Websites share user data more often than previously thought
Popular websites are disclosing personal information to advertisers and others more often than previously believed, according to new research, and the finding is renewing calls to let Internet users block companies from tracking their online surfing.
Information that could easily identify you — your name, user name or email address, for instance — typically is embedded in the Uniform Resource Locator, or URL, that websites share with online advertisers and other third parties, said Jonathan Mayer, a Stanford graduate student who studied the issue and released his findings Tuesday.
The practice is pervasive, though not necessarily intentional, on some of the more popular websites, including home improvement center Home Depot’s online store and photo-sharing site Photobucket, Mayer said.
Online privacy advocates said the findings show the need for a do-not-track mechanism, similar to the popular do-not-call list to block telemarketing calls. Such a mechanism would enable consumers to opt out of online tracking, which is used to deliver advertising targeted to a person’s online behavior.
The Federal Trade Commission is pushing Internet companies to develop a do-not-track option beyond the current haphazard voluntary system. Some in Congress have proposed legislation mandating a do-not-track system.
FTC Chairman Jon Leibowitz likened companies that track people online to the paparazzi who follow celebrities. He called them “cyberazzi.”
“It is true that paparazzi know who their celebrity subjects are, while the cyberazzi may not have linked, at least not publicly, our identities to the profiles they are building, but that could happen,” he said at an online privacy forum Tuesday before the new findings were released.
“It could be traced throughout an invisible lattice of companies, snowballing into an exhaustive profile of you, available to those making critical decisions about your career, your finances, your health and your reputation,” Leibowitz warned.
Privacy advocates said widespread data leakage means that Web browsing is not as anonymous as the industry has claimed.
“That information is not anonymous and is often shared with sites,” said John Simpson, privacy project director for Consumer Watchdog.
The Future of Privacy Forum, a think tank that advocates for responsible data practices, said websites should be careful to avoid “mistaken exposure of personal information.”
“What the study fails to emphasize is that most companies targeting ads online have no use for personal information,” said the group, which is backed by major online and bricks-and-mortar companies. “If they are getting that kind of information, it is most likely because of [an] inadvertent mistake.”
Representatives of the Digital Advertising Alliance, a coalition of online advertising companies, were not available for comment on the study.
Last year, the alliance launched a self-regulatory initiative, at https://www.aboutads
.info, to let people check their Web browser for tracking code known as cookies placed by participating companies and then opt out of receiving targeted ads.
Some leading Web browsers, such as Microsoft Corp.’s Internet Explorer and Mozilla Corp.’s Firefox, have an option that enables users to send a message to websites saying they do not want to be tracked. But it is up to the sites as to whether they honor the request.
Mayer said the ability to link a person to the unique sequence of numbers of a Web browser is the key that could enable a company to connect that person’s past and future online movements.
“Many times, Web developers aren’t thinking about privacy issues, and it’s a fact of life that information is going to leak to third parties,” Mayer said. “I think we have to recognize that that’s just the way the Web works.”
The personal information is transferred because the Web address, or URL, created when a person logs on to a site is sent to third parties to deliver ads and other content on the page, he said.
For example, when a user logs on to the Home Depot website and then looks at a local ad, the person’s first name and email address is sent to 13 companies, Mayer said.
“And that email and first name get associated not just with what you’re doing right now, but get associated with what you’ve done in the past and what Web browsing activity you might have in the future,” Mayer said.
Mayer also found that even when trying to log on to the Wall Street Journal website with the wrong password, the user’s email address was sent to seven companies. Changing user settings on video sharing site Metacafe sent the person’s first name, last name, birthday, email address, physical address and phone numbers to two companies.
Mayer studied 185 of the most-visited websites that offered free individual log-ins, though he excluded the main Google, Yahoo and Facebook sites because they offered so many features that it was impractical to study them all.
He found that 61% of the sites shared a person’s user name or ID with at least one third-party website. Mayer created accounts for sites and then tracked where the information went.
On Photobucket, for instance, his study found that a user name was sent to 31 other websites.
Home Depot spokesman Steve Holmes said the company does not “trade, rent or sell our customers’ information.” But it sometimes shares information with outside companies to improve customer and product offerings, as is noted in its privacy policy.
Home Depot first learned of the data leakage study Tuesday and was checking to see whether anything unusual occurred, he said.
Representatives of Metacafe and Photobucket did not respond to requests for comment.
The Wall Street Journal said on its website: “We were made aware of a bug and have since corrected the issue. We are continuing to audit the site.”
Mayer said there was only one sure way for consumers to avoid data leakage.
“The best thing they can do is to block advertising, because the moment content is loaded on the browser there is a risk of tracking,” he said.
