How much online privacy do you really have? Less than you think
How much privacy do you have on the web? An independent group called PrivacyChoice has undertaken the formidable effort of assigning a numeric score to popular websites, measuring their published policies and how much tracking they allow. The results are eye-opening.
Your privacy takes a beating every time you open your web browser.
But how badly are you being pummeled? An independent group called PrivacyChoice has undertaken the formidable effort of assigning a numeric score, on a scale of 0-100, to help rate the policies and practices of website publishers and the trackers they use to monitor your activities as you move around the web.
That rating, called PrivacyScore, was officially unveiled today. And while it’s fun to look at the individual scores for some of your favorite websites, it’s sobering to consider how poorly behaved most websites are when it comes to your privacy.
I’ve had a few day’s to look at the PrivacyScore online tool and examine how various sites perform. Here, for example, is a representative slice of some top-tier news sites:
Fox News … 84
New York Post … 83
CNET/Download.com … 82
Washington Post … 82
ZDNet … 73
MSN … 72
MSNBC … 72
New York Times … 71
Huffington Post … 69
Gizmodo … 68
USA Today … 61
CNN … 43
PC World … 35
It’s odd to see two Rupert Murdoch-owned sites at the top of the list, with CNN and PC World earning truly execrable scores.
So how can you check a site’s PrivacyScore for yourself? What do the numbers mean? And, most importantly, what are you supposed to do with this information?
First things first: You can measure a site’s general awareness of and respect for its users’ privacy by typing its top-level domain name into the PrivacyScore box. You can also download browser add-ons for Firefox and Chrome, which allows you to see the rating in a toolbar when you visit one of the 1399 rated sites. You can click the toolbar button to get more details about a site. Here, for example, is a summary for ZDNet.com:
The PrivacyScore calculation is derived from two sets of subscores, each worth a maximum of 50 points. The first measures how the site publisher’s privacy policies measure up against an ideal version. The second measures the actual performance of tracking companies—advertising providers, analytics companies, and the like—whose tools are used on the site being measured. (For full details of what goes into each score, see the PrivacyScore FAQ.)
To avoid playing favorites, I’ll look at ZDNet’s score here. This site gets dinged on the privacy policies score for not having a clear policy for dealing with users who ask to have their data deleted and for not providing an assurance of notice if data is requested. It also takes some knocks for associating with third-party ad and tracking companies that don’t necessarily respect sensitive boundaries (health history, financial records, religion) or allow user opt-outs and for retaining data longer than one year.
On the PrivacyScore scale, a score of more than 90 earns a solid green rating. Among the well-known websites I looked at that earned that score, were some surprising names: Wikipedia earned a perfect 100 (as did PrivacyChoice, not surprisingly). Dropbox, Pinterest, Twitter, Tumblr, and (ahem) Go Daddy were all rated 95. Facebook earned a 94, TripAdvisor a 93, WebMD a 92, and both Apple and Zynga clocked in at a solid 90.
In the yellow zone, with scores of 80-89, are the full network of Google sites (85), Amazon (84), Travelocity and Ask (83), CNET (82), and Craigslist (80). No Microsoft-owned property was above the high 70s: Microsoft.com (78), Live.com and Skype (77), Bing (74), and MSN (72) all have work to do, privacy-wise.
(One reason Facebook and Google score so highly is that both companies have signed consent decrees with the U.S. Federal Trade Commission to provide regular audits of their privacy performance over the next few decades. In addition, both companies run their own extensive advertising and tracking networks, which means they have virtually no third-party trackers on their own sites; that gives them a big edge on the second part of the score. See the update at the end of this post.)
You can glean an interesting set of facts by peeking at the aggregated data on the PrivacyScore home page. Travel sites, for example, have an average PrivacyScore of 80. Reference sites average 77. ZDNet, at 73, is better than the average news site, which logs a 66. Shopping sites generally do worst of all at 65.
I spoke with PrivacyChoice executive director Jim Brock last week. He told me that a large part of the goal of the PrivacyScore tool is to raise awareness among web publishers, and to help web developers “get the ammunition they need to make changes” on behalf of the user. In early testing, he told me, several sites saw their PrivacyScore numbers and blanched: "We gotta get our score up before we launch," they said.
In addition, Brock said, publishers can easily increase their scores by making their policies crisp and direct and by refusing to do business with tracking companies whose scores are too low.
The generally low scores that web publishers in general earn using this tool is a sobering reminder that the balance of power is tilted in favor of those who collect and use information, often without your consent. So what should you do in response? In its FAQ, PrivacyChoice recommends using browser add-ons that limit tracking, such as its own TrackerBlock for Chrome and Ghostery (for Firefox, Chrome, Safari, Opera, and Internet Explorer). Internet Explorer 9 has tracking protection built in, which you can enable with an array of custom Tracking Protection lists.
Without superhuman measures, it’s literally impossible to keep yourself from being tracked as you move around the web. But the measurements in this tool allow users, for the first time, to see exactly what they’re facing, privacy-wise, and to make decisions accordingly.
Update: Several readers have expressed puzzlement over the high ratings for both Google and Facebook, which routinely come under fire for privacy concerns. It's worth looking at the "special privacy considerations" on each site's PrivacyScore profile.
This privacyscore does not apply to application, game and company pages, which are also subject to the privacy policies of the application providers with access Facebook profile data (with your consent). Those pages also allow data collection by tracking companies, which is not reflected in this privacyscore. We compile separate privacyscores for Facebook applications ...
This privacyscore may not reflect all privacy risks associated with sharing your profile and activities through Facebook, which is required to use many features of the service. ...
Google offers multiple services, which involve varying degrees of privacy risk based on the nature of the data collected. For example, Gmail may involve the use of more sensitive data than Google Reader; and Google's mobile services may involve collection of precise location information that is not collected on typical websites. For these reasons, depending on how you use Google's services, their overall privacyscore may not be comparable to the privacyscores of other websites.