Consumer Reports: Facebook Leaks Personal Info

Note: Consumer Reports has no relationship with the advertisers on this site.

In our 2009 State of the Net survey, roughly 13% of people using social networks such as Facebook and MySpace reported being subjected to some kind of abuse and 17% of all online users reported having recently experienced identity theft online.

Now a new study raises another, possibly more serious threat to users of social networks: the leaking of their personal information to third-party tracking sites that run banner ads on those social networks.

Such tracking sites are known to compile, over a period of years and using cookie files on people's home computers, anonymous records of users' online behavior. For example, they track which Web sites people visit. Having the ability to tie those anonymous records to the identities of social network users would all but eliminate their anonymity.

The study, co-authored by a researcher at the Worcester Polytechnic Institute, examined the practices of 12 social networking services, including Bobo, Digg, Facebook, Friendster, Hi5, Imeem, LinkedIn, LiveJournal, MySpace, Orkut, Twitter and Xanga.

Those social networks tag each user by assigning him or her a unique identifier. Normally, such a tag is used internally by the social network to access the user's personal profile. But if an outside tracking site were to obtain that tag, it could easily locate personal information in an individual's social network profile.

What the researchers found is this: When a social network communicates with a third-party tracking site, typically for the purpose of displaying a banner ad on the user’s screen, the social network is disclosing the user’s tag to the tracking site. It's not known whether any tracking site has abused such a disclosure. But one could, by combining the personal information obtained from the social network with its own records of that user’s online behavior to compile a dossier on that individual, including his or her name.

Many social network users have access to privacy controls that can protect their personal information from such tracking sites. But, the study found, on some services such sensitive information as the user’s name, gender, age and location remain unprotected by privacy controls. The study also estimated that between 55% and 90% of the users of the social networks hadn't taken advantage of privacy controls to limit access to their profile information. As a result, much of their personal information was widely exposed. (Besides being of use to third-party tracking sites, such detailed information could be useful to online scammers and other criminals.)

The bottom line: Social networks should offer users a wide range of privacy protections and make sure those are enabled by default. Users of social networks shouldn't assume their identity and personal information is private from advertisers and scammers, and should take all necessary precautions to protect themselves.

I'll cover those recommended steps in a follow-up blog.