Websites fail to protect personal data, researchers contend

The study found that on 185 heavily visited websites, a user name or user ID provided by consumers was shared with another website 61 percent of the time. In many cases, the study said, that data "leakage" would appear to violate websites' privacy policies, which typically promise not to share personal information with other parties.

Many of the sites receiving consumer information were online data-collection services that help target online ads, including Quantcast and Google's DoubleClick.

Federal Trade Commission Chairman Jon Leibowitz praised the study as "absolutely terrific work" and said at the forum that the findings would help in the agency's efforts to protect consumers' online privacy. The FTC last year backed the creation of "do not track" features, now available on some Web browsers, that allow consumers to block online data-collection and advertising companies from following their movements on the Web.

"Once you enter cyberspace, software placed on your computer, usually without your consent or even knowledge, turns your private information into a commodity out of your control," Leibowitz said. "Your computer is your property, and people shouldn't be putting things in it without your permission."

The study, released at an online privacy forum at the National Press Club in Washington, did not say how those data collection companies use the personal information they receive from popular websites. Among the "first party" websites that Stanford computer science researchers examined were NBC, the sports site Bleacher Report, the Home Depot, and the weather site Weather Underground.

By logging into an account at many popular websites or sometimes by just viewing an ad, consumers sent all or part of their names or email address to multiple "third party" data collection sites, the study found. In some cases, the leaked data included detailed personal information such as gender, age, ZIP code or relationship status.

But Jonathan Mayer, the study's author, said many of the sites say in their privacy policies that they do not share personally identifiable information with other sites.

"From a legal perspective, personal information leakage is a debacle," Mayer wrote in a blog post about the study. "Many first-party websites and third parties make what would appear to be incorrect representations about not sharing or collecting 'personally identifiable information.' "

The study found that clicking on a local ad on the Home Depot website sent a user's first name and email address to 13 data collection companies, while signing up for an account on Weather Underground sent the email address to 22 companies.

Weather Underground said Tuesday that "we currently have our team resolving this issue." Home Depot said its website does not trade, sell or rent consumer information but was "researching carefully to determine if anything unusual occurred."

Google, one of the sites that the study said received user information, maintained it does not use any personally identifiable information for any software product. "We've never attempted or wanted to parse out personal information" received by Google, the company said.

But Mayer said in an interview that the purpose of the study was to show that data collection and tracking companies have the ability to link anonymous tracking data with a person's real identity.

"It's a very different claim to say, 'Yeah, we know who you are, but we don't act on it,' to 'We don't know who you are,' " he said.

The study did not investigate the sites of Google, Yahoo or Facebook because there are so many different features that the researchers could not take a reasonable sample. The findings led to calls by members of a coalition of 10 consumer, privacy and civil rights groups for more investigation by the FTC about whether the identified companies violated their privacy obligations to consumers. The coalition organized the privacy forum.

The online advertising industry "tries to lull consumers by claiming that online tracking gathers behavioral data anonymously," John Simpson, privacy project director at the advocacy group Consumer Watchdog, said in a written statement. "This study proves that personally identifiable information is regularly shared without consumers' knowledge. We can't rely on industry promises to protect consumer privacy; clearly we need 'do not track' legislation, and we need it now."

(c)2011 the San Jose Mercury News (San Jose, Calif.)
Distributed by MCT Information Services