We have been following recent cases where online social networks have been accused of leaking personal information to third parties. The leakage is caused by the networks’ use of referrer headers (information about where on the web a user is coming from) that can include the username, allowing automatic linking to profile information if it is available.
New research from AT&T and Worcester Polytechnic shows that it is not just online social networks that are leaking information. In fact, more than half of the popular web sites examined in this study are also leaking personal information. The research was presented at the Web 2.0 Security and Privacy 2011 Workshop and the paper is available.
The major finding of the research is that 56% of the 120 popular web sites examined leak personal information to third parties in a variety of ways. This includes cookies, referrer headers, GET parameters, etc. The authors also show how identifying information can be used to link users across different sites.
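To make the channels named above concrete, here is an added example (not taken from the paper or from any of the sites studied) that scans a captured list of outgoing requests for known account details reaching third-party hosts via the referrer header, GET parameters, or cookies. The host names, account values, and request capture are constructed for illustration, and the third-party check is a simple suffix match rather than a public-suffix lookup.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample: values a test account entered on the first-party site.
KNOWN_PII = {"username": "jdoe1984", "email": "jdoe@example.org"}
FIRST_PARTY = "social.example"  # hypothetical first-party site

# Constructed capture of outgoing requests (url, headers) from one session.
REQUESTS = [
    ("https://social.example/profile/jdoe1984", {}),
    ("https://ads.tracker.example/pixel.gif?id=77",
     {"Referer": "https://social.example/profile/jdoe1984"}),
    ("https://stats.analytics.example/c?u=jdoe%40example.org&p=home",
     {"Referer": "https://social.example/home"}),
    ("https://cdn.widgets.example/w.js",
     {"Referer": "https://social.example/home", "Cookie": "sid=abc; login=jdoe1984"}),
    ("https://fonts.static.example/a.woff", {"Referer": "https://social.example/home"}),
]

def is_third_party(host, first_party=FIRST_PARTY):
    # Assumption: suffix match stands in for a public-suffix-list comparison.
    return not (host == first_party or host.endswith("." + first_party))

def find_leaks(requests, pii=KNOWN_PII):
    """Return (third_party_host, channel, pii_field) for each leak found."""
    leaks = []
    for url, headers in requests:
        parts = urlsplit(url)
        if not is_third_party(parts.hostname):
            continue  # first-party requests are expected to carry the data
        channels = {
            "referer": unquote(headers.get("Referer", "")),
            # parse_qsl percent-decodes values, so jdoe%40example.org matches
            "get_param": " ".join(v for _, v in parse_qsl(parts.query)),
            "cookie": unquote(headers.get("Cookie", "")),
        }
        for channel, text in channels.items():
            for field, value in pii.items():
                if value.lower() in text.lower():
                    leaks.append((parts.hostname, channel, field))
    return leaks

if __name__ == "__main__":
    for host, channel, field in find_leaks(REQUESTS):
        print(f"{host}: {field} leaked via {channel}")
```

Run against a real capture from a test account, the same check shows which third parties receive identifying values and through which channel.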
The report is notable because it goes beyond online social networks to look at the practices of a variety of web sites that simply require people to create accounts. Leakage of private information, some of it identifying and/or sensitive, seems to be a common issue.
The authors also argue that the source of the problems is often the practices of the first parties, either through neglect or deliberate practices, and yet the current focus has been on third parties. They show that the tools currently being debated, developed, and deployed, such as do-not-track headers in web browsers, will do little to solve the problem.
We continue to be interested in the privacy practices of web sites and online services, and we are monitoring the development of new web privacy practices and tools.