Companies use users' Web information to their advantage

Such leaks leave users of these sites vulnerable to being tracked unknowingly and unwillingly by companies who can build and share profiles with our names, our friends’ names and other personal information.

So, not only do advertisers know what Web sites we visit, they can know who we are and who our friends are. A recent study was able to track personal information leaks from 12 networking sites: Bebo, Digg, Facebook, Friendster, Hi5, Imeem, LinkedIn, LiveJournal, MySpace, Orkut, Twitter, and Xanga.

“There’s a certain amount of a creepiness factor,” said the study’s co-author, Craig Wills, an associate professor at Massachussetts’ Worcester Polytechnic Institute. “And at the worst case, they have information that’s basically out of our control.”

In December, Roger Thompson, a chief research scientist with software security company AVG, blogged that information from his social networking page had somehow leaked to his credit card company. When he called to re-open an account, one of the security questions was about his sister-in-law, information he says he hadn’t given them and was available only on his private social networking page.

“Someone, other than the government, has a honking-great database on me. And that probably means that they have a similar amount of data on you, Dear Reader,” Thompson writes in his blog. “Someone is seriously invading our privacy.”

Internet privacy advocates have been trying to help consumers plug these holes or encourage the Federal Trade Commission to get involved. The FTC is hosting a series of discussions about issues such as behavioral advertising, tracking and social networking. The first was in December in Washington and the second last month in Berkeley, Calif. The third is in the works.

Typically, social network users post these tidbits to “friends” or “connections” voluntarily, but usually the information is limited to select groups with controls that keep the information contained. Or so we think.

Many consumers already know about tracking. Through the use of files on our computers, called cookies, traveling from site to site creates a kind of Web profile for advertisers. But pair that with a social networking site, Willis said, and it gets trickier. When we create our private page, it is assigned a unique string of numbers, a kind of identification number for that individual account.

What Wills and his co-author, AT&T Labs researcher Balachander Krishnamurthy, found is that “identifier” also is being leaked to third-party advertisers.

“All social networking sites have is information,” said Wills, who attended the FTC’s first discussion. “The key thing we found is the possibility of information being leaked is not just a possibility, but we confirm it is happening.”

The social networks are not actively harvesting and selling this personal identifying information. But they are, inadvertently or not, passing it along.

Advertisers and these other third-party companies that make money by providing content and ads for Web sites also pay to be a part of social networking sites, so that they can glean user information there, as well. Wills says that along with that transfer of typically anonymous behavior data is this leak of information that identifies users specifically. One of the primary “identifiers” is this unique account code.

“They are at least obtaining the information on who these individual users are,” Wills said. “Do we know exactly what they are doing with this information? No. But do we know the social networking sites are passing it along? Yes.”

Facebook, the world’s biggest social networking site with 350 million active users, goes to great lengths to protect user privacy, said spokesman Andrew Noyes. “We’re industry leaders on this front and are proud of our achievements.”

The company does not and has never given out anyone’s data or personally identifiable information to advertisers, he said. “While we don’t believe there’s any serious danger here, we take all reported privacy issues seriously and are investigating further to determine what, if any, changes we can make.”

Generally, behavioral advertising is expanding and becoming more sophisticated. Digital marketing companies like Omniture, Yield Manager, and AdSense and DoubleClick, owned by Google, gather user information from Web site use all over the Internet to create behavior patterns and predict how consumers will respond and what they will buy or research. It’s a growing source of the marketing revenue pie.

A poll this month from e-commerce consultant Econsultancy and digitial marketer ExactTarget says digital marketing will account for 24 percent of overall advertising money spent this year, and 28 percent of firms are shifting at least some of their marketing budgets from traditional to digital channels. The study polled 1,000 companies in the U. S. and Britain.

Web sites have a responsibility to be more aware and careful about who they allow to collect information on their domains, said Jim Brock, a former Yahoo! executive. He created privacy.org to help consumers know who is tracking them online.

In a letter to the FTC, Krishnamurthy wrote that consumers are being followed all over the Web: “A handful of companies are able to track users’ movement across almost all of the popular Web sites. Virtually all the protection techniques have significant limitations highlighting the seriousness of the problem and the need for alternate solutions.”

Facebook, for example, has a few applications – privacy protector and privacy guard – meant to guard information. But Willis and Krishnamurthy show in their study the protection can be inconsistent.

So, be wary of TMI. Too Much Information.

“Any picture, any piece of information you make available to these sites, you lose control of,” Wills warns. “If there’s something you would rather an employer or future employer or someone else down the line not to know about. ...Unless there’s a real need to [share it], my clear advice is to not.”

Check our sources

Here are a few Web sites to become more aware and turn the tables on the trackers:

• The Worcester Polytechnic Institute's research project, What They Know About You, shows consumers how their Web browsing habits are being tracked by third-party sites for advertising. These third party sites often are invisible to users on the pages they visit.

• This is the link to the study by Craig Wills and Balachander Krishnamurthy about social network information leaks.

• The Network Advertising Initiative, formed by a group of online marketing companies, including Google, Yahoo! and AOL, says it's committed to building consumer awareness and reinforcing responsible business and data management practices. NAI hosts an "opt-out" page that allows consumers to choose not to receive behavioral ads from its members. Using their tool, you can examine your computer to see which member companies have placed an advertising cookie file on your computer.

• "See which advertising companies collect information on your favorite Web sites. See what they do with the information about your interests and activities."

• This Web site describes a research project from the Electronic Frontier Foundation, helping consumers determine how unique – and trackable – our computers are. The site gathers portions of your browser's device fingerprint and estimates how identifiable it makes you.

• Watch this short video for tips from AVG researcher Roger Thompson on how to keep your identity safe on social networking sites.

Have a news tip?

If you have a tip about government waste, consumer rip-offs or threats to your health and safety, contact us by e-mail or phone 404-526-5041.