Obama and Romney websites leak user data to third parties

The campaigns' websites have failed to protect their users' data from third-party trackers.

Mar 3, 2020, 1:07 am*

Tech

Curt Hopkins 

Curt Hopkins

Representatives of both the Romney and the Obama campaigns have put their foot down: no data on their respective website users will be released. In fact, “safeguards” have been put in place to protect against that very possibility.

But those safeguards apparently weren’t sufficient to keep supporters of the two campaigns from being tracked online.

As Natasha Singer reported on the New York Times Bits blog, both camps are leaking information to third parties.

Jonathan Mayer of Stanford has released a new report putting the lie to the campaigns’ assertions of security.

“Leaking” in this case is not someone consciously, purposefully slipping info to a shady fellow in a parking garage. Mayer, a grad student in computer science, explains the mechanism in a blog post.

Leakage most commonly occurs when a website includes identifying information in a page URL or title. Embedded third parties receive the identifying information if they receive the URL (e.g. referrer headers) or the title (e.g.document.title). Even a little identifying information leakage thoroughly undermines the privacy properties of web tracking: once a user’s identity leaks to a tracker, all of the tracker’s past, present, and future data about the user becomes identifiable.

Some of these third party groups, according to Mayer, include companies who provide services for “advertising, analytics, social network integration, and more.”

When such services can identify the identify of individual visitors to BarackObama.com or MittRomney.com,they can then follow and target those users across services.

This cyber-stalking worries privacy advocates because, on top of being creepy, it can also bring the profound irritation of a never-ending spam avalanche.

As Mayer says, “Even a little identifying information leakage thoroughly undermines the privacy properties of web tracking: once a user’s identity leaks to a tracker, all of the tracker’s past, present, and future data about the user becomes identifiable.”

Photo by Eli Christman/Flickr

Share this article
*First Published: Nov 2, 2012, 3:54 pm