Tech Companies Continue To Make Privacy Missteps
Companies have moved very quickly to develop mobile apps. But when it comes to complying with privacy laws, they haven't acted quite as fast.
That's hardly the only example. Just today, the Federal Trade Commission said that mobile app developers still aren't informing parents about how apps collect data from children -- despite the fact that the FTC told app developers in February to do so.
In the non-mobile space, Web publishers don't appear to be racing to improve their privacy practices. As far back as 2009, researchers from AT&T and Worcester Polytechnic Institute made headlines by reporting that social networks leaked users' names. The team behind that report followed it up with other studies about data leakage, including a May 2011 study showing that popular sites (other than social networks) leaked registration data -- including names or email addresses -- via referrer headers.
Several months later, Stanford grad student Jonathan Mayer issued a similar report. After examining 185 popular sites that collect registration information about users, he found that 61% of those sites leaked usernames or user IDs to one or more outside companies.
Yet, despite all of those reports, some popular Web sites apparently still leak users' names and other data to third parties. The Wall Street Journal wrote this weekend that it conducted a survey of 51 popular sites, including its own, and found that 12 passed along email addresses, full names or other identifying information to third parties. WSJ.com was among that group.
In their defense, the companies that leak this data often do so accidentally, by including it in their site's referrer headers. Once that occurs, the data can be transmitted to third parties with a presence on the page. (The Journal article said that a newspaper spokesperson called the data leakage from WSJ.com unintentional.)
But that excuse only goes so far. At this point, given the attention the tech press has paid to this issue in recent years, Web site operators really should know if they've designed their sites in a way that will transmit information that users thought was confidential.