Beyond the Weiner Twitter 'Prank': Privacy? What Privacy?

Source.

The recent news media storm about Rep. Anthony Weiner (D-NY) and the "Twitter prank" highlights the importance of internet safety and security. It is not surprising that someone could hack into a public official's Twitter account and post an embarrassing picture. But online social networks are only part of the story, and ad blockers may be your best ally.

A study recently presented at the Web 2.0 Security and Privacy conference in Oakland, California is, well, terrifying. Consider this, from the AT&T Labs and Worcester Polytechnic Institute researchers' abstract, testing more than 100 popular sites other than online social networks:

We examined over 100 popular non-OSN {online social networks} Web sites across a number of categories where tens of millions of users representing diverse demographics have accounts, to see if these sites leak private information to prominent aggregators. Our results raise considerable concerns: we see leakage in sites for every category we examined; fully 56% of the sites directly leak pieces of private information with this result growing to 75% if we also include leakage of a site userid.

Here's a sampling of how such leakage of private information occurs:

1. Email Leakage in Account Confirmation

...these sites also employ what we refer to as hidden thirdparty servers where a given server appears to belong to a first-party domain, but actually belongs to a thirdparty.

2. Email, Name and Zip Code Leakage Via First-Party Cookies to Hidden Third Party

We also observe leakage of information to a thirdparty server via the Request-URI when a user has logged into a site.

3. Gender, Zip, and Interests Leakage in Navigation

4. Full Name Leakage Via Page Title

5. Age, Zip and Gender Leakage Via Input

6. Searching for Sensitive Terms:

Search terms are highly sensitive in some categories (e.g., Health) where users expect them to stay entirely within the site.

7.

We also saw a few cases where one site leaks the identifier of a user on a different site. For example, when a user on two different News sites shares a story with their Facebook account, that user's Facebook userid is stored in the respective first-party site's cookies and later leaked via these sites to hidden third parties. This leaked Facebook userid is a GUID {globally unique identi er} and can be used to link together records received by the third parties.

Their conclusions:

The growing disconnect between the protection measures and increasing leakage and linkage suggests that we need to move beyond the losing battle with aggregators and examine what roles first-party sites can play in protecting the privacy of their users.

Ad blockers, it turns out, can be highly effective for protective measures:

Most privacy protection measures are not effective in preventing many types of leakage and linkage. The technique that provides protection in most scenarios is, oddly enough, an advertisement blocker.

While that battle rages on, I'm going to think twice the next time I share a story via FaceBook or Twitter.

For more information, see press release here.