Here's the paper giving details:<p><a href="http://www2.research.att.com/~bala/papers/wosn09.pdf" rel="nofollow">http://www2.research.att.com/~bala/papers/wosn09.pdf</a><p>There's three ways info leaks:<p>1 - Referer header, eg facebook.com/profile.php?id=1<p>2 - Request, eg analytics.google.com/script.js?page=facebook.com/profile.php?id=1<p>3 - Cookies, eg z.digg.com points to an <i>omniture</i> server, and so passes all digg cookies to them!<p>1 and 2 are easily exploitable by advertisers who wanted to, but 1 especially seems like a very standard way of building urls on most services. Definitely will get them hammered for good reason, but there's not necessarily any bad intent.<p>3 seems a lot worse. Are there legit reasons I'm missing for hosting ad servers on the same domain, and so puncturing the browser security model?
"Caught" is a little strong. It's not like they were selling the information to advertisiers -- in fact, several of the advertisers who were receiving the information have said they were unaware it was even being sent, far less doing anything with it.<p>They didn't write any code to "share" this data; they just failed to put safeguards in place to prevent it leaking via HTTP referrers.<p>I'm willing to put this down to incompetence rather than malice, though of course incompetence is still not great.
It never ends does it?<p>FB has a real problem, I hear my totally clueless (when it comes to computer related things) family members discuss their facebook privacy and whether or not they should quit.<p>I never expected to see that happen.<p>And all that in the space of about 2 months.
"Not surprisingly, Facebook appears to have gone farther than the other sites when it comes to sharing data."<p>This isn't really the expectation you want your users to have.<p>Interesting to note that Google comes up in this though.<p>This is leading to regulation. Hard and swift.
Yes Facebook is evil. When I saw that Zuckerberg called users "dumb f<i></i>*s" for trusting him with their data, and I mused on how criminals could exploit that data via phishing, pw guessing, and social engineering schemes, I joined the Perma-Delete revolution.
<i>We don’t share your information with advertisers. Our targeting is anonymous. We don’t identify or share names. Period.</i><p>-- Elliot Schrage, vice president for public policy at Facebook. May 11, 2010.<p><a href="http://bits.blogs.nytimes.com/2010/05/11/facebook-executive-answers-reader-questions/" rel="nofollow">http://bits.blogs.nytimes.com/2010/05/11/facebook-executive-...</a><p>ouch.
This is the part that troubles me: " It wasn't until WSJ contacted them that changes were made."<p>How do you interpret that?<p>1) Too busy to care enough to prioritize this?
2) Indeed there was intent?
3) To dumb to realize the consequences?<p>Maybe I'm too biased now, but I can't think of a good way to put a positive spin on that.
There is an interesting related thread on Quora.<p><a href="http://www.quora.com/How-did-Elliot-Schrage-not-know-that-Facebook-was-identifying-Facebook-users-to-advertisers-when-he-made-a-statement-in-The-New-York-Times" rel="nofollow">http://www.quora.com/How-did-Elliot-Schrage-not-know-that-Fa...</a><p>Here is what one of the Facebook guys says about the situation:<p>The Wall Street Journal article is not exactly factually false, but the implication you're drawing from it is incorrect -- the actual issue is that in some cases (e.g., after performing some editing operations) the viewing user's ID is contained in the page URL. If the user happens to click on an ad on such a page, the browser will send a Referer header line that has the URL with the ID in it. On the other hand, if the user clicks away to a different page then clicks on an ad there, the ID will no longer be present.<p>This by no stretch of the imagination represents Facebook "going out of its way" to pass user information to advertisers.<p>In any event, the accusation makes little sense given the context. If Facebook wanted to leak user IDs to advertisers, surely it would be far more profitable to do it reliably, on every ad click, rather than doing it via a mechanism that (even according to the WSJ article) only discloses user IDs a small percentage of the time when the user happens to be viewing certain pages in certain ways.
The spin people are putting on this is just unbelievably sensation-mongering. ReadWriteWeb of all places is calling them on it - <a href="http://www.readwriteweb.com/archives/unbelievable_wsj_calls_referring_urls_a_privacy_vi.php" rel="nofollow">http://www.readwriteweb.com/archives/unbelievable_wsj_calls_...</a>.<p>It's so disappointing to see Hacker News be a part of this mob mentality.
Disclaimer: I have always thought Facebook was the devil -- it uses a growth model that co-opts human behavior in a manner not in the best interests of the participants<p>Having said that, the media coverage is starting to get the feeling of piling on. Reporters have decided the media narrative around FB is something like "Big company goes evil. Users revolt"<p>I think we may have reached the point where the leaders of FB really want to do this correctly, but the momentum of the company and the overriding media narrative may continue to drive lots of stories like this.<p>So. I'm going to be careful to double-check the "Facebook is killing your grandma!" types of stories. The media is famous for getting tech wrong. My guess is that most all of them will have a grain of truth. And most all of them will need some technical clarification before we can make heads or tails of it.