Many major social networking sites are leaking information that allows third-party advertising and tracking companies to associate the Web browsing habits of users with a specific person, researchers warn. That's the conclusion of a study on the leakage of personally identifiable information on social networks done at AT&T Labs and the Worcester Polytechnic Institute. The findings (PDF document), which appear to have received scant public attention so far, were presented by the study's two researchers at a conference in Barcelona more than a month ago.

Earlier this week, civil liberties group Electronic Frontier Foundation (EFF) referred to the study in a blog post. The research, by Craig Wills of Worcester Polytechnic and Balachander Krishnamurthy of AT&T, presents "some interesting technical details" on how social networking sites are leaking personal data, the EFF blog post said. "In some cases, the leakage may be unintentional, but in others, there is clever and surreptitious anti-privacy engineering at work," the EFF said. Wills told Computerworld that he and Krishnamurthy surveyed 12 of the biggest social networks for the study. They discovered that 11 of them were leaking personal identity information to third parties including data aggregators, which track and aggregate user viewing habits for targeted ad-serving purposes. The information allows aggregators to relatively easily scoop up personal data from a user's social network page and to track that user's movements across multiple Web sites across the Internet. What the study shows is that most users on social networking sites are vulnerable to having the identity information from their profiles associated with tracking cookies used by data aggregators, he said.

While aggregators have typically claimed that a person's movement on the Internet is tracked just as an anonymous IP address, the information from social networking sites allows them to attach a unique identity to each profile, Wills said. What is not known, however, is if data aggregators are actually recording any of the personal identity information being relayed to them from social media sites, Wills said. He said personal identity data or unique identifiers that point to a person's real identity are often relayed by social networking sites to third parties via so-called HTTP referrer headers. These HTTP headers basically identify to a Web page the URL of any resources that link to it. When a user's page is being loaded on such sites, third-party tracking and advertising services that have a relationship with the site get not only the data from their tracking cookies but also the data containing the user's unique identifier from the HTTP header, he said.

In the case of the social networks surveyed, all of the URLs being relayed via such HTTP headers included the user's unique identifier, he said. Also, five of the 12 social networks surveyed were leaking unique user identifiers via so-called Request-URIs, which identify pages or objects on a Web site. Another way in which identity data is leaked to third-party providers is when a social networking site contains objects from a server that appears to be part of the site, but in reality belongs to the third party. At least two of the social networks surveyed were relaying personal identity data to such hidden third-party servers, the report said. "We don't know what the specific practice of a third-party tracking site," when it comes to using the information, Wills said. "But this information is available to them. It is particularly worrisome because third party aggregators are creeping into a lot of sites that you and I visit." EFF staff technologist Peter Eckersley noted in the blog post that there appears to be no easy way for users of such sites to avoid being tracked in this fashion.

To mitigate the risk, users of social networking sites need to disable Flash cookies and ensure that all other cookies are deleted when the browser is closed, Eckersley wrote. Certain Firefox extensions are also available that allow users to control when third-party sites can include content or run code on their browsers, and plug-ins are available to help them opt out of targeted advertising cookies, he wrote. But the steps can be hard to follow and can limit browser functionality. "We're fearful that the vast majority of Internet users will continue to be tracked by dozens of companies - companies they've never heard of, companies they have no relationship with, companies they would never choose to trust with their most private thoughts and reading habits," he wrote.
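The three channels the study describes (the referrer header, the Request-URI, and a host that looks like part of the site but belongs to a third party) can be audited from a capture of the requests a profile page triggers. The following is an added example, not code from the study or the article; the domains, the identifier, the capture, and the use of a DNS CNAME to model the hidden third-party server are constructed assumptions.

```python
from urllib.parse import urlsplit, unquote

FIRST_PARTY = "social.example"   # assumed site domain (constructed)
USER_ID = "123456789"            # assumed profile identifier (constructed)

# Constructed capture: (request URL, Referer header, CNAME target or None).
# The CNAME column is an assumption used to model a "hidden" third-party server.
CAPTURE = [
    ("https://social.example/profile.php?id=123456789", "", None),
    ("https://ads.tracker.example/pixel.gif",
     "https://social.example/profile.php?id=123456789", None),
    ("https://cdn.tracker.example/tag.js?uid=123456789&page=home",
     "https://social.example/home", None),
    ("https://metrics.social.example/b.gif",
     "https://social.example/profile.php?id=123456789",
     "social.collector.example"),
    ("https://static.social.example/style.css",
     "https://social.example/profile.php?id=123456789", None),
    ("https://img.other.example/logo.png", "https://social.example/home", None),
]

def same_site(host, site):
    """True when host is the site itself or one of its subdomains."""
    return host == site or host.endswith("." + site)

def contains_id(text, user_id):
    """Look for the identifier after undoing percent-encoding."""
    return user_id in unquote(text)

def find_leaks(capture, site=FIRST_PARTY, user_id=USER_ID):
    """Return (receiving host, channels) for each request leaking the id."""
    leaks = []
    for url, referer, cname in capture:
        parts = urlsplit(url)
        receiver = cname or parts.hostname  # who really gets the request
        if same_site(receiver, site):
            continue  # the identifier stays with the first party
        channels = []
        if contains_id(referer, user_id):
            channels.append("referer")
        if contains_id(parts.path + "?" + parts.query, user_id):
            channels.append("request-uri")
        if channels and cname and same_site(parts.hostname, site):
            channels.append("hidden-third-party")
        if channels:
            leaks.append((receiver, channels))
    return leaks

if __name__ == "__main__":
    for receiver, channels in find_leaks(CAPTURE):
        print(receiver, channels)
```

A site can close the referrer channel for cross-site requests by sending a `Referrer-Policy: same-origin` response header; the other two channels depend on what the page itself embeds.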

The European Union is not the only one antsy about Oracle taking possession of the open source MySQL database should the commercial database giant's merger with Sun Microsystems get final approval. So are MySQL users. (The E.U.'s executive arm has held up approval of the merger, fearing that Oracle's acquisition of MySQL could reduce competition in the database market, as well as harm the open source nature of MySQL. Sun's stockholders and the U.S. Justice Department have approved Oracle's $7.4 billion acquisition of Sun.) Thus far, Oracle has said little about its intentions for MySQL and declined to discuss the issue with InfoWorld. On its Web site, Oracle merely notes that "MySQL will be an addition to Oracle's existing suite of database products." "I wish that Oracle would broadcast its intentions a little bit more" on the Sun acquisition, says Duane Kimble, a Linux technologist who works in the banking industry. "We've got a fair number of databases and Web applications that use those databases in MySQL. If Oracle does something that sort of makes it look like MySQL's days are numbered or something is going to change that we don't like, we'll probably look at alternatives," says Ernest Joynt, a contractor for the National Oceanic and Atmospheric Administration. Anand Babu Periasamy, CTO of clustered storage technology company Gluster, expresses doubts that Oracle would add enterprise capabilities to MySQL. "I hope that they will retain MySQL. [But] I am doubtful [that] they will ever improve MySQL to take it mid-enterprise level, but at least it will help them compete with Microsoft SQL Server on the low end," he says. (Gluster uses MySQL for its Web site operations.)

For him, Oracle's ownership of MySQL is a specific cause for caution. His firm has begun looking at other enterprise-scale open source databases such as EnterpriseDB's Postgres database in case it has to replace MySQL.

MySQL users start looking at alternatives

A key issue is that Oracle is a main competitor to MySQL, notes Timothy Dion, CTO of mobile and Web apps builder Sensei. "I'm very concerned about what that means," he says.

Standing to reap a harvest from unease about the Oracle-MySQL pairing are open source database vendors EnterpriseDB and Ingres. EnterpriseDB, which builds its products on the PostgreSQL open source database, has been hearing from concerned MySQL users, says Larry Alston, EnterpriseDB's vice president of product management and marketing. "They're telling us that they're nervous" about the future of MySQL, he says. Ingres also sees opportunities. "The phones ring a lot," says Ingres CEO Roger Burkhardt.

Doubts remain over the fate of other Sun technologies

Users remain concerned over the fate of other Sun technologies such as Java and Solaris, not just of MySQL. "We are rethinking our Solaris deployments," says Linux technologist Kimble. "We are moving swiftly toward more of an AIX and Linux environment, depending on the size or the scale of the project." Although Kimble notes it is "too early to say whether we'll move off [Solaris] or not," he does say his employer is rethinking its Solaris commitment: "Certainly, we're not going full-bore with Solaris as we were before the merger." Kimble does see a positive side to the Sun acquisition: "I think it kind of simplifies the platform offering somewhat. Oracle is a strong company and if they keep Sun Java, which I'm sure is what they bought [Sun] for, I think it will make Java a better product."

But Bryce Pier is not so sure. The senior systems engineer at Target sees no benefits of the buyout - at least not yet. "I'm not really certain that it's going to be good for anybody. Another large company buying another large company reduces competition," he says. Pier expects the acquisition to cause Target to move away from Solaris to Red Hat's Linux over time. One reason is the uncertainty: "We're just not sure what Oracle's commitment is going to be to the Java stack and to maintaining it as an open source project." Another is Oracle's reputation for extracting revenues from customers: "We certainly fear that all of the subscription fees are going to change for everything from Sun."

At its recent conference, Red Hat sought to reassure customers about the continued openness of Java-based JBoss technology, which Red Hat owns, now that Oracle is buying Java founder Sun. Oracle, said Craig Muzilla, Red Hat's vice president for middleware, was very active in the Java Community Process for updating Java and has strived for openness in Java. "We don't see anything from Oracle that [would indicate that] they would do anything" that would differ with the past, he said.

Oracle Corp. ended its silence Thursday on its post-merger plans for Sun Microsystems Inc.'s Unix systems in an advertisement aimed at Sun customers to keep them from leaving the Sparc and Solaris platforms. Ever since Oracle announced in April its plans to acquire Sun, its competitors - notably IBM and Hewlett-Packard Co. - have been relentlessly pursuing Sun's core customer base, its Sparc and Solaris users. Oracle's ad to "Sun customers" makes a number of promises that include spending more "than Sun does now" on developing Sparc and Solaris, as well as boosting service and support by having "more than twice as many hardware specialists than Sun does now." Analysts see Oracle's ad as a defensive move that doesn't answer some of the big questions ahead of the $7.4 billion merger with Sun. In fact, there may be a lot of room for skepticism and parsing of Oracle's claims, despite their apparent black and white assertions.

Oracle wanted the acquisition completed by now but the European Commission this month said it would delay its antitrust review because of "serious concerns" about its impact on the database market. Europe is allowing until mid-January to sort this out, which keeps the merger in limbo for another quarter. Among the top hardware makers, Sun registered the biggest decline in server revenue in the second quarter, offering evidence that this protracted merger may be eroding Sun's value. "I think someone at Oracle suddenly realized that Sun was bleeding so badly that what would be left when Oracle finally got control would be worth a small fraction of what they paid and no one would buy the hardware unit," Rob Enderle, an independent analyst, said in an e-mail.

Analysts point out that Oracle's plans to spend more "than Sun does now" may be a little hollow because Sun's spending on developing Sparc and Solaris is probably at a low. "The ad sounds convincing - but perhaps being a word nitpicker, the 'Sun does now' might not mean much if Sun has drastically cut back due to plummeting sales," Rich Partridge, an analyst at Ideas International Ltd., said in an e-mail.

Taken at face value, the ad seems to indicate that Oracle will keep Sun's hardware and microprocessor capability and not spin it off, as some analysts believe possible. But Enderle said the ad's claims do not preclude Oracle from selling its hardware division, and says the company "will have to support the unit for a short time after taking control; during that short time they can easily outspend Sun's nearly non-existent budgets." Gordon Haff, an analyst at Illuminata Inc., said if it was Oracle's plan to start on day one of the merger to shop the Sparc processor around, "would they have put this ad out? Probably not," he said. "Does it preclude Oracle from changing their mind? No. Companies change their mind all the time."

An erosion of Sun's customer base also hurts Oracle, because a lot of Sun customers are also Oracle customers, and Oracle doesn't want its existing customers to go to IBM and move away from Oracle's platform, Haff said. Indeed, Oracle's major competitive concern was indicated in the ad in a quote by Oracle CEO Larry Ellison: "IBM, we're looking forward to competing with you in the hardware business."

A group of Linux proponents will purchase patents formerly held by Microsoft in an effort to defend distributors of the open-source OS against the ongoing threat of patent litigation from the software giant.

The Open Invention Network (OIN), whose members include IBM and Red Hat, is set to purchase a set of 22 patents once held by Microsoft from Allied Security Trust (AST), sources close to the OIN confirmed Tuesday following a report in The Wall Street Journal. According to the newspaper, the patents are said to pertain to technologies found in Linux.

AST was founded by a group of technology companies to purchase patents to protect interested parties from patent litigation. Its members include Hewlett-Packard, IBM and Verizon. The Journal said that AST acquired the patents in a private auction held by Microsoft.

OIN is expected to release a statement and more details about the purchase Tuesday afternoon, a spokesman from its public relations firm said.

Microsoft has a storied rivalry with Linux and has been quietly striking deals with companies that distribute Linux or components of it to license technology in the OS for which Microsoft claims to hold patents. Microsoft executives have said that Linux violates more than 235 patents the company holds, a claim open-source proponents have refuted.

Microsoft usually strikes patent deals with companies before bringing cases to court, but a case earlier this year against GPS navigation device vendor TomTom, which uses Linux in its devices, was a notable exception.

TomTom eventually agreed to pay Microsoft to settle the case, which Microsoft insisted was a mere patent disagreement rather than an attack against Linux.

Not all Linux and open-source proponents felt the same way about it, however, though most open-source companies - which are much smaller players than Microsoft - would rather pay the proprietary software company to protect themselves against litigation than try to fight its deep pockets in court.

"With the current patent system in place, it is to be expected that various parties with competing interests will continue to acquire patents and patent portfolios for defensive purposes, if nothing else," said Stephen O'Grady, an analyst with Red Monk.

O'Grady said that until more is known about what is covered in the patents OIN is purchasing, it's "impossible to assess the implications" of Tuesday's move. However, if the group is going through the trouble to acquire them, "presumably they at least believe they will be useful to Linux, either offensively or defensively," he said.