FTC, Myspace Settle Privacy Complaint About 'Leaked' Names

Privacy-eyeKeyhole-AMyspace has agreed to develop a comprehensive privacy program to settle charges that it violated its privacy policy by leaking users' personal information to advertisers. The agreement, announced on Tuesday by the Federal Trade Commission, also calls for Myspace to submit to 20 years of audits.

The charges apparently stemmed from a 2009 report that Myspace (and other companies) leak users' personal information to advertisers by including it in the HTTP header information that is automatically sent to ad networks.

In Myspace's case, the company transmitted users' age, gender and "FriendID" to ad networks via referrer headers, according to the FTC. Advertisers were then able to use the FriendID to access users' profile information, which included the full names of around 84% of Myspace users, the FTC alleges.

The commission says that Myspace's transmission of FriendID constituted a deceptive business practice because the company's privacy policy promised that it would not share "personally identifiable information" with outside companies.

The FTC says in its complaint that starting in 2009, Myspace automatically sent users' FriendIDs to its Fox Audience Network, which in turn often transmitted the information -- in clear text -- to third-party advertisers it worked with. In June of 2010 it began encrypting the data, but provided the key to Fox Audience Network, according to the FTC.

After Rubicon Project purchased Fox Audience Network in October of 2010, Myspace allegedly provided the encryption key to Rubicon -- which had no relationship with the social networking company. That arrangement lasted through October of 2011, according to the FTC's complaint, which was unveiled on Tuesday along with the settlement agreement,

The upshot was that "a third-party advertiser could take simple steps to get detailed information about individual users," the FTC alleges. For instance, advertisers could use FriendID to visit users' Myspace pages and obtain their real names. Advertisers also could "combine the user’s real name and other personal information with that advertiser’s tracking cookie and the history of websites the user has visited that it contains," the FTC says in its complaint.

Myspace isn't the only company to face scrutiny for its referrer header practice. The FTC's recent complaint against Facebook also included charges that the social networking service violated its privacy policy by including personal information in the referrer headers. That case also was settled. In addition, Google is facing a potential class-action suit stemming from allegations that it shared users' names with outside companies when it passed along search queries in the referrer headers; those queries occasionally included users' names.

Specific Media, which now owns Myspace, said in a statement that one of its first moves after acquiring the company last June "was to thoroughly examine the company’s business practices and, where applicable, make improvements."

The company added: "In order to put any questions regarding Myspace’s pre-acquisition advertising practices behind us, Myspace has reached an agreement with the FTC that makes a formal commitment to our community to accurately disclose how their information is used and shared."

Recommend (1)