Web "bugs" reside
everywhere, privacy policies mislead users, and most people have no way of knowing which companies are tracking them. That's according to a new report by the UC Berkeley School of Information.
For the paper, researchers examined tracking practices and privacy policies at the 50 top Web sites. The authors found that most of those sites collected data about users, but offered
only the haziest of disclosures.
"Most contained unclear statements (or lacked any statement) about data retention, purchase of data about users from other sources, or the fate of user data in
the event of a company merger or bankruptcy," the report states. "Sharing of information presents particular problems. While most policies stated that information would not be shared with third
parties, many of these sites allowed third-party tracking through web bugs." (The report defined "bugs" as small graphics embedded in Web pages' HTML code.)
An FTC report on behavioral targeting
issued in February said that companies who track users anonymously and send them targeted ads should, at a minimum, notify people and allow them to opt out. Many companies say they already do so, but
the Berkeley report calls into question whether the current notifications are adequate.
This report couldn't come at a worse time for the online ad industry, given that policymakers already
appear exasperated by privacy practices. Rep. Rick Boucher (D.-Va.) is expected to introduce new legislation next week that could require that users affirmatively consent to online ad targeting. In
addition, Federal Trade Commission chair Jon Leibowitz has expressed a preference for opt-in consent. And Jessica Rich, an attorney with the Federal Trade Commission, said Wednesday at a conference in
Washington, D.C. that the agency might consider a proposal for a national do-not-track list.
The authors found that 46 of the top 50 sites say in their privacy policies that they share data with
affiliates, but the extent of disclosure ended there. Researchers contacted the sites to ask for a list of those affiliates, but were not able obtain such a list from anyone. "Based on our
experience," the report states, "it appears that users have no practical way of knowing with whom their data will be shared."
Thirty-six of the Web sites examined acknowledged in their privacy
policies that visitors to their sites are tracked by third companies, but those sites' privacy policies state they don't apply to those outside parties. "This appears to be a critical loophole in
privacy protection," states the report.
Industry observers have long criticized privacy policies as too dense for many people to decipher. But in some ways, the study shows that the problem isn't
just that the written policies that are complex, but that the data collection practices themselves are extremely complicated. "The report illustrates how incredibly jumbled, interlocked and chaotic
the online advertising and data system is," says Jules Polonetsky, director of the think tank Future of Privacy Forum. That group recently said it would try to tackle at least a portion of the problem
by asking ad agency WPP to come up with some new ways of notifying users about behavioral targeting.
The Berkeley paper also specifically mentioned Google, saying that with five trackers --
Analytics, DoubleClick, AdSense, FriendConnect and Widgets -- the company "is the dominant player in the tracking market." The researchers say that Google Analytics alone appeared on 81 of the top 100
Web sites.