Facebook, Twitter and Google are monitoring web links sent in private communications, a Swiss IT security services firm has found.
High-Tech Bridge set up an experiment to test the confidentiality of 50 of the largest social networks, web services and free email systems by using them to send secret URLs in private communications.
The firm set up a dedicated server to see which of the services picked up and used the unique URL created for each.
During the 10 days of the experiment, only six services out of the 50 took the bait, but they included four of the biggest and most used social networks: Facebook, Twitter, Google+ and Formspring.
The remaining two were URL shortening services: bit.ly and goo.gl.
While it could be argued that such behaviour may be part of the legitimate functionalities for URL shortening services, that is not the case for social networks such as Facebook and Twitter.
Taking into consideration that some of the services may have legitimate robots that automatically follow every user-transmitted link to verify and block spam, High-Tech Bridge also created a robots.txt file on its web server that restricted bots from accessing the server and its content.
Only Twitter respected this restriction; all other social networks simply ignored it, accessing the secret URL, the company said.
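The method described above (one unique URL per service, a server that records requests, and a robots.txt restriction) can be reproduced to check how your own links are handled. The following is an added example, not High-Tech Bridge's code; the function names, the `/s/` path prefix, the Common Log Format input and the sample log lines are assumptions constructed for illustration.

```python
import re
import secrets
from collections import defaultdict

# Common Log Format: client, ident, user, [time], "METHOD path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" \d{3}')

def new_canaries(services, prefix="/s/"):
    """Map one unguessable path to each service the link will be sent through."""
    return {prefix + secrets.token_urlsafe(16): svc for svc in services}

def analyse(log_lines, canaries):
    """Attribute canary hits to services; note clients that read robots.txt first."""
    read_robots = set()
    report = defaultdict(lambda: {"hits": 0, "clients": set(), "after_robots": False})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not GET/HEAD requests in the expected format
        client, path = m.group(1), m.group(2).split("?", 1)[0]
        if path == "/robots.txt":
            read_robots.add(client)
        elif path in canaries:
            entry = report[canaries[path]]
            entry["hits"] += 1
            entry["clients"].add(client)
            # True if this client fetched robots.txt and requested the URL anyway
            entry["after_robots"] |= client in read_robots
    return dict(report)

# Constructed sample: fixed tokens and documentation-range IPs, not data from the experiment.
SAMPLE_CANARIES = {"/s/tokA1": "service-a", "/s/tokB2": "service-b", "/s/tokC3": "service-c"}
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2000:10:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 26',
    '198.51.100.7 - - [01/Jan/2000:10:00:01 +0000] "GET /s/tokA1 HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2000:10:05:00 +0000] "HEAD /s/tokB2?x=1 HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jan/2000:10:05:02 +0000] "GET /s/tokB2 HTTP/1.1" 200 12',
    '192.0.2.44 - - [01/Jan/2000:11:00:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for svc, e in sorted(analyse(SAMPLE_LOG, SAMPLE_CANARIES).items()):
        print(svc, e["hits"], sorted(e["clients"]), "read robots.txt first:", e["after_robots"])
```

Matching on client IP is a simplification: a crawler may fetch robots.txt and the link from different addresses, so correlate on user agent or network range as well when reviewing real logs.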
Marsel Nizamutdinov, chief research officer at High-Tech Bridge, said the four trapped social networks justify their activities by “automated verifications”.
However, he notes that it is technically impossible to verify what is really going on and how the information obtained on the user-transmitted URLs is being used.
“Today, quite a lot of web applications omit authentication and rely on temporary or unpredictable URLs to hide some content and, when users transfer such URLs via social networks, they cannot be sure that their information will indeed remain confidential,” he said.
Nizamutdinov concludes there is no way to keep a URL confidential while transferring it via social networks.