Privacy advocates Center for Digital Democracy and the Electronic Privacy Information Center are urging the Federal Trade Commission to investigate Facebook's alliance with Datalogix.
The groups today sent a letter to the FTC, questioning whether the Facebook-Datalogix deal violates a consent decree that the agency recently signed with the social networking service. That settlement requires Facebook to obtain people's express consent before sharing their information more broadly than in the past.
The Facebook-Datalogix deal is an analytics initiative, aimed at determining whether ads seen online affect people's offline purchases. Datalogix has loyalty-card information about people's offline purchases; those cards are often tied to email addresses. Facebook also has its users' email addresses. The two companies are now going to compare enough information to figure out how many users who view particular ads go on to make purchases.
Facebook says that the data will all be aggregated and that no individual's information will be shared between the companies. Instead, the companies will "anonymize" the information by hashing the email addresses.
But the privacy groups question whether hashing will guarantee privacy. Their letter refers to an April blog post by former FTC Chief Technologist Ed Felten, which calls hashing a "vastly overrated" anonymization technique. "The casual assumption that hashing is sufficient to anonymize data is risky at best, and usually wrong," Felten wrote.
The advocates also argue that Facebook didn't adequately notify users about the Datalogix deal, and that the opt-out method is "confusing and ineffective." It's also relatively cumbersome: To opt out, people must go to a Datalogix page and submit their name, address and email address.
It's not yet known whether the FTC will investigate. But Facebook isn't doing itself any favors in the court of public opinion by requiring users to go through these kinds of hoops to opt out of the program.