Facebook caught sending user data to advertisers
|
21 May 2010 |
| |
Facebook, MySpace and several other social-networking sites have been sending data to advertising companies that could be used to find consumers' names and other personal details, despite promises they don't share such information without consent.
The practice, which most of the companies defended, sends user names or ID numbers tied to personal profiles being viewed when users click on ads. After questions were raised by The Wall Street Journal, Facebook and MySpace moved to make changes. By Thursday morning Facebook had rewritten some of the offending computer code.
Advertising companies are receiving information that could be used to look up individual profiles, which, depending on the site and the information a user has made public, include such things as a person's real name, age, hometown and occupation.
Several large advertising companies identified by the Journal as receiving the data, including Google Inc.'s DoubleClick and Yahoo Inc.'s Right Media, said they were unaware of the data being sent to them from the social-networking sites, and said they haven't made use of it.
Across the Web, it's common for advertisers to receive the address of the page from which a user clicked on an ad. Usually, they receive nothing more about the user than an unintelligible string of letters and numbers that can't be traced back to an individual. With social networking sites, however, those addresses typically include user names that could direct advertisers back to a profile page full of personal information. In some cases, user names are people's real names.
Most social networks haven't bothered to obscure user names or ID numbers from their Web addresses, said Craig Wills, a professor of computer science at Worcester Polytechnic Institute, who has studied the issue.
The sites may have been breaching their own privacy policies as well as industry standards, which say sites shouldn't share and advertisers shouldn't collect personally identifiable information without users' permission. Those policies have been put forward by advertising and Internet companies in arguments against the need for government regulation.
View Full Image
facebook1
Bloomberg News
Facebook, MySpace and several other social-networking sites gave advertising companies information that could be used to look up individual profiles, which, depending on the site and the information a user has made public, include such things as a person's real name, age, hometown and occupation. Above, Facebook's headquarters in Palo Alto, Calif.
The problem comes as social networking sites in particular Facebook - face increasing scrutiny over their privacy practices from consumers, privacy advocates and lawmakers.
At the same time, lawmakers are preparing legislation to govern websites' tactics for collecting information about consumers, and the way that information is used to target ads.
In addition to Facebook and MySpace, LiveJournal, Hi5, Xanga and Digg also sent advertising companies the user name or ID number of the page being visited. (MySpace is owned by News Corp., which also owns The Wall Street Journal.) Twitter-which doesn't have ads on profile pages-also was found to pass Web addresses including user names of profiles being visited on Twitter.com when users clicked other links on the profiles.
For most social-networking sites, the data identified the profile being viewed but not necessarily the person who clicked on the ad or link. But Facebook went further than other sites, in some cases signaling which user name or ID was clicking on the ad as well as the user name or ID of the page being viewed. By seeing what ads a user clicked on, an advertiser could tell something about a user's interests.
Ben Edelman, an assistant professor at Harvard Business School who studies Internet advertising, reviewed the computer code on the seven sites at the request of the Journal.
"If you are looking at your profile page and you click on an ad, you are telling that advertiser who you are," he said of how Facebook operated, if a user had clicked through a specific path, before the fix. Mr. Edelman said he had sent a letter on Thursday to the Federal Trade Commission asking them to investigate Facebook's practices specifically.
The sharing of users' personally identifiable data was first flagged in a paper by researchers at AT&T Labs and Worcester Polytechnic Institute last August. The paper, which drew little attention at the time, evaluated practices at 12 social networking sites including Facebook, Twitter and MySpace and found multiple ways that outside companies could access user data.
The researchers said in an interview they had contacted the sites, which some sites confirmed. But nine months later, the issue still exists.
The issue is particularly significant for Facebook on two fronts: the company has been pushing users to make more of their personal information public and the site requires users to use their actual names when registering on the site.
A Facebook spokesman acknowledged it has been passing data to ad companies that could allow them to tell if a particular user was clicking an ad. After being contacted by the Journal, Facebook said it changed its software to eliminate the identifying code tied to the user from being transmitted.
"We were recently made aware of one case where if a user takes a specific route on the site, advertisers may see that they clicked on their own profile and then clicked on an ad," the Facebook spokesman said. "We fixed this case as soon as we heard about it."
Facebook said its practices are now consistent with how advertising works across the Web. The company passes the "user ID of the page but not the person who clicked on the ad," the company spokesman said. "We don't consider this personally identifiable information and our policy does not allow advertisers to collect user information without the user's consent."
The company said it also has been testing changing the formatting for the text it shares with advertisers so that it doesn't pass through any user names or IDs.
Privacy Problem
MySpace, Hi5, Digg, Xanga and Live Journal said they don't consider their user names or ID numbers to be personally identifiable, because unlike Facebook, consumers are not required to submit their real names when signing up for an account. They also said since they are passing along the user name of the page the ad is on, not for the person clicking on the ad, there is nothing advertisers can do with the data beyond seeing on what page their ad appeared.
MySpace said in a statement it is only sharing the ID name users create for the site, which permits access only to the information that a user makes publicly available on the site.
Nevertheless, a MySpace spokeswoman said the site is "currently implementing a methodology that will obfuscate the 'FriendID' in any URL that is passed along to advertisers."
A Twitter spokeswoman said passing along the Web address happens when people click a link from any Web page. "This is just how the Internet and browsers work," she said.
Although Digg said it masks a user's name when they click on an ad and scrambles data before sharing with outside advertising companies, the site does pass along user names to ad companies when a user visits a profile page. "It's the information about the page that you are visiting, not you as a visitor," said Chas Edwards, Digg's chief revenue officer.
The advertising companies say they don't control the information a website chooses to send them. "Google doesn't seek in any way to make any use of any user names or IDs that their URLs may contain," a Google spokesman said in a statement.
"We prohibit clients from sending personally identifiably information to us," said Anne Toth, Yahoo's head of privacy. "We have told them. 'We don't want it. You shouldn't be sending it to us. If it happens to be there, we are not looking for it."
|
Found this article interesting? Click the envelope below to email it to a friend!
 |
Original Article Link: |
http://online.wsj.com/article/SB10001424052748704513104575256701215465596.html
|
| |
Recent Technology News Articles |
Samsung announced a whole lot of new gizmos today, ranging from the new SF, RF, QX and NF series of note- and netbooks, a new Wave smartphone running on Samsung's open Bada OS to a 4G netbook. The new SF notebooks will come with 13.3", 14" and 15.6" size screens, run on Intel i3 and i5 dual-core CPUs and apparently will run for 7.5 hours, while recharging fully in two to three hours. Samsung also says the SF series will use the company's fast start technology, to get the notebook up, running and connected... | Google said Sept. 1 Gmail users made more than 10 million calls through its new Call Phones from Gmail feature since it launched a week ago. Launched Aug. 25, Call Phones from Gmail lets users place calls to contacts directly from Gmail. Calls placed from Gmail in the United States and Canada are free and start at 2 cents per minute outside those countries. The tool, which requires Google's voice and video plug-in, lets users click a Call Phone link. This opens a window with a dialer keypad. Users may... | Google could be ready to turn Gmail into a communications hub by adding the ability to make phone calls from the Google Chat interface. CNET has learned that Google is testing a Web-based service within Gmail that will allow users to place phone calls from their in-boxes. It's launched from the Google Chat window on the lower left-hand side of a Gmail page and allows users to place and receive calls from within their contacts through a user interface that strongly resembles the one used in Google Voice.... | Whether Google is liable for damages for secretly intercepting data on open WiFi routers across the United States is to be aired out in a Silicon Valley federal court. Eight proposed class-actions from across the country that seek unspecified monetary damages from Google were consolidated this week and transferred to US District Judge James Ware in San Jose, California. Another five cases are likely to join. The lawsuits allege Google violated federal and state privacy laws in collecting fragments of data... | While LTE starts rolling out from major U.S. carriers in 2011, the WiMAX Forum is hoping to have the so-called WiMAX 2 standard up and ready to go by the start of 2012. Declan Byrne, the marketing director for the WiMAX Forum industry group, says the WiMAX 2 standard, formally known as 802.16m, will be finalized by the Institute of Electrical and Electronics Engineers (IEEE) this November, with an eye toward certifying devices based on the standard throughout 2011. From there, he expects ISPs to start... | Despite signing up its 500 millionth member last month, the average amount of time spent on Facebook by a Briton has decreased from 30 minutes in December 2009, to 27.36 minutes during June and July 2010. The figures, collated by web-analytics firm Hitwise, show that Facebook is still the second most visited site in the UK, after Google, and that it accounts for one in every six web pages accessed in Britain. However, Robin Goad, Hitwises research director, believes that the figures show that Facebook is... | South Korean police raided Google's offices Tuesday to see whether the company broke local laws by collecting user data in kicking off its Street View service in the country. The Korean National Police Agency confirmed the probe of the search giant in a statement sent to Reuters and other news sources. "[The police] have been investigating Google Korea LLC on suspicion of unauthorized collection and storage of data on unspecified Internet users from Wi-Fi networks," the agency said in the statement. "We... | Kaspersky Lab, a leading developer of secure content management solutions, announces that the first malicious program classified as a Trojan-SMS has been detected for smartphones running on Google's Android operating system. Named Trojan-SMS.AndroidOS.FakePlayer.a, it has already infected a number of mobile devices. The new malicious program penetrates smartphones running Android in the guise of a harmless media player application. Users are prompted to install a file of just over 13 KB with the standard... | A reporter at the BBC has created a smartphone application which spies on the owner of the device, in an attempt to prove how straightforward it is to create malicious software for mobiles. Reporter Mark Ward designed a simple noughts and crosses game using a popular smartphone application toolkit. However, the crude game was a cover for a piece of malware, which hid under the hood gathering contacts, copying text messages, logging the phones location and sending it to a specially set up email address.... | Mobile satellite company Inmarsat has announced more details of a plan to expand its mobile broadband network delivered by satellite. In a statement this week, the company said it had agreed to purchase three 702HP Ka-band satellites from Boeing. The new satellites will be used to create the Inmarsat-5 constellation of satellites, which the company says will provide a worldwide high-speed mobile broadband service called Global Xpress. The new service is expected to be up and running by 2014 and will provide... | |
