By signing onto many of the most popular sites on the Web, you may be unknowingly sharing your email address or name with other websites and data collection companies that help target online advertising, according to a study by Stanford computer science researchers that sparked new calls for "Do Not Track" laws after its release Tuesday.
The study, released at an online privacy forum at the National Press Club in Washington, found that on 185 heavily visited websites, a user name or user ID provided by consumers was shared with another website 61 percent of the time. In many cases, the study said, that data "leakage" would appear to violate websites' privacy policies, which typically promise not to share personal information with other parties.
Federal Trade Commission Chairman Jon Leibowitz praised the study as "absolutely terrific work" and said at the forum that the findings would help in the agency's efforts to protect consumers' online privacy. The FTC last year backed the creation of "Do Not Track" features now available on some Web browsers that allow consumers to block online data-collection and advertising companies from following their movements on the Web.
"Once you enter cyberspace, software placed on your computer, usually without your consent or even knowledge, turns your private information into a commodity out of your control," Leibowitz said. "Your computer is your property, and people shouldn't be putting things in it without your permission."
The study, for Stanford's Computer Security Lab, did not say how those data collection companies use the personal information they receive from popular so-called "First Party" websites. Among the websites the Stanford study examined were NBC's main site, the sports site Bleacher Report, the Home Depot and the weather site Weather Underground.
The study found that at many popular websites, by logging into an account or sometimes by just viewing an ad, consumers are sending all or part of their names or an email address to multiple third party data collection sites. In some cases, the personal information that leaked went far beyond a name, user ID or email address, including gender, age, ZIP code and relationship status.
However, Jonathan Mayer, the study's author, said many of the sites say in their privacy policies that they do not share personally identifiable information with other sites.
"From a legal perspective, personal information leakage is a debacle," Mayer wrote in a blog post about the study. "Many first-party websites and third parties make what would appear to be incorrect representations about not sharing or collecting 'personally identifiable information.' "
The study found that clicking on a local ad on the Home Depot website sent a user's first name and email address to 13 data collection companies, while signing up for an account on Weather Underground sent the email address to 22 companies.
Weather Underground said Tuesday that "we currently have our team resolving this issue." Home Depot said its website does not trade, sell or rent consumer information but was "researching carefully to determine if anything unusual occurred."
Google, one of the sites that the study said received user information, maintained it does not use any personally identifiable information for any software product. "We've never attempted or wanted to parse out personal information" received by Google, the company said.
But Mayer said in an interview that the purpose of the study was to show that data collection and tracking companies have the ability to link anonymous tracking data with a person's real identity.
"It's a very different claim to say, 'Yeah we know who you are, but we don't act on it,' to 'We don't know who you are,' " he said.
The study did not investigate the sites of Google, Yahoo (YHOO) or Facebook because there are so many different features that the researchers could not take a reasonable sample. The findings led to calls by members of a coalition of 10 consumer, privacy and civil rights groups for more investigation by the FTC about whether the identified companies violated their privacy obligations to consumers. The coalition organized the privacy forum.
The online advertising industry "tries to lull consumers by claiming that online tracking gathers behavioral data anonymously," John Simpson, privacy project director at the advocacy group Consumer Watchdog, said in a written statement. "This study proves that personally identifiable information is regularly shared without consumers' knowledge. We can't rely on industry promises to protect consumer privacy; clearly we need Do Not Track legislation and we need it now."