Popular websites leaking customer data

Three quarters of popular websites are leaking private information or users’ unique identifiers to third-party tracking sites, a new study has found.

The study of more than 100 popular websites, used by tens of millions of people, found many sites are leaking email addresses, physical addresses, and even the configuration of a user’s web browser.

And, says Craig Wills, professor of computer science at Worcester Polytechnic Institute (WPI), the tracking sites could then link many disparate pieces of information – the contents of searches on health and travel sites, say – to create detailed profiles of individuals.

He concludes that last year’s Federal Trade Commission (FTC) proposals on protecting consumer privacy would be largely ineffective in preventing the identified leakage and linkage.

“With the growing disconnect between the existing and proposed privacy protection measures and the increasing and increasingly worrisome linkage of personal information from all sorts of websites, we believe it is time to move beyond what is clearly a losing battle with third-party aggregators and examine what roles first-party sites can play in protecting the privacy of their users,” he says.

The researchers focused on sites that encourage users to register, since users often share personal and personally identifiable information, such as name, physical address and email address, during the process. They also looked at popular health and travel sites, as user searches on these sites can indicate health issues or reveal travel plans.

They found that information is leaked through a number of routes to third-party sites that track users’ browsing behavior for advertisers. In some cases, information was passed on deliberately, while in others it was included as part of routine information exchanges.

Depending on the site, the leakage occurred as users were creating, viewing, editing, or logging into their accounts, or while navigating the websites. The team also found sensitive search terms being leaked by health sites and travel itineraries being leaked by travel sites.

“A key failure of the FTC report is that it largely ignores the responsibility of websites in safeguarding the privacy of their users,” says Wills.

“These sites should play a custodial role in protecting their users and preventing the leakage of their sensitive or identifiable information. Third-party sites have a powerful economic incentive to continue to collect and aggregate user information, so relying on them to protect user privacy will continue to be a losing battle.”