Article

Electronic Frontier Foundation calls social networking privacy study alarming

Robert Westervelt

The Electronic Frontier Foundation is calling for urgent action to reign in advertising and tracking companies in the wake of a recent study that found social networks leaking user identities to the firms.

Requires Free Membership to View

The non-profit free speech and digital rights organization responded to research that found a dozen popular social networking websites, including Twitter, Facebook and LinkedIn, assigning a unique identifying code to an individual's account and sometimes passing the code on to third-party marketing and Web analytics firms, DoubleClick Inc., Google Analytics, Omniture Inc. and others. Those firms could then couple that identifying information with an individual's browser cookies to build a unique profile on a person.

The ability of third party tracking sites to collate extensive amounts of information on people has been an ongoing concern said Peter Eckersley, a staff technologist at the EFF.

"This is especially troubling since most people have no idea that companies such as Omniture or AdBrite or dozens of others even exist, let alone that they have an extensive record of everyone's behavior," Eckersley said

The study, "On the Leakage of Personally Identifiable Information from Social Networks," was conducted by researchers at Worcester Polytechnic Institute (WPI) and AT&T Labs Inc. The study found that in some cases, social networks are passing on a unique identifying code to the third-party firms via a referring URL. People have no way to block the passing of the identifying information besides clearing their browsing cookies or not accepting cookies, which could cause problems with certain websites.

Corporations need to be prevented from building a database of a person's browsing history unless that person gives explicit and informed consent, Eckersley said. Default settings on most social networks enable the least privacy for users. A person could change the defaults to their account, but identifying information could still enable the third-party companies to link their name and general location to their browsing habits.

"This new research shows that most of the major social networks are busy handing over strongly identifying information to these faceless advertising and tracking companies, letting them put names on the files they've been painstakingly collecting about us for years," Eckersley said. "In some cases this transfer of data looks deliberate; in other cases it's a neat side-effect of the way the social networks include advertisements and analytics code on their pages."

Third-party companies, which partner with social networks to provide them with analytics used to secure advertising, have said that they are not tracking an individual user, but an anonymous profile.Either way, little is known about what goes on behind the scenes, said Craig E. Wills, associate professor of computer science at WPI and co-author of the report with Balachander Krishnamurthy of AT&T Labs. The third-party firms have been a growing presence on social networking websites over the last five years, Wills said.

"It's possible that Facebook has been handing information about me to DoubleClick and nobody even knows about it," Wills said. "But now we have clearly identified that my identifier in Facebook is being sent to DoubleClick."