Beware of Privacy-Policy Loopholes

"We won't share your information with third parties." You've no doubt seen that common phrase in Web site privacy policies many times. You might think that the site in question won't divulge details about your visit to other companies or organizations. But according to a study by privacy researchers at the University of California, Berkeley, sites have a huge amount of wiggle room with that promise.

The in-depth study dug into the privacy policies and tracking practices of the 50 most visited Web sites as listed by Quantcast. The researchers discovered that loopholes such as affiliate sharing and tracking code allowed for much more data sharing than you might expect.

Sites often reserve the right to share your data with affiliates, including entities owned by the same parent, or even outside contractors. But you probably don't know how many affiliates a site has. According to the researchers, News Corporation, the parent of MySpace and Photobucket, has 1578 affiliates; CBS (parent of Download.com) has 637 affiliates. Likewise, a site may not actively share data with an unrelated company, but it might let that company place a "Web bug" image or code on a site that can effectively track you.

Many sites do try to protect data such as e-mail addresses and personal information, and some restrict the data that Web bugs can collect. For example, the report's authors were careful to note that Google does not automatically aggregate the data that its many Google Analytics trackers gather, though it does offer incentives to share that info.

All of that aside, the fundamental issue is that many users don't want digital bloodhounds sniffing their tracks, even if those tracks are tied only to an IP address or some other numerical code. Right now, users have little say in what information is collected and what it can be used for.

While there's no one simple solution, you can take some steps with browser settings and add-ons to help retain your privacy--steps that don't require deleting all your cookies after every browsing session, which effectively throws the baby out with the bathwater by removing the cookies you may want (say, those that remember passwords or form data).

Internet Explorer 8's InPrivate Filtering monitors content from third parties that frequently appears on other sites (something that often, but not always, signals a tracker) and either blocks such content by default or allows you to select it for blocking. Click on Safety, InPrivate Filtering to enable it. You'll need to enable InPrivate Filtering each time you start the browser.
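The frequency heuristic described above can be sketched in a few lines. This is an added example, not Microsoft's implementation or code from the study; the threshold values, the two-label site approximation, and every hostname in the sample are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def site_of(url):
    """Approximate the registrable domain as the last two host labels.
    Simplification (assumption): a real tool would use the Public Suffix List."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def frequent_third_parties(observations, threshold):
    """Map each third-party site to the first-party sites it was seen on,
    keeping only those seen on at least `threshold` distinct sites."""
    seen_on = defaultdict(set)
    for page_url, resource_url in observations:
        first, third = site_of(page_url), site_of(resource_url)
        if third and third != first:  # subdomains of the page's own site are first-party
            seen_on[third].add(first)
    return {tp: sorted(s) for tp, s in seen_on.items() if len(s) >= threshold}

# Constructed sample: (page visited, resource that page loaded).
OBSERVATIONS = [
    ("https://news.example/story", "https://static.news.example/site.css"),
    ("https://news.example/story", "https://metrics.tracker.test/bug.gif"),
    ("https://news.example/story", "https://cdn.widgets.test/button.js"),
    ("https://shop.example/cart", "https://metrics.tracker.test/bug.gif"),
    ("https://shop.example/cart", "https://cdn.widgets.test/button.js"),
    ("https://blog.example/post", "https://pixel.tracker.test/t.js"),
    ("https://blog.example/post", "https://blog.example/logo.png"),
]

if __name__ == "__main__":
    # A strict threshold flags only the host present on all three sites.
    print(frequent_third_parties(OBSERVATIONS, threshold=3))
    # A looser threshold also flags the shared widget host: frequent
    # third-party content is a signal of tracking, not proof of it.
    print(frequent_third_parties(OBSERVATIONS, threshold=2))
```
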

Firefox users can try a wide array of privacy-protecting add-ons. BetterPrivacy gets rid of Flash cookies, which some advertisers use and which normally can't be deleted. TACO creates behavioral-advertising opt-out cookies (the good kind) that will stick around even if you get rid of your other cookies. CookieSafe allows for fine-grained management of all cookies.

The excellent Ghostery add-on alerts you to hidden trackers but doesn't stop them. To block common JavaScript trackers, you can use NoScript. Keep in mind that while the other add-ons mentioned above won't significantly change your browsing habits, NoScript will, as it prevents many sites from working properly until you manually approve them.

One option is to set NoScript to allow all JavaScript, and then, when Ghostery reports a tracker, right-click on the NoScript icon to set the tracker source (which Ghostery also reports) as untrusted. Allowing all JavaScript nullifies NoScript's protection against potential JavaScript attacks from unknown sites, but it means far less hassle in your day-to-day browsing. You can also go to the advanced options for untrusted sites and click a check box to forbid Web bugs.

To pick up any of these add-ons, see my "Privacy Add-Ons" collection. And for more, see the Mozilla site's huge selection of privacy and security add-ons for Firefox.
