What are websites doing with your personal information?

You have likely noticed that the banner ads and other forms of advertisements on many of the webpages you visit appear to “coincidentally” be for many of the same items that you have recently searched for online. In some cases, you may also see online ads for direct competitors of previously visited websites, offering many of the same or similar products that you have looked at on other sites. It should not be surprising that the owners of many websites, as well as many third-party advertisers, use a variety of tracking technologies to gather information on you, the types of websites that you visit, and the products and services viewed. While many users find this targeted advertising interesting and useful, and even possibly necessary in order to support free websites and online services, many others consider the gathering of such personal information a gross violation of personal privacy.

Some of the more common methods of compiling and distributing this personal information and shopping preferences are the placement of “tracking cookies” on the user’s device; Web bugs or Web beacons (small graphic files which transmit information when opened, often 1 pixel in size); and the dissemination (sale) of personal information entered on a website. Cookies are small, alphanumeric, text-based pieces of data that are, by default, placed on the hard drive or other storage of the device being used to view a website. Some types of cookies are benign and necessary to compile shopping carts, store passwords and other login information, and save other information that can speed the Web process; other types of cookies may not be so desirable. The most common type of unwanted cookie is known as a “tracking cookie.” Tracking cookies are placed on the hard drive or other storage medium just as other cookies are, but they can also be read by third parties as a method of gathering information about the user, mostly for targeted marketing purposes. Many companies have a lucrative and highly profitable business selling access to the tracking cookies that have previously been placed in storage, most often when the user simply visited a webpage. Almost all browsers give users the option to control what cookies can be saved and accessed, but the default is to accept all cookies. Tracking cookies that are currently saved in the device storage can often be easily and quickly removed by most of the reputable (and often free) security scanners, such as Malwarebytes (malwarebytes.org) and SuperAntiSpyware (superantispyware.com).
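To make the distinction concrete, here is an added example (not part of the original article) that audits a record of one page load and flags cookies set by other sites and 1-pixel images fetched from them. The request records, hostnames and the helper names `siteOf`, `parseSetCookie` and `auditPageLoad` are all constructed for illustration, and the two-label site comparison is a simplifying assumption.

```javascript
// Added example: audit one page load for third-party cookies and web beacons.
// Every hostname and request record here is constructed sample data.

// Naive "site" = last two DNS labels. Assumption for brevity: real tools use
// the Public Suffix List (e.g. shop.example.co.uk needs three labels).
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Pull the cookie name and whether it carries Expires or a positive Max-Age,
// i.e. whether it is meant to persist beyond the browser session.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const persistent = attrs.some((a) => {
    const [key, value = ''] = a.split('=');
    if (key.toLowerCase() === 'expires') return true;
    return key.toLowerCase() === 'max-age' && Number(value) > 0;
  });
  return { name, persistent };
}

// Flag cookies set by, and tiny images fetched from, sites other than the page's.
function auditPageLoad(pageUrl, requests) {
  const firstParty = siteOf(pageUrl);
  const findings = [];
  for (const r of requests) {
    if (siteOf(r.url) === firstParty) continue; // first-party: cart, login, etc.
    const u = new URL(r.url);
    for (const header of r.setCookie || []) {
      findings.push({ type: 'third-party-cookie', host: u.hostname, ...parseSetCookie(header) });
    }
    if (r.type === 'image' && r.width <= 1 && r.height <= 1) {
      findings.push({ type: 'web-beacon', host: u.hostname, params: [...u.searchParams.keys()] });
    }
  }
  return findings;
}

const SAMPLE_REQUESTS = [
  { url: 'https://shop.example/cart', type: 'document',
    setCookie: ['session=abc123; Path=/; HttpOnly'] },
  { url: 'https://cdn.shop.example/logo.png', type: 'image', width: 120, height: 40 },
  { url: 'https://ads.tracker.test/sync.js', type: 'script',
    setCookie: ['uid=u-7f3a; Max-Age=31536000; SameSite=None; Secure'] },
  { url: 'https://px.tracker.test/b.gif?page=cart&item=1234', type: 'image', width: 1, height: 1 },
];

console.log(auditPageLoad('https://shop.example/cart', SAMPLE_REQUESTS));
```

The shopping-cart session cookie and the site's own logo are left alone; only the year-long identifier from another site and the 1-pixel image carrying page details are reported.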

What many users might find shocking is that they unknowingly and explicitly allowed many of the websites that they visit to place tracking cookies and other marketing information on their computers and smart devices. When I mention this to users at some of my security and privacy presentations, some of those present get very agitated, and vehemently deny that they ever gave permission for websites to place such information on their computers and other devices. My typical response is something to the effect of “Did you ever read the privacy statement on those websites when displayed, or simply click on the ‘I Agree’ box when first visiting them?” Most of the honest, but still aggrieved, users acknowledge that they never fully read the privacy statements, with the typical response being that the privacy statement is too long to read, or it is written in “legalese” they cannot readily understand, so they simply “agree” in order to get access to that particular website.

Complex privacy statements, often blindly agreed to, have been a popular tool to legitimize the placement of that website’s or other third party’s commercial tracking information on your computer, smart phone, tablet or other device. These tracking devices are often a significant source of revenue for the website owner, and are often utilized by some of the largest and most reputable online vendors. In a recent article by Omar L. Gallaga of the Austin American-Statesman and reprinted by “Government Technology,” Gallaga wrote, “A new tool in Google Chrome puts website privacy policy language in plain English, letting you easily know whether your e-mail address is shared or the site has access to your Social Security number, and if it tracks your location.”

This free new tool, currently only available for Google’s Chrome browser, is “PrivacyCheck,” a Chrome browser extension (plug-in) developed by the Center for Identity at the University of Texas at Austin (identity.utexas.edu). According to the Center for Identity, “PrivacyCheck is a browser add-on intended to provide consumers an overview of the ways in which companies use their personal data in a graphical, ‘at-a-glance’ format. ... PrivacyCheck surpasses existing add-ons, apps, and certifications by using a Data Mining algorithm to access the text of any webpage. The user provides the URL for the company’s privacy policy and PrivacyCheck searches the page, returning icons that indicate the level of risk for several types of PII (Personally Identifiable Information).” PrivacyCheck can be downloaded for Chrome by going to the Chrome Web Store at chrome.google.com/webstore and entering “PrivacyCheck” in the search box. The latest version of PrivacyCheck, as I am typing this, is version 1.0.5, dated May 14. It is important to know that federal and state laws require businesses with a Web presence to post their privacy policies, and there are often harsh penalties for violating those posted privacy policies.

To use PrivacyCheck to determine the degree of privacy risk on a particular website, download and install PrivacyCheck from the Chrome Web Store (chrome.google.com/webstore). Once installed, open the selected website using the Chrome browser, and locate the privacy statement, often linked at the very bottom of the webpage; open the privacy statement page. On the top right of the Chrome address bar is a small icon which is light brown in color, and has what appears to be a lowercase “i” within a brown circle; click on that icon. Once clicked, follow the instruction to “Browse to a privacy policy and click Start.” Within seconds a series of 10 larger icons will appear, with an easy-to-comprehend green, yellow, and red coloration, indicating the degree of privacy risks associated with that privacy policy and website.

Moving the cursor over each of the large icons will explain what it represents: the “envelope” icon represents what the website does with the user’s e-mail address, red indicating that the website uses, sells and shares the e-mail address to others; the second icon represents the magnetic stripe on a credit card, and indicates what the site does with credit card information; the three asterisks “***” represent what is done with the user’s social security number, green indicating that it is not collected or otherwise used; the “megaphone” indicates the marketing use of your private information, red indicating that the website sells your information to others for marketing purposes; the “compass” icon indicates what the website does with detected location information, red indicating that the website sells the user’s location information to third parties; the sixth icon, circular with two eyes, indicates the policy on information gathered from children; the “badge with star” icon indicates the distribution of information to law enforcement, red indicating that the site will provide information to law enforcement without a warrant or subpoena; the “open book” indicates the policy on posting privacy policy changes and giving the opportunity for users to opt-out; the “pie chart” icon indicates whether or not the user can modify his own information; the tenth icon, which looks like a cloud with directional arrows, indicates what the website does with aggregated information, yellow indicating that aggregated information is distributed, but personally identifiable information has been removed.

PrivacyCheck is an excellent method to determine what commercial websites are really doing with your personally identifiable information (PII), but its major weakness is that it (currently) only works with the Chrome Web browser. Users of other browsers may find some privacy utilities that provide significant privacy protection while online.

On all of my PCs, as a browser add-on, I have been using a free, popular browser extension called “Ghostery” (www.ghostery.com), which will seamlessly run on computers using any of the major and popular browsers including Firefox, Chrome, Opera, Safari, and Internet Explorer, as well as on mobile devices running the Android and iOS operating systems. According to its website, Ghostery claims to have, “The largest tracker database on the Internet, constantly growing; Ghostery has the largest tracker database available on the Web. We meticulously select, profile and cull over 2,000 trackers and 2,300 tracking patterns.” Ghostery displays the tracking information on almost every Web page opened, and gives the user the ability to allow or block trackers as desired.

Our personal privacy should be taken very seriously. Once third parties have access to our personal information, it is virtually impossible to get it back. Most of the browsers offer an option or setting to control privacy, which may be called “Do Not Track,” “Reject Third Party Cookies,” or some similar name. By using PrivacyCheck, Ghostery, browser privacy settings, and other utilities, our individual privacy may be better protected.