Obama and Romney websites leak user data to third parties

Representatives of both the Romney and the Obama campaigns have put their foot down: no data on their respective website users will be released. In fact, “safeguards” have been put in place to protect against that very possibility.

But those safeguards apparently weren’t sufficient to keep supporters of the two campaigns from being tracked online.

As Natasha Singer reported on the New York Times Bits blog, both camps are leaking information to third parties.

Jonathan Mayer of Stanford has released a new report putting the lie to the campaigns’ assertions of security.

“Leaking” in this case is not someone consciously, purposefully slipping info to a shady fellow in a parking garage. Mayer, a grad student in computer science, explains the mechanism in a blog post.

Leakage most commonly occurs when a website includes identifying information in a page URL or title. Embedded third parties receive the identifying information if they receive the URL (e.g. referrer headers) or the title (e.g.document.title). Even a little identifying information leakage thoroughly undermines the privacy properties of web tracking: once a user’s identity leaks to a tracker, all of the tracker’s past, present, and future data about the user becomes identifiable.

Some of these third party groups, according to Mayer, include companies who provide services for “advertising, analytics, social network integration, and more.”

When such services can identify the identify of individual visitors to BarackObama.com or MittRomney.com,they can then follow and target those users across services.

This cyber-stalking worries privacy advocates because, on top of being creepy, it can also bring the profound irritation of a never-ending spam avalanche.

As Mayer says, “Even a little identifying information leakage thoroughly undermines the privacy properties of web tracking: once a user’s identity leaks to a tracker, all of the tracker’s past, present, and future data about the user becomes identifiable.”

Photo by Eli Christman/Flickr

Curt Hopkins

Curt Hopkins

Curt Hopkins has over two decades of experience as a journalist, editorial strategist, and social media manager. His work has been published by Ars Technica, Reuters, Los Angeles Times, and San Francisco Chronicle. He is the also founding director of the Committee to Protect Bloggers, the first organization devoted to global free speech rights for bloggers