A Wall Street Journal article today draws attention to yet another unexpected way in which Facebook's privacy practices have not complied with its public statements and have disregarded users' privacy rights. Just last week, when asked about Facebook's privacy practices with advertisers, Facebook executive Elliot Schrage wrote:
"We don’t share your information with advertisers. Our targeting is anonymous. We don’t identify or share names. Period."
As the Wall Street Journal report shows, this was not true. In fact, Facebook's architecture at the time allowed advertisers to see detailed personal information about some Facebook users.
The article identified a security flaw concerning referer URLs, a basic part of the web's architecture. For readers who aren't web gurus: A "referer" is a piece of information sent whenever you click on a link. It tells the site you're visiting what URL you've just come from. (The term's strange spelling is one of the web's many historical in-jokes.) In some instances, the referer URL will also include a "query string" that reveals additional information.
Ordinarily, the query string doesn't reveal anything sensitive. In fact, it's a maxim of web engineering that sensitive information (like passwords) should never be placed in the query string, exactly because doing so can cause security and privacy problems.
It's a maxim that Facebook apparently forgot. A paper published last August by researchers at AT&T Labs and Worcester Polytechnic (blogged by EFF here) showed how Facebook's referers revealed information to advertisers that could be used to personally identify visitors. The problem was made far worse by the changes Facebook made in December and April, which designated radically more user data as "publicly available information" and created new tech tools for mining that data.
Yesterday, facing the pressure of the impending Wall Street Journal article, Facebook fixed the worst aspects of that loophole. They say they're in the process of fixing the rest.
The fixes come not a moment too soon. The flaws were not only in conflict with Schrage's public statements, but with Facebook's own privacy policy, which states that "We don’t share your information with advertisers without your consent."
Beyond the fixes Facebook has already made, what steps can be taken to prevent this kind of data leakage in the future? There are some steps Facebook could take, like moving users to HTTPS, which can limit transmission of referer URLs. And users can protect themselves by using plugins like Firefox's RefControl. We also encourage both social networking services and web browsers to adopt emerging standards like 'noreferrer', which would allow sites much simpler control over how referers are handled.
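The sketch below is an added example, not code from the article, the WSJ report or the AT&T/WPI paper. It models which referer a browser sends under the long-standing default behaviour (full URL, omitted only when going from HTTPS to plain HTTP) and with 'noreferrer'. The hostnames, the `id` and `ref` parameters and the watch list are constructed for illustration.

```javascript
// Constructed sample URLs: a profile page whose query string carries a user id.
const PROFILE_HTTP = "http://social.example/profile.php?id=1234567&ref=ads#wall";
const PROFILE_HTTPS = "https://social.example/profile.php?id=1234567&ref=ads#wall";
const AD_HTTP = "http://ads.example/click";
const AD_HTTPS = "https://ads.example/click";

// Returns the Referer header value sent when following a link on `from`
// that points to `to`, or null when the browser sends no Referer at all.
function refererSent(from, to, opts = {}) {
  const src = new URL(from);
  const dst = new URL(to);
  if (opts.noreferrer) return null; // link marked rel="noreferrer"
  // Secure page linking to an insecure one: the header is withheld.
  if (src.protocol === "https:" && dst.protocol !== "https:") return null;
  src.hash = "";     // the fragment is never part of the Referer
  src.username = ""; // embedded credentials are stripped as well
  src.password = "";
  return src.href;   // path AND query string go to the third party
}

// Lists the watched query parameters that a given Referer value exposes.
function leakedParams(referer, watchList) {
  if (referer === null) return [];
  const found = [];
  for (const [name, value] of new URL(referer).searchParams) {
    if (watchList.includes(name.toLowerCase())) found.push(`${name}=${value}`);
  }
  return found;
}

// Runs the four cases discussed in the text and reports what each one leaks.
function audit(watchList = ["id", "uid", "user"]) {
  const cases = [
    ["http -> http", PROFILE_HTTP, AD_HTTP, {}],
    ["https -> http", PROFILE_HTTPS, AD_HTTP, {}],
    ["https -> https", PROFILE_HTTPS, AD_HTTPS, {}],
    ["http -> http, noreferrer", PROFILE_HTTP, AD_HTTP, { noreferrer: true }],
  ];
  return cases.map(([label, from, to, opts]) => {
    const referer = refererSent(from, to, opts);
    return { label, referer, leaked: leakedParams(referer, watchList) };
  });
}

console.table(audit());
```

The "https -> https" row still exposes the id: in this model, HTTPS limits referer leakage only toward destinations served over plain HTTP.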
Of course, as demonstrated in the AT&T/WPI paper, referer strings are not the only path by which social networks leak personal information to advertisers. That paper found that 11 of the 12 social networking sites it examined leak personal information to advertisers by one method or another. Hopefully, today's WSJ article is a sign that all of these methods will soon be receiving closer scrutiny.