A report in the Wall Street Journal this evening reveals that Facebook, MySpace,
The Journal article doesn’t get into too much technical detail, but it sounds like Facebook and the others are failing to scrub ‘referring’ URLs that are always passed along whenever a user clicks a link. This is actually normal behavior — typically when you click a link on a website, the site you’re being directed to will get to see where you came from. The issue is that these social sites include some identifying information as part of their URLs; when you visit a friend’s Facebook profile, the resulting URL might include both your friend’s username and your Facebook ID, which could be used to associate you with the ads you’re clicking on.
Facebook was making it possible for advertisers to see ids for users who clicked (not just the profile url). This was happening through a ref equals profile code getting passed through after a user clicked on their profile and then an ad. Facebook acknowledged that this could be used to identify users who clicked, not just the profile of the user on whose page an ad appeared.
That said, the Journal reports that the ad companies it contacted had not used the data:
Several large advertising companies identified by the Journal as receiving the data, including Google Inc.’s DoubleClick and Yahoo Inc.’s Right Media, said they were unaware of the data being sent to them from the social-networking sites, and said they haven’t made use of it.
However, the article doesn’t say that all ad networks that placed ads on Facebook were ignoring the data. We’ve reached out to Facebook to ask if it’s possible that smaller networks could have leveraged it.
The WSJ article notes that the discovery was pointed out back in August by researchers from AT&T Labs and Worcester Polytechnic Institute, but that the issue has persisted until this morning (Facebook and MySpace have now “rewritten some of the offending computer code”).
Update: The Twitter issue mentioned in the WSJ seems to be much less of an problem (it doesn’t even have ads yet).
Image via alancleaver