Hundreds of websites share usernames sans permission

[InfoSec News <alerts () infosecnews org>]

http://www.theregister.co.uk/2011/10/11/websites_share_usernames/

By Dan Goodin in San Francisco
The Register
11th October 2011

Home Depot, The Wall Street Journal, Photobucket, and hundreds of other 
websites share visitor's names, usernames, or other personal information 
with advertisers or other third parties, often without disclosing the 
practice in privacy policies, academic researchers said.

Sixty-one percent of websites tested by researchers from Stanford Law 
School's Center for Internet and Society leaked the personal 
information, sometimes to dozens of third-party partners. Home Depot, 
for example, disclosed the first names and email addresses of visitors 
who clicked on an ad to 13 companies. The Wall Street Journal divulged 
to seven of its partners the email address of users who enter the wrong 
password. And Photobucket handed over the usernames of those who use the 
site to share images with their friends.

The report comes as US officials have proposed a mandatory Do Not Track 
option for all websites. Some operators have argued such measures are 
unnecessary because their systems for tracking visitors' browsing 
histories aren't linked to a user's specific identity.

In the report, Jonathan Mayer, a Stanford graduate student who led the 
study, argued against the claim that the online tracking is anonymous. A 
username alone, he explained, is often more than adequate to identify 
the owner, and when it's combined with other information, such as his 
geographic location or first name, even widely used usernames can be 
uniquely assigned to an individual.

[...]


_____________________________________________________________
FINAL CALL to register #HITB2011KUL - Asia's premier
deep-knowledge network security event now in it's 9th year!
http://conference.hitb.org/hitbsecconf2011kul/