Written by Marshall Kirkpatrick
In a jaw dropping move of bizarreness, Wall St. Journal writers Emily Steel and Jessica E. Vascellaro have called out major social networking websites tonight for violating user privacy apparently by passing profile page URLs to advertisers as the referring URLs when users click on ads. We’ve emailed both writers to ask for clarification in the event that they are in fact referring to something else, but haven’t heard back from them yet.
Update: Vascellaro has responded by email, emphasizing an apparently now-resolved if legitimate issue discussed vaguely as “in some cases” in the original story. Conflating that and the simple matter of referring URLs seems odd, to say the least. That said, it does appear that there was some grounds for debate around what was being communicated in some URLs. I’ve added some more thoughts, along with the text of Vascellaro’s more clear explanation by email, to the footer of this post. I don’t think the situation is as crazy now as I did when I first read it and wrote this post.
“Facebook, MySpace and several other social-networking sites have been sending data to advertising companies that could be used to find consumers’ names and other personal details, despite promises they don’t share such information without consent,” the article begins.
“Across the Web, it’s common for advertisers to receive the address of the page from which a user clicked on an ad. Usually, they receive nothing more about the user than an unintelligible string of letters and numbers that can’t be traced back to an individual. With social networking sites, however, those addresses typically include user names that could direct advertisers back to a profile page full of personal information. In some cases, user names are people’s real names.”
It’s just incredible. Go read it for yourself. Or don’t. The tone of the article implies that some major scandal has been broken wide open. To be fair, some other people we’ve spoken with tonight agree with the Journal’s assessment of the situation. This sure reads like anti-technology fear-mongering to me though, and I’ve been one of Facebook’s very loudest critics regarding privacy. Related but perhaps less surprising coverage of the Journal’s story comes from Gawker, with the over-the-top headline Facebook Secretly Sold Your Identity to Advertisers. Hello, pageviews!
The Journal writers do allude to something a step beyond referring URLs when they write: “But Facebook went further than other sites, in some cases signaling which user name or ID was clicking on the ad as well as the user name or ID of the page being viewed.” Those additional cases weren’t discussed any more explicitly.
The Journal coverage even went so far as to claim that some social networks changed their behavior once questioned by said venerable publication! Facebook, according the the Journal, eliminated those mysterious “other cases” upon being questioned. So problem fixed right?
Of course anyone who has ever looked at a website‘s traffic logs knows that referring URLs are shown to destination domains. [Ok, so that's not actually very many people in the world.] And yes, on social networks sometimes those URLs include profile names. As the Journal acknowledged, that doesn’t mean it was the profile owner who clicked on the ad.
As the Journal’s own coverage said:
That’s right. That’s just how the Internet works.
Privacy and Facebook are serious issues. It’s irresponsible and unhelpful to report on them like this. If we’re reading this wrong, then at the very least it’s being communicated poorly.
Update: Vascellaro’s email to us in response:
Facebook was making it possible for advertisers to see ids for users who clicked (not just the profile url). This was happening through a ref equals profile code getting passed through after a user clicked on their profile and then an ad. Facebook acknowledged that this could be used to identify users who clicked, not just the profile of the user on whose page an ad appeared. They changed this after we alerted them to it, so it cannot currently be demonstrated.Others are just passing urls on pages viewed but myspace and fb said — and we reported –are working to obscure those too as it could be construed as personally identifiable data about some users, if not the users who clicked. Of course, whether people view it as personally identifiable varies, as we say. They are, however, changing it.
Decide for yourself then, readers.
Updated upon further reflection: I think if it had been put like this, the WSJ story would have been more more clear: Facebook used to, in some cases, send referring URLs with logged-in user IDs inside the URL when a user clicked on an ad. The Journal alerted them to that situation and they now obfuscate those URLs. That’s good. Potential privacy situation dealt with. Unfortunately, this is something that is hard to explain to non-technical readers and in its attempt to do so, I believe the Journal’s coverage left more technical readers confused and concerned that all referring URLs were being criticized unfairly. That is my working understanding of the situation right now.