Study: Many websites 'leaking' personal info to other firms

Websites are sharing usernames and other personal information with advertising partners, a Stanford study says

Many top websites share their visitors' names, usernames or other personal information with their partners without telling users and, in some cases, without knowing they're doing it, according to a new study from Stanford University.

Many websites "leak" usernames to third-party advertising networks by including usernames in URLs that the ad networks can see in referrer headers, said the study, released Tuesday by Stanford Law School's Center for Internet and Society. While there's a debate in legal circles whether usernames are personal information, there's a growing consensus among computer scientists that Web-based companies can use usernames to identify their owners, said Jonathan Mayer, a Stanford graduate student who led the study.

"The vast majority of usernames are unique," he said. "Given the prevalence of social networking, often times, once you have a username for a social network, you then also have a person's real name, possibly a photo, possibly more."

Other websites share first names, email addresses and other information with advertising or other partners, Mayer said at a privacy conference in Washington, D.C. Those identifiers "get associated not just with what you're doing right now, but get associated with what you've done in the past, and what Web browsing activity you may have in the future," he said.

In many cases, the large websites appear to not inform users of the personal information they're sharing, the Stanford study said. "From a legal perspective, identifying information leakage is a debacle," the study said. "Many ... websites make what would appear to be incorrect, or at minimum misleading, representations."

The Stanford researchers looked at 185 of the largest websites and found that 61 percent of them shared usernames or user IDs with third parties. The information went most often to Web analytics firms comScore and Google Analytics, advertising firms Quantcast and Google's DoubleClick and to Facebook, the study said.

At, viewing a local ad resulted in the user's first name and email address being sent to 13 companies, the study said. Signing up at weather site Weather Underground sent the user's email address to 22 companies, and interacting with sent the user's first and last names to 22 companies, the study said.

Popular photo-sharing site Photobucket sent the username to 31 other companies, the study said. Changing user settings on the video sharing site Metacafe sends the user's first name, last name, birthday, email address, physical address and phone numbers to two other companies, the study said.

The Information Technology and Innovation Foundation, a tech-focused think tank, questioned the study's assertion that it debunked the myth that digital data collection is anonymous.

"Despite the hype, the report merely identified some known technical issues that websites can address to improve privacy," said Daniel Castro, a senior analyst at ITIF. "The fact remains that the vast majority of organizations and businesses on the Internet do not abuse consumer data and have policies and practices in place to protect consumers."

Online advertising, including targeted advertising, is the foundation of the Internet economy and pays for free content and services online, Castro said. Websites are "working diligently to strengthen and improve online advertising self-regulation," he added. "Sound public policy should be guided by thoughtful commentary, not hysteria and fear-mongering."

Targeted, or behavioral, advertising is a "sliver" of all online advertising, Mayer said. "It's often talked about that getting rid of behavioral advertising is going to torpedo the entire Internet economy," he said. "I think it is uncontroversial to say, for now, that's definitely not the case."

Steve DelBianco, executive director of e-commerce trade group NetChoice, disagreed, saying a recent Massachusetts Institute of Technology study found that nontargeted ads are 65 percent less effective than targeted ads.

"Targeted ads are essential for general-audience websites that don't have inherent interests," DelBianco said. "A 65 percent loss in ad revenue for a general news or blog site is far more serious than a sliver."

If websites are sharing usernames or other information, they should be transparent about it, DelBianco added. "When a user creates a relationship with a website, they need to know whether that website intends to also read its cookie -- including the username -- when the user visits other sites. If a company reads its cookies without fully disclosing where and how, the [U.S. Federal Trade Commission] should be taking enforcement action for unfair and deceptive trade practices."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags advertisingSteve DelBiancoe-commerceregulationQuantcastNetChoiceinternetDaniel CastroprivacyFacebookComScoreGoogleJonathan Mayersecuritygovernment

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Grant Gross

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?