Press Release

Web privacy report finds widespread data sharing, 'Web bugs'

| 02 June 2009

Researchers at the University of California, Berkeley's School of Information released a report late Monday (June 1) showing that the most popular Web sites in the United States all share data with their corporate affiliates and allow third parties to collect information directly by using tracking beacons known as "Web bugs" - despite the sites' claims that they don't share user data with third parties.

Chart of user complaints about web privacy, showing user control and public display to be the top concernsResearchers Joshua Gomez, Travis Pinnick and Ashkan Soltani spent a year analyzing the data collection and data sharing practices of the 50 most visited Web sites. They were advised by Brian W. Carver, an assistant professor at the Information School. In their report just posted on a new Web site called "Know Privacy," the researchers call for significant changes in Internet privacy policies.

First, they recommend that Web site operators and third-party trackers tell users all of the information that has been collected about them and with whom they have shared it. Second, they recommend that users be allowed to choose whether or not Web sites can share information about them with corporate affiliates.

Additionally, the researchers want Web site privacy policies to be more readable, contradictory Web site statements about third-party sharing eliminated and links set up from Web site privacy policies to the online complaint form for the U.S. Federal Trade Commission (FTC).

A key focus of the School of Information report is the use of Web bugs. Web analytics companies and advertising servers use Web bugs to track users for improved marketing or behavioral profiling. A Web bug is typically a small graphic embedded in a Web page, usually in the form of a 1-by-1 pixel image that is invisible to the naked eye.

Privacy researchersPrivacy researchers (L to R) Joshua Gomez, Travis Pinnick and Ashkan Soltani
It turns out that a handful of tracking companies operating Web bugs have an incredible breadth of coverage, the researchers said. For example, five tracking companies were represented on more than half of the top 100 Web sites examined in the study, while Web bugs from Google and its subsidiaries were found on 92 of the top 100 Web sites and 88 percent of the approximately 400,000 unique domains examined in the study.

"Web bugs are ubiquitous," said Soltani.

During the month of March 2009, the researchers found at least one Web bug on each of the top 50 Web sites, while most sites had several Web bugs and some had as many as 100.

Although Internet data-sharing practices are widespread, the problem has yet to generate investigations by government organizations such as the FTC, which continues to rely on industry self-regulation to protect consumer privacy. Gomez said that is also because the commission has framed online privacy issues in terms of harm, rather than because of consumers' lack of control over personal information.

An assessment by the researchers of users' expectations of privacy online showed that they want control over the collection and use of their personal information, and that Web bugs are virtually invisible to consumers and difficult to block. Analysis and comparison of user complaint data from the FTC and privacy watchdog organizations such as the Privacy Rights Clearinghouse, the California Office of Privacy Protection and TRUSTe indicated that 40 percent of users are mostly concerned with a lack of control over data collection and the public display of personal information.

"Third-party tracking and affiliate-sharing are clearly at odds with user expectations," Pinnick said.

Graph of privacy policy contents for 50 most visited sitesThe researchers found that all of the top 50 Web sites do state on those sites that they may share collected data with affiliates. But, they said most statements are unclear about - or lack any information about - data retention, the purchase of data about users from other sources, or the fate of user data in the event of company acquisition or bankruptcy.

They said Web sites don't identify the affiliates that they might share information with and added that they got no useful responses when they asked representatives of the Web sites for a list of those companies. The researchers' own examination of the publicly-traded companies operating popular Web sites revealed that the Web sites had an average of 297 subsidiaries and a median of 93.

The researchers' full report and additional information is online at: http://www.knowprivacy.org.