Report Says 75% of Websites are Leaking Your Information

Jun 14, 2011

Lately, it seems like nobody's information is safe on the web. From CitiGroup, Inc., to Google's Gmail, to Sony's Playstation Network, hackers have been running amuck on the web. Dastardly hackers aren't the only ones getting access to your information, however. Rarely discussed is the information that's being doled out by websites to third parties, on purpose.

A recent study titled "Privacy Leakage vs. Protection measures: the growing disconnect," released from Worcester Polytechnic Institute, co-authored by Professor Craig Wills, shows that of 100 popular websites studied, nearly 75% are leaking personal and sometimes sensitive data about users. The report, initially presented at the May 26, 2011 Web 2.0 Security and Privacy conference in Oakland, Calif., surveyed sites ranging from employment and travel focused sites, to dating and social networking services. The information being collected and leaked, sold, or given to third parties ranges from user names, physical addresses, phone numbers, and e-mail addresses to search history and browsing data.

The study also identifies measurable and somewhat disconcerting gaps in the protection of the leakage of private information on the user-side. "Most privacy protection measures are not effective in preventing many types of leakage and linkage. The technique that provides protection in most scenarios is, oddly enough, an advertisement blocker," the study outlines. However, the study goes on to detail that even an ad-blocker is not 100% effective in protecting information a user shares with a first party site.

Ad-blocking services generally work by blocking tracking cookies or keeping Java Script from running thereby hindering personal data from leaking to third party sites. However, the WPI study explains, "these actions can have negative usability consequences in terms of sites not working properly or pages not rendering properly." So, when a user relaxes the settings of the ad-blocking service in favor of site functionality, the service becomes ineffective.

In December, 2010 the Federal Trade Commission (FTC) released a staff report on protecting consumer privacy titled, "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers;" however, the WPI study notes, "A key failure of the FTC report is largely ignoring the role of first-party sites in safeguarding consumer privacy."

The first party websites may not be the only ones to blame for leaked user information as there may be some complacency on the part of the user themselves. "We didn't explicitly go and look at all the privacy policies of these companies" says Wills, "some of them may say 'we're handing off your information to third parties, you need to agree to do this,' so do users really understand that they have agreed to that? I think many users simply ignore what they've been asked to agree to."

The study highlights among other things that the bits and pieces of leaking information can be re-assembled to create a profile of the user. Wills says, "Beyond direct leakage of private information, we examined how seemingly disparate pieces of information can be linked together by aggregators. This linkage can be primarily done through unique identifiers attached to some of these records. Uniquely assigned cookies are used by third parties for such linkage, but as shown below, other identifiers and methods can be used even in the absence of cookies."

While it appears that the leaked information being collected by third parties is not being done so for a purpose more nefarious than providing marketing tailored to the site user, Wills admits little is known about who is collecting the info and exactly for what purpose, but he underscores the ultimate issue: "There's a lot of information that floats around and these third parties end up with excess information that they really don't need or that the user is unaware they have."

Asked if he foresaw a forthcoming FTC mandate concerning the role of first party sites and the duty to protect user information, Wills says, "Certainly I think it would be in the FTC's interest to look into and to follow up with what we're reporting." In the meantime, though, users would do themselves a service by actually reading the privacy agreements so many blithely sign off on.