Edward Snowden’s exposure of the U.S. National Security Agency’s surveillance practices sent the world reeling. On Dec. 10, 2013, The Washington Post reported: “The National Security Agency is secretly piggypacking on the tools that enable Internet advertisers to track consumers, using ‘cookies’ and location data to pinpoint targets for government hacking and to bolster surveillance.”
For Tim Libert, a doctoral student at the Univ. of Pennsylvania’s Annenberg School for Communications, the revelation harkened back to a warning from U.S. Senator Frank Church, who said technology has the ability “to make tyranny total in America,” and crossing such a line brings society to an “abyss from which there is no return.”
Published in the International Journal of Communications, Libert’s new study found that of the top 1 million websites (ranked by Alexa), 88% leaked information to third parties. Further analysis revealed the sites leaking information contacted, on average, over nine external domains.
“There’s some suggestion that it’s anonymous data,” said Libert,” but when you have big data sets that can be combined with other big data sets, you can be identified pretty easily.”
According to the study, the top collectors of user data were Google, Facebook, Twitter, ComScore and Amazon. Google tracked user data on 78.07% of the websites studied, Facebook tracked data on 32.42% of websites, Twitter on 17.89%, ComScore on 11.98% and Amazon on 11.72%. While the monitoring is not strictly indicative of nefarious behavior, Libert warned vast sharing of data creates potential points of failure where user data can be hacked or leaked.
Documents leaked by Snowden “revealed that a Google cookie named PREF was being used to track targets online,” Libert writes. “Additional documents provided to The Guardian by Snowden detailed that another Google cookie (DoubleClick’s id), was also used by the NSA—in this case, to attempt to compromise the privacy of those using the anonymity-focused Tor network.”
Of the website studied, 81,699 spawned cookies with the name PREF, and 180,212 spawned cookies with the DoubleClick id name.
“It is unclear whether the identified cookies are being used to surveil users today, and companies such as Google are working admirably hard to improve security,” Libert writes. “However, it is clear that the widely deployed tracking mechanisms identified in this article are of interest to more than just advertisers.”
Libert suggests legislation may help users preserve their anonymity by enforcing Do Not Track mechanisms, which are available on all major Web browsers. Currently, a Do Not Track request is merely that, a request. Some trackers, such as ComScore, state in their privacy policies that they do not heed such requests, according to Libert. “The only company in the top 10 to respect the (Do Not Track) header is Twitter,” he writes
“If these users were able to have their wishes given the force of law—as should be possible in democracies—the behavior of Twitter would not represent a benevolent exception but a legally enforced rule,” Libert writes.