A recent study conducted by researchers at Stanford University’s Center for Internet and Society found many websites “leak” information in referrer headers sent to third parties. The researchers looked at 185 websites (selected from the Quantcast top 250) to see if what personal information, if any, those websites leaked to third parties via referrer headers and request URIs. The results of the study showed that the most frequently leaked information was a username or userID (leaked to third parties on 113 of the 185 websites studied). The study also found that websites leaked other identifying information, e.g., email address, first and last name, birthday, address, gender, and, in a few cases, even passwords, to third parties.
The researchers also reviewed the posted privacy policies and statements of several first party websites and third party trackers. In several cases, the policies and statements contained representations about not sharing personally identifiable information that appear to be contradicted by the results of the study.
News of the study and the results has received widespread coverage in the technology and mainstream press. While no class action lawsuits have been filed (yet), companies should review their websites to ensure that personal information is not being leaked or otherwise disclosed to third parties in violation of the company’s privacy policy.
