Websites often don’t disclose who can have your data

Analyses suggest most data actually get shared widely with unnamed partners

860_main_website_policies.png

The idea that people can learn who tracks where they go on the internet just by reading a website’s privacy policies “is pure fiction,” reports the author of a new data-privacy study.

oatawa/iStockphoto

People often feel anonymous on the internet. They believe their browsing behaviors and what they buy or write can be a private as they want. In fact, that’s far from true, a new study finds.

Websites usually offer a statement that describes what they may or may not do with data about a user’s activities. You might be tempted to read through that entire document. But be prepared for disappointment. These documents tend to list only a small share of the sites allowed access to your data.

This new discovery suggests it may be all but impossible for website users to make informed judgments about how private their online activities are.

The new research probed disclosures on data-sharing by more than 200,000 websites. These included, for instance, the Arkansas state government homepage and the Country Music Association site. The study focused on how these sites shared data with so-called third parties. Such recipients of your data could be advertisers or companies that make money selling personal data (such as buying behaviors). The study also examined how those sites had described their policy for protecting the privacy of a user’s data.

Timothy Libert works in England at the University of Oxford. There, he studies data privacy. For this analysis, he used a software tool called webXray. It traced data shared by each of those websites with third-party data collectors. In all, it tracked 1.8 million sharings of data. Only 14.8 percent of those data shares went to third parties that were named in the sites’ privacy policies. The rest of the data went to unnamed third parties.

Data transfers to widely familiar third parties — Google, Facebook and Twitter, for instance — were more likely to be disclosed than transfers to obscure entities. Take Google. Libert found that 38.3 percent of data transmissions sent to it had been disclosed. In contrast, the disclosure rate for data shared with data-broker Acxiom was only around 0.3 percent.

Story continues below graph.

042518_MT_website-privacy-policy_inline_730.png
Information on tracked data transfers between a few of the more than 200,000 tracked websites and third-party data collectors are depicted here. They show that the websites rarely disclose in their privacy policies exactly where they are sending your data. The data collector most likely to be disclosed was Google. Fifteen data collectors tracked in the study didn’t even disclose where 1 percent of your data might be shared.
Graph source: T. Libert; T. Tibbetts

Even if a website listed all of the third parties it shared your data with, users still might never learn how widely their data had been shared. The reason? Third parties that receive user data from websites can themselves later share those data again. Think of your data now moving on to anonymous fourth and fifth parties. Getting online is “sort of like tossing confetti in the air,” Libert concludes. “There’s no way to know where your data ends up.”

Web world evolving ever faster

Data sharing between websites and third parties change so rapidly that it’s almost impossible even for the people who craft a site’s privacy policies to keep up. That’s the assessment of Christo Wilson. He’s a computer scientist at Northeastern University in Boston, Mass., who was not involved in the new work. “The only true disclosure,” he says, “is, ‘We sell your data, and we don’t know where it goes.’”

People still inclined to read privacy policies will have to set aside a lot of time. Reading a website’s privacy statement (along with the policies of its known third-party data collectors) takes nearly 90 minutes, on average, Libert found. “The idea that users can keep track of this, read policies and make decisions is pure fiction,” he concludes.

Internet users can try to keep their data out of advertisers’ hands, says Wilson. Programs offering “hardcore ad-blocking” do exist, he notes. But such software may not ward off all advertisers, he adds. “It just gets more and more clear that we need things like GDPR.” Those initials refer to a new European law known as the General Data Protection Regulation. Beginning this month, it sets rules that restrict how tech companies can collect and use personal data.

Libert says the United States needs an agency to oversee the rapidly evolving data-sharing environment. He likens this to how the U.S. Food and Drug Administration monitors prescription-drug makers. “I can buy medicine at the store and not have to sit down with a chemistry textbook and look up every compound and see its effects,” he says. “Somebody at the FDA does that.”

Libert shared what he just learned at the 2018 World Wide Web Conference on April 25 in Lyon, France. That’s where he described these challenges to data-privacy on the internet.

Maria Temming is the Assistant Managing Editor at Science News Explores. She has bachelor's degrees in physics and English, and a master's in science writing.