Unbelievable - Facebook in yet another privacy scrape

Who would have believed it - Facebook -- and, to be fair, many of les autre Social Nets - has been up to yet another trick in the Big Book of Privacy Abuse - its selling your PII (Private IDs) to advertisers - WSJ:

Across the Web, it's common for advertisers to receive the address of the page from which a user clicked on an ad. Usually, they receive nothing more about the user than an unintelligible string of letters and numbers that can't be traced back to an individual. With social networking sites, however, those addresses typically include user names that could direct advertisers back to a profile page full of personal information. In some cases, user names are people's real names.

Most social networks haven't bothered to obscure user names or ID numbers from their Web addresses, said Craig Wills, a professor of computer science at Worcester Polytechnic Institute, who has studied the issue.

The sites may have been breaching their own privacy policies as well as industry standards, which say sites shouldn't share and advertisers shouldn't collect personally identifiable information without users' permission. Those policies have been put forward by advertising and Internet companies in arguments against the need for government regulation.

More amusingly, ReadWriteWeb sort of misunderstood what they were up to and lambasted the WSJ for its "unbelievable" tech naivete, but I think this comment on the site says it all:

Unbelievable? they're sharing PII (profile IDs, etc.) with advertisers, despite specifically saying that they don't do so. from facebook's privacy policy regarding advertisers: "We don’t share your information with advertisers without your consent. (An example of consent would be if you asked us to provide your shipping address to an advertiser to receive a free sample.)...For example, we might use your interest in soccer to show you ads for soccer equipment, but we do not tell the soccer equipment company who you are."

http://www.facebook.com/policy.php

it's not a matter of being a "pioneer" as one commenter suggested. it's not a matter of "a browser functionality" as another commenter suggested. if a company issues a privacy statement claiming that they do not provide PII to an advertiser, then i figure they have a responsibility to not provide PII to advertisers. they could ensure that this information is not passed along, OR they could change their privacy policy so that it accurately reflects that advertisers can (in some cases, apparently) identify the user that clicked on an ad.

I see RWW is now trying to worm out of its own unbelievable naivete

Update: Vascellaro has responded by email, emphasizing an apparently now-resolved if legitimate issue discussed vaguely as "in some cases" in the original story. Conflating that and the simple matter of referring URLs seems odd, to say the least. That said, it does appear that there was some grounds for debate around what was being communicated in some URLs. I've added some more thoughts, along with the text of Vascellaro's more clear explanation by email, to the footer of this post. I don't think the situation is as crazy now as I did when I first read it and wrote this post.

Sorry RWW, but the situation was pretty clear just from the WSJ article. Its just that the automatic position of the Silicon Valley A-List blogs seems to be to leap to Facebook's defence these days. Quite why this is we can't imagine

Hat tip Alex Van Elsas for pointing out the story