WSJ: MySpace, Apps Leak User Data

http://online.wsj.com/article/SB10001424052702303738504575568460409331560.html

OCTOBER 23, 2010

MySpace, Apps Leak User Data

Site Sends Personal IDs When Ads Are Clicked, a Journal Investigation Finds

By GEOFFREY A. FOWLER And EMILY STEEL

MySpace and some popular applications on the social-networking site have been transmitting data to outside advertising companies that could be used to identify users, a Wall Street Journal investigation has found.

The information was primarily sent by MySpace when users clicked on ads. The website had pledged to discontinue the practice of sending personal data when users click on ads after the Journal reported it in May.

A MySpace spokesman said the data identify the user profile being viewed but not necessarily the person who clicked on the ad. MySpace is owned by News Corp., which also owns The Wall Street Journal.

MySpace, which had 58 million visitors in the U.S. in September, has been struggling to turn its business around in the face of tough competition from Facebook Inc., which had 148 million U.S. visitors last month, according to comScore Inc.

The data being transmitted were MySpace user IDs. These unique numbers can be used to look up a person's MySpace profile page, which sometimes includes their real name, photographs, location, gender and age. The advertising companies being sent the data, which included Google Inc., Quantcast Corp. and Rubicon Project, said they didn't use the information.

Earlier this week, the Journal reported that the top 10 most-popular applications on Facebook were passing that site's user ID numbers to outside companies. Facebook said it is changing its technology to block the transmission of user IDs.

The MySpace leaks appear to be more limited than those at Facebook, which has far more users and requires them to make public their name, gender and country.

On Facebook, the user ID is linked to a person's real name. MySpace allows users to hide their real names and use a "display name" on the network. That means that user IDs don't necessarily link to people's real identities. MySpace says knowledge of a user ID number only provides access to information a person has made public on their profile.

In addition, the Journal investigation found some MySpace applications were transmitting user IDs, including BitRhymes Inc.'s TagMe, which lets its 8.3 million users make and comment on friends; WonderHill Inc.'s GreenSpot, a virtual gardening game with 1.8 million users; and RockYou Inc.'s RockYou Pets, a game with 6.1 million users.

MySpace said it prohibits app makers from sharing user data, including user IDs, with other entities. "It has recently come to our attention that several third-party app developers may have violated these terms and we are taking appropriate action against those developers," a MySpace spokesman said.

The Journal's investigation demonstrates how fundamental Web technologies can jeopardize user privacy. When a user clicks on an online ad, several pieces of data are transmitted, including the web address of the page where the user saw the ad. At both MySpace and Facebook, that web address has included a user ID.

Craig Wills, a professor at Worcester Polytechnic Institute who has studied how social-networking sites handle user IDs, said such referral data are a growing problem for the Web. As more sites try to tap into social-networking capabilities, "there is the potential danger that those sites with the identifier don't necessarily take care of it, and potentially leak it to whatever third parties are present," he said.

In many cases, the transmission is inadvertent. A RockYou spokeswoman said a company that works with RockYou was transmitting user information to a third company without RockYou's knowledge. "We have taken immediate action to indefinitely suspend their services in connection with RockYou and we are reviewing all third-party providers to ensure compliance with our platform partners' terms of service," she said.

WonderHill didn't respond to requests for comment.

The Journal found that TagMe transmitted a user ID to online tracking company RapLeaf Inc. MySpace and TagMe both said TagMe has since stopped the practice. RapLeaf declined to comment.

BitRhymes, maker of TagMe, said it "has a strict policy of not passing personally identifiable information to any third parties. When we were informed of the issue, any suspect relationship was immediately dissolved."

--Courtney Banks contributed to this article.

Write to Geoffrey Fowler at geoffrey.fowler@wsj.com and Emily Steel at emily.steel@wsj.com