Web sites run by the campaigns of Barack Obama and Mitt Romney are "leaking" usernames and other potentially identifiable data, according to a new report by Stanford grad student Jonathan Mayer.
"The major presidential campaigns both fell short of best practices in their Web site design and testing," Mayer wrote Thursday in a blog post outlining his findings.
Mayer reports that referrer headers on several pages from the site BarackObama.com include the usernames of people who have registered with the site. Those usernames consist of a Facebook name (with the first and last name separated by a dot), or the first part of an email address (before the @ symbol).
Referrer headers on several pages from MittRomney.com also include names, and in some cases, partial email addresses and ZIP codes.
Those referrer headers can be seen by third parties that track visitors to the campaigns' sites. Mayer reports that 10 companies receive usernames from BarackObama.com: Akamai, Amazon, BrightTag, Chartbeat, Facebook, Google, Hoefler & Frere-Jones, New Relic, Think Realtime, and Zendesk. He says 13 companies receive partial email addresses from MittRomney.com: Adobe, Akamai, Amazon, Compete, comScore, Facebook, Google, Lotame, New Relic, Optimizely, Search Discovery, ShareThis, and Syncapse.
Both of the presidential campaigns reportedly are undertaking extensive efforts to track and target potential voters who visit the official campaign sites. The New York Times reported on Sunday that Evidon recently found 76 tracking programs on BarackObama.com, and 40 trackers on MittRomney.com.
The prospect of data leakage via referrer headers has been known since at least 1999, when Internet pioneer Tim Berners-Lee warned of that possibility. More recently, researchers from AT&T and Worcester Polytechnic Institute reported that many popular sites and social networks, like Facebook and MySpace, were leaking personally identifiable data.
After those reports came out, some sites revised the way they configured referrer headers.