Social network MySpace told users it wouldn’t share personally identifiable information (PII), but then it gave advertisers individual Friend IDs that could be easily connected with user profiles and the information publicly posted there, according to the Federal Trade Commission. The agency says MySpace also incorrectly told users it complied with the U.S.-EU Safe Harbor Framework related to personal data.
The FTC says MySpace misled “millions of users.”
MySpace has agreed to a settlement with the FTC over the charges. Under it, the company agrees not to make privacy misrepresentations in the future, to implement a comprehensive privacy program, and to arrange for independent privacy assessments every two years for the next 20 years. There was no fine assessed as part of the agreement, nor did MySpace specifically admit fault.
The key lesson here seems to be that social networks and publishers need to be very careful with unique user IDs and how they are protected and shared — no matter how far removed they seem from personally identifiable information.
In a post on the FTC Tech Blog, FTC Chief Technologist Ed Felten wrote:
While enabling syncing [associating one pseudonym with another] was one of the issues in this case, it’s important to recognize that syncing of pseudonyms is not always a privacy problem nor a violation of the law. What made the possible syncing problematic in the case of Myspace was that (1) Myspace enabled ad networks to use Myspace’s Friend ID pseudonym to get personal information about the associated user, and (2) Myspace promised its users that it would not share that personal information with third parties.
If your product syncs pseudonyms or identifiers with third parties, or makes such syncing possible, you might want to ask yourself which information flows, if any, are enabled by the syncing, and whether those information flows are consistent with your privacy obligations.
Biennial Privacy Audits Becoming Standard
MySpace is just the latest social network to get slapped on the wrist by the FTC. Other players in the social space — Facebook, Twitter and Google — have also agreed to multiple years of privacy audits in the last couple of years, making such biennial audits effectively the industry standard.
Facebook had a similar privacy scandal involving unique user IDs, when it was discovered that various apps were passing unique Facebook IDs to advertising companies.
MySpace is now owned by Specific Media, which acquired it in June of 2011. Specific Media, in a blog post on its site, says the practices the FTC was concerned about are now in the past:
“…one of our first actions after acquiring Myspace was to thoroughly examine the company’s business practices and, where applicable, make improvements. A major focus of this review was to ensure that Myspace delivered advertisements to consumers in a manner that safeguarded their privacy. Applying our expertise in online advertising, we successfully improved upon Myspace’s historical practices, bringing the social media platform to the forefront of industry best practice for ad delivery.”
But the FTC said MySpace did share Friend IDs, along with users’ specific browsing data, with advertisers. Those Friend IDs could be directly tied back to users’ public profiles, which often contained their real full names, which could then be tied to additional web-browsing activity, in violation of federal law, the FTC said.
The proposed settlement will now be subject to a public comment period, after which commissioners will decide whether to make it final.