The data transmitted was primarily a username or a user ID, and was most commonly sent to Google, Facebook, comScore, and Quantcast.
The study, “Tracking the Trackers: Where Everybody Knows Your Username,” said it is not clear how many companies that receive the data are actually using it or for what purpose. But researcher Jonathan Mayer, a Ph.D. student at Stanford University’s computer security lab, said that the study proved that online tracking is not anonymous.
“The web is suffused with identity,” said Mayer. “And it’s a fact of life that that identity will get sent to third parties at some point.”
On some sites, the shared information includes much more than just a username: the study found that the free online dating site, OKCupid, sent the gender, age, zip code, relationship status and ‘drug use frequency’ to two companies that sell personal data in auctions, BlueKai and Lotame.
Mayer presented his results at a press conference in Washington, D.C. held by a coalition of privacy advocacy groups. The title of the conference was: “Yes, They Really Know it’s You: The Digital Collection of Personal Information from Consumers and Citizens.”
As part of his research Mayer set up new user accounts on many different Web sites and surfed each one for about 15 minutes. He found that 61% of the Web sites transmitted identifying information to at least one outside web domain. But he did not check whether those outside domains were owned by the same company (such as YouTube sending data to its parent company Google, for instance).
The sites that transmitted the most data were Rottentomatoes.com, a movie-rating site, which sent identifying information to 83 domains and Cafemom.com, an online community for moms, which sent data to 59 domains.
For more on Mayer’s research, visit http://cyberlaw.stanford.edu/node/6740.