The research, presented April 25 at the Web Conference in Lyon, France, investigated the data-sharing disclosures of more than 200,000 websites — the Arkansas state government homepage, for instance, and the Country Music Association site. In specific, it looked at how these sites shared data with third parties, such as advertisers and data brokers, as well as how those sites described their privacy policies.
For this analysis, privacy researcher Timothy Libert used a software tool called webXray to trace data transmissions from each website to third-party data collectors. Of 1.8 million data transmissions tracked, only 14.8 percent were sent to third parties specifically mentioned in those sites’ privacy policies. The rest of the data went to third parties that users wouldn’t know about even if they read the sites’ policy statements.
Libert also found that data transfers to widely familiar third parties, like Google, Facebook and Twitter, were more likely to be disclosed than transfers to obscure entities. For instance, while 38.3 percent of data transmissions sent to Google were disclosed, the disclosure rate for the data broker Acxiom was about 0.3 percent.
Even if website privacy policies listed all the third parties they shared data with, users still may not know exactly how their information gets spread around, says Libert, of the University of Oxford. That’s because third parties that receive user information from websites can then share that data with other entities. Getting online is “sort of like tossing confetti in the air,” Libert says. “There’s no way to know where your data ends up.”
Those still inclined to read privacy policies may want to set aside some time; it takes nearly 90 minutes on average to read a website’s privacy statement along with the policies of its known third-party data collectors, Libert found. “The idea that users can keep track of this, read policies, and make decisions is pure fiction,” he says.
Internet users can try to keep their data out of advertisers’ hands “with things like hardcore ad-blocking,” says Wilson. But ad-blocking software may not ward off all advertisers, he adds. “It just gets more and more clear that we need things like GDPR,” or General Data Protection Regulation. This new set of rules that restricts how tech companies can collect and use personal data takes effect across the European Union in May (SN Online: 4/15/18).
Libert says the United States needs an agency to oversee the data-sharing ecosystem, similar to how the U.S. Food and Drug Administration monitors pharmaceutical industry activity. “I can buy medicine at the store and not have to sit down with a chemistry textbook and look up every compound and see its effects — somebody at the FDA does that,” he says.