Many top websites share their visitors' names, usernames or other personal information with their partners without telling users and, in some cases, without knowing they're doing it, according to a new study from Stanford University.
Many websites "leak" usernames to third-party advertising networks by including usernames in URLs that the ad networks can see in referrer headers, said the study, released Tuesday by Stanford Law School's Center for Internet and Society. While there's a debate in legal circles whether usernames are personal information, there's a growing consensus among computer scientists that Web-based companies can use usernames to identify their owners, said Jonathan Mayer, a Stanford graduate student who led the study.
"The vast majority of usernames are unique," he said. "Given the prevalence of social networking, often times, once you have a username for a social network, you then also have a person's real name, possibly a photo, possibly more."
Other websites share first names, email addresses and other information with advertising or other partners, Mayer said at a privacy conference in Washington, D.C. Those identifiers "get associated not just with what you're doing right now, but get associated with what you've done in the past, and what Web browsing activity you may have in the future," he said.
In many cases, the large websites appear to not inform users of the personal information they're sharing, the Stanford study said. "From a legal perspective, identifying information leakage is a debacle," the study said. "Many ... websites make what would appear to be incorrect, or at minimum misleading, representations."
The Stanford researchers looked at 185 of the largest websites and found that 61 percent of them shared usernames or user IDs with third parties. The information went most often to Web analytics firms comScore and Google Analytics, advertising firms Quantcast and Google's DoubleClick and to Facebook, the study said.
At HomeDepot.com, viewing a local ad resulted in the user's first name and email address being sent to 13 companies, the study said. Signing up at weather site Weather Underground sent the user's email address to 22 companies, and interacting with Classmates.com sent the user's first and last names to 22 companies, the study said.
Popular photo-sharing site Photobucket sent the username to 31 other companies, the study said. Changing user settings on the video sharing site Metacafe sends the user's first name, last name, birthday, email address, physical address and phone numbers to two other companies, the study said.
The Information Technology and Innovation Foundation, a tech-focused think tank, questioned the study's assertion that it debunked the myth that digital data collection is anonymous.
"Despite the hype, the report merely identified some known technical issues that websites can address to improve privacy," said Daniel Castro, a senior analyst at ITIF. "The fact remains that the vast majority of organizations and businesses on the Internet do not abuse consumer data and have policies and practices in place to protect consumers."
Online advertising, including targeted advertising, is the foundation of the Internet economy and pays for free content and services online, Castro said. Websites are "working diligently to strengthen and improve online advertising self-regulation," he added. "Sound public policy should be guided by thoughtful commentary, not hysteria and fear-mongering."
Targeted, or behavioral, advertising is a "sliver" of all online advertising, Mayer said. "It's often talked about that getting rid of behavioral advertising is going to torpedo the entire Internet economy," he said. "I think it is uncontroversial to say, for now, that's definitely not the case."
Steve DelBianco, executive director of e-commerce trade group NetChoice, disagreed, saying a recent Massachusetts Institute of Technology study found that nontargeted ads are 65 percent less effective than targeted ads.
"Targeted ads are essential for general-audience websites that don't have inherent interests," DelBianco said. "A 65 percent loss in ad revenue for a general news or blog site is far more serious than a sliver."
If websites are sharing usernames or other information, they should be transparent about it, DelBianco added. "When a user creates a relationship with a website, they need to know whether that website intends to also read its cookie -- including the username -- when the user visits other sites. If a company reads its cookies without fully disclosing where and how, the [U.S. Federal Trade Commission] should be taking enforcement action for unfair and deceptive trade practices."
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is [email protected]