Websites 'leak' personal information about visitors, US researchers claim

Out-Law News | 12 Oct 2011 | 4:24 pm

Some popular websites leak personal information about visitors to advertisers and other third-party websites without explaining the activity in privacy policies, US researchers have claimed.

Researchers at Stanford University said that usernames or user identification was "leaked" by 61% of the websites they tested. Other personal information such as email addresses was also leaked, the academics said. Websites tested included LinkedIn, the New York Times, MySpace and eBay. 'Leaked' data refers to the intentional or unintentional flow of information, the academics said.

"We identified username or user ID leakage to a third party on 113 websites, 61% of the websites in our sample," Jonathan Mayer, one of the Stanford researchers, said in a blog.

"Some websites leaked the username or user ID to dozens of third parties. For example, popular photo sharing website Photobucket embeds username in many of its URLs, and includes advertising on most of its pages; we observed the username [got] sent to 31 third-party [web addresses]," Mayer said.

The researchers set up accounts on the websites in order to collect and record the data that each website recorded about their interactions with it, Mayer said.

Mayer said the Wall Street Journal, Home Depot and Metacafe websites were among those that leaked personal data but did not disclose the practice in policy information.

"Viewing a local ad on the Home Depot website sent the user's first name and email address to 13 companies," Mayer said in his blog.

"Entering the wrong password on the Wall Street Journal website sent the user's email address to 7 companies. Changing user settings on the video sharing site Metacafe sent first name, last name, birthday, email address, physical address, and phone numbers to 2 companies," he said.

It would be "better practice for all first-party and third-party websites" to admit that personal information is leaked and may be shared with others, Mayer said.

Last year US consumer protection watchdog the Federal Trade Commission proposed that web users be able to use a 'do not track' facility to block any use of their browsing habits for advertising purposes. Opponents of that view have argued that the measures are not required as the information they record is anonymous.

The Stanford researchers said that there was "overwhelming evidence" of tracking of personally identifiable information.

"We believe there is now overwhelming evidence that third-party web tracking is not anonymous," Mayer said in his blog. "It is a legitimate policy question whether, on balance, 'do not track' should be enforced by law. But the difficult weighing of competing privacy risks and economics can't be short-circuited by claims of anonymity."