When you sign up at many of the most popular websites, your name, email address and other personal information may be provided to advertisers, data-collection firms and others more often than you think — and perhaps unintentionally.
That's from a new Stanford University study that finds that nearly two-thirds of the 185 most popular websites share user names and other information with third-party companies. Nearly half provide user data to at least four outside parties.
See also: What happens to stolen personal data?
At HomeDepot.com, for instance, the first names and emails of account holders who click on local ads are sent to at least 13 companies, says study author Jonathan Mayer of Stanford Law School's Center for Internet and Society.
At Classmates.com, first and last names go to 22 companies, while the Wall Street Journal's website was sharing users' email addresses with seven other companies.
Web browsing patterns can leak
Google and Facebook are among the top recipients of leaks of personal information. Most often it consists of user names, but sometimes it includes more personal information, as well as a person's Internet surfing practices.
Many websites provide personal preference data to advertisers that want to target people likely to buy their products. For instance, a person who has expressed an interest in skiing when creating an account at a website might see ads for skiing equipment. Sensitive information to directly identify a person, such as a home address, is not provided to the advertiser.
But the study found that clues to identity can "leak" to the advertiser, perhaps inadvertently. This may happen when the website shares with the advertiser the personalized Internet address or page name that goes with a Web page that only a particular member will see — the user's email address may be embedded in the Internet address, for instance.
Sometimes, this exchange of data occurs even when websites claim they do not share users' information with others.
This identity information can signal not just "what you're doing right now, but … what you've done in the past, and what Web browsing activity you may have in the future," Mayer explained when presenting his study on Oct. 10 at a privacy forum in Washington.
From a legal perspective, leakage of identifying information is "a debacle," Mayer said in a blog. "Many first-party websites make what would appear to be incorrect, or at minimum misleading, representations about not sharing" what the industry calls "personally identifiable information."
The do-not-track option
The Federal Trade Commission and consumer-protection groups are citing the study in an effort to push websites to offer a do-not-track option, similar to the do-not-call list to stop unwanted telemarketing calls.
A handful of companies — including Microsoft, Apple and Mozilla — have already included a do-not-track feature on their browsers.
FTC Chairman Jon Leibowitz, speaking at the forum that presented Mayer's study, likened the practice of leaked personal information and tracking people online to the paparazzi who hound celebrities.
"A host of invisible cyberazzi — cookies and other data catchers — follow us as we browse, reporting our every stop and action to marketing companies that, in turn, collect an astonishingly complete profile of our online behavior," he said.
"Paparazzi know who their celebrity subjects are, while the cyberazzi may not have linked — at least publicly — our identities to the profiles they are building. But that could happen."
Also of interest: Protect yourself against email and Web scams. >>
Sid Kirchheimer writes about consumer and health issues.