• by Wendy Davis  @wendyndavis, June 4, 2009

Web "bugs" reside everywhere, privacy policies mislead users, and most people have no way of knowing which companies are tracking them. That's according to a new report by the UC Berkeley School of Information.

For the paper, researchers examined tracking practices and privacy policies at the 50 top Web sites. The authors found that most of those sites collected data about users, but offered only the haziest of disclosures.

"Most contained unclear statements (or lacked any statement) about data retention, purchase of data about users from other sources, or the fate of user data in the event of a company merger or bankruptcy," the report states. "Sharing of information presents particular problems. While most policies stated that information would not be shared with third parties, many of these sites allowed third-party tracking through web bugs." (The report defined "bugs" as small graphics embedded in Web pages' HTML code.)

An FTC report on behavioral targeting issued in February said that companies who track users anonymously and send them targeted ads should, at a minimum, notify people and allow them to opt out. Many companies say they already do so, but the Berkeley report calls into question whether the current notifications are adequate.

This report couldn't come at a worse time for the online ad industry, given that policymakers already appear exasperated by privacy practices. Rep. Rick Boucher (D.-Va.) is expected to introduce new legislation next week that could require that users affirmatively consent to online ad targeting. In addition, Federal Trade Commission chair Jon Leibowitz has expressed a preference for opt-in consent. And Jessica Rich, an attorney with the Federal Trade Commission, said Wednesday at a conference in Washington, D.C. that the agency might consider a proposal for a national do-not-track list.

The authors found that 46 of the top 50 sites say in their privacy policies that they share data with affiliates, but the extent of disclosure ended there. Researchers contacted the sites to ask for a list of those affiliates, but were not able obtain such a list from anyone. "Based on our experience," the report states, "it appears that users have no practical way of knowing with whom their data will be shared."

Thirty-six of the Web sites examined acknowledged in their privacy policies that visitors to their sites are tracked by third companies, but those sites' privacy policies state they don't apply to those outside parties. "This appears to be a critical loophole in privacy protection," states the report.

Industry observers have long criticized privacy policies as too dense for many people to decipher. But in some ways, the study shows that the problem isn't just that the written policies that are complex, but that the data collection practices themselves are extremely complicated. "The report illustrates how incredibly jumbled, interlocked and chaotic the online advertising and data system is," says Jules Polonetsky, director of the think tank Future of Privacy Forum. That group recently said it would try to tackle at least a portion of the problem by asking ad agency WPP to come up with some new ways of notifying users about behavioral targeting.

The Berkeley paper also specifically mentioned Google, saying that with five trackers -- Analytics, DoubleClick, AdSense, FriendConnect and Widgets -- the company "is the dominant player in the tracking market." The researchers say that Google Analytics alone appeared on 81 of the top 100 Web sites.