A report in the Wall Street Journal this evening reveals that Facebook, MySpace, Twitter, and a number of other popular social sites are passing along data that advertisers could potentially use to identify users who click their ads. The article is focused on Facebook in particular, which appears to have been passing along the most data of the aforementioned sites and has also been embroiled in a major privacy controversy.
The Journal article doesn’t get into too much technical detail, but it sounds like Facebook and the others are failing to scrub ‘referring’ URLs that are always passed along whenever a user clicks a link. This is actually normal behavior — typically when you click a link on a website, the site you’re being directed to will get to see where you came from. The issue is that these social sites include some identifying information as part of their URLs; when you visit a friend’s Facebook profile, the resulting URL might include both your friend’s username and your Facebook ID, which could be used to associate you with the ads you’re clicking on.
Update: Jessica Vascellaro, one of the writers on the WSJ article, has sent ReadWriteWeb more technical details on what Facebook was doing. Her explanation, in part (you can see the full thing here):
Facebook was making it possible for advertisers to see ids for users who clicked (not just the profile url). This was happening through a ref equals profile code getting passed through after a user clicked on their profile and then an ad. Facebook acknowledged that this could be used to identify users who clicked, not just the profile of the user on whose page an ad appeared.
That said, the Journal reports that the ad companies it contacted had not used the data:
Several large advertising companies identified by the Journal as receiving the data, including Google Inc.’s DoubleClick and Yahoo Inc.’s Right Media, said they were unaware of the data being sent to them from the social-networking sites, and said they haven’t made use of it.
However, the article doesn’t say that all ad networks that placed ads on Facebook were ignoring the data. We’ve reached out to Facebook to ask if it’s possible that smaller networks could have leveraged it.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss the 20th anniversary of TechCrunch, and a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
The WSJ article notes that the discovery was pointed out back in August by researchers from AT&T Labs and Worcester Polytechnic Institute, but that the issue has persisted until this morning (Facebook and MySpace have now “rewritten some of the offending computer code”).
Update: The Twitter issue mentioned in the WSJ seems to be much less of an problem (it doesn’t even have ads yet).
Image via alancleaver
