Privacy policies don’t reveal much about how websites share a user’s data.
People often feel anonymous on the internet. They believe their browsing behaviors and what they buy or write can be a private as they want. In fact, that’s far from true, a new study finds.
Websites usually offer a statement that describes what they may or may not do with data about a user’s activities. You might be tempted to read through that entire document. But be prepared for disappointment. These documents tend to list only a small share of the sites allowed access to your data.
This new discovery suggests it may be all but impossible for website users to make informed judgments about how private their online activities are.
The new research probed disclosures on data-sharing by more than 200,000 websites. These included, for instance, the Arkansas state government homepage and the Country Music Association site. The study focused on how these sites shared data with so-called third parties. Such recipients of your data could be advertisers or companies that make money selling personal data (such as buying behaviors). The study also examined how those sites had described their policy for protecting the privacy of a user’s data.
Timothy Libert works in England at the University of Oxford. There, he studies data privacy. For this analysis, he used a software tool called webXray. It traced data shared by each of those websites with third-party data collectors. In all, it tracked 1.8 million sharings of data. Only 14.8 percent of those data shares went to third parties that were named in the sites’ privacy policies. The rest of the data went to unnamed third parties.
Data transfers to widely familiar third parties — Google, Facebook and Twitter, for instance — were more likely to be disclosed than transfers to obscure entities. Take Google. Libert found that 38.3 percent of data transmissions sent to it had been disclosed. In contrast, the disclosure rate for data shared with data-broker Acxiom was only around 0.3 percent.
Information on tracked data transfers between a few of the more than 200,000 tracked websites and third-party data collectors are depicted here. They show that the websites rarely disclose in their privacy policies exactly where they are sending your data. The data collector most likely to be disclosed was Google. Fifteen data collectors tracked in the study didn’t even disclose where 1 percent of your data might be shared. Graph source: T. Libert; T. Tibbetts
Even if a website listed all of the third parties it shared your data with, users still might never learn how widely their data had been shared. The reason? Third parties that receive user data from websites can themselves later share those data again. Think of your data now moving on to anonymous fourth and fifth parties. Getting online is “sort of like tossing confetti in the air,” Libert concludes. “There’s no way to know where your data ends up.”
