Compare People on Facebook

The Truth About Facebook - Privacy Settings Every Facebook User Should Know, and Much More - The Facts You Should Know 
Vulnerability: The Compare People application on Facebook sends user profile information, such as age, gender, city, ZIP code, favorite music, favorite movies, favorite TV shows, favorite books, “about me,” activities, interests, and political view to Google AdSense when displaying advertisements within the application.

Progress: Facebook has been notified. Compare People has commented; see below for updates.

More Detail: Today I was checking out my rankings in Compare People and decided to check for any security or privacy holes. While I haven’t actually hacked it (though I have some ideas), I was quite surprised to discover how much of my profile information is collected and sent to AdSense. From what I understand, this information is stored by Google, and thus this practice clearly violates Facebook’s TOS in that it...
  1. shares personal information with a third party without the user’s knowledge or consent and 
  2. the third party stores information whose storages is restricted by the platform documentation. 
The code for Compare People caches this information and information on a user’s friends, but does not appear to store any of the data long-term. I checked Compare People’s application page and off-Facebook documentation for a privacy policy and never found one, which could be another TOS violation.

Update: Thanks to Naval Ravikant from Compare People for replying and clarifying some things. First, according to Ravikant, Google does not store the profile fields like location, favorite movies, etc. and only uses them as keywords when generating the ads. Prior to posting I had researched this feature of AdSense, and best I could tell the info was stored. But as Ravikant pointed out, “personally identifiable information,” such as a user ID or name, is not passed on. Finally, Ravikant mentioned that many Facebook applications are employing the same techniques in generating their ads. I still don’t think transmitting such data to another application without notification or consent from the user would be consistent with the TOS, but Facebook will have to answer that question.

Compare People is disabling the feature until they get some clarification on whether it violates the TOS, and I appreciate their responsiveness. In any event, this once again reminds users how many ways data about them can be collected and used on the Internet, both with Facebook applications and Google AdSense.

Update 2: VentureBeat received word from Google that they have asked Facebook app developers not to send such information as keywords any more, has stopped using such keywords, and has not received any “personally identifiable information.”


PT comment:

This article was sent to us by a reader in follow up to our general Privacy article.