On May 8, the Federal Trade Commission agreed to settle allegations that Myspace misrepresented its data practices regarding the use and sharing of its users’ personally identifiable information, a deceptive act or practice in violation of Section 5 of the FTC Act.
The primary data practice at issue was Myspace’s sharing of the unique identifier assigned to the profile of each Myspace user (called a “Friend ID”) with third-party advertisers, who could then use the identifier to access that user’s profile (and the PII maintained on that profile), a practice which the FTC alleged was contrary to Myspace’s representations regarding its use and sharing of PII.
The FTC focused on the fact that the Friend ID, despite being non-PII, was linked to a user’s Myspace profile so that third-party advertisers could use the Friend ID to easily obtain the PII resident on a user’s profile. In effect, the FTC took the position that by sharing the Friend IDs with third parties, Myspace also constructively shared all of the PII accessible from a user’s Myspace profile with those third parties. As such, this enforcement action may signal that a business can’t get around promises not to share PII with third parties by simply sharing a piece of non-PII that enables a third party to subsequently obtain access to PII maintained by that business.
In this case, the non-PII at issue was directly linked to PII – as the unique Friend ID was the only information needed to locate a user’s online profile – so the FTC alleged that Myspace should have foreseen that the third-party advertisers would be able to obtain access to users’ PII. However, it remains to be seen if the FTC will apply this concept of constructive sharing of PII to situations where the downstream linkage of non-PII to PII by third parties is less foreseeable (e.g., if a third party employs a sophisticated de-anonymization algorithm to re-identify an individual based on non-PII obtained from a business).
Myspace assigned each user profile a unique Friend ID, and a user’s online profile could be accessed by typing the Friend ID assigned to that profile in the URL after the slash in “www.myspace.com/”. By pulling up a user’s Myspace profile, one could obtain access to “basic profile information,” including the user’s profile picture, location, gender, age, display name, and full name (unless the user has elected to opt out of making his or her full name public, an election which the FTC reported, as of July 2010, was made by only approximately 16% of Myspace users). In addition, if a user had chosen to make his or her profile available to anyone, the Friend ID could be used to obtain access to any information or content – such as photos, videos, messages, and comments – on the user’s Myspace profile. Thus, the Friend ID was the key which enabled anyone to obtain access to a significant amount of PII about a Myspace user.
Myspace displays advertisements on its site that are served by third-party advertisers, and the FTC alleged that Myspace shared the Friend IDs (as well as the ages and genders) of users that clicked on these advertisements with the third-party advertisers. Due to this data sharing, a third-party advertiser would be have been able to use the Friend IDs to access users’ Myspace profiles and gather the PII noted above, such as the users’ full names, which the third-party advertiser could combine with any information obtained via cookies in order to target ads to those users.
The FTC noted that Myspace failed to always fully encrypt the Friend IDs and other information provided to third-party advertisers. Although the FTC did not elaborate on this point, the reference to encryption raises the question of whether the FTC would have deemed Myspace’s data sharing practices to be in compliance with federal law if the Friend IDs had been encrypted in the hands of both Myspace and the third-party advertisers at all times.
The FTC’s Complaint – Myspace Misrepresented Its Data Practices
In pertinent part, Myspace represented that: (1) it would not use or share a user’s PII with third parties without first providing notice to and obtaining consent from users; (2) the customization of advertisements on the Myspace site did not allow third-party advertisers to obtain a user’s PII or to individually identify the user; and (3) a user’s web browser activity was anonymized when shared with third-party advertisers. However, in its complaint (PDF), the FTC alleged that Myspace’s practice of sharing Friend IDs with third-party advertisers was contrary to these representations. To this point, the FTC noted in its news release that “[a]dvertisers could use the Friend ID to locate a user’s Myspace profile to obtain personal information publicly available on the profile and . . . could combine the user’s real name and other personal information with additional information to link broader web-browsing activity to a specific individual.” As such, these representations were false or misleading, and constituted deceptive acts or practices in violation of Section 5 of the FTC Act.
The FTC also alleged that Myspace failed to comply with the substantive privacy requirements of the US-EU Safe Harbor Framework ("Safe Harbor"), which was contrary to its representations that it was in compliance with Safe Harbor. This misrepresentation also constituted a deceptive act or practice in violation of Section 5 of the FTC Act.
Terms of the Proposed Settlement
The proposed consent decree (PDF) prohibits Myspace from misrepresenting its data practices, including the extent to which it shares certain information with third parties and the extent to which it complies with the US-EU Safe Harbor Framework. In addition, Myspace is required to implement a comprehensive privacy program, obtain biennial assessments of its comprehensive security program for a period of 20 years, and comply with several reporting and administrative requirements.