A Facebook update
earlier this year resulted in the disclosure of users' names and sensitive information to advertisers, two social networking site members assert in new court papers.
David Gould and Mike
Robertson allege that from February until May, Facebook leaked a host of data about users who clicked on ads via the referrer headers, which allegedly transmitted enough data to marketers that they
could identify the people who landed on advertisers' sites after clicking ads on Facebook.
"This unauthorized disclosure of a person's identity and what Facebook page they were viewing could
have the effect of revealing to advertisers confidential and sometimes highly sensitive information, including a user's private interests," Gould and Robertson allege in an amended complaint filed
Monday in federal district court in San Jose. "For example, if a Facebook user who was gay and struggling to come out of the closet was viewing the Facebook page of a gay support group, and then
clicked on an ad, the advertiser would know the exact identity of that person, and that s/he was viewing the Facebook page of a gay support group just before navigating to their site."
The
plaintiffs allege that Facebook violated federal and state privacy laws as well as its own privacy policy -- which, they allege, promised users that their personal information "will only be disclosed
to advertisers in the specific ways and circumstances set out in Facebook's privacy policy and with user consent." They are seeking class-action status. The new complaint replaces two separate
lawsuits that were filed in June.
Last year, two computer scientists from AT&T and Worcester Polytechnic Institute
published the report, "On the Leakage of Personally Identifiable Information via Online Social Networks," which outlined how Facebook and other social networks could be leaking personally identifiable
information by including it in the HTTP header information that is automatically sent to ad networks.
At the time, a Facebook spokesperson said that referring URLs only provided information
about the profile page a user had been on when he or she clicked on the ad, but didn't reveal whether that user was the person featured in the profile or a friend of the member.
But Facebook
allegedly began embedding additional information in the referring URLs in February, according to the amended lawsuit. "Facebook caused Referrer Headers to include not just the URL of a web page a
person was viewing (e.g. a person viewing the profile of Facebook user John Doe) but also confirmation of the specific identify of the person viewing a web page (e.g. that it is John Doe himself who
is viewing his own profile)," the complaint alleges. Gould and Robertson also allege that Facebook revealed the names of users who clicked on ads displayed on Facebook pages other than their own
profiles.
Facebook allegedly stopped embedding that data in referring URLs in May, after being contacted by the press about the practice.
It wasn't clear why Facebook allegedly began
embedding more information in the referring URLs in February. But Michael Aschenbrener, a lawyer with EdelsonMcGuire who represents plaintiffs in the case, says Facebook could have avoided leaking
personal information. "It's well-known how to prevent this," he says.
Facebook did not respond to a request for comment regarding the amended complaint.