The Wall Street Journal maintains that it has discovered a concealed practice among social networks of sending users' ID numbers and/or names to advertising agencies every time the users click on ads, but that Facebook and MySpace have reacted expeditiously to the questions about it and have already changed much of the code that allowed this practice.
The problem with the advertising agencies being given this information is that they could use it to mine other personal data from the profiles of those users, if the users shared it with the network and if their privacy settings are set to minimum. The advertising agencies in question - including Yahoo's Right Media and Google's DoubleClick - claim that they haven't used the data because they didn't know the data was being sent in the first place.
It seems that the sending of this data could have occurred by mistake or simply by disregarding the fact that the address of the page from which someone clicked on an ad - if that page is of a social network - could contain user names or ID numbers. In an ideal world, this information should be obscured.
The question now raised is this one: "Haven't the social-networking sites been violating their own privacy policies and industry standards?"
Digg, LiveJournal, Hi5, Xanga and Twitter have also been caught sending the information. The Wall Street Journal asked Ben Edelman, an assistant professor at Harvard Business School and a connoisseur of Internet advertising, to have a look at the code of all seven sites in question. He confirmed their suspicions and even alerted the FTC to the offending practice, petitioning for a deeper investigation.
Incidentally, this is not the first time this issue has arisen. Researchers from AT&T Labs and Worcester Polytechnic Institute discovered the practice and published a paper about it in August of last year. They even notified the sites in question of their discovery, but nine months later, the issue still exists. It's obvious, then, that the we-didn't-know-about-it excuse can't work.
When contacted about it, the sites offered the following explanations.
Facebook - "We fixed this case as soon as we heard about it." They are also experimenting with changing the formatting of the address text so that no identifiable information is passed on.
MySpace, Hi5, Digg, Xanga and LiveJournal say that since their users aren't required to use their real names, they don't regard IDs and user names as relevant or personally identifiable. But still, MySpace is working on a method to obfuscate this information, and Digg scrambles the data before sending it on.
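The leak described above (the address of the page an ad was clicked from carrying a user name or ID) and the fix the sites describe (passing on an address with no identifiable information) can be checked with a small audit. This is an added example, not code from any of the sites or from the researchers; the parameter names, path markers, host name and IDs are constructed assumptions.

```javascript
// Constructed heuristics (assumptions): names that commonly carry a user identifier.
const ID_PARAMS = new Set(["id", "uid", "user", "userid", "username", "profile"]);
const ID_PATH_MARKERS = new Set(["profile", "profiles", "user", "users", "people"]);

// Return the identifiers a Referer URL would expose, plus an origin-only replacement.
function auditReferer(referer) {
  let url;
  try {
    url = new URL(referer);
  } catch {
    return { leaks: [], sanitized: "" }; // malformed or empty Referer: nothing to pass on
  }
  const leaks = [];
  for (const [name, value] of url.searchParams) {
    if (ID_PARAMS.has(name.toLowerCase()) && value !== "") {
      leaks.push({ where: "query", name, value });
    }
  }
  const segments = url.pathname.split("/").filter(Boolean);
  segments.forEach((seg, i) => {
    const next = segments[i + 1];
    if (ID_PATH_MARKERS.has(seg.toLowerCase()) && next !== undefined) {
      leaks.push({ where: "path", name: seg, value: next });
    }
  });
  // Origin only: scheme, host and port, with path, query and fragment dropped
  // (the same value a browser sends under "Referrer-Policy: origin").
  return { leaks, sanitized: url.origin + "/" };
}

// Constructed sample Referer values for ad clicks (hypothetical site and IDs).
const SAMPLE_REFERERS = [
  "http://social.example/profile.php?id=1234567&ref=nf",
  "http://social.example/users/jane.doe/photos",
  "http://social.example/news/today",
];

function auditAll(referers) {
  return referers.map((r) => ({ referer: r, ...auditReferer(r) }));
}

for (const row of auditAll(SAMPLE_REFERERS)) {
  const found = row.leaks.map((l) => `${l.where}:${l.name}=${l.value}`).join(", ") || "none";
  console.log(`${row.referer}\n  identifiers: ${found}\n  send instead: ${row.sanitized}`);
}
```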