Facebook caught sending user info to advertisers

Posted May 21, 2010 at 5:40 a.m.

Facebook CEO Mark Zuckerberg delivers a keynote address, showing Facebook’s interconnectedness, at a conference in San Francisco in April. (AP Photo/Marcio Jose Sanchez)

Dow Jones Newswires-Wall Street Journal | Facebook, MySpace and several other social-networking sites have been sending data to advertising companies that could be used to find consumers’ names and other personal details, despite promises they don’t share such information without consent.

The practice, which most of the companies defended, sent user names or ID numbers tied to personal profiles being viewed when users clicked on ads. After questions were raised by The Wall Street Journal, Facebook and MySpace moved to make changes. By Thursday morning Facebook had rewritten some of the offending computer code.

Advertising companies were given information that could be used to look up individual profiles, which, depending on the site and the information a user has made public, include such things as a person’s real name, age, hometown and occupation.

Several large advertising companies identified by the Journal as receiving the data, including Google Inc.’s DoubleClick and Yahoo Inc.’s Right Media, said they were unaware of the data being sent to them from the social-networking sites, and said they haven’t made use of it.

Across the Web, it’s common for advertisers to receive the address of the page from which a user clicked on an ad. Usually, they receive nothing more about the user than an unintelligible string of letters and numbers that can’t be traced back to an individual. With social networking sites, however, those addresses typically include user names that could direct advertisers back to a profile page full of personal information.

Most social networks haven’t bothered to obscure user names or ID numbers from their Web addresses, said Craig Wills, a professor of computer science at Worcester Polytechnic Institute, who has studied the issue.

The sites may have been breaching their own privacy policies as well as industry standards, which say sites shouldn’t share and advertisers shouldn’t collect personally identifiable information without users’ permission. Those policies have been put forward by advertising and Internet companies in arguments against the need for government regulation.

The problem comes as social networking sites–and in particular Facebook–face increasing scrutiny over their privacy practices from consumers, privacy advocates and lawmakers.

At the same time, lawmakers are preparing legislation to govern websites’ tactics for collecting information about consumers, and the way that information is used to target ads.

In addition to Facebook and MySpace, LiveJournal, Hi5, Xanga and Digg also sent advertising companies the user name or ID number of the page being visited when a user clicked on an ad. Twitter also was found to pass Web addresses including user names of a profile being visited on Twitter.com.

Facebook went further than other sites, in some cases sending data on the person clicking on the ad as well as information on the page being viewed.

In the case of sites other than Facebook, the data identified the profile page being viewed, not necessarily the person who clicked on the ad or the link.

Ben Edelman, an assistant professor at Harvard Business School who studies Internet advertising, reviewed the code on the seven sites at the request of the Journal.

“If you are looking at your profile page and you click on an ad, you are telling that advertiser who you are,” he said of how Facebook operated before the fix. Mr. Edelman said he had sent a letter on Thursday to the Federal Trade Commission asking them to investigate Facebook’s practices specifically.

The sharing of users’ personally identifiable data was first flagged in a paper by researchers at AT&T Labs and Worcester Polytechnic Institute last August. The paper, which drew little attention at the time, evaluated practices at 12 social networking sites including Facebook, Twitter and MySpace and found multiple ways that outside companies could access user data.

The researchers said in an interview they had contacted the sites, which some sites confirmed. But nine months later, the issue still exists.

The issue is particularly significant for Facebook on two fronts: the company has been pushing users to make more of their personal information public and the site requires users to use their actual names when registering on the site.

A Facebook spokesman acknowledged it has been passing data to ad companies that could allow them to tell if a particular user was clicking an ad. After being contacted by the Journal, Facebook said it changed its software to eliminate the identifying code tied to the user from being transmitted.

“We were recently made aware of one case where if a user takes a specific route on the site, advertisers may see that they clicked on their own profile and then clicked on an ad,” a Facebook spokesman said. “We fixed this case as soon as we heard about it.”

The company said it also has been testing changing the formatting for the text it shares with advertisers so that it doesn’t pass through any user names or IDs.

“As is common with advertising across the web, the data that is sent in a referrer URL includes information about the web page the click came from,” the Facebook spokesman said. “This may include the user ID of the page but not the person who clicked on the ad. We don’t consider this personally identifiable information and our policy does not allow advertisers to collect user information without the user’s consent.”

MySpace, Hi5, Digg, Xanga and Live Journal said they don’t consider their user names or ID numbers to be personally identifiable, because unlike Facebook, consumers are not required to submit their real names when signing up for an account. They also said since they are passing along the user name of the page the ad is on, not for the person clicking on the ad, there is nothing advertisers can do with the data beyond seeing on what page their ad appeared.

MySpace said in a statement it is only sharing the ID name users create for the site, which permits access only to the information that a user makes publicly available on the site.

Nevertheless, a MySpace spokeswoman said the site is “currently implementing a methodology that will obfuscate the ‘FriendID’ in any URL that is passed along to advertisers.”

A Twitter spokeswoman said passing along the Web address happens when people click a link from any Web page. “This is just how the Internet and browsers work,” she said.

Although Digg said it masks a user’s name when they click on an ad and scrambles data before sharing with outside advertising companies, the site does pass along user names to ad companies when a user visits a profile page. “It’s the information about the page that you are visiting, not you as a visitor,” said Chas Edwards, Digg’s chief revenue officer.

The advertising companies say they don’t control the information a website chooses to send them. “Google doesn’t seek in any way to make any use of any user names or IDs that their URLs may contain,” a Google spokesman said in a statement.

“We prohibit clients from sending personally identifiably information to us,” said Anne Toth, Yahoo’s vice president of global policy and head of privacy. “We have told them. .. We don’t want it. You shouldn’t be sending it to us. If it happens to be there, we are not looking for it.”



  1. spellin May 21, 2010 at 7:20 a.m.

    Duly noted and posted to my page. I sure would hate to give up my Viking Clan, but if they’re going to sell me out, facebook can count on one less member.

  2. Cattin May 21, 2010 at 8:11 a.m.

    Class action suit, anyone?

  3. bisco4business May 21, 2010 at 8:16 a.m.

    They should be called Disgracebook!

  4. just saying May 21, 2010 at 8:24 a.m.

    Not too hard to believe from facebook, since their ads are so very much directly aimed at the user. For instance I am Irish and low & behold, I have advertising for Irish stuff. Do other groups have these advertisements? I don’t get any other race specific ads. And now if you want to share with your friends your place of employment etc., the whole world gets to know. Facebook is slowly loosing it’s purpose. They are going down a bad road. Am looking forward to a different site to come up for social networking. One that cares more about integrity than the buck.

  5. askbill May 21, 2010 at 8:39 a.m.

    Who cares. Are you really adversely effected? Find something real to get angry about. As a matter of fact, get off your Facebook-watching dead-*** and get a job.

  6. DD May 21, 2010 at 8:43 a.m.

    I always just assumed that when I clicked on an ad that the advertiser would capture my info. If you chose to disclose your personal info on a social networking site (religion? political affiliation? Come on!), then you should assume that it’s going to end up broadcasted to this advertiser hungry world.

  7. Bons May 21, 2010 at 8:45 a.m.

    I would not trust Facebook for anything!!!

  8. notleftbehind May 21, 2010 at 8:57 a.m.

    In the past two weeks, my personal att email account has been hit with so many ads. I never had spam coming into my att account until now. I have a Facebook page but only visit it once every few months. I believe Facebook is behind my now deluged email inbox. Boycott Facebook!

  9. N.R. Bovee May 21, 2010 at 8:59 a.m.

    AdBlock in Firefox will take care of most, if not all of the ads. And NEVER click on their ads-this only encourages them to put more of them out. These young punks idea of hard work is sitting at Starbucks all day while they design a web page laden with ads for people to click on.

  10. JeffRob May 21, 2010 at 9:08 a.m.

    Good for Facebook. This is the future. Get over it, people. If the idea of businesses using social networking to make purchasing the items you love easier for you is one that really gets under your skin, then by all means, drop everything.

  11. rick May 21, 2010 at 9:09 a.m.

    this company should be SUED big time then they’ll learn.

  12. Marcus Twain May 21, 2010 at 9:27 a.m.

    “Not too hard to believe from facebook, since their ads are so very much directly aimed at the user. For instance I am Irish and low & behold, I have advertising for Irish stuff. Do other groups have these advertisements? I don’t get any other race specific ads.”
    You probably don’t get race specific ads since you’re caucasian. Being Irish is an ethnicity, not a race.
    This clue has been brought to you by the letter “I”.

  13. sunny boner May 21, 2010 at 9:47 a.m.

    “Follow us on Facebook” …..”Become our fan on Twitter”….what the hell does all this crap mean anyway? I have no use for either of them.

  14. robert May 21, 2010 at 9:47 a.m.

    Hey all you Facebook users – now even more people are your “friends” than you first thought – hope you didn’t post anything inappropriate….smile your face and name is part of a marketing groups database

  15. Nicole May 21, 2010 at 9:49 a.m.

    What Facebook did was unethical, plain and simple. Made even worse by the face that Facebook made no effort to change it until the media noticed this was happening and called out Facebook on the issue. Be very afraid, y’all. And keep supporting traditional media, lest they all go under and then we have no watchdogs left.

  16. Emily May 21, 2010 at 9:49 a.m.

    I am addicted to FB to stay in touch with friends, share info and photos, etc. But this is just too much. I am disgusted and will be leaving as soon as I can back up all the important stuff (emails, photos, etc.).

  17. Everyday American May 21, 2010 at 9:54 a.m.

    HAHAHA @ all the people who put this stuff on a corporate-owned, publicly available website and then act shocked when a corporation undermines your interests. Are you people really that stupid, or do you actually intend to sell yourselves to the corporations on the installment plan?
    Corporations NEVER have your best interests in mind, and if you think they do, you are a SUCKER! It’s amazing just how naive and ignorant people in this country are. Don’t you people realize that when you post things to Facebook, as with most sites, you are giving them a degree of ownership rights to that property? Or do you just put it up there and ignorantly assume that the corporation is going to put your interests ahead of their profit?
    I’m kind of jealous of Zuckenberg for figuring out how to exploit our self-disrespecting, ignorant, self-important and generally just dumb population. I have absolutely NO sympathy for you fools. I’ve got to figure out how to exploit you wage slaves before you’re all sold out!

  18. The Truth May 21, 2010 at 9:58 a.m.

    Zuckenberg was right when he referred to Facebook users as “dumb f***s”.
    Cattin | May 21, 2010 8:11 AM | Reply
    Class action suit, anyone?
    Based on what? Because you failed to read the last terms of service you agreed to?

  19. KK May 21, 2010 at 10:03 a.m.

    Just permantently deleted my account

  20. Steve May 21, 2010 at 10:03 a.m.

    Easy solution – don’t click on the ads. If you see something that genuinely interests you, type in the web address directly.

  21. Cattin May 21, 2010 at 10:06 a.m.

    Get over yourself.

  22. MustafaP May 21, 2010 at 10:24 a.m.

    hay askbill what are you talking about “get off your Facebook-watching dead-*** and get a job”? These people are on their jobs checking facebook every second.

  23. pcjake May 21, 2010 at 10:59 a.m.

    Agreed. Who cares? Have any of you actually clicked on any of the ads?

  24. lab May 21, 2010 at 11:19 a.m.

    What else is new? They say they won’t and don’t, but don’t trust them. Once it’s out, you have no privacy. Always assume that when you are in an internet site that you have absolutely no privacy, even if the address contains “https.”

  25. Jill May 21, 2010 at 11:20 a.m.

    , ha, ha! You think no one is watching. It’s somewhat unnerving to know that these sites know more about you than you think. Linked In suggested a connection for me to a former colleague. Mind you, I had a totally blank profile for months, and it somehow figured out a connection between us. I would like to know just how this was noodle–other than tapping into your personal email addresses?

  26. Lawrence May 21, 2010 at 11:44 a.m.

    How is this any different than when you stop on Michigan Ave. and stare at a store front display at Nieman Marcus? Guess what – people can see you doing that, too! The internet is not private people!

  27. Joe1 May 21, 2010 at 1:04 pm

    anyone who is surprised at the money is everything and cheat to do it America was born yesterday/

  28. tina james May 21, 2010 at 1:06 pm

    YES YES YES – A hit to the wallet is the only thing that get’s their attention or don’t use it anymore, that will work too. I know it’s a hard concept for many thinkers to comprehend but your personal freedoms are increasingly being given up with each fad/bandwagon you attach yourself to. Just because it’s a new idea doesn’t make it a good one. Oops, good for the one who created it (ka ching) but unfortunately not for the dope who buys into it.

  29. HeyNow May 21, 2010 at 1:11 pm

    I don’t use Facebook, but I have relatives that do. I can’t believe some of the stuff they post on there. First off, they have these “friends” that see their pages, despite the fact that they may not even have spoken to that person in years. Yet they post when they are leaving their house, when they are on vacation, names of kids, where they live, etc. You’re basically asking to be robbed. Now this news about data being sold…I don’t understand the fascination with wanting everyone to know all of the details of your life.

  30. MB May 21, 2010 at 1:17 pm

    FYI Ireland is a country. Irish is a nationality, not an ethnicity.
    Ehtnicity refers to customs, beliefs and common language. Arguably Irish people may have some commonalities but being from a specific country only determines your citizenship. (IE I’m caucasion but if I were born in Mexico, my Nationality would be Mexican but my ethnicity could be otherwise.)

  31. Tom S. May 21, 2010 at 1:28 pm

    Is that the CEO or the CEO’s kid?

  32. Joe May 21, 2010 at 2:36 pm

    Facebook and MySpace are the new body piercings and tattoos in that they enable me to quickly identify the useless and stupid.

  33. Notamommy May 21, 2010 at 3:22 pm

    Their targeting doesn’t work well when you don’t click on the ads. I keep getting stuff that tells me how I can totally “beat the LSAT” — even though I graduated Law School two years ago — and how I can “get a $10,000 scholarship, MOMS ONLY!” even though I am and will always be child-free.

  34. Thin The Herd May 21, 2010 at 4:20 pm

    For a good % of social network users, it’s not so much getting a job, as doing it rather than being on FB or Twitter half the day.

  35. TT May 21, 2010 at 5:17 pm

    Tom S, that’s the CEO :o )

  36. Not Surprised May 21, 2010 at 8:13 pm

    I closed my FB account yesterday; monster.com aka yahoo.com and careerbuilder do the same thing. The call it behavioral targeting and they make money off people giving away their info. So if you dont want to give them a job, don’t put your business out there.

  37. Drew May 21, 2010 at 9:04 pm

    Well, unless the ones who are whining and moaning own stock in Facebook, there’s not much you can do about how FB operates. Since it doesn’t cost you anything to be a member of Facebook, and they certainly have operating costs, exactly how did you think they were making their money? If you’re not interested in the ads, don’t click on them. Common sense.