Social Networks May 'Leak' Personally Identifiable Information
A recent study is calling attention to how much data online ad networks collect and whether that data really is anonymous.
For the report, "On the Leakage of Personally Identifiable Information Via Online Social Networks," two computer scientists from AT&T and Worcester Polytechnic Institute examined the type of information transmitted to ad networks from Facebook, MySpace and other social networking services.
The researchers concluded that many social networking sites "leak" personally identifiable information by including it in the HTTP header information that is automatically sent to ad networks.
"In some cases, the social networking pages include a unique identifier as part of the URL for that page," says study co-author Craig Wills of the Worcester Polytechnic Institute. That information can then be tied to the "anonymous" cookies that ad networks use to track users throughout the Web.
The result, according to the report, is that most social networking site users "are vulnerable to having their ... identity information linked with tracking cookies."
For instance, an ad network could serve an impression to a Web user while he/she is at, say, the page Facebook.com/John. The ad network could then theoretically tie the anonymous cookie on that user's browser to the Facebook URL and piece together the user's identity.
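The following is an added example, not code from the study or from this article: an audit a site operator could run over a capture of their own pages' outgoing requests, flagging third-party requests whose Referer header carries a profile identifier, and noting whether a cookie travels with it. The hosts, cookie values, profile URL patterns and function names are constructed assumptions.

```javascript
// Constructed sample: requests from a proxy capture of one's own session.
// All hosts, cookie values and profile names are made up for illustration.
const SAMPLE_REQUESTS = [
  { url: "https://ads.example.net/pixel.gif",
    referer: "https://social.example.com/john", cookie: "uid=abc123" },
  { url: "https://ads.example.net/pixel.gif",
    referer: "https://social.example.com/home.php", cookie: "uid=abc123" },
  { url: "https://cdn.example.org/lib.js",
    referer: "https://social.example.com/profile.php?id=1234567", cookie: "" },
  { url: "https://social.example.com/style.css",
    referer: "https://social.example.com/john", cookie: "session=s1" },
];

// Assumption: profile pages look like /<name> or /profile.php?id=<digits>.
// Adjust these patterns to the URL scheme of the site being audited.
function profileIdFrom(refererUrl) {
  const id = refererUrl.searchParams.get("id");
  if (refererUrl.pathname === "/profile.php" && id && /^\d+$/.test(id)) return id;
  const m = refererUrl.pathname.match(/^\/([A-Za-z0-9_-]+)\/?$/);
  return m ? m[1] : null; // paths such as /home.php do not match
}

// Returns one finding per third-party request that received an identifier.
function auditReferrerLeaks(requests, firstPartyHost) {
  const isFirstParty = (h) => h === firstPartyHost || h.endsWith("." + firstPartyHost);
  const findings = [];
  for (const req of requests) {
    if (!req.referer) continue;
    let target, ref;
    try { target = new URL(req.url); ref = new URL(req.referer); } catch { continue; }
    // Only first-party pages leaking to a different (third-party) host matter.
    if (!isFirstParty(ref.hostname) || isFirstParty(target.hostname)) continue;
    const identifier = profileIdFrom(ref);
    if (identifier === null) continue;
    findings.push({
      thirdParty: target.hostname,
      identifier,
      // With a cookie present, the identifier arrives beside a persistent ID.
      severity: req.cookie ? "identifier+cookie" : "identifier-only",
    });
  }
  return findings;
}

console.log(auditReferrerLeaks(SAMPLE_REQUESTS, "social.example.com"));
```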
But the process doesn't appear to be foolproof. A Facebook representative says that the referring URL, in this scenario Facebook.com/John, doesn't indicate whether the visitor is John or another user who clicked on that page.
"This paper understates the difficulty of linking a URI [uniform resource identifier], referrer, or cookie to the specific profile of the person who's browsing," says Facebook spokesperson Simon Axten. "The average Facebook user views a number of different profile pages over the course of a session, all of which contain a unique identifier in the URL. It's thus difficult for a tracking website to know whether the identifier belongs to the person being tracked, or whether it instead belongs to a friend or someone else whose profile that person is viewing."
In addition, it's not clear whether third parties retain all of the information that they receive from social networks or whether they truncate and/or discard the data.
This leakage issue isn't new or limited to social networking sites, says Jules Polonetsky, co-chair and director of the think tank Future of Privacy Forum. But the vast amount of information that people post to social networking sites exacerbates the privacy issues. "It's the latest variation on a very old problem -- but on steroids," he says.
Facebook's Axten adds that the privacy controls set by users will determine how much information other companies can view. "Even if a site could link a URI, referrer, or cookie to a specific user, it would only be able to access information that the person had made public," he said.
He says that Facebook is investigating further to determine what changes, if any, it can make.