Facebook and MySpace Are Begging Congress to Regulate Them on Privacy

Did the sun rise this morning? Then there must be a new privacy scandal. Bringing today's event are Facebook, MySpace (NWS), and some other social networking sites that have been sending data to advertisers in such a way as to let them uncover user identities and personal information.

This can happen even when the social networking site promises not to share data without user permission. When will executives at the social networks stop playing games? What seems like a smart move to them is more like walking into a congressional bull ring, waving a red flag. With no exit. And no sword.

The practice, which most of the companies defended, sends user names or ID numbers tied to personal profiles being viewed when users click on ads. After questions were raised by The Wall Street Journal, Facebook and MySpace moved to make changes. By Thursday morning Facebook had rewritten some of the offending computer code.

Advertising companies are receiving information that could be used to look up individual profiles, which, depending on the site and the information a user has made public, include such things as a person's real name, age, hometown and occupation.

One Web page can generally get the URL of the previous page a browser displayed. That means the URL with the identifying information is generally available to the next site a users views. Additionally, depending on the page you've left, the information remains in the browser's cache and so could be available to another Web page.

In Facebook, for example, I set my browser to work offline and then went into history. I couldn't bring up my profile page, but I could bring up my home page, which contains my name and photo as well as names and photos for people I know who happened to have status messages on the screen at that time. This also doesn't stop at your own profile. If you have a Facebook account, log on and check your profile. Your name appears in the URL. Now check a friend's profile. His or her name appears in the URL. So, if you go to another site, you're might deliver that name.

It's easy to dismiss this as a simple accident. After all, who would have thought about this possibility? However, if you know anything about the advertising industry, this sounds as likely as July snow in southern Florida. Companies that depend on advertising for revenue must get detailed customer information, one way or the other, to their clients if they want to command rates high enough to let them stay in business. Remember that, on the average, online ads pay $2.48 per thousand impressions. The sites not only need volume, but something to sweeten the pot and raise advertising rates.

Given the depth of technical knowledge at the social networks, to pretend ignorance of the information delivery would be an out-and-out sham. And yet, look at the New York Times Q&A session with Facebook vice president for public policy Elliot Schrage and an answer he provided to a reader's question:

The second part of your question reflects what is probably the most common misconception about Facebook. We don't share your information with advertisers. Our targeting is anonymous. We don't identify or share names. Period. Think of a magazine selling ads based on the demographics and perceived interests of its readers. We don't sell the subscriber list. We protect the names.

This type of out and out misrepresentation and false statement amounts to taking that red flag and repeatedly shaking it. Privacy advocates, from public policy non-profits to politicians jockeying for reelection, will react one way: badly. That would be fine if the repercussions were felt only by the social networks, but any action will be broad and take into account everyone company using online ads as a revenue source. The one chance the industry has is for big players to put immense pressure on the younger ventures that are willing to take a chance, no matter who gets hurt in the process.

Image: stock.xchng user originaldN, site standard license.