Many top websites share their visitors' names, usernames, or other personal information with their partners without telling users and, in some cases, without knowing they're doing it, according to a new study from Stanford University.
Many websites "leak" usernames to third-party advertising networks by including usernames in URLs that the ad networks can see in referrer headers, said the study, released Tuesday by Stanford Law School's Center for Internet and Society. While there's a debate in legal circles whether usernames are personal information, there's a growing consensus among computer scientists that Web-based companies can use usernames to identify their owners, said Jonathan Mayer, a Stanford graduate student who led the study.
"The vast majority of usernames are unique," he said. "Given the prevalence of social networking, often times, once you have a username for a social network, you then also have a person's real name, possibly a photo, possibly more."
Other websites share first names, email addresses, and other information with advertising or other partners, Mayer said at a privacy conference in Washington, D.C. Those identifiers "get associated not just with what you're doing right now, but get associated with what you've done in the past, and what Web browsing activity you may have in the future," he said.
In many cases, the large websites appear to not inform users of the personal information they're sharing, the Stanford study said. "From a legal perspective, identifying information leakage is a debacle," the study said. "Many ... websites make what would appear to be incorrect, or at minimum misleading, representations."
The Stanford researchers looked at 185 of the largest websites and found that 61 percent of them shared usernames or user IDs with third parties. The information went most often to Web analytics firms comScore and Google Analytics, to advertising firms Quantcast and Google's DoubleClick, and to Facebook, the study said.
At HomeDepot.com, viewing a local ad resulted in the user's first name and email address being sent to 13 companies, the study said. Signing up at weather site Weather Underground sent the user's email address to 22 companies, and interacting with Classmates.com sent the user's first and last names to 22 companies, the study said.
Popular photo-sharing site Photobucket sent the username to 31 other companies, the study said. Changing user settings on the video-sharing site Metacafe sent the user's first name, last name, birthday, email address, physical address and phone numbers to two other companies, the study said.
The Information Technology and Innovation Foundation, a tech-focused think tank, questioned the study's assertion that it debunked the myth that digital data collection is anonymous.
"Despite the hype, the report merely identified some known technical issues that websites can address to improve privacy," said Daniel Castro, a senior analyst at ITIF. "The fact remains that the vast majority of organizations and businesses on the Internet do not abuse consumer data and have policies and practices in place to protect consumers."
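A site operator can check captured traffic for the referrer-header leak the study describes. The sketch below is an added example, not code from the study or this article: the hosts, sample requests, identifiers and function names are constructed, and comparing sites by their last two DNS labels is a simplifying assumption.

```python
from urllib.parse import urlsplit, unquote_plus

# Constructed sample traffic: (request URL, Referer header) pairs as a proxy
# or browser HAR export would record them. All hosts and values are made up.
SAMPLE_REQUESTS = [
    ("https://cdn.photos.example/static/app.js",
     "https://www.photos.example/user/jdoe42/albums"),
    ("https://ads.tracker.test/pixel.gif?slot=3",
     "https://www.photos.example/user/jdoe42/albums"),
    ("https://stats.metrics.test/collect",
     "https://www.photos.example/settings?email=jdoe%40mail.example"),
    ("https://ads.tracker.test/pixel.gif?slot=1",
     "https://www.photos.example/"),
]

def site_of(host):
    """Naive 'site' key: last two DNS labels (assumption; a real audit
    should use the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])

def find_referer_leaks(requests, first_party_host, identifiers):
    """Return (third_party_host, identifier) pairs where a known user
    identifier appears in the Referer sent to a different site."""
    own_site = site_of(first_party_host)
    leaks = []
    for url, referer in requests:
        dest = urlsplit(url).hostname or ""
        if not referer or site_of(dest) == own_site:
            continue  # same-site requests are not third-party disclosure
        ref = urlsplit(referer)
        # Decode %40 and similar so percent-encoded emails still match.
        haystack = unquote_plus(ref.path + "?" + ref.query).lower()
        for ident in identifiers:
            if ident.lower() in haystack:
                leaks.append((dest, ident))
    return leaks

def origin_only(referer):
    """What a third party receives when the site sends only its origin,
    for example with a 'Referrer-Policy: origin' response header."""
    p = urlsplit(referer)
    return f"{p.scheme}://{p.netloc}/"

if __name__ == "__main__":
    ids = ["jdoe42", "jdoe@mail.example"]
    for host, ident in find_referer_leaks(SAMPLE_REQUESTS, "www.photos.example", ids):
        print(f"{ident!r} disclosed to {host} via Referer")
```

Re-running the check on the same requests with each Referer passed through `origin_only` reports nothing, which is the effect of trimming the referrer to the origin or keeping identifiers out of URLs.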