Facebook, the giant social network now under fire over its privacy practices, has been sending personal information to online advertising companies without its users’ consent, according to a Harvard Business School professor who filed a letter of complaint with the Federal Trade Commission Thursday.
“Facebook has been telling its users one thing and then doing the opposite,” Ben Edelman, an assistant professor at Harvard Business School, told DailyFinance Thursday. “Facebook never told anyone, anywhere, they were going to do this. It’s no longer about quality of disclosure, but about whether Facebook is telling the truth in the first place.”
Sending Data to Advertisers
According to Edelman, Facebook and other social networking sites including MySpace have been sending data to online ad giants that could be used to identify a user’s name, age, hometown and occupation — regardless of their privacy settings. Edelman said Google’s (GOOG) Doubleclick and Yahoo!’s (YHOO) Right Media had received data from MySpace, while Facebook had sent data to its ad partners.
Software giant Microsoft (MSFT), which invested $240 million in Facebook in 2006 for an equity stake and an advertising arrangement, didn’t immediately respond to requests for comment about whether it, too, has received Facebook users’ personal data. Microsoft is the exclusive provider of banner advertising and sponsored links on Facebook using Microsoft’s “digital advertising solutions,” according to a press release when the pact was announced.
The ad companies receive the data in the form of Web addresses from which the clicks originated. In the case of Facebook and others, those addresses have sometimes contained information that could be used to identify users.
“If you go to your own profile and then click on an ad, the advertiser will know who you are,” Edelman says. The Wall Street Journal first reported Edelman’s finding Thursday evening.
This Is Informed Consent?
The new revelation prompted Facebook and MySpace to change their policies, the paper reported, with Facebook making changes to its code Thursday. “We fixed this case as soon as we heard about it,” a Facebook spokesperson said in a statement to DailyFinance. “In addition, we have been working on ways to no longer include user IDs in referrer URLs.”
Facebook characterized the issues as a “loophole” and says it has now been closed.
To date, the Facebook privacy debate has centered on the complexity of Facebook’s settings, which makes them difficult to navigate. But the new report suggests for the first time that Facebook disclosed users’ personal data without their consent. In other words, even if you took the time to tweak your privacy settings — or even put your Facebook page on complete lockdown — your user information has still been at risk.
Google, Yahoo Claim Ignorance
Jeffrey Chester, executive director of the Center for Digital Democracy in Washington, D.C., said the disclosure that Facebook has “routinely turned over data-mined information to advertisers should not come as a surprise. Privacy groups have been telling regulators — especially the FTC — that consumer privacy has been at risk.”
In a statement, a Facebook spokesperson said the company was “recently made aware of one case where, if a user takes a specific route on the site, advertisers may see that they clicked on their own profile and then clicked on an ad. We fixed this case as soon as we heard about it.”
“As is common with advertising across the Web, the data that is sent in a referrer URL includes information about the Web page the click came from,” the Facebook spokesman continued. “This may include the user ID of the page but not the person who clicked on the ad. We don’t consider this personally identifiable information, and our policy does not allow advertisers to collect user information without the user’s consent.”
Both Google and Yahoo, which had been receiving user information, claimed Thursday that they were unaware they were even getting it, and said they had never used it. In a statement to DailyFinance, a Google spokesperson said the company “doesn’t seek in any way to make any use of any user names or IDs that their URLs may contain,” but wouldn’t elaborate.
Facebook Statement Raises Questions
This statement from Facebook raised additional questions. Facebook admits that the data “may include the user ID of the page,” and yet claims it doesn’t “consider this personally identifiable information.” On Facebook, the user ID is either a string of numbers or a user name you chose.
A Facebook spokesperson said he didn’t know how many users actually use a name in their user ID, which could be identifiable, but pointed out that people click on ads in Facebook outside their own profile page — for example, on fan or friend pages — in which case their user ID wouldn’t have been revealed.
But Edelman said advertisers could use seemingly anonymous numeric user IDs to identify individual users.
“Given a user number, you can get the user’s public profile page,” Edelman said. “All of that information is public by default. Even though it’s just a number I can still look you up, just as I can look you up based on your social security number.”
Don’t Collect This Data — We’ll Give It to You
Another question is why Facebook was sending information to advertisers that it prohibits them from collecting. Facebook says the improper information sharing occurred only when users clicked on the “Profile” link on their hompage, and then clicked on an ad, but the spokesman said he didn’t know how many instances of that occurred.
Online privacy advocates were not amused.
“Facebook and others have been disingenuous when saying they protect consumer privacy,” said Chester of the Center for Digital Democracy. “It’s all about stealthily monetizing our every social media move.”