Facebook sent some user data to advertisers

Facebook appears to have violated its promise not to share "identifiable" user data with advertisers in a situation it says it has since corrected.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.

Facebook's privacy policy promises, in no uncertain terms, that it doesn't "share your information with advertisers without your consent." Only "non-personally identifiable" data, it says, are shared.

But the social-networking site confirmed late Thursday that it has, at least in some circumstances, sent the user name of a Facebook member to its advertising partners. That can be used to glean a person's name, interests, and list of friends.

A Facebook spokesman told CNET that the apparent privacy leak has been fixed.

News of this data sharing, which appeared in the Wall Street Journal on Thursday evening, could prove embarrassing to the social-networking site, which is already on the defensive after Washington politicians have been calling for regulatory action on privacy grounds and over a dozen advocacy groups have charged that Facebook engages in "unfair and deceptive" business practices.

Facebook's admission also may conflict with its previous statements. In a blog post last month, a company official wrote: "We don't share your information with advertisers unless you tell us to...Any assertion to the contrary is false. Period."

"We were recently made aware of one case where if a user takes a specific route on the site, advertisers may see that they clicked on their own profile and then clicked on an ad," the Facebook spokesman said on Thursday. "We fixed this case as soon as we heard about it. In addition, we have been working on ways to no longer include user IDs in Referer: URLs."

Browsers typically send a Web site, in what's called a Referer: field, the location of the page you last visited. This lets Web operators know where their visitors are coming from, and it's viewed as a perfectly normal and commonplace practice.

The rub: if you're logged into Facebook, the Referer: field can reveal your user name to advertisers.

Ben Edelman, an assistant professor at Harvard Business School who has a background in Internet advertising, described the problem in a new essay that says: "When a user views her own profile, or a page linked from her own profile, the '?ref=profile' tag is added to the URL--exactly confirming the identity of the profile owner." Facebook could eliminate any privacy concerns by configuring a different type of Referer: set-up, Edelman said.
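To make the mechanism concrete, the following added example (not code from Facebook, Edelman, or the original article) computes the Referer: value a browser sends on an ad click under each standard referrer policy and lists the policies under which the profile page's query parameters reach the ad host. The host names, the `id` parameter, and the ID value are constructed for illustration, and the "downgrade" test is simplified to an https page linking to a non-https target.

```javascript
// Added example: which Referer value a browser sends under each referrer policy.
// URLs and parameter names below are constructed, not taken from any real site.
const POLICIES = ["unsafe-url", "no-referrer-when-downgrade", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "same-origin", "origin", "strict-origin", "no-referrer"];

// Full URL with credentials and fragment removed, as browsers do before sending.
function stripped(u) {
  const c = new URL(u.href);
  c.username = ""; c.password = ""; c.hash = "";
  return c.href;
}

// Returns the Referer header value, or null when none is sent.
// Simplification: "downgrade" is approximated as https page -> non-https target.
function refererSent(pageUrl, destUrl, policy) {
  const page = new URL(pageUrl), dest = new URL(destUrl);
  const sameOrigin = page.origin === dest.origin;
  const downgrade = page.protocol === "https:" && dest.protocol !== "https:";
  const full = stripped(page), originOnly = page.origin + "/";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin": return originOnly;
    case "strict-origin": return downgrade ? null : originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      return sameOrigin ? full : (downgrade ? null : originOnly);
    default: throw new Error("unknown policy: " + policy);
  }
}

// Lists the policies under which any query parameter of the page reaches the ad host.
function leakyPolicies(pageUrl, destUrl) {
  const params = [...new URL(pageUrl).searchParams.keys()];
  return POLICIES.filter((p) => {
    const ref = refererSent(pageUrl, destUrl, p);
    if (ref === null) return false;
    const sent = new URL(ref).searchParams;
    return params.some((k) => sent.has(k));
  });
}

// Constructed scenario: a logged-in member on her own profile clicks a third-party ad.
const PROFILE_PAGE = "http://social.example/profile.php?id=1234567&ref=profile";
const AD_CLICK = "http://ads.example/click?ad=42";
console.log(leakyPolicies(PROFILE_PAGE, AD_CLICK));
```

Only the two policies that forward the full URL cross-origin expose the identifier; every origin-only or no-referrer policy keeps it on the originating site.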

Other social-networking sites

Other social-networking sites also included the Referer: field, but Facebook appears to be the only one that uses it--inadvertently or intentionally--to signal the identity of who's logged on.

That's not necessarily a privacy leak. If someone clicks on a theoretical advertisement on, say, Twitter.com/jessicaalba or Myspace.com/usher, the Referer: field won't reveal the identity of the reader.

And MySpace, Twitter, Digg, Xanga, and Live Journal downplayed the issue when contacted by the Journal, saying it was standard industry practice.

"While access to a MySpace 'FriendID' does not permit anyone access to information beyond what a user has already made publicly available, MySpace is currently implementing a methodology that will obfuscate the 'FriendID' in any URL that is passed along to advertisers," MySpace said in an e-mail statement.

Facebook acknowledged the issue and said it did not consider the data personally identifiable although it was nonetheless working to change its practice.

"As is common with advertising across the Web, the data that is sent in a referrer URL includes information about the Web page the click came from. This may include the user ID of the page but not the person who clicked on the ad. We don't consider this personally identifiable information and our policy does not allow advertisers to collect user information without the user's consent," a Facebook spokesman said in e-mail.

Edelman, however, says his analysis shows that the user name is frequently leaked. He pointed to a paper outlining precisely this issue written by AT&T Labs and Worcester Polytechnic Institute researchers, which was presented at a conference in Barcelona last August.

It's unclear whether any advertisers have acted on the information they received, but Google's DoubleClick and Yahoo's Right Media told the newspaper they were unaware of the situation and had not used any such data. In Google's case, as a result of DoubleClick's 2002 settlement with state attorneys general, advertisers (and not Google) own the data.