Facebook's New Privacy Problem: Partners and Guilt by Association

Last Updated Jun 15, 2010 4:19 PM EDT

Facebook has another privacy storm brewing on the horizon. Only this time, it's not what Facebook does with users' data, but what its third party application developers do. Some users have found that recent e-commerce purchases can come back to haunt them through ads, listing exactly what they bought and showing how much of their personal lives are open to marketers.

Facebook says that the activity is out of its control, not that it matters. From a user's view, the activity seemed to take place on Facebook's site, so the company is guilty by association. The irony is that the techniques in play are about as old as web marketing.

I first heard of this incarnation of privacy problem from a colleague who had recently placed an order for baby products on Diapers.com, a site owned by e-commerce company Quidsi Inc. Later, she logged in at Facebook and started to play Lexulous, a word game application on the site. Suddenly she noticed a Diapers.com ad showing the same two product she had just bought.

My colleague was surprised and emailed customer service at Diapers.com:

I'd like to know how you share info with Facebook that I have not authorized. What is your privacy policy on this? See the screenshot below. It has a diapers.com window including the items in my recent order. Thank you for your explanation.
A customer service representative responded:
I am in receipt of your email inquiring about our privacy policy due to the fact that you have found information regarding your shopping cart of Facebook.com. Unfortunately, I am un-aware [sic] of the answer for this question; However, I will be contacting our Marketing team here in order to get this answer to you. Once I am in receipt of this information, we will contact you regarding what that policy is and how we can adjust the settings in order to prevent this from occurring in the future. I am very sorry for any discomfort this may have caused, but please note that I will see to it this matter gets resolved. If you have any future questions or comments, please feel free to contact your friends here at Diapers.com. I hope you have a pleasant day!
I called the Quidsi office, asked to speak to the PR or marketing department, and was told to write to a "receptionist-temp" email address. I settled for leaving a phone number but have yet to hear back. I also emailed Lexulous, run by RJ Softwares in India, and haven't received a response, though the time difference could explain that.

I spoke with Facebook spokesperson Brandon McCormick, who says that the vendors have significant autonomy in what appears on their pages. "It's not our ad," he said. "That's why we have our policy that doesn't allow third parties to target ads based on personal information."

One of Facebook's strengths has been a roster of applications that entice users to return and spend time on the system. All software developers want to find ways to make their investment pay, and display advertising is a popular option. As often happens on the web, third party ad networks actually serve the ads and also place and read cookies on users' systems to gather behavioral and personally identifying information.

According to McCormick, the practice of a third party displaying an ad on someone else's site is called retargeting. The ad network effectively creates an independent relationship with a consumer, separately tracking activity. "Retargeting isn't anything new, and I'm surprised that users are surprised," McCormick says.

That's really the nut of the issue, and it shows the danger of being too informed. If you know how online marketing works, then of course you remain unsurprised when companies use cookies to build intimate portraits of consumers through their actions, including the Web sites they've visited and the transactions they've undertaken. The cookie tells the site and provides the identifying information. The ad network passes that information back to the site, which is a client, and receives, in return, the ordered items -- or any other information about the consumer that the site wants to provide.

From a consumer's view, Facebook owns the web site and, therefore, is responsible for the experience, no matter what policies it has in place. If you've spent the last couple of years getting kicked one way and another over privacy issues, you're the natural target. It's an argument for the approach that Apple takes with iAd and the iPhone and iPad. Ultimately, people will point at the name on the device -- or on the web site.

Related:

Image: RGBStock.com user lusi, site standard license.
  • Erik Sherman On Twitter» On Facebook»

    Erik Sherman is a widely published writer and editor who also does select ghosting and corporate work. The views expressed in this column belong to Sherman and do not represent the views of CBS Interactive. Follow him on Twitter at @ErikSherman or on Facebook.