When websites require you to register, they usually promise to protect your private information. But do they?
A study of more than 100 popular websites used by tens of millions of people has found that three quarters directly leak either private information or users' unique identifiers to third-party tracking sites.
The study, co-authored by Craig Wills, professor of computer science at Worcester Polytechnic Institute (WPI), also demonstrated how the leakage of private information by many sites, including email addresses, physical addresses, and even the configuration of a user's web browser—so-called browser fingerprints—could permit tracking sites to link many different pieces of information, including browsing histories contained in tracking cookies and the contents of searches on health and travel sites, to create detailed profiles of individuals.
Privacy problem getting worse
"Despite a number of proposals and reports put forward by researchers, government agencies, and privacy advocates, the problem of privacy has worsened significantly," Wills said.
So far, says Wills, privacy efforts have focused mainly on the third-party aggregators that obtain the private data. It's time, he maintains, that efforts focus on the first-party websites that obtain the data in the first place. He would like to see their role in protecting privacy get more examination.
Wills' study concludes that efforts to curb the leakage of personal information from websites and online social networking sites, including proposals made in a 2010 Federal Trade Commission (FTC) report on protecting consumer privacy, would be largely ineffective in preventing the identified leakage and linkage. Wills says that websites need to take greater responsibility for privacy protection.
User data valuable to advertisers
The study found that information is leaked through a number of routes to third-party sites that track users' browsing behavior for advertisers. In some cases, information was passed deliberately to the third-party sites. In others it was included, either deliberately or inadvertently, as part of routine information exchanges with these sites.
Depending on the site, the leakage occurred as users were creating, viewing, editing, or logging into their accounts, or while navigating the websites. The study's authors also observed sensitive search terms (such as pancreatic cancer) being leaked by health sites and travel itineraries being leaked by travel sites.
Some private data is more sensitive than others. For example, a user's name, phone number, or email address could be used to identify who the user is. Health information and travel itineraries can be very sensitive.
Easy to connect the dots
While the majority of leaked information rated low on both the identifier and sensitivity scales, the authors said this does not necessarily suggest that users need not be concerned about privacy leaks from websites. They noted that third-party tracking sites receive a wide range of information from popular websites that could be used to connect diverse bits of leaked information and link them to an individual user's identity.
These include the user ID that a website assigns to a user (leaked by nearly half of the sites studied), unique identifiers like email addresses or home addresses, and browser fingerprints—information on how an individual browser is configured, including the list of installed plugins, which the authors found is leaked by a number of sites.
While the FTC has studied the online privacy issue, Wills believes the agency has missed a key point: websites that receive user data should be held more accountable for maintaining privacy.
"These sites should play a custodial role in protecting their users and preventing the leakage of their sensitive or identifiable information," Wills said. "Third-party sites have a powerful economic incentive to continue to collect and aggregate user information, so relying on them to protect user privacy will continue to be a losing battle. It is time to put the focus on what first-party sites can and should do."