Despite promising that they won't reveal users' personal data, some of the most highly trafficked Web sites transmit usernames, email addresses, addresses, and even birth dates to ad networks and other third parties, a new study confirms.
For the study, “Where Everybody Knows Your Username,” Stanford researcher Jonathan Mayer looked at 185 popular sites that collect registration information about users. He found that 61% of those sites “leaked” people's usernames or user IDs to one or more outside companies. Much of the leakage appears to be inadvertent; frequently it results from usernames being included in referrer headers and from other design flaws.
The report detailed some instances of leakage by well-known companies.
For instance, Home Depot reportedly transmits the first names and email addresses of users who view ads on the site to 13 different companies. The picture-sharing site Photobucket embeds people's usernames in URLs that are transmitted to dozens of outside companies, according to the report. And the site Metacafe reportedly leaks a host of data about people who changed their user settings -- including their full names, birthdays and email addresses.
Home Depot said in a statement that it doesn't “sell or rent” users' information. “This is the first we have seen of this study, so we are researching carefully to determine if anything unusual occurred,” a spokesman said in response to questions about the Stanford report. Photobucket and Metacafe have not yet responded to messages seeking comment.
The research, unveiled on Tuesday at the National Press Club, confirms an earlier report by researchers from AT&T and Worcester Polytechnic Institute. That prior study examined 120 popular sites and found that the majority (56%) leaked data about users who had registered.
Speaking at Tuesday's event, Federal Trade Commission chairman Jon Leibowitz reiterated the agency's support for “do-not-track” -- shorthand for the proposition that Web users should be able to easily opt out of all online ad tracking.
While Tuesday's report drew much media attention, sites have been leaking data about users for at least a decade, says Jules Polonetsky, co-chair and director of the think tank Future of Privacy Forum.
“It's something that most companies should have long dealt with because of the underlying alarm that it creates,” says Polonetsky, who previously served as chief privacy officer at both DoubleClick and AOL.
Despite the fact that information gets transmitted to ad networks, most of them don't need personal data about users in order to send behaviorally targeted ads. Some of the biggest ad networks historically shed such information upon receipt, says Polonetsky.