Several major social networks are reexamining their policies after the revelation of a loophole that could allow advertisers to access personal details of users more easily.
The problem is remarkably simple: when a user of a website (Facebook, Myspace, etc…) clicks on an advert, the advertiser is able to see the website address from which they clicked. The way several social networks are set up means that an identification number, or even simply the user name, is displayed as part of the web address when profile pages are accessed.
This means the advertiser could use the data to find out any details listed on the profile page. While that’s a laborious process to do manually, it wouldn’t be too hard to carry out automatically.
In most cases the usefulness of this technique would be limited as the advertiser could only know the profile page on which the advert was clicked, rather than exactly who clicked on it. (That said, the chances are most people are more likely to click on ads on their own profile page if targeting really works.) In Facebook’s case, the information in the specific web address showed which user had clicked on the ad.
The issue was covered in a research paper from AT&T Labs and Worcester Polytechnic Institute, then raised by the Wall Street Journal. As a result, Facebook has changed its system to remove the details of the person clicking the link, but will still display the profile details. MySpace says it will work on a method to “obfuscate” the user ID, while several other sites argued there wasn’t a problem as users don’t have to sign up with their real names.
It’s only fair to note that there’s no evidence any advertisers have taken advantage of the loophole. The problem seems to be that two situations have come together in an unexpected way. Most people will likely accept that any information they put on a publicly accessible profile page will be, well, publicly accessible. And most people will likely accept that advertisers should be able to know where their ads are getting clicks. But combining the two might be seen as a step too far, particularly given the existing skepticism about the privacy policies of major websites.