The study, "On the Leakage of Personally Identifiable Information Via Online Social Networks," was co-authored by Balachander Krishnamurthy, a researcher at AT&T Labs and Craig E. Wills, a professor of computer science at the Worcester Polytechnic Institute in Massachusetts, and presented last week at the Second ACM SIGCOMM Workshop on Online Social Networks in Barcelona, Spain.
The researchers say that social networks leak information through a combination of HTTP header information -- the Referer header and the Request-URI -- and cookies sent to third-party aggregators such as Google's DoubleClick, Google Analytics, and Omniture, among others.
As a consequence of this leakage, third-party aggregators can potentially link social network identifiers to past and future Web site visits, thereby identifying a person and his or her online activities.
"The ability to link information across traversals on the Internet coupled with the wide range of daily actions performed by hundreds of millions of user on the Internet raises privacy issues, particularly to the extent users may not understand the consequences of having their PII [personally identifiable information] available to aggregators," the study states.
The study notes that while the privacy policies of the third-party aggregators typically declare the sharing of non-indentifying information, they don't make it clear that an identity can often be derived from supposedly non-identifying information.
"What we are clearly trying to establish with this work is that these third party companies are receiving information about us from online social networks," said Wills in a phone interview. "When you or I create an account on an online social network, there's a unique identifier that's always associated with your account. That account number is being passed along to these third party aggregators. And along with the cookies these aggregators are already maintaining, they now can link that cookie to a social network identifier."
The study looked at twelve social networking sites: Bebo, Digg, Facebook, Friendster, Hi5, Imeem, LinkedIn, LiveJournal, MySpace, Orkut, Twitter, and Xanga.
"Not only do they know where I'm visiting, they know who I am," said Wills. "And that's disconcerting."
Many social networking sites provide privacy controls to limit information disclosure, but the report found that between 55% and 90% of users -- Wills suggests it's closer to 70% on the lower end -- of social networking services keep the default privacy settings for allowing strangers to view profile information and 80% to 97% keep the default privacy settings for viewing friends.
The report does not suggest that there's misuse of this information by third party aggregators and notes that contracts between social networking sites and third party aggregators may require aggregators not to use identifying information.
Facebook did not respond to a request for comment.
InformationWeek has published an in-depth report on managing risk. Download the report here (registration required).