In Facebook’s vice president for public policy Elliot Schrage’s infamous Q&A session with the New York Times readers, he made this statement:
The privacy implications of our ads, unfortunately, appear to be widely misunderstood. People assume we’re sharing or even selling data to advertisers. We’re not. We have no intention of doing so. If an advertiser targets someone interested in boats, we’ll serve ad impressions to people with ‘boats’ on their profile somewhere. However, we don’t provide the advertiser any names or other personal information about the Facebook users who view or even click on the ads.
Either Schrage was lying, or he has no idea what his company actually does in practice. (Either one is problematic)
The Wall Street Journal reports today that Facebook, MySpace and other social-networking sites have been routinely — and quite openly, it turns out — sending data to advertising companies about users who click their ads that could be used to find consumers’ names and other personal details on the social networks, despite promises like Schrage’s that they don’t provide such information.
In the case of Facebook, the unique user ID is sent to the advertiser each time you click. The advertiser can then easily locate that user on Facebook, and since Facebook has deemed certain personal information permanently public — the user’s name, profile photo, gender, and pages she’s a fan of (now called “connections”) — the advertiser now can easily connect that personal information with the user who clicked its ad.
The kicker here is that Facebook knew about this 9 months ago, but didn’t do anything until now:
The sharing of users’ personally identifiable data was first flagged in a paper by researchers at AT&T Labs and Worcester Polytechnic Institute last August. The paper, which drew little attention at the time, evaluated practices at 12 social networking sites including Facebook, Twitter and MySpace and found multiple ways that outside companies could access user data.
The researchers said in an interview they had contacted the sites, which some sites confirmed. But nine months later, the issue still exists.
A Facebook spokesman acknowledged it has been passing data to ad companies that could allow them to tell if a particular user was clicking an ad. After being contacted by the Journal, Facebook said it changed its software to eliminate the identifying code tied to the user from being transmitted.
Honestly, nothing surprises me anymore regarding the increasingly reckless approach to user privacy taken by Facebook.
UPDATE: The WSJ has received some criticism (here and here) about their reporting of this story, with some suggesting that all that was happening was an ID passing through the referring URL — the typical way incoming links to a website operate. The WSJ responded, providing more detail as to how there was additional information being sent by Facebook beyond the norm:
Facebook was making it possible for advertisers to see ids for users who clicked (not just the profile url). This was happening through a ref equals profile code getting passed through after a user clicked on their profile and then an ad. Facebook acknowledged that this could be used to identify users who clicked, not just the profile of the user on whose page an ad appeared. They changed this after we alerted them to it, so it cannot currently be demonstrated.
Others are just passing urls on pages viewed but myspace and fb said — and we reported –are working to obscure those too as it could be construed as personally identifiable data about some users, if not the users who clicked. Of course, whether people view it as personally identifiable varies, as we say. They are, however, changing it.