A report in the Wall Street Journal indicates that a number of social networking sites (including Facebook, MySpace, and Digg) may be sharing users’ personal information with advertisers. Since the Journal started looking into this possible breach of privacy, both Facebook and MySpace have moved to make changes.
The practice is actually a somewhat defensible one–and most of the companies involved did try to defend it–in which the advertisers receive information on the last page viewed before the user clicked on their ad. This is common practice all over the web, and, in most cases, is no issue–advertisers receive information on the last page viewed, which cannot be traced back to the user. In the case of social networking sites, the information on the last page viewed often reveals user names or profile ID numbers that could potentially be used to look up the individuals.
Depending on what those individuals have made public, advertisers can then see anything from hometowns to real names.
The Journal interviewed some of the advertisers who received the data (including Google’s DoubleClick and Yahoo’s Right Media), who said they were unaware of the data and had not used it.
The real problem is, of course, that social networking sites have the ability to obscure user names and profile ID numbers from advertisers–but they simply haven’t. While many of the sites only reveal information about the last page viewed (which may not be the user’s profile and may therefore not reveal anything about that person), Facebook was a more serious offender as it sent information on both what profile was being viewed and who was doing the viewing.
Other sites, including MySpace, LiveJournal, Hi5, Xanga, Digg, and Twitter, revealed the user names and profiles being visited when the ad was clicked on.
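The obscuring described above, as an added example that is not from the article or from any site it names: a JavaScript audit that flags user names and profile IDs in the URL of the last page viewed, and produces an obscured form (scheme and host only) that could be passed to an advertiser instead. The URLs, parameter names and path prefixes are constructed for illustration and are assumptions, not any real site's format.

```javascript
// Added example. Hostnames, parameter names and path prefixes are hypothetical.
// Query parameters assumed to carry a user name or profile ID.
const ID_PARAMS = new Set(["id", "uid", "user", "profile", "viewer"]);
// Path segments after which the next segment is assumed to be a user name or profile ID.
const PROFILE_PREFIXES = new Set(["profile", "user", "users", "people"]);

// List the user-identifying parts of a "last page viewed" URL.
function findIdentifiers(lastPageUrl) {
  const url = new URL(lastPageUrl);
  const found = [];
  for (const [name, value] of url.searchParams) {
    if (ID_PARAMS.has(name.toLowerCase()) && value !== "") {
      found.push({ where: "query:" + name, value });
    }
  }
  const segments = url.pathname.split("/").filter(Boolean);
  segments.forEach((seg, i) => {
    if (PROFILE_PREFIXES.has(seg.toLowerCase()) && i + 1 < segments.length) {
      found.push({ where: "path:" + seg, value: segments[i + 1] });
    }
  });
  return found;
}

// What the site can hand to a third party instead: scheme and host only.
function obscureForAdvertiser(lastPageUrl) {
  return new URL(lastPageUrl).origin + "/";
}

// Audit pages that carry ads: which would expose a user if the URL were sent as-is?
function auditAdPages(urls) {
  return urls.map((u) => ({
    sentAsIs: u,
    exposes: findIdentifiers(u),
    sentObscured: obscureForAdvertiser(u),
  }));
}

// Constructed sample pages.
const samplePages = [
  "https://social.example/profile.php?id=1000123&viewer=1000456", // profile viewed and who is viewing
  "https://social.example/users/jane_doe/photos",                  // user name in the path
  "https://social.example/news/top-stories?page=2",                // nothing user-specific
];

for (const row of auditAdPages(samplePages)) {
  const exposed = row.exposes.map((e) => e.where + "=" + e.value).join(", ") || "no identifiers";
  console.log(row.sentAsIs, "->", exposed, "| obscured:", row.sentObscured);
}
```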
Ironically, these companies may be breaching their own terms and conditions–in which they promise not to share personal data with third parties without the user’s explicit consent and knowledge.
While Facebook has made changes to fix this privacy breach (it fixed some of the code Thursday morning), the other sites claim their user names are not personally identifiable, because they don’t require that users reveal their real names. Not only that, but “this is just how the Internet and browsers work,” according to a Twitter spokesperson.
According to Anne Toth, vice president of global policy and head of privacy at Yahoo, the advertisers don’t want this personally identifying information. “If it happens to be there, we are not looking for it,” she told the Journal.