{"id":76545,"date":"2020-09-27T17:00:08","date_gmt":"2020-09-27T14:00:08","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/the-high-privacy-cost-of-a-free-website\/"},"modified":"2020-09-27T17:00:08","modified_gmt":"2020-09-27T14:00:08","slug":"the-high-privacy-cost-of-a-free-website","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/the-high-privacy-cost-of-a-free-website\/","title":{"rendered":"#The high privacy cost of a \u2018free\u2019 website"},"content":{"rendered":"<p>&#8220;<strong>#The high privacy cost of a \u2018free\u2019 website<\/strong>&#8221;<br \/>\n<img decoding=\"async\" src=\"https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2020\/09\/1-32-796x417.jpg\" \/><\/p>\n<div>\n<p>Kara Zajac said SPART*A, a small nonprofit serving transgender military service members and veterans, helped her begin her transition while in the Navy. To give back, she volunteered to build the group\u2019s website in her spare time after leaving the military\u2014and kept her eye on a key value: privacy.<\/p>\n<p>\u201cI don\u2019t track users,\u201d Zajac said. \u201cNot everyone in the military is wanting to be known for being trans. They might not be out yet. So any time we can protect privacy in that way, we try to do it.\u201d<\/p>\n<p>She said she only allowed three trackers on spartapride.org: <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.eff.org\/wp\/behind-the-one-way-mirror#Cookies\">cookies<\/a> from Twitter and <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/social-mediaa\/\" data-internallinksmanager029f6b8e52c=\"1\" title=\"Social Media\" target=\"_blank\" rel=\"noopener\">Facebook<\/a> that accompany their \u201clike\u201d buttons on the site, and one from Disqus, a commenting platform she got through a prepackaged <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/themeforest.net\/item\/daily-news-magazine-and-blog-ghost-theme\/12849846\">website theme<\/a> she bought off the internet for $59 to build the site.<\/p>\n<p>But when The Markup scanned spartapride.org using our new instant privacy inspector, Blacklight, we found 21 different ad-tech companies tracked visitors to the site, sending possible signals about people\u2019s gender identities to advertisers\u2014without the users\u2019 knowledge or consent.<\/p>\n<p>Among them were the marketing and advertising arms of Google, Amazon, and Oracle\u2019s BlueKai consumer data division, which reported a massive data exposure this summer, <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/techcrunch.com\/2020\/06\/19\/oracle-bluekai-web-tracking\/\">leaving billions of records<\/a>\u2014including personally identifiable information\u2014accessible to the open internet without a password. Oracle did not respond to questions about whether data gathered from spartapride.org\u2019s users was included in the exposure.<\/p>\n<p>The trackers loaded because Disqus sells ads on the free version of its commenting portal, and that ad space comes with third-party tracking. Disqus <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/disqus.com\/data-sharing-settings\/\">discloses<\/a> those trackers on its own website, but the company wouldn\u2019t comment about tracking SPART*A\u2019s users.<\/p>\n<p><em>[Read: <span class=\"c-message_attachment__title\"><span dir=\"auto\">Are EVs too expensive? Here are 5 common myths, debunked<\/span>]<\/span><\/em><\/p>\n<p>Zajac was floored when The Markup showed her how many trackers <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/download-scripts-themes-apps\/\" data-internallinksmanager029f6b8e52c=\"9\" title=\"Download Scripts &amp; Themes &amp; Apps\" target=\"_blank\" rel=\"noopener\">app<\/a>eared on the site. She said she learned a hard lesson: \u201cIf it\u2019s free, that doesn\u2019t mean it\u2019s free. It just means it doesn\u2019t cost money.\u201d Instead, it costs your website visitors\u2019 privacy.<\/p>\n<p>An array of free website-building tools, many offered by ad-tech and ad-funded companies, has led to a dizzying number of trackers loading on users\u2019 browsers, even when they visit sites where privacy would seem paramount, an investigation by The Markup has found. Some load without the website operators\u2019 explicit knowledge\u2014or disclosure to users.<\/p>\n<p>Website operators may agree to set cookies\u2014small strings of text that identify you\u2014from one outside company. But they are not always aware that the code setting those cookies can also load dozens of other trackers along with them, like nesting dolls, each collecting user data.<\/p>\n<p>To investigate the pervasiveness of online tracking, The Markup spent 18 months building a one-of-a-kind free public tool that can be used to inspect websites for potential privacy violations in real-time. Blacklight reveals the trackers loading on any site \u2014 including methods created to thwart privacy-protection tools or watch your every scroll and click.<\/p>\n<p>We scanned more than 80,000 of the world\u2019s most popular websites with Blacklight and found more than 5,000 were \u201cfingerprinting\u201d users, identifying them even if they block third-party cookies.<\/p>\n<p>We also found more than 12,000 websites loaded scripts that watch and record all user interactions on a page \u2014 including scrolls and mouse movements. It\u2019s called \u201csession recording\u201d and we found a higher prevalence of it than researchers had documented before.<\/p>\n<p>More than 200 popular websites used a particularly invasive technique that captures personal information people enter on forms\u2014like names, phone numbers, and passwords\u2014before they hit send. It\u2019s called \u201ckey logging\u201d and it\u2019s sometimes done as part of session recording.<\/p>\n<p>One of the websites doing this, SunTrust Bank, <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/github.com\/the-markup\/investigation-blacklight-the-high-cost-of-free\/blob\/master\/data\/story-inspections\/www.suntrust.com\/raw\/inspection.json#L1100\">sent the user name and password<\/a> we entered to a third party, Jornaya, which says it encrypts and discards the data it collects. SunTrust spokesman Kyle Tarrance wouldn\u2019t answer questions about the password leak, but insisted that the company keeps \u201cclients\u2019 well-being at the forefront of everything we do.\u201d After we contacted the company, its website stopped sending data to Jornaya.<\/p>\n<p>We scanned hundreds of sensitive sites using Blacklight and found that, even there, tracking was surprisingly common:<\/p>\n<ul>\n<li>More than 100 websites serving undocumented immigrants, domestic and sexual abuse survivors, sex workers, and LGBTQ people sent data about their visitors to advertising companies.<\/li>\n<li>Eighty U.S. abortion providers loaded third-party trackers on user browsers, some of them sending data to Facebook that ended up in user profiles.<\/li>\n<li>Trackers from different companies were communicating with each other to confirm the identity of visitors to a website for victims of sexual violence.<\/li>\n<li>Health information websites like Everyday Health and WebMD sent user data about page visits to dozens of marketing companies.<\/li>\n<li>The Arizona Department of Child Safety\u2019s page on how to report child abuse sent data about site visitors to six ad tech companies.<\/li>\n<li>Various government websites providing information about COVID-19 sent information about the site visitors to advertising companies without users\u2019 knowledge.<\/li>\n<li>The Mayo Clinic used key logging to capture information about people\u2019s current medical ailments in pages where they sign up for appointments and clinical trials. Even if people changed their minds and decided not to submit the information, the captured data was still sent to an endpoint on the Mayo Clinic\u2019s server labeled \u201cweb forms for marketers\/tracking.\u201d<\/li>\n<\/ul>\n<p>Some of the operators of sensitive sites told The Markup they knew about the tracking, but others said they were unaware of the number of trackers and their pervasiveness\u2014or what happens with the data collected from their users. Most, including The Mayo Clinic, WebMD, and Everyday Health, did not respond to requests for comment.<\/p>\n<p>Some sites\u2019 privacy policies did not disclose the tracking. For instance, the Mayo Clinic did not disclose it was using invasive key logging. And the Arizona Department of Child Safety\u2019s <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/web.archive.org\/web\/20200301232114\/https:\/dcs.az.gov\/\">privacy policy<\/a> <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/az.gov\/policy\/privacy\">said<\/a> that it doesn\u2019t load cookies to track users\u2014but we found that it did. After we asked about it, the agency added a new link to a <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/dcs.az.gov\/website-privacy-statement\">\u201cprivacy statement\u201d<\/a> disclosing the cookies.<\/p>\n<p>The use of cookies by websites is well known, and most Americans <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.pewresearch.org\/internet\/2019\/10\/09\/americans-and-digital-knowledge\/\">understand how they work<\/a>. But even some website operators don\u2019t always know how they get there: often from free plug-ins like comments sections, social media sharing buttons, and tools that embed posts from social media\u2014conveniences people have come to expect on the internet but that small website operators don\u2019t have the resources to build themselves.<\/p>\n<p>Marketing and advertising companies are happy to provide these tools for free in exchange for user data, which is used to construct ever-more-refined profiles of internet users.<\/p>\n<p>In other words, website operators are often effectively as blind to exactly what information advertising companies and marketers are collecting from their website visitors\u2014and what they\u2019re doing with the data\u2014as the people browsing the internet are.<\/p>\n<p>\u201cI don\u2019t want to say that the majority of websites don\u2019t fully understand the data they\u2019re collecting, but a large percentage do not,\u201d said Michael Williams, a partner at Clym, a business that brings companies into compliance with online privacy laws like the European Union\u2019s <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/gdpr.eu\/what-is-gdpr\/\">General Data Protection Regulation<\/a> and the California <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/oag.ca.gov\/privacy\/ccpa\">Consumer Privacy Act<\/a>.<\/p>\n<p>He said when his firm scans websites, it often finds trackers the website operators did not know existed.<\/p>\n<p>U.K.-based Privacy International <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/privacyinternational.org\/sites\/default\/files\/2019-09\/Your%20mental%20health%20for%20sale%20-%20Privacy%20International.pdf\">found<\/a> last year that some European mental health websites didn\u2019t always know about the plethora of advertising-related tracking technologies that loaded from their sites onto users\u2019 browsers.<\/p>\n<p>\u201cA lot of the small websites, they just want a website,\u201d said Eliot Bendinelli, a technologist with the group. \u201cThey\u2019re just setting up stuff so that people can access information. It might be an intern doing the website or it might be someone who is not aware of all these tracking impressions.\u201d<\/p>\n<p>But even savvy website operators like Zajac, who is studying cybersecurity at George Washington University, can get stung by what they think is a simple add-on, especially when it comes packaged in a suite of products and can be loaded with a few simple clicks.<\/p>\n<p>\u201cIt turns it on and you\u2019re like, \u2018cool, that worked\u2019 \u201d she said. \u201cBut you don\u2019t realize the implications\u2014of now there being 30 trackers on your website.\u201d<\/p>\n<p>She said whatever data the trackers on Sparta Pride were collecting, the nonprofit was never privy to it. After The Markup showed her the list of trackers that were loading with it, she removed Disqus from the site.<\/p>\n<p>Niveen Saleh, a public relations agent hired by Zeta Global, Disqus\u2019s parent company, said Disqus offers a version without ads or their related trackers to small nonprofits for free. But nowhere on Disqus\u2019s website does it explain how to get it, and neither did Saleh.<\/p>\n<p>\u201cWe do ensure that our publishers have the option to choose to have their data collected,\u201d Saleh said.<\/p>\n<p>Some small website operators say they don\u2019t have much of a choice in the matter. Most of the tools available to build a robust, functional website on the internet have user tracking built into their very functionality. Even giving users the ability to search inside a website comes with strings attached.<\/p>\n<p>\u201cGoogle Search is a great tool that can be incorporated into a website, but then all searches as conducted by site visitors can be tracked to IP address,\u201d said Fire Erowid of Erowid, the long-running nonprofit psychoactive drug information site. She said her team ended up building a \u201cfar worse\u201d search function for the site to protect user privacy.<\/p>\n<p>Google Analytics trackers loaded on 69 percent of 80,000 popular websites scanned with Blacklight. Google Analytics gives website operators insight into how many people visit a website and which pages. The catch: Google, the <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.emarketer.com\/content\/global-digital-ad-spending-2019\">world\u2019s largest digital ad seller<\/a>, also gets the data. The company\u2019s <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/policies.google.com\/technologies\/types?hl=en&amp;gl=BE\">cookie policy<\/a> allows it to connect that data to the advertising profiles it already has on people, but Google spokesperson Elijah Lawal said it doesn\u2019t do it as a policy unless the website operators agree.<\/p>\n<p>However, in order for website operators to get information from Google Analytics about the demographics of their visitors, they have to allow data collection by Google\u2019s advertising arm, DoubleClick, which adds the information to user profiles.<\/p>\n<p>The second most common tracker we found on popular sites: Facebook. Blacklight found its pixel on a third of popular sites we scanned. Facebook\u2019s trackers can follow you even if you\u2019re not logged in to Facebook and link your browsing history to your profile for ad targeting. Website operators include the pixel to measure clicks from their ads on Facebook\u2019s platforms.<\/p>\n<p>One feature commonly available for \u201cfree\u201d to website operators shows how an avalanche of trackers can end up on users\u2019 browsers: the suite of social media share buttons offered by AddThis, which was acquired by Oracle in 2016. It allows visitors to websites that load the tool to easily share the page they\u2019re visiting on their own social media feeds and lets site operators track those shares. The company brags on its website that more than 15 million websites have used its free tools and that it <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.addthis.com\/about\/\">reaches<\/a> \u201c96% of the U.S. web.\u201d<\/p>\n<p>But AddThis isn\u2019t a social media company. It\u2019s a marketing company. The purpose of that free tool is to load cookies and tracking pixels on website visitors\u2019 browsers, sending the data to Oracle\u2019s advertising divisions and <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.addthis.com\/privacy\/pixel-partners\/\">dozens<\/a> of marketing and advertising companies for ad targeting. These load instantly, whether or not the user clicks on the share button. <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/fliphtml5.com\/atnl\/kjmi\/basic\">In marketing materials<\/a>, AddThis says it collects \u201cup to 30 data points per page view\u201d from each website visitor.<\/p>\n<p>AddThis\u2019s <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.oracle.com\/legal\/privacy\/addthis-privacy-policy.html#section4\">privacy policy<\/a> discloses that the trackers\u00a0\u201cfacilitate online behavioral advertising across the online advertising ecosystem.\u201d<\/p>\n<p>After the European Union implemented <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/gdpr.eu\/what-is-gdpr\/\">its 2018 law<\/a> requiring informed consent from website visitors before their data can be collected, AddThis said it couldn\u2019t meet that standard and <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.adexchanger.com\/privacy\/oracle-data-cloud-kills-off-its-addthis-audience-business-in-europe\/#:~:text=\">shuttered<\/a> its audience data business in Europe. AddThis also settled a class action lawsuit in California in 2011 that alleged it was inserting tracking cookies on sites without notifying users. The company agreed to pay a monetary settlement but did not acknowledge wrongdoing.<\/p>\n<p>Using Blacklight, The Markup found AddThis trackers on more than 4,000 popular websites and four states\u2019 coronavirus information pages: Arkansas, California, Louisiana, and Minnesota.\u00a0\u00a0\u00a0 None of the states disclosed it in their privacy policies.<\/p>\n<p>Officials from California and Minnesota did not answer questions about what data the trackers were collecting and for what purpose.<\/p>\n<p>Arkansas and Louisiana officials said they used AddThis social share buttons for user convenience. Louisiana\u2019s spokesperson said they were unaware of the additional trackers on the site before The Markup brought it to their attention. Both removed the code after The Markup contacted them for comment.<\/p>\n<p>\u201cAd trackers like this are not necessary for fulfilling our mission,\u201d\u00a0said Gavin Lesnick, a spokesperson for the <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.healthy.arkansas.gov\/programs-services\/topics\/novel-coronavirus\">Arkansas Department of Health<\/a>, when we asked whether sharing visitor data with marketing companies was appropriate.<\/p>\n<p>AddThis\u2019s button wasn\u2019t visible on that site when Blacklight scanned it, and Lesnick said it was part of an expired campaign, but the code containing the trackers had remained as a relic. We found it was still sending data to advertising companies until we contacted him.<\/p>\n<p>The Markup also found AddThis\u2019s trackers on websites for nonprofit groups that would have reason to protect user privacy: those that provide resources to undocumented immigrants, domestic violence survivors, and the LGBTQ community. They all had social share buttons on their sites.<\/p>\n<p>Chad Sniffen of The National Sexual Violence Resource Center said he had no idea his site was loading trackers from AddThis until he was contacted by The Markup.<\/p>\n<p>Sniffen told The Markup that he was only aware of loading a single tracker, from Google Analytics, which he uses to see what content is popular in order to serve people better.<\/p>\n<p>It turns out that the developer hired to build the center\u2019s <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.nsvrc.org\/\">website<\/a> incorporated AddThis\u2019s social sharing tool, and Sniffen was unaware of the implications. As a result, his site was loading trackers from 10 online advertising companies without his knowledge.<\/p>\n<p>One of the trackers loaded on the site by AddThis communicates with ad trackers loaded by Google\u2019s advertising arm, a data triangulation that advertising and marketing companies sometimes use to confirm the identity of visitors to a site.<\/p>\n<p>Oracle did not respond to emails asking how it handles data collected through AddThis from sites serving privacy-sensitive populations, like victims of sexual violence.<\/p>\n<p>Lawal, the Google spokesperson, said in a written statement that \u201cGoogle Ads does not build advertising profiles based on sensitive categories, and we have strict policies preventing customers from using such data to target ads.\u201d <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/support.google.com\/adspolicy\/answer\/143465?hl=en\">Those categories<\/a> include \u201cpersonal hardships\u201d and \u201cidentity and beliefs.\u201d<\/p>\n<p>Sniffen initially worried that disentangling AddThis from his group\u2019s website would take resources away from its goal of funding crucial programs, like training counselors. However, he said he found himself with time on his hands during the pandemic and learned how to s<a href=\"https:\/\/buradabiliyorum.com\/en\/category\/trip-and-travel\/\" data-internallinksmanager029f6b8e52c=\"10\" title=\"Trip &amp; Travel\" target=\"_blank\" rel=\"noopener\">trip<\/a> it out himself.<\/p>\n<p>Frederik Zuiderveen Borgesius, a professor at Radboud University in the Netherlands who has written extensively on online privacy, said the pervasiveness of tracking could wreck one of the foundations of the internet: easy access to information, particularly for those who may have no other way to get it.<\/p>\n<p>\u201cLet\u2019s say you\u2019re a Muslim in India, or a Palestinian in Israel, or a homosexual in Poland,\u201d he said. \u201cAt some point, you just feel uncomfortable looking for information about your own religion or own sexual preferences. Or you might be too uneasy about looking for information about sexually transmitted diseases because you fear that your behavior is monitored.<\/p>\n<p>Many advertisers and marketers say their profiles of internet users in most cases aren\u2019t connected to names or other \u201cpersonally identifiable information\u201d such as mailing addresses, but that doesn\u2019t mean they don\u2019t know who you are.<\/p>\n<p>\u201cIt doesn\u2019t really matter if they know your name or not,\u201d Borgesius said. \u201cThere are hundreds of thousands of people sharing the same name, so unique identifiers from a cookie are better identifiers.\u201d<\/p>\n<p>Academic research has <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/themarkup.org\/ask-the-markup\/2020\/03\/24\/when-is-anonymous-not-really-anonymous\">repeatedly shown<\/a> that connecting supposedly anonymous marketing data to a name can be done with relative ease.<\/p>\n<p>The operators of some sensitive sites said they knew their sites load marketing trackers\u2014and they\u2019ve made peace with the trade-off.<\/p>\n<p>Domesticshelters.org connects domestic violence survivors with short-term shelters, and it allows Facebook and AddThis trackers on the site because the social sharing tools help raise awareness, said Chris McMurry, a member of the group\u2019s board of directors.<\/p>\n<p>\u201cIt\u2019s not good enough to have a website,\u201d he said. \u201cWe have to invest in making sure that what\u2019s on our website is seen by those who need it the most.\u201d<\/p>\n<p>The site also sells ad space on its site, which comes with its own trackers, but the revenue helps him provide vital services. When we scanned Domesticshelters.org with Blacklight, we found trackers from 10 companies.<\/p>\n<p>The Markup\u2019s findings underscore how the web\u2019s foundational profit source, the online advertising industry, is trying to make money from every interaction on the internet\u2014not just the obvious clicks, like visiting retailers.<\/p>\n<p>Data collected from your detailed web browsing habits\u2014what specific pages you visited, for how long, what you did there\u2014can be tied to records of products and services you purchased both online and offline and tied to your identity through things like store consumer loyalty cards. This can then be linked to information collected from an app you downloaded on your smartphone or which movie or show you streamed last night. The profiles are filled with data about each visitor, including presumed interests and geographic location.<\/p>\n<p>Companies claim this data allows them to make predictions about who is ready and able to buy certain products and provide those insights to sellers.<\/p>\n<p>The ad-targeting categories offered by marketing companies can be surprising. The <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/support.aerserv.com\/hc\/en-us\/articles\/207148516-List-of-IAB-Categories\">list<\/a> produced by the Interactive Advertising Bureau, a prominent online ad industry trade group, has included things like \u201cIncest\/Abuse Support,\u201d \u201cSubstance Abuse,\u201d and \u201cAIDS\/HIV.\u201d\u00a0\u00a0 After this was <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.irishtimes.com\/business\/technology\/new-documents-back-complaints-about-online-advertising-1.3772427\">reported publicly<\/a>, the group removed the first category, but the others remain.<\/p>\n<p>Many sites don\u2019t load just one or two trackers\u2014they load dozens of them because of a process called real-time bidding, which allows ads on a site to be personalized to whoever visits it.<\/p>\n<p>When a user visits a page offering real-time ads, advertisers compete with each other for the ad space\u2014in some cases tying users to those data-heavy profiles\u2014in the blink of an eye. Regardless of who wins the auction to show the ad, all bidders are told who visited the site.<\/p>\n<p>The global real-time bidding industry was valued at $5.79 billion in 2018 and is expected to <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.businesswire.com\/news\/home\/20190920005365\/en\/Real-Time-Bidding-Market-Report-2019-Global-Market\">swell<\/a> to $28.69 billion by 2024.<\/p>\n<p>\u201cAmericans never agreed to be tracked and have their sensitive information sold to anyone with a checkbook,\u201d a group of federal lawmakers wrote in a <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.wyden.senate.gov\/imo\/media\/doc\/073120%20Wyden%20Cassidy%20Led%20FTC%20Investigation%20letter.pdf\">letter<\/a> about real-time bidding to the Federal Trade Commission in July. \u201cThis outrageous privacy violation must be stopped and companies that are trafficking in Americans\u2019 illicitly obtained private data should be shut down.\u201d<\/p>\n<p>They asked the agency to open an inquiry. FTC officials declined to say whether they have.<\/p>\n<p>Websites serving people in Europe have had to get their affirmative consent before tracking users since 2018, when the European Union\u2019s privacy law went into effect. Ironically, a <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/arxiv.org\/pdf\/1909.02638.pdf\">2019 study<\/a> looking at those consent notifications found they are largely structured to encourage users to agree to tracking they otherwise wouldn\u2019t readily allow and that they offer \u201cno meaningful choice to consumers.\u201d<\/p>\n<p>The California Consumer Privacy Act <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.oag.ca.gov\/system\/files\/attachments\/press_releases\/CCPA%20Fact%20Sheet%20%2800000002%29.pdf\">requires<\/a> large, for-profit companies doing business in the state to disclose the information its website collects, allow users to opt-out of the collection, and delete users\u2019 data upon request.<\/p>\n<p>The only federal law specifically requiring websites in the U.S. to disclose user tracking <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.ftc.gov\/tips-advice\/business-center\/guidance\/complying-coppa-frequently-asked-questions-0\">applies only to websites serving children<\/a>, but the Federal Trade Commission has <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.ftc.gov\/news-events\/press-releases\/2012\/08\/google-will-pay-225-million-settle-ftc-charges-it-misrepresented\">gone after companies<\/a> for \u201cdeceptive\u201d practices for claiming that they don\u2019t track users when in fact they do.<\/p>\n<p>The Markup found even some government websites don\u2019t disclose tracking, including the <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.usmint.gov\">U.S. Mint<\/a> and the <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.sba.gov\">Small Business Administration<\/a>, which we found using a technique called canvas fingerprinting, which can track people who block cookies.<\/p>\n<p>The SBA did not respond to our requests for comment. The Mint\u2019s website has stopped using canvas fingerprinting since we reached out to the agency in late July. Mint spokesperson Michael White insisted in an email that it never used the technique, but <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/github.com\/the-markup\/investigation-blacklight-the-high-cost-of-free\/blob\/master\/data\/story-inspections\/usmint.gov\/inspection.json#L208\">we have preserved the code that shows it was<\/a>.<\/p>\n<p>As for the ad industry\u2019s solutions to online privacy concerns, they have largely centered on allowing people to either opt out of tracking or opt out of being served targeted ads related to that tracking. <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.howtogeek.com\/285835\/how-to-opt-out-of-personalized-ads-from-google\/\">Google<\/a>, <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/datacloudoptout.oracle.com\/#optout\">Oracle<\/a>, <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.digitaltrends.com\/social-media\/how-to-opt-out-of-targeted-ads-on-facebook\/#:~:text=On%20the%20app%2C%20go%20to%20Setting%20%26%20Privacy%20%3E%20Settings%20%3E,to%20target%20you%20with%20ads.\">Facebook<\/a>, and online advertising industry groups on <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/optout.networkadvertising.org\/?c=1\">both<\/a> <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.youronlinechoices.com\/\">sides<\/a> of the Atlantic offer some version of those options.<\/p>\n<p>To exercise them, people have to ask each online advertising and marketing company individually and install a cookie on their devices reminding the company in question not to track them in the future. \u00a0For some opt outs, the companies require requestors to provide their full name, email, and physical address.<\/p>\n<p>Facebook, for instance, continues to collect data on those who have opted out, spokesperson Alex Dziedzan confirmed. He said it does so for \u201cnon-ads\u201d purposes like \u201cmeasurement, security, integrity, etc.\u201d<\/p>\n<p>It\u2019s not impossible to build a tracker-free website. Encrypted email service <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/themarkup.org\/blacklight?url=protonmail.com\">ProtonMail<\/a>, the conservative think tank <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/themarkup.org\/blacklight?url=www.aei.org\">The American Enterprise Institute<\/a>, a wiki <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/themarkup.org\/blacklight?url=en.bitcoin.it\">forum<\/a> about the cryptocurrency Bitcoin, the <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/themarkup.org\/blacklight?url=getlantern.org\">website<\/a> for online censorship circumvention tool Lantern\u2014and <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/themarkup.org\/blacklight?url=themarkup.org\">The Markup\u2019s website<\/a>\u2014all came up clean during Blacklight scans.<\/p>\n<p>ProtonMail said it has had to build workarounds, including developing its own anti-fraud system to detect potential credit card abuse before sending user card numbers to its payment processor, Stripe. That was how they got around Stripe\u2019s usual process of collecting payers\u2019 IP and email addresses, said Bart Butler, ProtonMail\u2019s chief <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/technology\/\" data-internallinksmanager029f6b8e52c=\"4\" title=\"Technology\" target=\"_blank\" rel=\"noopener\">technology<\/a> officer.<\/p>\n<p>\u201cWe deliberately set up our company so it is not an option for us to sell out our users,\u201d he said. \u201cThat has come with both sacrifices \u2026 in terms of what we can do and what we can\u2019t do and what we refuse to do. Also, it came with a lot of effort on our part.\u201d<\/p>\n<p>To avoid giving website analytics market leader Google data about every visitor to his website, Butler said Protonmail built proprietary analytics software. Most websites can set up Google Analytics in an hour, he said, but ProtonMail\u2019s system took years to build, cost half a million dollars in server hardware costs alone, and requires a permanent full-time staff to continue to maintain it.<\/p>\n<p>\u201cIt shouldn\u2019t be that you have to roll your own if you want to do this stuff,\u201d Butler said. \u201cSomebody who just cares about privacy and needs privacy, but doesn\u2019t have the resources to develop their own, won\u2019t be able to do it.<\/p>\n<p>\u201cPrivacy,\u201d he added, \u201cshould be something people can care about without selling a privacy product.\u201d<\/p>\n<p><em>So you like TNW? Then join our upcoming online event, TNW2020, you don\u2019t want to miss it.<\/em><\/p>\n<p><em>This article was <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/themarkup.org\/blacklight\/2020\/09\/22\/blacklight-tracking-advertisers-digital-privacy-sensitive-websites\">originally published on The Markup<\/a> and was republished under the <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/\">Creative Commons Attribution-NonCommercial-NoDerivatives<\/a><a rel=\"nofollow noopener noreferrer\" target=\"_blank\"> license.<\/a><\/em><\/p>\n<p class=\"post-article-read-next\">\n    <b>Read next:<\/b><\/p>\n<p>        TimeSync Pro makes sure your schedule doesn\u2019t waste your time or screw up your day    <\/p><\/div>\n<blockquote>\n<p style=\"text-align: center;\">For forums sites go to <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/forum.buradabiliyorum.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Forum.BuradaBiliyorum.Com<\/a><\/span><\/strong><\/p>\n<\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\"><strong>If you want to read more like this article, you can visit our <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/en.buradabiliyorum.com\/technology\/\" target=\"_blank\" rel=\"noopener noreferrer\">Technology category.<\/a><\/span><\/strong><\/p>\n<\/blockquote>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/thenextweb.com\/syndication\/2020\/09\/27\/the-high-privacy-cost-of-a-free-website\/\" target=\"_blank\" rel=\"noopener noreferrer\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#The high privacy cost of a \u2018free\u2019 website&#8221; Kara Zajac said SPART*A, a small nonprofit serving transgender military service members and veterans, helped her begin her transition while in the Navy. To give back, she volunteered to build the group\u2019s website in her spare time after leaving the military\u2014and kept her eye on a key&#8230;<\/p>\n","protected":false},"author":1,"featured_media":76546,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/img-cdn.tnwcdn.com\/image\/tnw?filter_last=1&fit=1280,640&url=https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2020\/09\/1-32.jpg&signature=00665a4a3b4cc26e8a8f29541795fee7","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[15047,72366,73157,73155,73156,70759],"class_list":["post-76545","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-privacy","tag-data","tag-investigation","tag-marketing","tag-oracle-database","tag-tech"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/76545","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=76545"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/76545\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/76546"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=76545"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=76545"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=76545"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}