Two researchers have discovered a method in which third parties could couple a person's identity with the cookies in their browser.
The finding, the first of its kind to describe a way by which tracking sites could directly link browsing habits to specific individuals, further erodes the privacy of users of popular social networking websites, such as Twitter, Facebook and LinkedIn.
The study, "On the Leakage of Personally Identifiable Information from Social Networks," was conducted by researchers at Worcester Polytechnic Institute (WPI) and AT&T Labs Inc. It looked at a dozen social networks and found that the networks assign a unique identifying code to an individual's account. That code is sometimes passed on via a referring URL to third-party marketing and Web analytics firms, DoubleClick Inc., Google Analytics, Omniture Inc. and others. The firms also collect browser cookies and potentially could couple the identifying information linking a person's browsing habits to their true identity.
"When you have a unique identifier in the presence of cookies it can be very dangerous," said Craig E. Wills, associate professor of computer science at WPI and co-author of the report with Balachander Krishnamurthy of AT&T Labs. "These online social networks virtually give user info away; they have very permissive default settings and they're making sure that whatever information you give on their website goes to a lot of people."
Researchers say search, seizure protection may not apply to SaaS data: Researchers examining cloud computing security issues presented a number of technical and legal hurdles that Software as a Service users could face.
The study has irked some Internet privacy rights experts, who have been hot on the heels of social networks for failing to disclose all their collection and distribution methods in privacy notices. The latest use of so-called "super cookies," a form of flash cookie that is not controlled through cookie privacy controls in a browser, has also raised concern. Experts have developed specific Flash cookie removal apps to address the issue, but privacy experts believe social networks and marketers will continue to collect as much information as possible and couple that information with a person's true identity.
"This seems to be the direction that companies are going as far as behavioral marketing," said Paul Stephens, director of policy and advocacy for the privacy advocacy organization, Privacy Rights Clearinghouse. "There seems to be a trend where marketers are aware of the fact that people are becoming savvy about cookies and trying to delete them and so the marketers are trying to get around it."
Companies, such as DoubleClick and Omniture have gone on the record stating that they are not tracking an individual user, but an anonymous profile. The firms are contracted by social networking sites to provide data on their users. The information the companies collect is used to provide content and advertisements for webpages.
But the fact that the unique identifier is available for those firms to track and store should raise concern, Wills said, because the information could take away the anonymity of a person's browsing habits. It also could potentially expose anything a person posts on the site, such as their name, gender, date of birth, their photograph and other personal information.
The WPI study found that people have virtually no way to block the passing of the identifying URL. They could constantly clear their browsing cookies or not accept cookies, but that could cause problems with certain websites, he said. A person could also tweak the default settings to restrict viewing of their social network page, but even at most, the practice could still, at a minimum, link their name and general location to the browsing habits.
"It's hard for users to fix this," Wills said. "It would help a lot if the social networking sites would not show this unique identifier as part of their URL."
Wills said the issue could have been caused by poor coding practices. The identifying code goes back to specific underlying database tables, where a person's account information is stored. There is a way to mask or drop the identifying code altogether. In some cases Facebook and several other social networks drop the identifying code from the URL, but the researchers noted that many times it is ultimately passed on via the referring URL to the third-party marketing and Web analytics firms that they partner with.
All of the social networking sites studied were informed about the privacy leakage, but so far they have not responded to the research.
"The scary part is that once the information is out there, it's very hard to pull back," Wills said.