Website privacy policies: What aren't they telling you!

Web traffic analysis suggests most information is passed onto unamed partners.

If you want to know how a website shares your personal data, you might be tempted to slog throughits online privacy policy. Be prepared for disappointment. Website privacy policies explicitly disclose only a fraction of sites' data sharing-practices, according to new research that casts doubt on whether users can make informed decisions about their online activity.

The research, presented April 25th at the Web Conference in Lyon, France, investigated the data-sharing disclosures of more than 200,000 websites - the Arkansas state government homepag, for instance, and the Country Music Association site. In specific, it looked at how these sites shared data with third parties, such as advertisers and data brokers, as well as how these sites described their privacy policies.

For this analysis, privacy researcher Timothy Libert used a software tool called webXray to trace data transmissons from each website to third-party collectors. Of 1.8 million data transmissions tracked, only 14.8 percent were sent to third parties specifically mentioned in thse sites' privacy policies. The rest of the data went to third parties that users wouldn't know about even if they read the sites' policy statements.

Even if website policies listed all the third parties they shared data with, users still may not know exactly how their information gets spread around, says Libert, of the University of Oxford. That's because third parties that receive user information from websites can then share that data with other entities. Getting online is "sort of like tossing coffetti in the air," Libert says. "There's no way to know where your data ends up".

Data-sharing relationships between sites and third parties change so rapidly that its virtually impossible for privacy policy authors to keep up, says Christo Wilson, a computer scientistat Northeastern University in Boston not involved in the work. "The only true disclosure is, 'We sell your data, and we don't know where it goes", he says.

Internet users can try to keep their data out of advertisers' hands "with things like hardcore ad-blocking", says Wilson. but ad-blocking software may not ward off all advertisers, he adds. "It just gets more and more clear that we need things like GDPR", or General Data Protection Regulation. This new set of rules that restricts how tech companies can collect and use personal data takes effect across the European Union in May.