Wednesday, October 20, 2010

Update - Facebook apps leak your identity to advertisers

In an update to my previous post on the danger of "apps", a researcher has found that Facebook applications leak your identity to advertisers. Any application which displays ads to you while you use it is potentially sending your identity to its advertisers.

Why does this happen? It could be sloppy programming on the part of the application (e.g. Farmville in the article), or it could be the result of the contract between the application provider and its advertisers:

  • Sloppy programming

    Any application which displays ads by asking your browser to fetch the ad directly from the advertiser's system runs the risk that all kinds of information from your browser reach the advertiser. A more secure way to deliver ads would be for the application to request the ad for you, then display it to you; it could then make you anonymous to the advertiser. However, advertisers may explicitly want to avoid this, which brings us to:

  • Contractual obligations to advertisers

    Advertisers are paying the application either for each ad displayed or when a user "clicks" on the ad. An advertiser would typically want to make sure that the ads actually reach the users; if they're paying for "impressions" then they probably want to count those deliveries themselves. Therefore they're less likely to trust the application developer to count for them; instead, they'll want to identify each ad request by its unique browser/requestor.

    Another consideration is that advertisers (or the ad networks that deliver the ads to the applications on their behalf) may explicitly want access to your browser so they can use cookies to track you. They therefore would not want the application to fetch the ads on your behalf; they would want your browser to make the request directly, so they can fetch and drop tracking information. In theory, this tracking information should allow you to be "semi-anonymous"; however, if it's tied to an explicit Facebook (or other social network) ID, then that anonymity vanishes.

What's the solution? Well, the easiest is: don't use "apps" in social network settings. Other solutions are a bit harder. You could use a Firefox extension to block the information from the advertisers; I don't use any so I can't personally recommend any particular one. You could configure your browser to use an anonymizer - a proxy which strips your personal information and routes your request through several machines so the web site has a harder time identifying you. Or you can run a proxy server on your local machine which modifies incoming pages and outgoing requests. You can even run a combination of all of these, so you don't have to place all your trust in any one solution.
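
The difference between the two delivery models described above, as an added example that is not from the original post or the researcher's work: it compares what an ad server receives when your browser fetches the ad directly with what it receives when the application fetches the ad for you. The sample request, the `user_id` URL parameter, the IP addresses and the `X-Impression-Id` header are constructed for illustration.

```python
import secrets

# Constructed sample: a browser loading an ad from inside an app page whose
# URL carries the user's social-network ID (the URL shape is an assumption).
USER_ID = "1234567890"
CLIENT_IP = "203.0.113.7"
BROWSER_REQUEST = {
    "client_ip": CLIENT_IP,
    "headers": {
        "Referer": f"https://apps.social.example/game?user_id={USER_ID}",
        "Cookie": "adnet_track=f3a9c1",  # ad network's own tracking cookie
        "User-Agent": "ExampleBrowser/1.0",
        "Accept": "image/*",
    },
}
FORWARDABLE = {"accept"}  # allowlist: every other header stays with the app


def direct_fetch(req):
    """What the ad server receives when the browser fetches the ad itself."""
    return {"source_ip": req["client_ip"], "headers": dict(req["headers"])}


def app_side_fetch(req, app_server_ip="198.51.100.20"):
    """What the ad server receives when the application fetches the ad."""
    headers = {k: v for k, v in req["headers"].items() if k.lower() in FORWARDABLE}
    # Random per-impression ID (hypothetical header) so requests stay countable.
    headers["X-Impression-Id"] = secrets.token_hex(4)
    return {"source_ip": app_server_ip, "headers": headers}


def leaked(view, user_id=USER_ID, client_ip=CLIENT_IP):
    """Names of the fields that identify or track the user in this request."""
    found = ["source_ip"] if view["source_ip"] == client_ip else []
    for name, value in view["headers"].items():
        if user_id in value or name.lower() == "cookie":
            found.append(name)
    return sorted(found)


if __name__ == "__main__":
    print("direct fetch leaks:  ", leaked(direct_fetch(BROWSER_REQUEST)))
    print("app-side fetch leaks:", leaked(app_side_fetch(BROWSER_REQUEST)))
```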
