Facebook, MySpace and several other social-networking sites have been sending data to advertising companies that could be used to find consumers’ names and other personal details, despite promises they don’t share such information without consent.
The practice, which most of the companies defended, sends user names or ID numbers tied to personal profiles being viewed when users click on ads. After questions were raised by The Wall Street Journal, Facebook and MySpace moved to make changes. By Thursday morning Facebook had rewritten some of the offending computer code.
Advertising companies are receiving information that could be used to look up individual profiles, which, depending on the site and the information a user has made public, include such things as a person’s real name, age, hometown and occupation.
Several large advertising companies identified by the Journal as receiving the data, includingGoogle Inc.’s DoubleClick and Yahoo Inc.’s Right Media, said they were unaware of the data being sent to them from the social-networking sites, and said they haven’t made use of it.
Across the Web, it’s common for advertisers to receive the address of the page from which a user clicked on an ad. Usually, they receive nothing more about the user than an unintelligible string of letters and numbers that can’t be traced back to an individual. With social networking sites, however, those addresses typically include user names that could direct advertisers back to a profile page full of personal information. In some cases, user names are people’s real names.
Most social networks haven’t bothered to obscure user names or ID numbers from their Web addresses, said Craig Wills, a professor of computer science at Worcester Polytechnic Institute, who has studied the issue.
The sites may have been breaching their own privacy policies as well as industry standards, which say sites shouldn’t share and advertisers shouldn’t collect personally identifiable information without users’ permission. Those policies have been put forward by advertising and Internet companies in arguments against the need for government regulation.
The problem comes as social networking sites—and in particular Facebook—face increasing scrutiny over their privacy practices from consumers, privacy advocates and lawmakers.
At the same time, lawmakers are preparing legislation to govern websites’ tactics for collecting information about consumers, and the way that information is used to target ads.
In addition to Facebook and MySpace, LiveJournal, Hi5, Xanga and Digg also sent advertising companies the user name or ID number of the page being visited. (MySpace is owned by News Corp., which also owns The Wall Street Journal.) Twitter—which doesn’t have ads on profile pages—also was found to pass Web addresses including user names of profiles being visited on Twitter.com when users clicked other links on the profiles.
For most social-networking sites, the data identified the profile being viewed but not necessarily the person who clicked on the ad or link. But Facebook went further than other sites, in some cases signaling which user name or ID was clicking on the ad as well as the user name or ID of the page being viewed. By seeing what ads a user clicked on, an advertiser could tell something about a user’s interests.
Ben Edelman, an assistant professor at Harvard Business School who studies Internet advertising, reviewed the computer code on the seven sites at the request of the Journal.
“If you are looking at your profile page and you click on an ad, you are telling that advertiser who you are,” he said of how Facebook operated, if a user had clicked through a specific path, before the fix. Mr. Edelman said he had sent a letter on Thursday to the Federal Trade Commission asking them to investigate Facebook’s practices specifically.
The sharing of users’ personally identifiable data was first flagged in a paper by researchers at AT&T Labs and Worcester Polytechnic Institute last August. The paper, which drew little attention at the time, evaluated practices at 12 social networking sites including Facebook, Twitter and MySpace and found multiple ways that outside companies could access user data.
The researchers said in an interview they had contacted the sites, which some sites confirmed. But nine months later, the issue still exists.
The issue is particularly significant for Facebook on two fronts: the company has been pushing users to make more of their personal information public and the site requires users to use their actual names when registering on the site.
A Facebook spokesman acknowledged it has been passing data to ad companies that could allow them to tell if a particular user was clicking an ad. After being contacted by the Journal, Facebook said it changed its software to eliminate the identifying code tied to the user from being transmitted.
“We were recently made aware of one case where if a user takes a specific route on the site, advertisers may see that they clicked on their own profile and then clicked on an ad,” the Facebook spokesman said. “We fixed this case as soon as we heard about it.”
Facebook said its practices are now consistent with how advertising works across the Web. The company passes the “user ID of the page but not the person who clicked on the ad,” the company spokesman said. “We don’t consider this personally identifiable information and our policy does not allow advertisers to collect user information without the user’s consent.”
The company said it also has been testing changing the formatting for the text it shares with advertisers so that it doesn’t pass through any user names or IDs.
MySpace, Hi5, Digg, Xanga and Live Journal said they don’t consider their user names or ID numbers to be personally identifiable, because unlike Facebook, consumers are not required to submit their real names when signing up for an account. They also said since they are passing along the user name of the page the ad is on, not for the person clicking on the ad, there is nothing advertisers can do with the data beyond seeing on what page their ad appeared.
MySpace said in a statement it is only sharing the ID name users create for the site, which permits access only to the information that a user makes publicly available on the site.
Nevertheless, a MySpace spokeswoman said the site is “currently implementing a methodology that will obfuscate the ‘FriendID’ in any URL that is passed along to advertisers.”
A Twitter spokeswoman said passing along the Web address happens when people click a link from any Web page. “This is just how the Internet and browsers work,” she said.
Although Digg said it masks a user’s name when they click on an ad and scrambles data before sharing with outside advertising companies, the site does pass along user names to ad companies when a user visits a profile page. “It’s the information about the page that you are visiting, not you as a visitor,” said Chas Edwards, Digg’s chief revenue officer.
The advertising companies say they don’t control the information a website chooses to send them. “Google doesn’t seek in any way to make any use of any user names or IDs that their URLs may contain,” a Google spokesman said in a statement.
“We prohibit clients from sending personally identifiably information to us,” said Anne Toth, Yahoo’s head of privacy. “We have told them. ‘We don’t want it. You shouldn’t be sending it to us. If it happens to be there, we are not looking for it.”
Lawsuit: School administrator ‘may be a voyeur’ who spied on kids for personal gratification
A Philadelphia-area school district secretly took “thousands” of webcam photos of students in their homes and tracked their Web site visits and parts of online chats through spy software installed on the students’ school-issued laptops, a Pennsylvania court heard yesterday.
In February, the family of Blake Robbins, a student at Harriton High School in Rosemont, sued the Lower Merion School District after the district admitted to them it had been spying on students via a remote-activated feature on the laptops it issued to all its 2,300 high school pupils.
In a motion filed in court on Thursday, Robbins’ lawyers asserted that the school district had taken at least 400 snapshots of 15-year-old Robbins, including some of him sleeping. The motion also stated that “thousands of webcam pictures and screen shots have been taken of numerous other students in their homes,” the Philadelphia Inquirer reports.
And in a strange twist to the story, the lawyers also suggested that Carol Cafiero, one of two school administrators with access to the spying technology, “may be a voyeur” who spied on students for her personal gratification, as some of the images taken by the laptops may have ended up on her personal computer.
The motion asks the judge to force Cafiero to turn over her home computer, which she has refused to do so far. Earlier this week, during a deposition, Cafiero pleaded the Fifth Amendment to all questions regarding her involvement in the alleged school spying.
Watching the students at home was like “a little [Lower Merion School District] soap opera,” said a staffer in an email obtained by Robbins’ lawyers.
“I know, I love it,” Cafiero responded in a reply email, as quoted at the Inquirer.
If true, the allegations against Cafiero would realize privacy advocates’ worst fears about the school district’s monitoring of students at home: That the technology is all too open to abuse by those who would seek to exploit children.
So far, there have been no allegations that the cameras captured any images of nude students, which could fall within the definition of child pornography.
On Thursday, the judge presiding over the case in a federal courtroom in Philadelphia restricted access to the images to the lawyers involved in the case, reports KYW news radio. The school board says it will soon notify the parents of children whose pictures were taken by the spy software, and is working on a way to transfer the photos to the parents, the Inquirer reported Friday.
The latest claims made against the school district contradict what the district itself has said about the use of the cameras. In February, when news of the spy software broke, the school districtpublished a statement saying administrators had activated the monitoring system only 42 times, most of those in order to retrieve lost or stolen laptops.
But the allegations made Thursday suggest “there were 42 instances when they began intensive surveillance on the suspected stolen computers,” reports tech blog Slashdot. “This consisted of (among other things) transmitting a picture from the laptop’s webcam every 15 minutes. This may have gone on for weeks.”
The school district announced in February it was shutting down the spy software, shortly after news of the spy software went public.
Robbins’ family launched the lawsuit two months ago after Blake Robbins was called into a vice-principal’s office and accused of taking drugs. As evidence, the vice-principal showed a photo of pills in Robbins’ bedroom. The Robbins family said the pills were candy, and launched a class-action lawsuit alleging the school district violated Blake’s right to privacy.
This week, Sen. Arlen Specter (D-PA), who held hearings into the Lower Merion School District’s spying activities, introduced legislation limiting the use of surveillance software.
The proposed Surreptitious Video Surveillance Act of 2010 “would update the federal wiretapping statute to create serious criminal and civil penalties for secret, nonconsensual video surveillance inside any temporary or permanent residence, be it your house, your apartment, or your hotel room,”reports the Electronic Frontier Foundation.
According to a document obtained by the ACLU under the Freedom of Information Act (FOIA) on Tuesday March 16, the 9/11 commission was warned on Jan. 6th, 2004 by high-level administration officials to “not cross the line” in the investigation of the events that occurred on Sept. 11, 2001.
Here’s a copy of the letter in question (page 26 of the PDF document).
Department of Defense Department of Justice Central Intelligence Agency (CIA)
National Commission on Terrorist Attacks Upon the United States
Thomas H. Kean, Chairman Lee H. Hamilton, Vice Chairman
Your staff has advised us that the Commission seeks to participate in the questioning of certain enemy combatants detained in the war against terrorists of global reach. Such action by the Commission would substantially interfere with the ability of the United States to perform its law enforcement, defense and intelligence functions in the protection of the American people.
Your legislative commission has had extraordinary — indeed, unprecedented in the annals of American history — access to many of the Nation’s most sensitive secrets in the conduct of its work, including detainee information. In response to the Commission’s expansive requests for access to secrets, the executive branch has provided such access in full cooperation. There is, however, a line that the Commission should not cross — the line separating the Commission’s proper inquiry into the September 11, 2001 attacks from interference with the Government’s ability to safeguard the national security, including protection of Americans from future terrorist attacks. The Commission staffs proposed participation in questioning of detainees would cross that line.
As the officers of the United States responsible for the law enforcement, defense and intelligence functions of the Government, we urge your Commission to not further pursue the proposed request to participate in the questioning of detainees.
John Ashcroft, Attorney General Donald H. Rumsfeld, Secretary of Defense George J. Tenet, Director of Central Intelligence
9/11 Commission findings based on torture
In December of 2009, we have published an important article titled “Much of 9/11 Commission findings cite intelligence garnered by torture” in which we describe that much of the material cited in the 9/11 Commission’s findings was derived from war detainees during brutal CIA interrogations authorized by the Bush administration. In fact, information derived from the interrogations was central to the 9/11 Report’s most critical chapters, those on the planning and execution of the attacks.
The CIA has since revealed that in 2005 it destroyed videotapes of prisoners being tortured.
When asked by MSNBC News anchor if “under duress, will people tell the truth if tortured?” former CIA officer Robert Baer answered “under duress, under the threat of duress, people will tell what they think you want to hear. It is an unreliable tool. And the reason I say this is I have spent 21 years in the CIA, in and out of prisons watching these techniques, one way or another, reading reports, and the countries that torture, uniformly produce inaccurate intelligence. Torture does not work.”
They also talk about Khalid Shaikh Mohammed who has been waterboarded over 183 times.
The below text is a excerpt of the Examiner.com article on this newly released memo
The warning in the memo released by the government to the ACLU is just one example of how the Bush administration fiercely struggled to prevent the 9/11 Commission from conducting a deeper probe into the attacks. It is common knowledge that Bush and Cheney refused to cooperate with the investigation and when forced to do so, only testified together, not under oath.
9/11 Commissioners criticism
What may not be known to many Americans is that members of the 9/11 Commission have publicly stated that the investigation was a whitewash, and stymied from the beginning.
“I’m saying that’s deliberate. I am saying that the delay in relating this information to the American public out of a hearing… series of hearings, that several members of Congress knew eight or ten months ago, including Bob Graham and others, that was deliberately slow walked… the 9/11 Commission was deliberately slow walked, because the Administration’s policy was, and its priority was, we’re gonna take Saddam Hussein out.”
— Senator Max Cleland, former 9/11 Commissioner who resigned after calling it a “national scandal”
On Democracy Now, Cleland also said, “One of these days we will have to get the full story because the 9-11 issue is so important to America. But this White House wants to cover it up”.
In 2006 the Washington Post reported that several members of the 9/11 Commission suspected deception on part of the Pentagon:
Some staff members and commissioners of the Sept. 11 panel concluded that the Pentagon’s initial story of how it reacted to the 2001 terrorist attacks may have been part of a deliberate effort to mislead the commission and the public rather than a reflection of the fog of events on that day, according to sources involved in the debate.
9/11 Commissioner Bob Kerry also has unanswered questions. According to an article in Salon.com, he believes that there are legitimate reasons to believe an alternative version to the official story.”There are ample reasons to suspect that there may be some alternative to what we outlined in our version,” Kerry said. The commission had limited time and limited resources to pursue its investigation, and its access to key documents and witnesses was obstructed by government agencies and key administration officials.
Commissioner Tim Roemer suggested that Commission members were considering a criminal probe of false statements. “We were extremely frustrated with the false statements we were getting,”Roemer told CNN. “We were not sure of the intent, whether it was to deceive the commission or merely part of the fumbling bureaucracy.”
The document that the ACLU has obtained corroborates what officials involved in the 9/11 Commission have been saying for years. The entire “investigation” was nothing more than a whitewash designed to hide the facts about 9/11 from the American people.