Study: Many websites 'leaking' personal info to other firms

Websites are sharing usernames and other personal information with advertising partners, a Stanford study says

Many top websites share their visitors' names, usernames or other personal information with their partners without telling users and, in some cases, without knowing they're doing it, according to a new study from Stanford University.

Many websites "leak" usernames to third-party advertising networks by including usernames in URLs that the ad networks can see in referrer headers, said the study, released Tuesday by Stanford Law School's Center for Internet and Society. While there's a debate in legal circles whether usernames are personal information, there's a growing consensus among computer scientists that Web-based companies can use usernames to identify their owners, said Jonathan Mayer, a Stanford graduate student who led the study.

"The vast majority of usernames are unique," he said. "Given the prevalence of social networking, often times, once you have a username for a social network, you then also have a person's real name, possibly a photo, possibly more."

Other websites share first names, email addresses and other information with advertising or other partners, Mayer said at a privacy conference in Washington, D.C. Those identifiers "get associated not just with what you're doing right now, but get associated with what you've done in the past, and what Web browsing activity you may have in the future," he said.

In many cases, the large websites appear to not inform users of the personal information they're sharing, the Stanford study said. "From a legal perspective, identifying information leakage is a debacle," the study said. "Many ... websites make what would appear to be incorrect, or at minimum misleading, representations."

The Stanford researchers looked at 185 of the largest websites and found that 61 percent of them shared usernames or user IDs with third parties. The information went most often to Web analytics firms comScore and Google Analytics, advertising firms Quantcast and Google's DoubleClick and to Facebook, the study said.

At, viewing a local ad resulted in the user's first name and email address being sent to 13 companies, the study said. Signing up at weather site Weather Underground sent the user's email address to 22 companies, and interacting with sent the user's first and last names to 22 companies, the study said.

Popular photo-sharing site Photobucket sent the username to 31 other companies, the study said. Changing user settings on the video sharing site Metacafe sends the user's first name, last name, birthday, email address, physical address and phone numbers to two other companies, the study said.

The Information Technology and Innovation Foundation, a tech-focused think tank, questioned the study's assertion that it debunked the myth that digital data collection is anonymous.

"Despite the hype, the report merely identified some known technical issues that websites can address to improve privacy," said Daniel Castro, a senior analyst at ITIF. "The fact remains that the vast majority of organizations and businesses on the Internet do not abuse consumer data and have policies and practices in place to protect consumers."

Online advertising, including targeted advertising, is the foundation of the Internet economy and pays for free content and services online, Castro said. Websites are "working diligently to strengthen and improve online advertising self-regulation," he added. "Sound public policy should be guided by thoughtful commentary, not hysteria and fear-mongering."

Targeted, or behavioral, advertising is a "sliver" of all online advertising, Mayer said. "It's often talked about that getting rid of behavioral advertising is going to torpedo the entire Internet economy," he said. "I think it is uncontroversial to say, for now, that's definitely not the case."

Steve DelBianco, executive director of e-commerce trade group NetChoice, disagreed, saying a recent Massachusetts Institute of Technology study found that nontargeted ads are 65 percent less effective than targeted ads.

"Targeted ads are essential for general-audience websites that don't have inherent interests," DelBianco said. "A 65 percent loss in ad revenue for a general news or blog site is far more serious than a sliver."

If websites are sharing usernames or other information, they should be transparent about it, DelBianco added. "When a user creates a relationship with a website, they need to know whether that website intends to also read its cookie -- including the username -- when the user visits other sites. If a company reads its cookies without fully disclosing where and how, the [U.S. Federal Trade Commission] should be taking enforcement action for unfair and deceptive trade practices."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is

Join the PC World newsletter!

Error: Please check your email address.

Tags advertisingSteve DelBiancoe-commerceregulationQuantcastNetChoiceinternetDaniel CastroprivacyFacebookComScoreGoogleJonathan Mayersecuritygovernment

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Grant Gross

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?