At the W2SP 2011 Web 2.0 Security & Privacy conference this summer, Balachander Krishnamurthy, Konstantin Naryshkin and Craig Wills (AT&T Research, Worcester Polytechnic Institute) presented a paper titled "Privacy leakage vs. Protection measures: the growing disconnect."
The paper defines leakage as "personal information shared with any site other than first party." Some of this may be intentional and stated in privacy policies, but other leakage may be unintentional. According to the research, 56% of the 120 popular sites examined leak personal information to third parties in the form of cookies, referrer headers, GET parameters and more.
Some of the information leaked can be identifiable information. Information found leaked ranged from username to email, full name, address and more. Health sites were found to have the highest proportion of direct leakage. The report also looked at current ways to "block" these issues from happening, finding that the techniques are not as effective as they could be.
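To check your own site for the channels named above (GET parameters, referrer headers, cookies), one approach is to log in with a seeded test account and scan the captured outbound requests for its values. The sketch below is an added example, not code from the paper or this post; the hostnames, account values and the `site()` helper (a crude last-two-labels domain match) are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed test identity: values seeded into a throwaway account before browsing.
SEEDED = {"email": "alice.tester@example.org", "username": "atester42"}

# Constructed capture, shaped like entries exported from a proxy or HAR file.
CAPTURED = [
    {"url": "https://www.shop.example/profile?user=atester42", "headers": {}},
    {"url": "https://ads.tracker.example/pixel?uid=atester42&e=alice.tester%40example.org",
     "headers": {"Referer": "https://www.shop.example/cart"}},
    {"url": "https://cdn.analytics.example/collect?v=1",
     "headers": {"Referer": "https://www.shop.example/profile?user=atester42"}},
    {"url": "https://static.widgets.example/w.js",
     "headers": {"Cookie": "sess=9f2c; em=alice.tester%40example.org"}},
]

def site(host):
    """Approximate the registrable domain as the last two labels (assumption:
    no public suffix list, so hosts under suffixes like co.uk are misgrouped)."""
    return ".".join(host.lower().split(".")[-2:])

def find_leaks(first_party, requests, seeded=SEEDED):
    """Return (third_party_host, channel, field) for each seeded value sent off-site."""
    leaks = []
    for req in requests:
        url = urlsplit(req["url"])
        if site(url.hostname or "") == site(first_party):
            continue  # first-party request: not leakage under the paper's definition
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        channels = {
            # parse_qsl percent-decodes the query values for us
            "get_parameter": " ".join(v for _, v in parse_qsl(url.query)),
            "referer": unquote(headers.get("referer", "")),
            "cookie": unquote(headers.get("cookie", "")),
        }
        for channel, text in channels.items():
            for field, value in seeded.items():
                if value.lower() in text.lower():
                    leaks.append((url.hostname, channel, field))
    return leaks

if __name__ == "__main__":
    for host, channel, field in find_leaks("www.shop.example", CAPTURED):
        print(f"{field} sent to {host} via {channel}")
```

This only matches plaintext and percent-encoded values; identifiers that are hashed or otherwise encoded before being sent will not be flagged.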
As businesses, it's important that we keep on top of consumer privacy, not only for our own practices but also to be aware of what may impact our own internal security. If user names are being easily displayed on consumer sites, we should take steps to further personalize employee usernames internally. A strong internal password policy, which we've examined at length before, is also good practice.