Facebook's privacy policy says they can provide "any of the non-personally identifiable attributes we have collected" to advertisers. But a new report shows that they actually sent data that can easily be tied to your name.

According to the Wall Street Journal, Facebook (and other sites like MySpace and Xanga) provided to advertisers data "that could be used to find consumers' names and other personal details," in violation of their own privacy policy. This information was the address of the page on which a user clicked a specific ad. The address led directly to a profile, meaning advertisers could easily identify the name (and whatever other data they could see) of the person from whose profile their ad was being clicked. Facebook went furthest, "in some cases signaling which user name was clicking on the ad as well as the user name of the page being viewed. By seeing what ads a user clicked on, an advertiser could tell something about a user's interests."

The Journal's report jumps off a 2009 study that suggested just this kind of personal data "leaking" might be occurring. But this is the first time Facebook actually acknowledged that they shared personally identifiable data with advertisers. Shortly after being contacted by the WSJ, Facebook revamped their code to hide the usernames in URLs.

We already knew that Mark Zuckerberg knows when you're going to break up with your girlfriend. Now imagine that the last time you clicked on that Papa John's Pizza ad, some bored Papa John's advertising exec was looking at a picture of you all flabby on the beach and laughing his ass off. (via Ars Technica)