May 21, 2010

Here we go again...

Sigh, this is classic for anyone who's worried about data privacy when developing web-based apps. The WSJ reports today that:

The practice, which most of the companies defended, sends user names or ID numbers tied to personal profiles being viewed when users click on ads. After questions were raised by The Wall Street Journal, Facebook and MySpace moved to make changes. By Thursday morning Facebook had rewritten some of the offending computer code.

Advertising companies are receiving information that could be used to look up individual profiles, which, depending on the site and the information a user has made public, include such things as a person's real name, age, hometown and occupation.

So if you click on an ad from your profile page, the referring URL is sent to the advertiser without being scrubbed. Looks like steps are being/have been taken by at least Facebook, but this is a rookie mistake. To ameliorate the sting of yet another Facebook privacy smack-down, other social networks are doing the same:

In addition to Facebook and MySpace, LiveJournal, Hi5, Xanga and Digg also sent advertising companies the user name or ID number of the page being visited. (MySpace is owned by News Corp., which also owns The Wall Street Journal.) Twitter—which doesn't have ads on profile pages—also was found to pass Web addresses including user names of profiles being visited on Twitter.com when users clicked other links on the profiles.

And don't tell me advertisers armed with URL referrers back to user profile pages are making sure they are getting users' consent before looking at the profiles.

Facebook said its practices are now consistent with how advertising works across the Web. The company passes the "user ID of the page but not the person who clicked on the ad," the company spokesman said. "We don't consider this personally identifiable information and our policy does not allow advertisers to collect user information without the user's consent."

A URL referrer (i.e., user ID of the page) is a technicality; if it goes back to the user's profile page then it is a breach of a policy not to divulge personally identifiable information to 3rd parties.
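To make the mechanism concrete, the sketch below computes the Referer header a browser would attach to an ad click from a profile page, and checks whether the profile ID survives. It is an added example, not code from the WSJ report or from any of the sites named; the URLs, the profile ID and the function names are constructed, and it models a subset of the Referrer-Policy header that browsers support today, with a simplified downgrade rule.

```javascript
// Added example: which Referer a browser sends for an ad click under a given
// Referrer-Policy. All URLs and IDs are constructed samples.

// The Referer header never carries the fragment or embedded credentials.
function stripForReferer(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/";
  u.hash = "";
  u.username = "";
  u.password = "";
  return u.href;
}

// Subset of the W3C Referrer Policy algorithm (five of the eight policies).
// Returns the Referer value, or null when no header is sent.
// Simplification: "downgrade" is modelled as https -> anything not https.
function refererFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  switch (policy) {
    case "unsafe-url": // full URL to everyone: the behaviour the article describes
      return stripForReferer(fromUrl, false);
    case "no-referrer":
      return null;
    case "origin":
      return stripForReferer(fromUrl, true);
    case "same-origin":
      return sameOrigin ? stripForReferer(fromUrl, false) : null;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return stripForReferer(fromUrl, false);
      return downgrade ? null : stripForReferer(fromUrl, true);
    default:
      throw new Error("policy not modelled: " + policy);
  }
}

// True when the Referer still carries the profile identifier in path or query.
function leaksProfileId(referer, profileId) {
  if (referer === null) return false;
  const u = new URL(referer);
  return (u.pathname + u.search).includes(profileId);
}

// Constructed sample: a profile page and a third-party ad click target.
const PROFILE = "https://social.example/profile.php?id=1234567890&ref=nav#wall";
const AD_CLICK = "https://ads.example.net/click?campaign=42";
```

Running `leaksProfileId(refererFor(policy, PROFILE, AD_CLICK), "1234567890")` for each policy shows that only the full-URL case hands the advertiser the profile ID; the origin-only policies send just `https://social.example/`.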

I repeat myself: I'm glad all of this is happening. Social media is growing up and it's the consumers that are ensuring that things are getting safer out there. Apparently when experts expose security issues the fixes languish:

The sharing of users' personally identifiable data was first flagged in a paper by researchers at AT&T Labs and Worcester Polytechnic Institute last August. The paper, which drew little attention at the time, evaluated practices at 12 social networking sites including Facebook, Twitter and MySpace and found multiple ways that outside companies could access user data.

I know it's hip to buck the established/academic technology world in social media tech circles, but sometimes these smarty-pants can actually help to prevent some embarrassing moments.

Facebook, MySpace Confront Privacy Loophole - WSJ.com
