Until August of 2011, the online video service included the User ID that it assigned people in the URLs of their profile pages, according to papers that Hulu filed in a pending lawsuit. The result was that anyone who had Hulu users' assigned User IDs -- including companies like comScore and Nielsen -- could find users' names.
Hulu, which is currently defending itself on charges that it violated a federal video privacy law, says that there's no proof that anyone reverse-engineered users' identities that way. But that doesn't mean it didn't happen. In fact, anyone who did so wouldn't have had much incentive to inform Hulu about the glitch -- especially if they were drawing on that data for their own purposes.
Hulu's decision to incorporate User IDs in URLs is the same kind of shoddy privacy practice that AT&T used when it included the serial numbers of iPads in URLs that contained the owners' email addresses. The hacker who blew the whistle on this practice, Andrew “weev” Auernheimer, is now sitting in jail for doing so.
Hulu says the privacy case against it should be dismissed, arguing that the federal Video Privacy Protection statute only prohibits disclosure of personally identifiable information, and not random strings of numbers.
It's not yet clear how judges will view that argument. But it is clear that assigning people a unique User ID, and then making that ID available to others, doesn't go very far toward protecting people's privacy.