Facebook, MySpace and several other social-networking sites have been sending data to advertising companies that could be used to find consumers' names and other personal details, despite promises they don't share such information without consent.
The practice, which most of the companies defended, sends user names or ID numbers tied to personal profiles being viewed when users click on ads. After questions were raised by The Wall Street Journal, Facebook and MySpace moved to make changes. By Thursday morning Facebook had rewritten some of the offending computer code.
Advertising companies are receiving information that could be used to look up individual profiles, which, depending on the site and the information a user has made public, include such things as a person's real name, age, hometown and occupation.
Several large advertising companies identified by the Journal as receiving the data, including Google Inc.'s DoubleClick and Yahoo Inc.'s Right Media, said they were unaware of the data being sent to them from the social-networking sites, and said they haven't made use of it.
Across the Web, it's common for advertisers to receive the address of the page from which a user clicked on an ad. Usually, they receive nothing more about the user than an unintelligible string of letters and numbers that can't be traced back to an individual. With social networking sites, however, those addresses typically include user names that could direct advertisers back to a profile page full of personal information. In some cases, user names are people's real names.
Most social networks haven't bothered to obscure user names or ID numbers from their Web addresses, said Craig Wills, a professor of computer science at Worcester Polytechnic Institute, who has studied the issue.
The sites may have been breaching their own privacy policies as well as industry standards, which say sites shouldn't share and advertisers shouldn't collect personally identifiable information without users' permission. Those policies have been put forward by advertising and Internet companies in arguments against the need for government regulation.
The problem comes as social networking sites—and in particular Facebook—face increasing scrutiny over their privacy practices from consumers, privacy advocates and lawmakers.
At the same time, lawmakers are preparing legislation to govern websites' tactics for collecting information about consumers, and the way that information is used to target ads.
In addition to Facebook and MySpace, LiveJournal, Hi5, Xanga and Digg also sent advertising companies the user name or ID number of the page being visited. (MySpace is owned by News Corp., which also owns The Wall Street Journal.) Twitter—which doesn't have ads on profile pages—also was found to pass Web addresses including user names of profiles being visited on Twitter.com when users clicked other links on the profiles.
For most social-networking sites, the data identified the profile being viewed but not necessarily the person who clicked on the ad or link. But Facebook went further than other sites, in some cases signaling which user name or ID was clicking on the ad as well as the user name or ID of the page being viewed. By seeing what ads a user clicked on, an advertiser could tell something about a user's interests.
Ben Edelman, an assistant professor at Harvard Business School who studies Internet advertising, reviewed the computer code on the seven sites at the request of the Journal.
"If you are looking at your profile page and you click on an ad, you are telling that advertiser who you are," he said of how Facebook operated, if a user had clicked through a specific path, before the fix. Mr. Edelman said he had sent a letter on Thursday to the Federal Trade Commission asking them to investigate Facebook's practices specifically.
The sharing of users' personally identifiable data was first flagged in a paper by researchers at AT&T Labs and Worcester Polytechnic Institute last August. The paper, which drew little attention at the time, evaluated practices at 12 social networking sites including Facebook, Twitter and MySpace and found multiple ways that outside companies could access user data.
The researchers said in an interview they had contacted the sites, which some sites confirmed. But nine months later, the issue still exists.
Source:
S.wsj net
