A new study has found that social networking sites including Facebook, MySpace and Digg are making personal information available to companies that track web users' habits and allows them to link anonymous browsing habits to specific people.
The report by researchers at Worcester Polytechnic Institute is the first to show how tracking sites could directly link browsing habits to specific individuals using information leaked in HTTP headers, referrer headers, cookies and applications.
"When you sign up with a social networking site, you are assigned a unique identifier," says Craig Wills, professor of computer science at WPI. "This is a string of numbers or characters that points to your profile. We found that when social networking sites pass information to tracking sites about your activities, they often include this unique identifier."
Yes, we know all about you, Mr Wiggins of Solihull
"So now a tracking site not only has a profile of your browsing history, it can link that profile to the personal data you post on the social networking site. Now your browsing profile is not just of somebody, it is of you."
Social networks use third-party tracking sites, called aggregators, to learn about the browsing habits of visitors using tracking cookies. Online networking sites have gone a step further by allowing for transmission of unique identifiers. This is a troubling practice for two reasons, Wills says. "First, users put a lot of information about themselves on social networking sites. Second, a lot of that information can be seen by other users, by default. There are mechanisms users can use to limit access to their information, but we found through previous research that most users don't take advantage of them."
With a unique identifier, a tracking site could gain access to a user's name, physical address, email address, gender, birth date, educational and employment information, and much more. Wills says he does not know what, if anything, tracking sites do with the identifiers that social networks transmit to them.
Not malicious, just ignorant?
"We are not saying that they are necessarily trying to leak private information," he says. "But once someone is in possession of your unique identifier, there is so much they can learn about you. And even if tracking sites do not use the information themselves, can they guarantee that it will never find its way into other hands? For these reasons, we feel this issue is something that we should to be concerned about."
Wills notes that while users can protect themselves to some degree by limiting the amount of information they post and using the protections available o limit access to their information, the easiest way to prevent privacy leakage would be for social networking sites to stop making unique identifiers visible.
You can download the full study from here.