Cookie Trail & Social Network Identifiers Can Leak Private Data!

What if Santa Claus' identity was revealed when his cookie trail exposed his exact whereabouts on Christmas Eve? This would not only take all the fun and wonderment out of Christmas, it would be providing too much information for too many inquiring minds.

Now extrapolate from that fictional tale how we conduct ourselves on the Internet. Online, we not only create digital cookies, our attached private data is being consumed and leaving a tell-tale map of our coordinates all over the Internet. (Note: A cookie is a small amount of data, which often includes an anonymous unique identifier that is sent to your browser from a Web site's computers and stored on your computer's hard drive).

The study, "On the Leakage of Personally Identifiable Information Via Online Social Networks" was recently co-authored by Balachander Krishnamurthy, a researcher at AT&T Labs and Craig E. Wills, a professor of computer science at the Worcester Polytechnic Institute in Massachusetts. It researched several social networking sites such as Bebo, Digg, Facebook, Friendster, Hi5, Imeem, LinkedIn, LiveJournal, MySpace, Orkut, Twitter, and Xanga.

Balachander and Wills theory is based on the cookies that we create when we visit certain Web sites that are sent to third-party aggregators such as Google's DoubleClick, Google Analytics and Omniture. In turn, when we register and create an account, on... say Twitter or Facebook, we create a 'unique identifier' that is always associated with those personal accounts. From here, our cookies from the third-party aggregator can now actually link to the social network identifier allowing our personal data to become accessible and vulnerable.

In layman's terms, Wills describes this covert process as "disconcerting," because "not only do they know where (we) are visiting, they know who (we) are."

While Wills also notes that he is not "suggesting that there is a misuse of this information by third party aggregators," he cautiously warns that there should be contracts between social networking sites and these third parties that specifically states they will not use our "identifying information" for their own purposes.

Smelling potential regulation coming, third party ad networks recently agreed to an updated voluntary code of conduct, though it prohibits very little and has no enforcement mechanism attached to it.

And while Facebook recently modified their Terms of Service so our private data would remain private, if you ever decided to terminate your profile on their service, they still have the right to maintain your background intel in their databanks. And who knows in the future how that might come back to bite you!

When Wills asked Facebook to comment on his report, they did not respond to his inquiry. Talk about disconcerting!

What I believe we need to see are honest promises about user privacy. Organizations should  offer choices to users about how specific pieces of data about them are stored and shared, rather than simply making sweeping generalizations about “personal information.”   It may turn out that “personal” and “anonymous” are categories that are yet too vague. And we may need to come up with new terminology that is much more descriptive and informative, to assure that we are still in control of the information we are willing to share.