But the big privacy breach unveiled in The Wall Street Journal’s latest paranoid entry in the “What They Know” series of screeds merely makes me roll my eyes. However, the echo chamber known as the media has rattled enough that the U.S. Congress is sticking its fat, useless nose into the matter.
First off, it was not a breach, but an oversight — Facebook user IDs were appearing in referrer URLs when apps such as FarmVille reached for ads, in effect handing ad networks user IDs. (Much thanks to Freedom to Tinker’s Harlan Yu for explaining the “privacy breach” in layman’s terms, something the The Wall Street Journal story passed over in favor of sensationalism.) It doesn’t appear that ad technology and data collecting companies were taking advantage of the minimal amount of information that could be gleaned through a user ID — a user’s name and any public information on his/her profile (which could be found through a search engine).
But scream “online privacy breach” and not only do the pageviews stack up, the ears of elected officials perk up because online ad technology is a nice easy target — it creeps out Internet browsers (many of them voters, and this is an election year) merely because they don’t understand it. Why don’t they understand the technology? Well, it’s frickin’ complicated and the average American’s attention span rivals a hummingbird — not that our industry has done a great job on the transparency front, but at least people are making an effort.
Edward Markey (D-Mass) and Joe Barton (R-TX), co-chairmen of the House Bipartisan Privacy Caucus, sent a letter to Facebook CEO Mark Zuckerberg demanding answers to these pressing questions by Oct. 27: How many users are affected? When did you first learn about the breach? What are are you doing to fix it? What are you hiding beneath that hoodie?
Normally I’d snort when hearing a Facebook spokesperson say an incident is being blown out of proportion, but in this case I’m nodding my head in agreement — it’s a very weird feeling and I hope it doesn’t last long. Sure, Facebook did screw up — but more accurate are the accusations of laziness in building the infrastructure.
I am no developer or engineer, so I can’t tell you how easy the referrer situation is to fix, but it seems like a bit of elbow grease could have avoided this problem entirely. In particular, there’s the proxy scheme, in which Facebook apps would receive placeholder IDs instead of real IDs, a handy extra layer of security. Adrienne Felt, working on her computer science PhD at the University of California Berkeley, suggested this two years ago, but was Facebook listening?
The overreaction to this privacy oversight is a result of a paranoid fantasy that the WSJ has been fueling with its “What They Know” series: advertising technology companies are harvesting so much information to build J. Edgar Hoover-style profiles on all consumers for sinister purposes.
This is partly the industry’s fault for not being transparent enough about data practices, but it’s also the public’s for being ignorant, possibly naive. In NPR’s take on the incident, the industry’s favorite privacy advocate Jeff Chester references how banks will sell the information garnered through “free mortgage calculators” to any interested parties — how lacking in common sense are you if you insert your data into that calculator and don’t expect that to happen? That’s like taking a Scientology Personality Test and being shocked when they try to get you to join the church.
Information has always been a hot commodity (remember those great Glengarry leads?) and offline targeting companies have legally been pulling these stunts for decades. Lorrie Cranor, a professor at Carnegie Mellon University, states the obvious: “We tend to weigh more heavily the pleasure that we’ll get out of the immediate reward than the risk that may be long term and further off.”
Never has that been more true than on the Internet.
Any information you toss on the Internet is likely to have a buyer and a seller. For the millionth time, the Internet is not free and Facebook privacy is an oxymoron. This “security breach” is merely a social hiccough and will be fixed soon — the fear and outrage elicited is mainly a result of the failure to communicate between the interactive ad industry and Internet users. It’s a mutual problem.