2009-2010

New Study Shows that Mobile Online Social Networks Add a New Dimension to Privacy Leakage Concerns

WPI researcher shows that 20 such sites share users' private information, including their location, with third-party tracking sites

WPI Researcher Shows that 20 Mobile Online Social Networks Share Private Information, Including a User's Location, with Third Party Tracking Sites

After documenting for the first time in a 2009 study that online social networking sites leak personally identifiable information to third-party advertising tracking companies (making it possible to connect a user's previously anonymous browsing profile to his or her identity), a new study co-authored by a researcher at Worcester Polytechnic Institute (WPI) shows that mobile online social networks add a new dimension to online privacy leakage by providing tracking sites and other social networking services with users' physical locations or the unique identifiers for their mobile devices, among other types of personal information.

Craig Wills, professor of computer science at WPI, co-authored the study, "Privacy Leakage in Mobile Online Social Networks," which was presented at the 3rd Workshop on Online Social Networks on June 22, 2010 in Boston.

In the study, the researchers examined 13 mobile online social networks, including popular services like Brightkite, Flickr, Foursquare, Gowalla, Loopt, Radar, and Urbanspoon, and seven traditional online social networks that allow users to access them with mobile devices; these included Facebook, Linkedin, MySpace, and Twitter. They looked at the kinds of personal information users can—or in some cases, must—post on these sites and at the sites' privacy policies. They also monitored what the sites transmit to third-party tracking sites.

The researchers found that all 20 sites leaked some kind of private information to third-party tracking sites. In many cases, the leakage consisted of a user's unique social networking identifier, which could allow the third-party sites to connect the records they keeps of web users' browsing behavior with the their profiles on the social networking sites. Since mobile online social networks offer services and applications that capitalize on the ability of smart phones and other mobile devices to pinpoint their exact geographic location, the researchers looked to see if the sites passed this location information to the third-party tracking sites, but found that only two do so directly, though several use a third-party map service to show the location on a map. However, they discovered that six sites transmit a unique identifier for the user's phone, potentially making it possible for third-party sites to continue to track a user's actions as he or she uses the phone for other applications.

Beyond the leakage from individual mobile online social networking sites, the researchers found that the connections that are increasingly being forged between these sites and traditional social networking services are creating new and troubling channels for privacy leakage. For example, many mobile sites encourage users to "check in," or register their location, as they go through their day. Typically, those check-ins are shared with all users of the mobile networking site, though some sites allow users to share their location information only with their friends. A number of traditional social networking sites allow users to automatically post their check-ins on those sites, as well. The researchers found that even when mobile online network users choose to share their check-ins only with their friends, when that information is reposted on sites like Facebook, it becomes available by default to all users of that site.

The researchers also discovered that as information is shared among social networking sites, it can find its way to additional third-party tracking sites, greatly increasing the potential that these sites may accumulate multiple types of personally identifiable information about individuals and gain the ability to connect users with their personal information not only to their web browsing behavior, but to the physical places they go and the activities they engage in with their phones and other mobile devices. "The combination of location information, unique identifiers of devices, and traditional leakage of other personally identifiable information all conspire against protection of users' privacy," the researchers note in the paper.

"This initial look at mobile online social networks raises some serious concerns, but there is more work to be done," Wills said. "The fact that third-party sites now seem to have the capacity to build a comprehensive and dynamic portrait of mobile online social network users argues for a comprehensive way to capture the entire gamut of privacy controls into a single, unified, simple, easy-to-understand framework, so that users can make informed choices about their online privacy and feel confident that they are sharing their personal, private information only with those they choose to share it with."

Read more about Professor Wills’ research here.

June 22, 2010

Contact: Eileen Brangan Mell, Director of Public Relations, +1-508-831-6785, ebmell@wpi.edu