Beyond the Weiner Twitter 'Prank': Privacy? What Privacy?


The recent news media storm about Rep. Anthony Weiner (D-NY) and the "Twitter prank" highlights the importance of internet safety and security. It is not surprising that someone could hack into a public official's Twitter account and post an embarrassing picture. But online social networks are only part of the story, and ad blockers may be your best ally.

A study recently presented at the Web 2.0 Security and Privacy conference in Oakland, California is, well, terrifying. Consider this, from the AT&T Labs and Worcester Polytechnic Institute researchers' abstract, testing more than 100 popular sites other than online social networks:

We examined over 100 popular non-OSN {online social networks} Web sites across a number of categories where tens of millions of users representing diverse demographics have accounts, to see if these sites leak private information to prominent aggregators. Our results raise considerable concerns: we see leakage in sites for every category we examined; fully 56% of the sites directly leak pieces of private information with this result growing to 75% if we also include leakage of a site userid.

Here's a sampling of how such leakage of private information occurs:

1. Email Leakage in Account Confirmation

...these sites also employ what we refer to as hidden third-party servers where a given server appears to belong to a first-party domain, but actually belongs to a third party.

2. Email, Name and Zip Code Leakage Via First-Party Cookies to Hidden Third Party

We also observe leakage of information to a third-party server via the Request-URI when a user has logged into a site.

3. Gender, Zip, and Interests Leakage in Navigation

4. Full Name Leakage Via Page Title

5. Age, Zip and Gender Leakage Via Input

6. Searching for Sensitive Terms:

Search terms are highly sensitive in some categories (e.g., Health) where users expect them to stay entirely within the site.

7.

We also saw a few cases where one site leaks the identifier of a user on a different site. For example, when a user on two different News sites shares a story with their Facebook account, that user's Facebook userid is stored in the respective first-party site's cookies and later leaked via these sites to hidden third parties. This leaked Facebook userid is a GUID {globally unique identifier} and can be used to link together records received by the third parties.

Their conclusions:

The growing disconnect between the protection measures and increasing leakage and linkage suggests that we need to move beyond the losing battle with aggregators and examine what roles first-party sites can play in protecting the privacy of their users.

Ad blockers, it turns out, can be highly effective for protective measures:

Most privacy protection measures are not effective in preventing many types of leakage and linkage. The technique that provides protection in most scenarios is, oddly enough, an advertisement blocker.
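The leakage channels listed above (Request-URI, Referer, page title, hidden third-party servers) and the ad-blocker finding are both easy to see in a small audit script. The following is an added example, not code from the post or from the AT&T/WPI researchers: it scans a handful of constructed HTTP requests made while a logged-in user browses a hypothetical first-party site, follows a constructed CNAME map to unmask a "hidden" third party, flags any request to a third party whose URL or Referer carries fields from the user's profile, and notes whether a hypothetical blocklist in the style of an ad blocker's filter list would have stopped that request. All hostnames, the profile and the requests are constructed for the example.

```python
from urllib.parse import urlparse, unquote

# Constructed CNAME map standing in for DNS lookups. A hostname that looks
# first-party but aliases to a third-party collector is the paper's
# "hidden third-party server". Every name here is hypothetical.
CNAME_MAP = {
    "metrics.example-news.com": "collector.tracker-example.net",
}

# Constructed blocklist of hypothetical tracker domains, in the spirit of
# an ad blocker's filter list.
BLOCKLIST = {"tracker-example.net", "ads-example.com"}

# Constructed user profile: the private fields whose leakage we look for.
PROFILE = {"email": "alice@example.org", "zip": "94612", "name": "Alice Example"}
FIRST_PARTY = "https://www.example-news.com"

# Constructed requests observed while the user browses the first-party site.
SAMPLE_REQUESTS = [
    # Beacon to a hostname that looks first-party but CNAMEs to a tracker;
    # email and zip travel in the Request-URI.
    {"url": "https://metrics.example-news.com/beacon?u=alice%40example.org&z=94612",
     "referer": "https://www.example-news.com/account"},
    # Plain tracking pixel; the Referer carries the profile page's query string.
    {"url": "https://ads-example.com/pixel",
     "referer": "https://www.example-news.com/profile?name=Alice%20Example&zip=94612"},
    # First-party script: not third party, so never reported.
    {"url": "https://static.example-news.com/app.js",
     "referer": "https://www.example-news.com/profile?name=Alice%20Example"},
    # Third-party CDN that receives nothing sensitive.
    {"url": "https://cdn-example.net/lib.js?v=3",
     "referer": "https://www.example-news.com/"},
    # Analytics call that sends the page title (containing the full name).
    {"url": "https://collector.tracker-example.net/collect?dt=Welcome%20Alice%20Example",
     "referer": "https://www.example-news.com/"},
]


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Enough for the constructed sample;
    a real tool would consult the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def effective_host(host):
    """Follow the constructed CNAME chain to the host that really receives the request."""
    seen = set()
    while host in CNAME_MAP and host not in seen:
        seen.add(host)
        host = CNAME_MAP[host]
    return host


def is_third_party(first_party_url, request_url):
    """True when the request, after CNAME resolution, leaves the first party's domain."""
    fp = registrable_domain(urlparse(first_party_url).hostname or "")
    real = effective_host(urlparse(request_url).hostname or "")
    return registrable_domain(real) != fp


def find_pii(text, profile):
    """Profile fields whose value appears (URL-decoded, case-insensitive) in text."""
    decoded = unquote(text).lower()
    return sorted(k for k, v in profile.items() if v and v.lower() in decoded)


def analyze(first_party_url, requests, profile):
    """One finding per (third-party request, channel) pair that carries profile data."""
    findings = []
    for r in requests:
        if not is_third_party(first_party_url, r["url"]):
            continue
        host = urlparse(r["url"]).hostname or ""
        real = effective_host(host)
        for channel, value in (("request-uri", r["url"]), ("referer", r.get("referer", ""))):
            leaked = find_pii(value, profile)
            if leaked:
                findings.append({
                    "host": host,
                    "hidden_third_party": real != host,   # CNAME-cloaked collector
                    "channel": channel,
                    "fields": leaked,
                    "blocked": registrable_domain(real) in BLOCKLIST,
                })
    return findings


def run_sample():
    return analyze(FIRST_PARTY, SAMPLE_REQUESTS, PROFILE)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

On the constructed data the script reports three leaks (email and zip in a Request-URI to a CNAME-cloaked collector, name and zip in a Referer, and the full name inside a page title sent to an analytics endpoint) and marks all three as requests a blocklist would have cut off, which is the mechanism behind the paper's observation that an ad blocker is the most effective protection. The CNAME step matters for defenders: a blocklist keyed only on the visible hostname would pass `metrics.example-news.com` straight through.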

While that battle rages on, I'm going to think twice the next time I share a story via Facebook or Twitter.

For more information, see press release here.


The only answer is an SSL certificate. Search for protected sites: SSL encrypts names, addresses, passwords, account and credit card numbers and more so hackers and other online criminals can't read them. Never leave any important information on an unprotected website.