The two leading presidential campaigns are exposing website visitor data to third parties via URL and page title information, according to Jonathan Mayer, a privacy advocate and Stanford graduate student. Mayer examined the information made available on the two candidates’ campaign websites, and found “both leak.” What’s more, he says the information visible to third parties such as Google, Optimizely, Amazon and others is personally identifiable or could end up that way by hashing it with first party, third party, or publicly available data.
In a blog post, he says Obama’s site reveals the following on various landing pages after a person logs in: a website visitor’s actual name, their site username, their street address and zip code. On Romney’s site, the unconcealed data includes name, partial email address, user ID and zip code.
Mayer’s post gets very granular on which data is exposed to which third parties. For instance, here is his itemized list of third parties hooked into Obama’s site that he believes can obtain street address and zip code information: “Akamai (CDN used by Chartbeat), Amazon (Amazon Web Services used by the campaign and New Relic), Chartbeat, Facebook, Google (Analytics), Hoefler & Frere-Jones (typography.com), New Relic, Optimizely, and Zendesk. ZIP code also leaked to BrightTag and Google (Maps API).”
The post calls to mind a two-year-old episode in which Facebook was found to be surfacing user data through referral URLs, allowing third parties – RapLeaf was frequently mentioned – to “scrape” ID numbers and then link them to its own database, which it then sells to advertisers and others. The data leakage, which Facebook acknowledged but said was inadvertent, was first reported by the Wall Street Journal (Oct 2010 story) and was among the first digital privacy investigations in the paper’s “What They Know” series.
In concluding his post Mayer scoffs at the notion of anonymous data tracking online:
“The greatest takeaway is that the myth of web tracking’s anonymity has proven remarkably resilient—despite compelling research results and practical experience to the contrary. Companies and trade groups in the tracking business community frequently invoke unfounded claims of anonymity. Policymakers, website operators, and journalists all-too-often repeat those claims—even, apparently, when they’re of the highest caliber.”
The report comes in the wake of an Oct. 28 New York Times story detailing the rise of online data gathering and retargeting efforts by the presidentials campaigns. Reporters Natasha Singer and Charles Duhigg used information from Evidon’s Ghostery browser plug-in to identify tracking tags on both candidates’ sites. BarackObama.com was host to 76 tracking tags in September, and MittRomney.com had 40.
Mayer is the West Coast equivalent to Ben Edelman, the Harvard associate professor who has dedicated his post-graduate life to tracking fraudulent and privacy-abusive advertising. But whereas Edelman has spent considerable time on risks to advertisers, Mayer’s focus is primarily dedicated to the consumer privacy issue. He worked with Federal Trade Commisision consultant (formerly its chief technologist) Ed Felten on the report.
