Web Privacy Census

Popular Web sites are far more aggressive in their consumer-tracking practices than most people suspect, according to the first report of UC Berkeley Law School's Web Privacy Census, and consumers are trapped in an escalating privacy crisis with limited control over their personal information.

The main goal of the census is to "define and quantify vectors for tracking consumers on the Internet," in essence to create a critically needed evaluation component to measure the ever-changing and often-evasive methods companies use to track visitors.

Not surprisingly, the quarterly report released yesterday saw that all of the top 100 sites use cookies to track users and visitors, though overall cookie use appeared to be on the decline.

What it found instead is that Web sites are increasing their use of HTML5 local storage -- objects like tracking software placed on a user's computer -- and that the use of this tracking method has doubled in the past year.

To conduct the census, Nathan Good, chief scientist of Good Research, and Chris Jay Hoofnagle, director of information privacy programs at the Berkeley Center for Law and Technology, worked with privacy company Abine to collect data from the top 100, 1,000, and 25,000 most popular Web sites.

The technical collaborator for the census, Abine is a consumer-level privacy company with a suite of tools and products that help individuals take control of their online data privacy. Its specialty is understanding and monitoring how people are tracked online. But Abine is also a company that regularly takes data-mining companies to task when they abuse people's privacy rights, distributes anti-tracking tools (such as browser plug-ins), and prides itself on privacy activism.

Sarah Downey, a lawyer and privacy analyst for Abine, told me:

The Web Privacy Census shows that tracking is not just on sketchy websites you've never heard of. It's on ALL of the most popular Web sites in one form or another, sites that consumers know and trust. In fact, there's an alarming increase in the volume of tracking on the most popular Web sites.

According to the Web Privacy Census:

Google had cookies on 105 of the top 1,000 sites; the company's ad tracking network, doubleclick.net, had cookies on 685. Combined, we detected that Google has a presence on 712 of the top 1,000 websites. Only 285 lacked some type of Google cookie.

Also in the top trackers were BlueKai (often the top tracker, whose clients include six of the Fortune 20 companies), Quantserve (Quantcast, with its stormy privacy track record), ScoreCardResearch (ComScore), and Adnxs (a seeming vector for malware).

Downey explains:

The harms of online tracking are real and growing. This isn't about targeted advertising, like the ad industry wants everyone to believe. This is about the collection and use of your personal information in ways you can't even imagine. Some of the real, demonstrated harms include price discrimination (the WSJ just covered how Orbitz targets Mac users with more expensive hotels), lowered credit scores and limits, denial of insurance coverage/more expensive coverage, lost job opportunities, identity theft, filter bubbles, censorship of speech and association due to fear of later repercussions, and erosion of the 4th Amendment right to privacy (particularly society's collective understanding of when an expectation of privacy is "reasonable" in the face of all this tracking).

Establishing benchmarks for evaluating online tracking is going to be crucial as lawmakers and policymakers begin to take steps to address internet privacy. The timing of the Web Privacy Census report is, in fact, just before the first open meeting to begin implementation of President Obama's Privacy Bill of Rights.

Abine is working on further analysis of the Web Privacy Census, and Downey promises it will include "data that will name names."