computer code.

Several large advertising companies identified by the Journal as receiving the data, including Google Inc.’s DoubleClick and Yahoo Inc.’s Right Media, said they were unaware of the data being sent to them from the social-networking sites, and said they haven’t made use of it.

You will notice, for instance in many social networking user pages the url often contains the actual ID numbers and username. Examples include not only Facebook and Myspace but Digg, LiveJournal, Xanga, Hi5 and even Twitter. For most of these  sites, the data identified the profile being viewed but not necessarily the person who clicked on the ad or link.  Facebook, though,  went further than others,. In some cases Facebook actually pointed out  which user name or ID was clicking on the ad as well as the user name or ID of the page being viewed. Observing which  ads a user clicked on, an advertiser could tell something about a user’s interests.

At the Wall Street Journal’s request, Ben Edelman, assistant professor at the Harvard Business School reviewed the computer code of 7 social sites. Of Facebook , he said:

“If you are looking at your profile page and you click on an ad, you are telling that advertiser who you are if a user had clicked through a specific path, before the fix.

Mr. Edelman  added his disdain to the mounting number of Facebook Practice Protesters by sending a letter on Thursday to the FTC asking them to investigate Facebook’s practices specifically.

A Facebook spokesman actually admitted it has been passing data to ad companies that could allow them to tell if a particular user was clicking an ad. Facebook said it changed its software to eliminate the identifying code tied to the user from being transmitted after being contacted by the Journal. Here is his quote:

We were recently made aware of one case where if a user takes a specific route on the site, advertisers may see that they clicked on their own profile and then clicked on an ad. We fixed this case as soon as we heard about it.

(The company passes along)the user ID of the page but not the person who clicked on the ad. We don’t consider this personally identifiable information and our policy does not allow advertisers to collect user information without the user’s consent.

Unlike the other social networks, Facebook requires the real name of the user when they register.In the Journal article, other networks responded to the question of how they are using ID and username information passed along in web addresses, etc… Here is the information they provided taken from that article:

MySpace said in a statement it is only sharing the ID name users create for the site, which permits access only to the information that a user makes publicly available on the site.

…A MySpace spokeswoman said the site is currently implementing a methodology that will obfuscate the ‘FriendID’ in any URL that is passed along to advertisers.

A Twitter spokeswoman said passing along the Web address happens when people click a link from any Web page. “This is just how the Internet and browsers work,” she said.

Although Digg said it masks a user’s name when they click on an ad and scrambles data before sharing with outside advertising companies, the site does pass along user names to ad companies when a user visits a profile page. “It’s the information about the page that you are visiting, not you as a visitor,” said Chas Edwards, Digg’s chief revenue officer.

The advertising companies say they don’t control the information a website chooses to send them. “Google doesn’t seek in any way to make any use of any user names or IDs that their URLs may contain,” a Google spokesman said in a statement.

“We prohibit clients from sending personally identifiably information to us,” said Anne Toth, Yahoo’s head of privacy. “We have told them. ‘We don’t want it. You shouldn’t be sending it to us. If it happens to be there, we are not looking for it.”

Leave a Reply