Very interesting research report at KnowPrivacy.org on the current state of web privacy, data collection, and information sharing. The project was to compare users' expectations of privacy online and the data collection practices of web sites, identify specific practices that may be harmful or deceptive and attract the attention of government regulators, and to produce recommendations for policymakers.
The key takeaways for me were:
- Users are concerned about data collection online (duh!), want greater control over their personal information, yet lack the awareness or initiative to do anything about it. (I found it interesting that the report seemed to focus on personally-identifiable information (PII) and not distinguish that from non-PII.)
- Web bugs/beacons are ubiquitous. All of the top 50 websites contained at least one web bug at some point in a one month time period. Some had as many as 100.
- Google is the dominant player in the tracking market; it operates the top three trackers and four of the top 10. Among the top 100 websites this project focused on, Google Analytics appeared on 81 of them. When combined with the other trackers it operates (AdSense, DoubleClick, FriendConnect, etc.), Google was on 92 of the top 100 websites and 348,059 of 393,829 distinct domains reviewed -- that's 88.4% reach across the Web!!
- Most of the top 50 websites collect information about users and use it for customized advertising.
Other data points and comments I noted:
- The number of user complaints made to the various organizations is extremely low relative to the number of Internet users. The FTC had only 6,713 for five years (in the General Privacy category), the PRC had 2,202 for the same period and the COPP had 1,152. TRUSTe had 7,041 that it categorized as privacy related. The largest numbers of complaints at all four of the institutions we received data from were concerned with public displays of personally-identifiable information.
- Only 23 of the top 50 affirmatively stated that users could have access to some portion of the information the website had collected about them. The remaining 27 policies lacked mention of access or their statements about access were unclear. None of them explicitly offered users the ability to view or delete click stream data.
- Only 27 of the top 100 Web sites provided a P3P policy, and only a subset of those were valid according to the P3P standard.
The final recommendations as a result of the research?
- That both websites and third-party trackers be required by regulation to let users see all the data that has been collected about them, not just user-provided information, and also with whom their data has been shared.
- That companies request permission from users before sharing data about them with any outside party, regardless of affiliation.
- That privacy policies be readable by average users.
- That users be given clear and proper notice as to whom the data will be passed, regardless of affiliation or method of sharing.
- That the practice of third-party tracking be made more transparent.
- That the FTC create an opt-in standard for enhancement -- the practice of buying information about users from outside sources.
- That all browser developers provide a Ghostery-like function in their browsers that alerts users to the presence of third-party trackers.
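To make the "web bug" finding and the Ghostery-like recommendation concrete, here is an added example (my own illustration, not code from the KnowPrivacy report or from Ghostery) of the minimal check such a browser function performs: parse a page's HTML, collect every script, image and iframe it loads, and flag resources served from a domain other than the page's own, plus any 1x1 image, the classic beacon shape. The sample page, the hosts in it, and the `find_trackers`/`third_party_hosts` helpers are all constructed for this example; the domain comparison uses the last two DNS labels, which is a simplification (a real tool would consult the Public Suffix List).

```python
"""Ghostery-style third-party tracker and web-bug detection over static HTML.

Added example, not code from the KnowPrivacy report or any browser extension.
The sample page and every host in it are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ResourceCollector(HTMLParser):
    """Gather (tag, url, width, height) for tags that load remote resources."""
    LOADING = {"img": "src", "script": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        key = self.LOADING.get(tag)
        if key and attr.get(key):
            self.resources.append({
                "tag": tag,
                "url": attr[key],
                "width": attr.get("width"),
                "height": attr.get("height"),
            })


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Assumption: fine for .com/.net/.org
    sample hosts; a real tool would use the Public Suffix List."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_trackers(html, page_url):
    """Return resources that are third-party, 1x1 web bugs, or both.

    Third-party: the resource's registrable domain differs from the page's.
    Web bug: any <img> declared 1x1, whether first- or third-party.
    """
    parser = ResourceCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    first_party = registrable_domain(page_host)
    findings = []
    for r in parser.resources:
        host = urlparse(r["url"]).hostname
        if host is None:  # relative URL: served by the page's own host
            host = page_host
        third_party = registrable_domain(host) != first_party
        web_bug = r["tag"] == "img" and r["width"] == "1" and r["height"] == "1"
        if third_party or web_bug:
            findings.append({
                "tag": r["tag"],
                "host": host,
                "third_party": third_party,
                "web_bug": web_bug,
            })
    return findings


# Constructed sample page: one first-party script, one third-party analytics
# script, one 1x1 third-party beacon, one ordinary first-party image, and one
# third-party iframe widget. None of these hosts are real trackers.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://analytics.example-tracker.net/ga.js"></script>
</head><body>
<img src="https://beacon.example-ads.com/pixel.gif" width="1" height="1">
<img src="https://cdn.example-news.com/logo.png" width="200" height="50">
<iframe src="https://widgets.example-social.org/like"></iframe>
</body></html>
"""
SAMPLE_PAGE_URL = "https://www.example-news.com/"


def third_party_hosts(html=SAMPLE_HTML, page_url=SAMPLE_PAGE_URL):
    """Distinct third-party hosts, sorted: what a browser alert would list."""
    return sorted({f["host"] for f in find_trackers(html, page_url)
                   if f["third_party"]})


def web_bug_count(html=SAMPLE_HTML, page_url=SAMPLE_PAGE_URL):
    """Number of 1x1 images on the page."""
    return sum(1 for f in find_trackers(html, page_url) if f["web_bug"])


if __name__ == "__main__":
    for f in find_trackers(SAMPLE_HTML, SAMPLE_PAGE_URL):
        flags = [k for k in ("third_party", "web_bug") if f[k]]
        print(f"{f['tag']:<6} {f['host']:<32} {', '.join(flags)}")
```

Run on the constructed page it lists three third-party hosts and one web bug; the first-party CDN image and the relative script are correctly ignored. The point worth noticing is how little the detection itself costs: the hard part of a Ghostery-like feature is not finding third-party loads (every page has many) but maintaining the list that separates a CDN from a tracker, which is exactly why the report asks that tracking be made transparent rather than leaving users to infer it from hostnames.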