Facebook, MySpace and other social networks have apparently been sending personal and identifiable information about users to advertisers without consent, despite assurances to the contrary.

Large advertising companies including Google's DoubleClick and Yahoo's Right Media have received information including usernames and ID numbers that could be traced back to individual profiles as users clicked on ads. The data could potentially be used to look up personal information about the user, including real name, age, occupation, location and anything else made public on the profile. Both of the aforementioned companies denied being aware of the "extra" data they were receiving and claim they have not made use of it.

The Wall Street Journal reports that since questions were raised about the practice with Facebook and MySpace, both companies have since rewritten at least some of the code that allowed transmission of identifiable data. Beyond those two companies, LiveJournal, Hi5, Xanga and Digg made the list of sites who have sent identifiable information back to advertisers when a user clicked on individual ads.

The WSJ found that Facebook went farther than most in sharing identifiable data by sending the username of the person clicking the ad as well as the username of the profile he or she was viewing at the time. This news could hardly come at a worse time for Facebook, a company that currently faces a privacy backlash potent enough to make the cover of Time Magazine this month.

Outside of Facebook, the other companies named in the article maintain the data they send to advertisers contains the user ID of the profile a user is visiting when he or she clicks on an ad, and not the user ID of the individual visitor. Both Google and Yahoo strongly refuted the idea that they would ever make use of any such personally identifiable data. Yahoo VP of Global Policy Anne Toth said of the allegations, "We prohibit clients from sending personally identifiable information to us. We have told them. 'We don't want it. You shouldn't be sending it to us. If it happens to be there, we are not looking for it.'"

What do you think: Is this another privacy-related stain on Facebook as well as other social networks, or much ado about nothing?

UPDATE: Digg contacted us to clarify what they do and do not do with respect to personally identifiable information sent to advertisers. Chas Edwards, Publisher & Chief Revenue Officer at Digg, indicated that although the URL of the page the user is currently visiting is passed through (note that this is normal behavior — essentially how URLs function on the web), no personally identifiable information about the user themselves is passed through: "We don't share user data or any other personally identifiable information with any advertisers or ad networks, even if a user clicks on an ad; we only provide URLs of pages being visited. For site analytics purposes, we do share user data — that is *encrypted* so that it can't be tracked to PII on an individual user — with 3rd party research suppliers such as Omniture."