Looking at the lack of privacy protection in social network Ads systems from a research perspective

Along with all the latest news about Facebook’s new privacy policies came this article from The Wall Street Journey on Facebook and MySpace now correcting a privacy loophole in their ads system. To summarize, apparently many of the social networks including Facebook, MySpace, LiveJournal, Hi5, Xanga and Digg used to (or are still) attaching username or user ID in the referral links when users click on ads on people’s profiles. So the advertising companies could potentially track who it was that clicked on the ad by doing a search for the username/ID on the social network.

Some of the social network representatives even go about saying

“They don’t consider their user names or ID numbers to be personally identifiable, because unlike Facebook, consumers are not required to submit their real names when signing up for an account. They also said since they are passing along the user name of the page the ad is on, not for the person clicking on the ad, there is nothing advertisers can do with the data beyond seeing on what page their ad appeared.”

It [MySpace] is only sharing the ID name users create for the site, which permits access only to the information that a user makes publicly available on the site.”

All I can say to this is ouch!

When doing research or any sort of data collecting on people, the standard is absolute anonymity.

• People must sign consent forms before data can even be collected
• Only aggregate data should be presented: aggregate as in presenting things in terms of percentage and averages, and general trends
• People are only ever identified by ID numbers even in the raw data: You should not be able to tell this set of data comes from John Doe, regardless of whether this is a real name or a screen name

Now with that in mind, let’s examine the social network ads system.

• No consent: most people (myself included) do not even realize advertisers can track every single ad click, let alone who is doing the clicking
• No aggregation of data: advertisers know exactly who’s doing the clicking, from where and at what time
• No coded ID numbers used: most social networks attach public username or user ID to their ad links, which means advertisers can look you up on the network

There is virtually zero privacy protection in these ad systems. I cannot believe this has been happening for so long and only came into light now. I am thankful Facebook and MySpace are now starting to correct this issue. Hopefully the rest of the social networks will follow suit.