OPC “web leakage” research project
International studies have found that many websites disclose users’ personal information to third-party sites. (For example, see: http://w2spconf.com/2011/papers/privacyVsProtection.pdf.)
Those findings prompted the Office of the Privacy Commissioner of Canada (OPC) to conduct research into the practices of some websites popular with Canadians in order to assess the degree to which web leakage may be a privacy issue in Canada.
The research identified significant privacy concerns with one in four of the sites tested. Some websites were disclosing information to third parties, apparently without the knowledge or consent of the people affected – and possibly in violation of federal privacy law.
“Web leakage” involves the disclosure of a website user’s personal information to third-party sites – without proper knowledge or consent. Websites that do not take care to limit disclosure can leak a wide range of personal information and other data to third parties.
When a person visits a website belonging to a specific organization, the content on that site might come from different sources outside of that organization.
For example, many websites obtain revenue by allowing third-party organizations to place advertisements within their site.
Displaying these ads works as follows: when a page on a participating website is loaded, the website operator sends a request to the advertiser (an “ad call”) asking for an ad to be placed on the web page. In the course of making these requests for ads, the website may disclose personal information about its users to third-party organizations. Requests for third-party web content, such as ads, can be simple, or they can carry extra information – sometimes personal information – that is passed along to other organizations.
When the ad call is made, the third party may also be sent information about the page the user is currently visiting (the address of that page is carried in the Referer header).
In addition, websites may set a cookie in a user’s browser, and that cookie can contain personal information. If that cookie is shared with a third party, there will be a disclosure of the personal information contained in the cookie.
These forms of online disclosure to third parties, through such methods as web requests and cookies, have been referred to as “web leakage.”
Earlier this year, the social networking site MySpace agreed to settle charges by the U.S. Federal Trade Commission that it had misled millions of users about the sharing of personal information with advertisers. MySpace was disclosing users’ “Friend ID” (a unique numeric identifier), age, and gender to third-party advertising networks. The settlement required MySpace to divulge its sharing practices, and develop a comprehensive privacy program with independent assessments.
It is important to note that the websites, not the third parties, control the online disclosure of personal information. Although third-party websites such as ad networks and analytics companies receive the information, the first-party services are in control of what information is collected from consumers, how it is used, and how it is disclosed.
The research did not examine whether personal information disclosures were intentional (for example, a website was being paid for the personal information) or unintentional (for example, a disclosure was the result of a lack of attention).
Why is web leakage a privacy concern?
A tenet of good privacy is to allow individuals to make informed choices about whether to share – or not share – their personal information.
It is a privacy concern if websites are disclosing personal information without making users aware of this practice and seeking their consent.
As well, inappropriate sharing practices by websites can undermine users’ own efforts to protect their privacy, such as enabling privacy-protective browser settings.
How websites we tested were selected
The OPC’s research project involved a sample of websites that met the following criteria:
- The website has a high volume of Canadian traffic; and
- The website either targets Canadians, generates revenues from interactions with Canadian users, or is operated by an organization with an office located within Canada; and
- The site involves the input of personal information, such as the creation of user accounts; and
- The site includes third-party marketing tools, for direct advertising or other purposes, such as analytics.
From sites that met these criteria, we selected examples from a broad range of sectors, including media, shopping and travel services.
Why hasn’t the OPC named the websites it tested?
The Privacy Commissioner of Canada has not exercised her discretion to publicly name the tested organizations at this time. The research was designed to offer a snapshot of the Canadian context and it is likely that a significant number of other sites may also be leaking personal information.
Key research findings
The researchers tested 25 sites. At the time tests were conducted (July and August 2012), researchers identified significant privacy concerns with six sites. They had questions about the practices of a further five sites. The remaining 14 sites tested did not appear to be leaking personal information.
The organizations receiving this information fell into three main categories:
- Advertising companies (which are responsible for supplying third-party ads);
- Analytics companies (which measure, collect, analyse and report website usage data for purposes such as improving aspects of a website, including marketing); and
- Electronic flyer (e-flyer) services (which provide such services as weekly flyers to websites including special promotions, often tailored to a specific region).
Most of the receiving organizations were large international companies involved with Internet advertising, but others were smaller Canadian organizations.
Examples of websites leaking information
- A shopping site based in Canada asked people to register to receive promotions, and then disclosed the username and/or email address to 11 organizations, including advertisers and analytics companies.
- A well-known Canadian media site, where users register to manage subscriptions and post comments, disclosed the username, email address, and postal code to a content delivery and marketing service, an advertising network, and a news content provider.
How the websites were tested
The OPC researchers used a software tool (web proxy) called Charles (www.charlesproxy.com) to capture and analyze data being sent between a user’s browser and a website, and data sent between the user’s browser and third-party sites.
This data consisted of personal information provided by users who created an account on the website. Test accounts were created and an analysis was conducted to check if this data (such as contact information) was being sent to third parties after it was submitted to the website.
Software for testing web leakage is readily available online and many of these tools do not require a high level of technical expertise to install and use.
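The check the researchers performed can be expressed in a short script. The following Python example is added here and is not part of the OPC research or of the Charles tool: it takes the personal information entered into a test account and reports every third-party request whose query string, Referer header, cookies or body carries one of those values, which covers both the ad-call and cookie disclosure paths described earlier and the proxy-capture analysis described above. The host names, test-account values and captured requests are all constructed for the illustration, and the first-party/third-party split uses a simplified last-two-labels rule rather than a public suffix list.

```python
"""Flag third-party requests that carry personal information a user gave the first-party site.

Added example: the request capture, host names and test-account values below are
constructed for illustration; a real run would read a proxy export instead.
"""
import re
from urllib.parse import urlsplit, unquote

# Personal information submitted when the test account was created (constructed).
TEST_ACCOUNT = {
    "username": "maple_leaf_99",
    "email": "mleaf@example.com",
    "postal_code": "K1A 0H3",
}

FIRST_PARTY_HOST = "shop.example.ca"  # the site under test (constructed)

# Requests as a web proxy would record them after the account was submitted (constructed).
CAPTURED_REQUESTS = [
    {   # the registration itself: first party, expected to see the data
        "method": "POST", "url": "https://shop.example.ca/register",
        "headers": {"Cookie": "session=7f3a"},
        "body": "username=maple_leaf_99&email=mleaf%40example.com&postal=K1A+0H3",
    },
    {   # ad call: username in the query string, e-mail address in the Referer
        "method": "GET",
        "url": "https://ads.example-adnetwork.com/call?site=shop&uid=maple_leaf_99",
        "headers": {"Referer": "https://shop.example.ca/account?email=mleaf%40example.com",
                    "Cookie": "adid=9c2e1b"},
    },
    {   # analytics beacon: postal code stored in a cookie the third party receives
        "method": "GET",
        "url": "https://stats.example-analytics.net/collect?page=%2Fhome",
        "headers": {"Cookie": "visitor=abc123; profile=postal%3DK1A0H3"},
    },
    {   # static script from a CDN: Referer present but carries nothing personal
        "method": "GET", "url": "https://cdn.example-cdn.com/lib.js",
        "headers": {"Referer": "https://shop.example.ca/home"},
    },
]


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two labels. A real tool should use the public
    suffix list so that e.g. 'shop.example.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(text: str) -> str:
    """URL-decode, drop whitespace and '+', lower-case: 'K1A+0H3', 'K1A%200H3' and 'k1a0h3' match."""
    return re.sub(r"[\s+]", "", unquote(text)).lower()


def find_pii(text: str, profile: dict) -> set:
    """Return the profile fields whose values appear in the normalized text."""
    haystack = normalize(text)
    return {field for field, value in profile.items() if normalize(value) in haystack}


def scan_request(req: dict, profile: dict) -> dict:
    """Check every place a request can carry data: query string, Referer, each cookie, body."""
    hits = {}
    query = urlsplit(req["url"]).query
    if query and (found := find_pii(query, profile)):
        hits["url_query"] = found
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if "referer" in headers and (found := find_pii(headers["referer"], profile)):
        hits["referer"] = found
    for pair in headers.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name and (found := find_pii(value, profile)):
            hits[f"cookie:{name}"] = found
    if (body := req.get("body")) and (found := find_pii(body, profile)):
        hits["body"] = found
    return hits


def audit_capture(requests: list, first_party_host: str, profile: dict) -> list:
    """Report third-party requests carrying the test account's personal information.
    First-party requests are skipped: the user knowingly gave the site that data."""
    first_party = registrable_domain(first_party_host)
    findings = []
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if registrable_domain(host) == first_party:
            continue
        hits = scan_request(req, profile)
        if hits:
            findings.append({"third_party": host, "leaks": hits})
    return findings


if __name__ == "__main__":
    for finding in audit_capture(CAPTURED_REQUESTS, FIRST_PARTY_HOST, TEST_ACCOUNT):
        for where, fields in finding["leaks"].items():
            print(f"{finding['third_party']}: {', '.join(sorted(fields))} via {where}")
```

On the constructed capture the script reports the ad network receiving the username in the query string and the e-mail address through the Referer, and the analytics host receiving the postal code inside a cookie; the CDN request, which carries a Referer but no personal values, is correctly left out. Matching on normalized values rather than exact strings is what catches the postal code written without its space and the URL-encoded e-mail address.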
The Privacy Commissioner has sent letters to 11 organizations identified in the research as having websites that were leaking personal information. The Commissioner has asked them to provide information about their practices, and, where appropriate, to explain how they will correct problems to ensure compliance with privacy law.
As well, the OPC is contacting industry associations to request that they work to raise awareness of the issue of web leakage amongst their members.