19 Oct 2010

Referrer Madness


By now, many of you have heard of the information that is “leaking” from Facebook applications, and how this wide-ranging problem might affect your personal privacy.

On Monday, the Wall Street Journal continued its online privacy series by reporting that many popular Facebook applications leak personal information – in the form of Facebook user IDs – to online advertisers.  A Facebook user ID is a unique number issued to every user of the site, and is part of a person’s public profile: you cannot restrict access to your user ID simply by modifying your account’s privacy settings.

When you visit a web page, browsers typically report the URL of the page you were viewing before you clicked over to the current page: this is known as the “referrer” URL.  A Facebook app is often loaded on the same web page as third-party ads. When these ads are fetched (to be loaded onto the page), the application tells the advertising network the URL of the current page that is loading their ad. In the case of many Facebook apps, this URL contains the unique user ID of the person who loaded the page. This ID can then be used to identify that specific user – it is linked to public profile information like their full name.  The URL (with the ID) is sent even if the user does not click on any ads.

This is not the first time it has been the subject of discussion. It was raised in a research paper in August 2009 and – in a similar context – described in an earlier WSJ article about Facebook ads. A lawsuit has been filed in California that alleges that Facebook has shared personal data with advertisers.

Current debate around the privacy implications of referrer information has also included criticism of the statements made in the WSJ article. Some commentators found the article alarmist, and others pointed out that these issues are not specific to Facebook, but are a wider web privacy concern. Indeed, the broader privacy implications of referrer data have also been recently raised as part of a complaint to the Federal Trade Commission about Google’s use of referrer headers.

It is important to note that using referrer data is, by itself, a legitimate practice. The web standards that underpin how information and instructions are communicated across the internet allow browsers to send the referrer field as an optional part of a request to a web server. However, there is flexibility as to exactly what information is included in the referrer header, and also whether users allow their browsers to send referrer data in the first place. Harlan Yu outlined a number of solutions in a timely blog post; these include omitting IDs from the web request, using placeholder IDs instead of real Facebook IDs, and improving browsers to give people better control over the transmission of referrer data.

One prominent member of the web community co-wrote an Internet standard document that pointed out privacy concerns of referrer data:

Note: Because the source of a link may be private information or may reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer…information.

The co-author? Tim-Berners Lee (considered the father of the web), in 1996. The privacy debate continues…


2 Responses

Tweets that mention Office of the Privacy Commissioner » Blog Archive » Referrer Madness -- Topsy.com Says:

[...] This post was mentioned on Twitter by Privacy Commission , trevortye and cippic, LawyerNexus. LawyerNexus said: Referrer Madness: By now, many of you have heard of the information that is “leaking” from Facebook applications, … http://bit.ly/bgXiwo [...]

Winston Says:

It’s not really as complicated as that. There’s no reason Facebook needs to ever have personally-identifying information in the URL. They could use cookies (rather than the URL) to track who the user is, or send information by POST rather than GET (which would result in it not appearing the the URL)

Leave a Reply

If you wish to leave a reply, you will be asked to provide your name and e-mail address. Your e-mail address is required for the purposes of limiting spam and contacting you should we have questions about your comment.





To learn more about why this information is collected and how it will be used, please read our Blog Comment Policy.