By now, it's no secret that social networks (or really any websites) are sharing some of your usage data with advertising partners in order to provide more targeted ads. Most of the time, this data gets anonymized when it gets passed on so that there's no personally identifiable information attached to your browsing history. Or does it? I turns out that some social networks—including the majors that we all know and love—have an interesting definition of "anonymous," essentially making it possible for lots of personally identifiable information to be exposed in connection to browsing habits.

Facebook, MySpace, LinkedIn, Digg, and LiveJournal (among others) are all guilty of "leaking" personally identifiable information (PII) to partners, according to a recent study by Worcester Polytechnic Institute researcher Craig E. Wills and AT&T Labs' Balachander Krishnamurthy. A "leakage," by the study's definition, is the opportunity for a third party to link the information they get from the social networks (either in the form of logs or browser cookies) to someone's PII—your name, phone number, and dog's favorite treat aren't passed on directly, but can easily be pieced together.

How is that possible? Not through your name, but through your profile's unique identifier, which is apparently included in the data given advertisers from most social networks. "We found that when social networking sites pass information to tracking sites about your activities, they often include this unique identifier. So now a tracking site not only has a profile of your Web browsing activities, it can link that profile to the personal information you post on the social networking site," Wills said. "Now your browsing profile is not just of somebody, it is of you."

Through an examination of the 12 social networks they included in the study, Wills and Krishnamurthy found that a personal photo, location, gender, and name were almost always available to those who have a unique profile identifier on hand. Further, a list of friends, activities, other photo sets, age, schools, employers, and location are available by default from most networks. (Just imagine if you had clicked on a number of Cialis and Viagra ads from MySpace, only to have those ad people go back and find out what you look like, where you work, who your friends are, and what you like to do for fun?) Only things like a zip code, phone number, and e-mail address were usually unavailable by default.

The researchers note that there are reasons why this should be a concern—aside from mere embarrassment. Not only can this information, when linked directly to you, constitute an invasion of privacy, it can also affect very real parts of your life. "Tracking sites don't have the ability to know if, for example, a site about cancer was visited out of curiosity, or because the user actually has cancer," Willis warned. "Profiling is worrisome on its own, but inaccurate profiling could potentially lead to issues with employment, health care coverage, or other areas of our personal lives."

This is not to say that third parties are actually doing anything with the unique identifiers they are receiving, but the door is wide open for abuse. We attempted to contact several social networks for comment, but did not hear back by publication time—it seems the only thing users can do to protect themselves right now is lock down as much information as possible. Still, the researchers noted that the easiest way to prevent this kind of data leakage is for the social networks themselves to stop passing on unique identifiers, whether accidental or not.

Update: Facebook spokesperson Simon Axten responded to the paper by reiterating that Facebook has granular privacy controls that allow people to decide how much information is public. "This means that anyone who doesn’t match those criteria can’t access it, regardless of whether he or she knows the person’s identifier. Given this, even if a site could link a URI, referrer, or cookie to a specific user, it would only be able to access information that the person had made public. While we don’t believe there’s any danger here, we take all reported privacy issues seriously and are investigating further to determine what, if any changes, we can make," Axten told Ars.

Further reading: