An array of free website-building tools, many offered by ad-tech and ad-funded companies, has led to a dizzying number of trackers loading on users’ browsers, even when they visit sites where privacy would seem paramount, an investigation by The Markup has found. Some load without the website operators’ explicit knowledge—or disclosure to users.
Website operators may agree to set cookies—small strings of text that identify you—from one outside company. But they are not always aware that the code setting those cookies can also load dozens of other trackers along with them, like nesting dolls, each collecting user data.
To investigate the pervasiveness of online tracking, The Markup spent 18 months building a one-of-a-kind free public tool that can be used to inspect websites for potential privacy violations in real time. Blacklight reveals the trackers loading on any site—including methods created to thwart privacy-protection tools or watch your every scroll and click.
We scanned more than 80,000 of the world’s most popular websites with Blacklight and found more than 5,000 were “fingerprinting” users, identifying them even if they block third-party cookies.
We also found more than 12,000 websites loaded scripts that watch and record all user interactions on a page—including scrolls and mouse movements. It’s called “session recording” and we found a higher prevalence of it than researchers had documented before.
More than 200 popular websites used a particularly invasive technique that captures personal information people enter on forms—like names, phone numbers, and passwords—before they hit send. It’s called “key logging” and it’s sometimes done as part of session recording.
Marketing and advertising companies are happy to provide these tools for free in exchange for user data, which is used to construct ever-more-refined profiles of internet users.
In other words, website operators are often effectively as blind to exactly what information advertising companies and marketers are collecting from their website visitors—and what they’re doing with the data—as the people browsing the internet are.
“I don’t want to say that the majority of websites don’t fully understand the data they’re collecting, but a large percentage do not,” said Michael Williams, a partner at Clym, a business that brings companies into compliance with online privacy laws like the European Union’s General Data Protection Regulation and the California Consumer Privacy Act.
He said when his firm scans websites, it often finds trackers the website operators did not know existed.
U.K.-based Privacy International found last year that some European mental health websites didn’t always know about the plethora of advertising-related tracking technologies that loaded from their sites onto users’ browsers.
Some small website operators say they don’t have much of a choice in the matter. Most of the tools available to build a robust, functional website on the internet have user tracking built into their very functionality. Even giving users the ability to search inside a website comes with strings attached.
“Google Search is a great tool that can be incorporated into a website, but then all searches as conducted by site visitors can be tracked to IP address,” said Fire Erowid of Erowid, the long-running nonprofit psychoactive drug information site. She said her team ended up building a “far worse” search function for the site to protect user privacy.
Frederik Zuiderveen Borgesius, a professor at Radboud University in the Netherlands who has written extensively on online privacy, said the pervasiveness of tracking could wreck one of the foundations of the internet: easy access to information, particularly for those who may have no other way to get it.
“Let’s say you’re a Muslim in India, or a Palestinian in Israel, or a homosexual in Poland,” he said. “At some point, you just feel uncomfortable looking for information about your own religion or own sexual preferences. Or you might be too uneasy about looking for information about sexually transmitted diseases because you fear that your behavior is monitored.
Academic research has repeatedly shown that connecting supposedly anonymous marketing data to a name can be done with relative ease.
The operators of some sensitive sites said they knew their sites load marketing trackers—and they’ve made peace with the trade-off.
“It’s not good enough to have a website,” said Chris McMurry, a member of the group’s board of directors. “We have to invest in making sure that what’s on our website is seen by those who need it the most.”
The site also sells ad space on its site, which comes with its own trackers, but the revenue helps him provide vital services.
The Markup’s findings underscore how the web’s foundational profit source, the online advertising industry, is trying to make money from every interaction on the internet—not just the obvious clicks, like visiting retailers.
Data collected from your detailed web browsing habits—what specific pages you visited, for how long, what you did there—can be tied to records of products and services you purchased both online and offline and tied to your identity through things like store consumer loyalty cards. This can then be linked to information collected from an app you downloaded on your smartphone or which movie or show you streamed last night. The profiles are filled with data about each visitor, including presumed interests and geographic location.
Companies claim this data allows them to make predictions about who is ready and able to buy certain products and provide those insights to sellers.
The ad-targeting categories offered by marketing companies can be surprising. The list produced by the Interactive Advertising Bureau, a prominent online ad industry trade group, has included things like “Incest/Abuse Support,” “Substance Abuse,” and “AIDS/HIV.” After this was reported publicly, the group removed the first category, but the others remain.
Many sites don’t load just one or two trackers—they load dozens of them because of a process called real-time bidding, which allows ads on a site to be personalized to whoever visits it.
When a user visits a page offering real-time ads, advertisers compete with each other for the ad space—in some cases tying users to those data-heavy profiles—in the blink of an eye. Regardless of who wins the auction to show the ad, all bidders are told who visited the site.
“Americans never agreed to be tracked and have their sensitive information sold to anyone with a checkbook,” a group of federal lawmakers wrote in a letter about real-time bidding to the Federal Trade Commission in July. “This outrageous privacy violation must be stopped and companies that are trafficking in Americans’ illicitly obtained private data should be shut down.”
They asked the agency to open an inquiry. FTC officials declined to say whether they have.
Websites serving people in Europe have had to get their affirmative consent before tracking users since 2018, when the European Union’s privacy law went into effect. Ironically, a 2019 study looking at those consent notifications found they are largely structured to encourage users to agree to tracking they otherwise wouldn’t readily allow and that they offer “no meaningful choice to consumers.”
The California Consumer Privacy Act requires large, for-profit companies doing business in the state to disclose the information its website collects, allow users to opt out of collection, and delete users’ data upon request.
The only federal law specifically requiring websites in the U.S. to disclose user tracking applies only to websites serving children, but the Federal Trade Commission has gone after companies for “deceptive” practices for claiming that they don’t track users when in fact they do.
As for the ad industry’s solutions to online privacy concerns, they have largely centered on allowing people to either opt out of tracking or opt out of being served targeted ads related to that tracking. Google, Oracle, Facebook, and online advertising industry groups on both sides of the Atlantic offer some version of those options.
To exercise them, people have to ask each online advertising and marketing company individually and install a cookie on their devices reminding the company in question not to track them in the future. For some opt outs, the companies require requestors to provide their full name, email, and physical address.
Facebook, for instance, continues to collect data on those who have opted out, spokesperson Alex Dziedzan confirmed. He said it does so for “non-ads” purposes like “measurement, security, integrity, etc.”
Aaron Sankin
Investigative Reporter
Surya Mattu
Investigative Data Journalist
Žádné komentáře:
Okomentovat