How much online privacy do you really have? Less than you think

How much online privacy do you really have? Less than you think

Summary: How much privacy do you have on the web? An independent group called PrivacyChoice has undertaken the formidable effort of assigning a numeric score to popular websites, measuring their published policies and how much tracking they allow. The results are eye-opening.

SHARE:

Your privacy takes a beating every time you open your web browser.

But how badly are you being pummeled? An independent group called PrivacyChoice has undertaken the formidable effort of assigning a numeric score, on a scale of 0-100, to help rate the policies and practices of website publishers and the trackers they use to monitor your activities as you move around the web.

That rating, called PrivacyScore, was officially unveiled today. And while it’s fun to look at the individual scores for some of your favorite websites, it’s sobering to consider how poorly behaved most websites are when it comes to your privacy.

I’ve had a few day’s to look at the PrivacyScore online tool and examine how various sites perform. Here, for example, is a representative slice of some top-tier news sites:

Fox News … 84 New York Post … 83 CNET/Download.com … 82 Washington Post … 82 ZDNet … 73 MSN … 72 MSNBC … 72 New York Times … 71 Huffington Post … 69 Gizmodo … 68 USA Today … 61 CNN … 43 PC World … 35

It’s odd to see two Rupert Murdoch-owned sites at the top of the list, with CNN and PC World earning truly execrable scores.

So how can you check a site’s PrivacyScore for yourself? What do the numbers mean? And, most importantly, what are you supposed to do with this information?

First things first: You can measure a site’s general awareness of and respect for its users’ privacy by typing its top-level domain name into the PrivacyScore box. You can also download browser add-ons for Firefox and Chrome, which allows you to see the rating in a toolbar when you visit one of the 1399 rated sites. You can click the toolbar button to get more details about a site. Here, for example, is a summary for ZDNet.com:

The PrivacyScore calculation is derived from two sets of subscores, each worth a maximum of 50 points. The first measures how the site publisher’s privacy policies measure up against an ideal version. The second measures the actual performance of tracking companies—advertising providers, analytics companies, and the like—whose tools are used on the site being measured. (For full details of what goes into each score, see the PrivacyScore FAQ.)

To avoid playing favorites, I’ll look at ZDNet’s score here. This site gets dinged on the privacy policies score for not having a clear policy for dealing with users who ask to have their data deleted and for not providing an assurance of notice if data is requested. It also takes some knocks for associating with third-party ad and tracking companies that don’t necessarily respect sensitive boundaries (health history, financial records, religion) or allow user opt-outs and for retaining data longer than one year.

On the PrivacyScore scale, a score of more than 90 earns a solid green rating. Among the well-known websites I looked at that earned that score, were some surprising names: Wikipedia earned a perfect 100 (as did PrivacyChoice, not surprisingly). Dropbox, Pinterest, Twitter, Tumblr, and (ahem) Go Daddy were all rated 95. Facebook earned a 94, TripAdvisor a 93, WebMD a 92, and both Apple and Zynga clocked in at a solid 90.

In the yellow zone, with scores of 80-89, are the full network of Google sites (85), Amazon (84), Travelocity and Ask (83), CNET (82), and Craigslist (80). No Microsoft-owned property was above the high 70s: Microsoft.com (78), Live.com and Skype (77), Bing (74), and MSN (72) all have work to do, privacy-wise.

(One reason Facebook and Google score so highly is that both companies have signed consent decrees with the U.S. Federal Trade Commission to provide regular audits of their privacy performance over the next few decades. In addition, both companies run their own extensive advertising and tracking networks, which means they have virtually no third-party trackers on their own sites; that gives them a big edge on the second part of the score. See the update at the end of this post.)

You can glean an interesting set of facts by peeking at the aggregated data on the PrivacyScore home page. Travel sites, for example, have an average PrivacyScore of 80. Reference sites average 77. ZDNet, at 73, is better than the average news site, which logs a 66. Shopping sites generally do worst of all at 65.

This is definitely a first-generation tool, as its developers freely admit. The privacy policy measurement, for example, measures what a publisher’s policy says, and not what the site actually does. PrivacyChoice plans to evolve the tool over time by making its APIs more widely available, by including additional factors in the score, and allowing users to customize scores.

I spoke with PrivacyChoice executive director Jim Brock last week. He told me that a large part of the goal of the PrivacyScore tool is to raise awareness among web publishers, and to help web developers “get the ammunition they need to make changes” on behalf of the user. In early testing, he told me, several sites saw their PrivacyScore numbers and blanched: "We gotta get our score up before we launch," they said.

In addition, Brock said, publishers can easily increase their scores by making their policies crisp and direct and by refusing to do business with tracking companies whose scores are too low.

The generally low scores that web publishers in general earn using this tool is a sobering reminder that the balance of power is tilted in favor of those who collect and use information, often without your consent. So what should you do in response? In its FAQ, PrivacyChoice recommends using browser add-ons that limit tracking, such as its own TrackerBlock for Chrome and Ghostery (for Firefox, Chrome, Safari, Opera, and Internet Explorer). Internet Explorer 9 has tracking protection built in, which you can enable with an array of custom Tracking Protection lists.

Without superhuman measures, it’s literally impossible to keep yourself from being tracked as you move around the web. But the measurements in this tool allow users, for the first time, to see exactly what they’re facing, privacy-wise, and to make decisions accordingly.

Update: Several readers have expressed puzzlement over the high ratings for both Google and Facebook, which routinely come under fire for privacy concerns. It's worth looking at the "special privacy considerations" on each site's PrivacyScore profile.

Facebook:

This privacyscore does not apply to application, game and company pages, which are also subject to the privacy policies of the application providers with access Facebook profile data (with your consent). Those pages also allow data collection by tracking companies, which is not reflected in this privacyscore. We compile separate privacyscores for Facebook applications ...

This privacyscore may not reflect all privacy risks associated with sharing your profile and activities through Facebook, which is required to use many features of the service. ...

Google:

Google offers multiple services, which involve varying degrees of privacy risk based on the nature of the data collected. For example, Gmail may involve the use of more sensitive data than Google Reader; and Google's mobile services may involve collection of precise location information that is not collected on typical websites. For these reasons, depending on how you use Google's services, their overall privacyscore may not be comparable to the privacyscores of other websites.

This privacyscore is based on Google's revised and unified privacy policy, which will be effective on March 1, 2012.

More questions? Ask away...

Topics: Browser, CXO, Legal, Software Development

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

26 comments
Log in or register to join the discussion
  • RE: How much online privacy do you really have? Less than you think

    ... But how much will this score change with addons such as NoScript and AdBlock?
    The one and only, Cylon Centurion
    • You can exclude blocked factors

      @Cylon Centurion

      The point of this score is to measure what happens if you visit a website using a browser with nothing other than default security settings. If you use a tracking protection add-on, you can block some of those impacts, and you can adjust the score accordingly.
      Ed Bott
    • RE: How much online privacy do you really have? Less than you think

      @Cylon Centurion Yeah, it is kind of scary, how many different domains get access to your browser, when you visit a site.

      This site "only" has 10 alien domains trying to run scripts on your browser... Most of those are blocked, including Facebook, a bunch of statistic/analytic domains and advertising domains.

      They can display a static advert, that is fine, but they should not be running JavaScript on my machine, unless I explicitly visit their site.
      wright_is
    • RE: How much online privacy do you really have? Less than you think

      @Cylon Centurion Yeah, it is kind of scary, how many different domains get access to your browser, when you visit a site.

      This site "only" has 10 alien domains trying to run scripts on your browser... Most of those are blocked, including Facebook, a bunch of statistic/analytic domains and advertising domains.

      They can display a static advert, that is fine, but they should not be running JavaScript on my machine, unless I explicitly visit their site.
      wright_is
    • RE: How much online privacy do you really have? Less than you think

      @Cylon Centurion NoScript freaks me out a bit, frankly. It's why I don't use Chrome or IE. The sheer number of domains blocked by NoScript is scary.
      Aerowind
    • RE: How much online privacy do you really have? Less than you think

      @Cylon Centurion

      Or better, with TOR / Vidalia. Done.

      Next!
      Han CNX
  • RE: How much online privacy do you really have? Less than you think

    Hahahah Facebook gets a 94. That is just too good.
    mastrasza
    • RE: How much online privacy do you really have? Less than you think

      @mastrasza ... that combined with the Google/Microsoft scores have me calling BS on the whole service. How am I supposed to trust a service I'd never previously heard of when they propose that Facebook (with all its proven security/privacy failures) is one of the best-ranked sites on the Internet?
      GoodThings2Life
      • RE: How much online privacy do you really have? Less than you think

        @GoodThings2Life Entirely agree with your observation. Facebook apps are brutal.
        mjwebster@...
    • Red Flag

      @mastrasza---That raises a Red flag with me too. I have need to understand that.
      PreachJohn
    • RE: How much online privacy do you really have? Less than you think

      @mastrasza

      > Hahahah Facebook gets a 94. That is just too good.

      Probably not so good? Means they're slacking! Someone not getting a bonus this year for failing to reach 100. :)
      Han CNX
  • Consider how you conduct yourself in public

    What you do can is subject to surveillance. Drive a car even and if an agency (no name) deems you need tracking, they will slap a gps under your bumper.

    But that's a legal issue which has been answered in Federal court, now requiring a warrant.

    On the Internet, however, there are no warrants needed.
    Really, we live in an era defined by the Patriot Act and hastened by the result of heinous acts of Terrorism (9/11).

    That we should expect there will be an acceptable level of surveillance in public should also pertain to the Internet.

    I don't have a problem with that, but to raise the issue of privacy here regarding what we do 'in general' is pretty much a red herring. Your email is clear text even.

    It is what it is. Until we get back our Constitutional rights taken away by the Patriot Act, well, we live in a era where one can be taken away in the night, held indefinitely in a jail cell 'somewhere' until the authorities decide we can leave or not. There is no writ of habeas corpus, intentionally removed in the Patriot Act.

    Remember Folks, conduct yourself responsibly 'wherever' you are.
    Dietrich T. Schmitz *Your
    • Restrained

      @Dietrich T. Schmitz * Your Linux Advocate---I don't think you're overstating the case at all. in fact, you are quite diplomatic, mellow in tone, and restrained, given the gravity of some of these developing issues.
      Who was it who said something like, ' The price of Freedom is Eternal Vigilance'.
      PreachJohn
    • RE: How much online privacy do you really have? Less than you think

      @Dietrich T. Schmitz * Your Linux Advocate

      Big brother is watching. Just move along and go with the crowd. We know what is best for YOU.
      I think reading orwell's "1984" should be REQUIRED. But then if I tried to download a copy, big brother will know and start checking what else I am downloading.
      davidmpaul
      • RE: How much online privacy do you really have? Less than you think

        @davidmpaul

        Opps being tracked...
        davidmpaul
      • RE: How much online privacy do you really have? Less than you think

        @davidmpaul

        If you download "1984" to your Kindle, Big Brother will definitely know. Then they'll delete it.
        clfitz
    • RE: How much online privacy do you really have? Less than you think

      @Dietrich T. Schmitz * Your Linux Advocate
      Hear! Hear!
      eargasm
  • RE: How much online privacy do you really have? Less than you think

    What constantly amazes me is that people actually expect to have privacy on the Internet. For me it's obvious: any information I provide via my browser could potentially end up in the hands of anyone else with a browser. Privacy settings and policys can and will be overturned at some point or the other. <br><br>An example. I believe that there is really only one reason that people at, say, NSA don't read my mail: the fact that they don't care about it.<br><br>The only way to really protect your privacy is to remove your network connection. <br><br>For me, this is OK. I live in a society together with other people. My life will inevitebly be intertwined with others. I use Facebook etc etc all the time. Luv it. But I only say things there that I comfortably could say to anyone on the street, at home or at the office. <br><br>So my tip to anyone spending time and energy worrying about privacy: Relax and let it go. You can't win that battle. <br><br>If you need to talk about really private things with someone, sit down and have a cup of coffee together. Don't post it on a Facebook wall.
    torbjorn.hedberg@...
    • RE: How much online privacy do you really have? Less than you think

      @torbjorn.hedberg@... Actually, "they" do read your email. And your Twitter, and your Facebook page, and your SMS messages, and ...

      There are a variety of filters and scrapers in use that look for selected characteristics in communications traffic today. 99.99999 percent of the traffic never causes a "hit" so it never actually gets logged or looked at. Some hits are false positives, and a certain number are real data items that get logged and analyzed. Some preconditions put you on the list no matter what; using a pay-as-you-go cellphone for SMS is one of those. Is it an invasion of privacy? Technically yes, but if it never amounts to any inconvenience for you or exposes any embarrassing details of your life, then it's no big deal.
      terry flores
  • Is this all a lot of FUD?

    Privacy on the Internet gets a lot of play. There is the implication that web sites, that track visitors, know that you, John Doe, of Chicago IL, at 5 Maple Street went to Adult Fun.com. Not true. They generally could care less *who* you are. They put tracking cookies on your computer and then keep track of where you go on the Internet so they can serve up relevant ads - in hopes of getting you to* buy something*. They don't care if you are John Doe, or Sally Smith, or Brad Pitt. So although it does not hurt to take precautions, don't get into a panic about being tracked on the web. There are, of course, more unscrupulous web sites that can do harm, but that is their intent - to do harm as compared to getting you to buy the latest pair of jeans from Levis.
    jpr75_z