A study released Tuesday shows that 45% of the top 185 U.S. websites transmit identifying details about their visitors to at least four outside websites.
The data transmitted was primarily a “username” – which is the name a person uses to log into a website – or a user ID assigned by the website to a user. It was usually transmitted through referrers – which is information about the web page transmitted automatically.
In some cases, the data went much further: the study found for instance that the online dating website OKCupid sent the gender, age, zip code, relationship status and ‘drug use frequency’ to two companies that sell personal data in auctions, BlueKai and Lotame.
Lotame confirmed that it has a data licensing relationship with OKCupid, but said it does not use data in the “drug use category.”
BlueKai told Digits that it does not buy or sell data attributes like “drug use frequency” from OKCupid. “We do capture standard demographic attributes like zip, age and gender from several publishers,” a spokesperson said.
It’s not clear how many companies that received the data used the identifying information. But researcher Jonathan Mayer, a PhD student at Stanford University’s computer security lab, said that the study proved that online tracking is not anonymous.
“The web is suffused with identity,” Mr. Mayer said. “And it’s a fact of life that that identity will get sent to third parties at some point.”
Mr. Mayer presented his results at a press conference in Washington, D.C. held by a coalition of privacy advocacy groups. The title of the conference was: “Yes, They Really Know it’s You: The Digital Collection of Personal Information from Consumers and Citizens.”
Federal Trade Commission Chairman Jon Liebowitz spoke at the conference, but didn’t address the study’s results. He described online trackers as “cyber-azzi” that “follow us as we browse … every time we click so do they.”
He said the FTC is looking for ways to “cap the lenses of the cyber-azzi.” through tools such as the do-not-track feature that has been added to several Web browsers.
The Interactive Advertising Bureau, which represents the online ad industry, did not immediately respond to requests for comment.
In the Stanford study, Mr. Mayer said he set up new accounts at each site and surfed each website for about 15 minutes.
He found that 61% of the websites transmitted identifying information to at least one outside web domain. But he did not check whether those outside web domains were owned by the same company (such as YouTube sending data to its parent company Google).
He found that 45% of sites transmitted to at least four separate domains – which he said was a more robust representation of the amount of data sent to outside companies.
The websites that transmitted the most data were Rottentomatoes.com, which sent identifying information to 83 domains and Cafemom.com, which sent to 59 domains.
Both Rottentomatoes.com and Cafémom.com did not immediately respond to a request for comment.
The top recipients of identifying information were ComScore’s scorecardresearch.com, which received it from 81 sites, Google’s google-analytics.com, which received it from 78 sites and Quantserve.com, which received it from 63 websites.
ComScore says it uses the information it receives for “market research reporting” and that any personal data it receives is destroyed after it is “aggregated.”
Google told Digits, “We’ve never attempted or wanted to parse out personal information in any URL schema provided by a third party site.”
A spokeswoman for Quantserve, which owns the web traffic service Quantcast, said, “Quantcast does not use UserIDs and never has.”
Mr. Mayer also found that the Wall Street Journal’s website transmitted user’s e-mails to seven outside companies when a user entered the wrong password.
A Wall Street Journal spokeswoman said: “We were made aware of a bug and have since corrected the issue. We are continuing to audit the site.”