
Social network privacy study finds identity link to cookies

By Robert Westervelt, News Editor
26 Aug 2009 | SearchSecurity.com

Security Wire Daily News

Two researchers have discovered a method by which third parties could couple a person's identity with the cookies in their browser.

The finding, the first of its kind to describe a way by which tracking sites could directly link browsing habits to specific individuals, further erodes the privacy of users of popular social networking websites, such as Twitter, Facebook and LinkedIn.

The study, "On the Leakage of Personally Identifiable Information from Social Networks," was conducted by researchers at Worcester Polytechnic Institute (WPI) and AT&T Labs Inc. It looked at a dozen social networks and found that the networks assign a unique identifying code to an individual's account. That code is sometimes passed on via a referring URL to third-party marketing and Web analytics firms, including DoubleClick Inc., Google Analytics, Omniture Inc. and others. Because the firms also collect browser cookies, they could potentially use the identifying code to link a person's browsing habits to their true identity.

"When you have a unique identifier in the presence of cookies it can be very dangerous," said Craig E. Wills, associate professor of computer science at WPI and co-author of the report with Balachander Krishnamurthy of AT&T Labs. "These online social networks virtually give user info away; they have very permissive default settings and they're making sure that whatever information you give on their website goes to a lot of people."

The study has irked some Internet privacy rights experts, who have been hot on the heels of social networks for failing to disclose all their collection and distribution methods in privacy notices. The latest use of so-called "super cookies," a form of Flash cookie that is not controlled through cookie privacy controls in a browser, has also raised concern. Experts have developed specific Flash cookie removal apps to address the issue, but privacy experts believe social networks and marketers will continue to collect as much information as possible and couple that information with a person's true identity.

"This seems to be the direction that companies are going as far as behavioral marketing," said Paul Stephens, director of policy and advocacy for the privacy advocacy organization, Privacy Rights Clearinghouse. "There seems to be a trend where marketers are aware of the fact that people are becoming savvy about cookies and trying to delete them and so the marketers are trying to get around it."

Companies such as DoubleClick and Omniture have gone on the record stating that they are not tracking an individual user, but an anonymous profile. The firms are contracted by social networking sites to provide data on their users. The information the companies collect is used to provide content and advertisements for webpages.

But the fact that the unique identifier is available for those firms to track and store should raise concern, Wills said, because the information could take away the anonymity of a person's browsing habits. It also could potentially expose anything a person posts on the site, such as their name, gender, date of birth, their photograph and other personal information.
The WPI study found that people have virtually no way to block the passing of the identifying URL. They could constantly clear their browser cookies or not accept cookies, but that could cause problems with certain websites, Wills said. A person could also tweak the default settings to restrict viewing of their social network page, but even then the practice could still link, at a minimum, their name and general location to their browsing habits.

"It's hard for users to fix this," Wills said. "It would help a lot if the social networking sites would not show this unique identifier as part of their URL."

Wills said the issue could have been caused by poor coding practices. The identifying code goes back to specific underlying database tables, where a person's account information is stored. There is a way to mask or drop the identifying code altogether. In some cases Facebook and several other social networks drop the identifying code from the URL, but the researchers noted that many times it is ultimately passed on via the referring URL to the third-party marketing and Web analytics firms that they partner with.
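The leak path described in this article can be checked for in captured traffic. The following is an added example, not code from the study or from any site named here: it flags third-party requests whose Referer is a first-party URL carrying an account identifier, and shows the effect of dropping that identifier. The hosts, parameter names and capture are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

ID_PARAMS = {"id", "uid", "user_id"}  # assumed names for account-id parameters

# Constructed capture: (request URL, Referer header, Cookie header sent).
SAMPLE = [
    ("https://social.example/profile.php?id=1234567", "", "session=abc"),
    ("https://ads.tracker.example/pixel.gif?ev=view",
     "https://social.example/profile.php?id=1234567", "trk=t-9f3c"),
    ("https://stats.analytics.example/collect",
     "https://social.example/home", "trk=a-77"),
    ("https://cdn.social.example/app.js",
     "https://social.example/profile.php?id=1234567", ""),
]

def site(url):
    """Crude site key: last two host labels (a real audit would use the Public Suffix List)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def account_ids(url):
    """Values of identifier-like query parameters in a URL."""
    return {v for k, v in parse_qsl(urlsplit(url).query) if k in ID_PARAMS}

def find_leaks(capture, first_party):
    """Third-party requests whose Referer is a first-party URL carrying an account id."""
    leaks = []
    for url, referer, cookie in capture:
        if site(url) == site(first_party) or site(referer) != site(first_party):
            continue
        for ident in sorted(account_ids(referer)):
            leaks.append({"third_party": urlsplit(url).hostname, "account_id": ident,
                          "linkable_to_cookie": bool(cookie)})
    return leaks

def drop_ids(url):
    """Mitigation sketch: remove identifier parameters before the URL can become a Referer."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k not in ID_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE, "https://social.example/"):
        print(leak)
    masked = [(u, drop_ids(r), c) for u, r, c in SAMPLE]
    print("after masking:", find_leaks(masked, "https://social.example/"))
```

Only the request that sends both the identifier-bearing Referer and the third party's own cookie is reported as linkable; the first-party CDN request and the identifier-free page are not flagged.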

All of the social networking sites studied were informed about the privacy leakage, but so far they have not responded to the research.

"The scary part is that once the information is out there, it's very hard to pull back," Wills said.

All Rights Reserved, Copyright 2003 - 2009, TechTarget