Myspace Learns the FTC Means Business
In it's settlement with Myspace earlier this week the Federal Trade Commission showed that it is willing to forgive little when it comes to privacy violations. Myspace agreed to settle an FTC lawsuit accusing the company of misrepresenting its protection of personal information. As a result of the settlement Myspace is required to implement a comprehensive privacy program and will be subjected to 20 years of privacy assessments.
This is the same sort of settlement that both Google and Facebook agreed to last year, so on the face of it, the terms themselves aren't that surprising. However, when looking a bit deeper into how Myspace violated the privacy of its users, I find it surprising the FTC treated Myspace's violation on par with Google's and Facebook's.
It's apparent that both Google and Facebook, as acused by the FTC, perpetrated privacy violations on their users as they clearly misrepresented themselves in a way that warranted the settlements. But the root cause of Myspace's violation wasn't misdeeds, it was the result of poor attention to security.
The crux of the accusation comes down to Myspace's "Friend ID." That identifier is a unique number that, when known, allows direct access to the ID owner's page. The Friend ID is not secret. A quick people search on myspace.com shows results containing the Friend ID appended to the end of every URL in the list (see the image below). Clearly just exposing that number by itself is not a privacy violation. The violation occured when Myspace carelessly included the Friend ID in reports back to advertisers enabling the advertisers to link users with specific demographic profiles. That's a no-no.
To understand why providing the Friend ID to advertisers is a problem you need to understand a bit about how Google, Twitter, Facebook, etc. use the personal information they collect for advertising. While an advertiser can buy access to a particular demographic, the advertisers aren't provided the identities of specific individuals they reach. In that way, even though Google may know all about your habit of eating toilet paper, Charmin can't buy a list of users that would include your identity. The advertisers only buy the opportunity to display a message to you, preventing disclosure of personal information to the third party (a privacy violation). This is a fine but important distinction, and one that Myspace failed to make.
However, as I already mentioned, this was not an intentional action on Myspace's part yet they were still treated as roughly as other purposeful violators. The lesson here is two-fold. One, the FTC is making it apparent they will go after anyone intentionally or unintentionally disclosing personal information without consent. And two, this is yet another example of why information security professionals have to understand privacy laws. The professionals reviewing Myspace's code must have known the ID was available to advertisers. I have to believe they just didn't think it was a problem, and that is a problem.
If you want to learn how to prevent these sorts of mistakes with your own business, check out Startup Privacy coming this July.