You’ve probably scanned phrases like these as you’ve logged in to your favorite Web sites:
“Our privacy policy is to share personal information only with the owner’s consent.”
or
“We will not trade, rent or sell your personal information, without your prior consent, except as otherwise set forth herein.”
When I read these lines, I used to think they meant that my personal information doesn’t leave the company that owns the particular site I’m using.
Wrong.
A new study from Johnathan Mayer, of Stanford University’s Center for Internet and Society, shows just what happens to your personal information when you sign up, join, or just browse at any of 185 heavily-trafficked Web sites. Here’s a sampling of what he found:
- Viewing a local ad on the Home Depot Web site sent the user’s first name and email to 13 companies.
- Entering the wrong password on the Wall Street Journal Web site sent the user’s email address to seven companies.
- Changing the user settings on the video-sharing site Metacafesent the user’s first name, last name, birthday, email address, physical address, and phone numbers to two companies.
- Signing up on the NBC Web site sent the user’s email address to seven companies.
- Signing up on the Weather Underground Web site sent the user’s email address to 22 companies.
- Clicking the validation link in the Reuters signup email sent the user’s email address to five companies.
- Using the classmates.com Web site sent the user’s first and last names to 22 companies.
- Web site OkCupid appears to make a wide range of data about its users available to two different data providers. That data includes users’ ages; whether or not they have cats, dogs, or children; how often they drink or use drugs; their ethnicity; their income; their relationship status; and their religion, among other traits.
How does this happen?
In his paper, Mayer explains that most Web sites do not consider a username or user ID to be personally identifying information, even though many people use a variation of their name, or something close to it, as a user ID. When you sign up for a Web site, the site often generates a URL that contains your user name. Mayer uses this example of a URL that might be generated when a Leland Stanford signs up to use a Web site called example.com.
http://example.com/register?username=GoCardinal&name=Leland%20Stanford&email =Leland%40stanford.edu&…
Any third party embedded in that Web page-an advertiser, perhaps, or a company that serves ads, such as doubleclick, can write a script to capture this URL. From there, it’s pretty easy to simply grab “GoCardinal” as Leland Stanford’s username, and tie any Web activity on the part of “GoCardinal” back to Leland Stanford.
Personal information can also be revealed by a site’s so-called landing page for its registered users. When Leland Stanford goes to example.com, he might very well be greeted by a page saying, “Welcome Leland Stanford!” Any embedded third-party scripts can report back with the page title, which in this case would include Leland Stanford’s name.
Linking “private” information to publicly-available data
From there, the third-party company may buy identifying information from a so-called matching service, or to try to match it up the bits and pieces they’ve collected against a larger stream of data they already have access to.
Mayer points out that legally, the Web sites he visited for his research seem to be on the right side of the law. Technically, they’re not sharing or selling the information. They’re just not being very careful with it. In the industry, this is referred to as “information leakage,” and while the term may implies that such leakage is inadvertent, Mayer says “information leakage” is actually a bit of a term of art.
Do you care how much of your personal information is available online? Do you try to restrict it in any way?
No comments:
Post a Comment