Study: Many websites 'leaking' personal info to other firms

Websites are sharing usernames and other personal information with advertising partners, a Stanford study says

Many top websites share their visitors' names, usernames or other personal information with their partners without telling users and, in some cases, without knowing they're doing it, according to a new study from Stanford University.

Many websites "leak" usernames to third-party advertising networks by including usernames in URLs that the ad networks can see in referrer headers, said the study, released Tuesday by Stanford Law School's Center for Internet and Society. While there's a debate in legal circles whether usernames are personal information, there's a growing consensus among computer scientists that Web-based companies can use usernames to identify their owners, said Jonathan Mayer, a Stanford graduate student who led the study.

"The vast majority of usernames are unique," he said. "Given the prevalence of social networking, often times, once you have a username for a social network, you then also have a person's real name, possibly a photo, possibly more."

Other websites share first names, email addresses and other information with advertising or other partners, Mayer said at a privacy conference in Washington, D.C. Those identifiers "get associated not just with what you're doing right now, but get associated with what you've done in the past, and what Web browsing activity you may have in the future," he said.

In many cases, the large websites appear to not inform users of the personal information they're sharing, the Stanford study said. "From a legal perspective, identifying information leakage is a debacle," the study said. "Many ... websites make what would appear to be incorrect, or at minimum misleading, representations."

The Stanford researchers looked at 185 of the largest websites and found that 61 percent of them shared usernames or user IDs with third parties. The information went most often to Web analytics firms comScore and Google Analytics, advertising firms Quantcast and Google's DoubleClick and to Facebook, the study said.

At, viewing a local ad resulted in the user's first name and email address being sent to 13 companies, the study said. Signing up at weather site Weather Underground sent the user's email address to 22 companies, and interacting with sent the user's first and last names to 22 companies, the study said.

Popular photo-sharing site Photobucket sent the username to 31 other companies, the study said. Changing user settings on the video sharing site Metacafe sends the user's first name, last name, birthday, email address, physical address and phone numbers to two other companies, the study said.

The Information Technology and Innovation Foundation, a tech-focused think tank, questioned the study's assertion that it debunked the myth that digital data collection is anonymous.

"Despite the hype, the report merely identified some known technical issues that websites can address to improve privacy," said Daniel Castro, a senior analyst at ITIF. "The fact remains that the vast majority of organizations and businesses on the Internet do not abuse consumer data and have policies and practices in place to protect consumers."

Online advertising, including targeted advertising, is the foundation of the Internet economy and pays for free content and services online, Castro said. Websites are "working diligently to strengthen and improve online advertising self-regulation," he added. "Sound public policy should be guided by thoughtful commentary, not hysteria and fear-mongering."

Targeted, or behavioral, advertising is a "sliver" of all online advertising, Mayer said. "It's often talked about that getting rid of behavioral advertising is going to torpedo the entire Internet economy," he said. "I think it is uncontroversial to say, for now, that's definitely not the case."

Steve DelBianco, executive director of e-commerce trade group NetChoice, disagreed, saying a recent Massachusetts Institute of Technology study found that nontargeted ads are 65 percent less effective than targeted ads.

"Targeted ads are essential for general-audience websites that don't have inherent interests," DelBianco said. "A 65 percent loss in ad revenue for a general news or blog site is far more serious than a sliver."

If websites are sharing usernames or other information, they should be transparent about it, DelBianco added. "When a user creates a relationship with a website, they need to know whether that website intends to also read its cookie -- including the username -- when the user visits other sites. If a company reads its cookies without fully disclosing where and how, the [U.S. Federal Trade Commission] should be taking enforcement action for unfair and deceptive trade practices."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags governmentsecurityprivacyregulationinternetGoogleFacebookadvertisinge-commerceNetChoiceComScoreSteve DelBiancoJonathan MayerDaniel CastroQuantcast

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Grant Gross

IDG News Service
Show Comments



Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >

Victorinox Werks Professional Executive 17 Laptop Case

Learn more >



Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?