Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Businesses The Internet

Nine Out of Ten of the Internet's Top Websites Are Leaking Your Data 133

merbs writes: The vast majority of websites you visit are sending your data to third-party sources, usually without your permission or knowledge. That's not exactly breaking news, but the sheer scale and ubiquity of that leakage might be. Tim Libert, a privacy researcher, has published new peer-reviewed research that sought to quantify all the "privacy compromising mechanisms" on the one million most popular websites worldwide. His conclusion? "Findings indicate that nearly 9 in 10 websites leak user data to parties of which the user is likely unaware."
This discussion has been archived. No new comments can be posted.

Nine Out of Ten of the Internet's Top Websites Are Leaking Your Data

Comments Filter:
  • wrong term (Score:2, Informative)

    by Anonymous Coward

    Not leaking it so much as shooting out of a firehouse.

    • by gl4ss ( 559668 )

      leaking also would indicate that it is unintentional. the websites are mainly leaking through ad networks and are doing it on purpose to get money(or analytics).

    • ... don't have my data.

      And you think Slashdot doesn't share it for some reason? Don't give me this "they didn't say they would share" excuse...

      If you do ANYTHING on the big "I" net, you are giving up information, like it or not... It's worse for you, you are posting on Slashdot for Pete's sake....

      • by mark-t ( 151149 )
        What makes you think slashdot is in the top ten?
      • by amicusNYCL ( 1538833 ) on Wednesday November 04, 2015 @06:23PM (#50867249)

        And you think Slashdot doesn't share it for some reason?

        Ghostery is blocking the following on Slashdot:

        Doubleclick (advertising)
        Google Adwords Conversion (advertising)
        Google Analytics
        Janrain
        Scorecard Research Beacon
        Taboola

        It's on Slashdot, and everywhere else.

        Here's a quote from TFA:

        Most troubling is that if you use your browser setting to say 'Do Not Track' me, the explicitly stated policy of nearly all the companies is to flat-out ignore you

        What we need is 9 out of 10 users to start explicitly blocking tracking and advertising, and then flat-out ignore the companies who complain about their bottom line. That article from the advertising industry group talking about how they screwed up rings a little hollow when they are obviously not interested in respecting the requests of consumers to not track them. Enabling Do Not Track is fine, but that only works with the good actors. For everyone else, see below.

        https://www.ghostery.com/ [ghostery.com]
        https://www.ublock.org/ [ublock.org]
        https://adblockplus.org/ [adblockplus.org]

        • by Phusion ( 58405 )

          Doesn't Adblock/Plus whitelist companies that pay them?

          • As far as I know they give you the option of seeing "trusted" ads (or whatever the terminology is), but last I knew they ask if you want to enable or disable that during setup. At this point I don't think they're turning it on without telling you, and they don't hide the option to turn it off.

        • What we need is 9 out of 10 users to start explicitly blocking tracking and advertising, and then flat-out ignore the companies who complain about their bottom line.

          I'll tell you exactly what sort of response that would evoke from pretty much everyone, because I've already seen it: They start moving actual content and functionality for their sites to the same servers that are serving ads and things to track you, leaving you with two choices: accept their ads and tracking, or don't use their site at all. What's your response going to be when >90% of the Internet is denied to you, because you won't give in to their ads and tracking techniques? That's likely what's com

          • What's your response going to be when >90% of the Internet is denied to you, because you won't give in to their ads and tracking techniques? That's likely what's coming.

            We'll have to find out what will happen when >90% of the internet sees large drops in their traffic. People in general are becoming more aware to ad-blockers, it's no longer relegated to niche Firefox extensions. That day is coming. I expect to see new revenue models, which may be a way to continue the tracking, e.g. you pay a monthly subscription to a single "content network" that provides access to thousands of sites if you're logged in, rather than paying sites individually. Obviously that parent

            • This. In addition, the ad networks like this because they can build a profile on you. I've never had an issue with a side bar or banner ad or whatever being served up from teh same machine as the content I am reading.

              Of course, if it gets too bad, since 99% of my web browsing is *reading* I can go back to a plain old text based browser like elinks

            • We'll have to find out what will happen when >90% of the internet sees large drops in their traffic. People in general are becoming more aware to ad-blockers, it's no longer relegated to niche Firefox extensions. That day is coming.

              Pretty much this. I've installed it on a lot of regular folks computers, usually after a demonstration of the difference in loading times enabled and disabled. I'm usually looking at them in the first place because of compliaints of slow loading.

              And I'm pretty certain it is having some effect already, as a number of sites that I no longer ever go to pop up screens that tell me to disable my ad blocker software......

              Umm no folks, you'll never have even the chance to infect my machine ever again. ESAD bab

            • by Alumoi ( 1321661 )

              I expect to see new revenue models, which may be a way to continue the tracking, e.g. you pay a monthly subscription to a single "content network" that provides access to thousands of sites if you're logged in, rather than paying sites individually. Obviously that parent network would be able to track which of its sites you're on because you need to authenticate.

              Hmm, seems like what the ISPs are doing righ now. Your point is?

              • My point is that what I suggested is completely different from what ISPs are doing right now. When you host a site, does some random ISP pay you when their customer visits it? No? Then it's not the same thing, is it? What I suggested is more along the lines of what cable TV was supposed to be when it started, not ISPs that provide access to the internet in the first place. I don't expect an ISP to create what I'm talking about, that's not their job.

          • by jandrese ( 485 )
            As a longtime user of NoScript, this has not even come close to happening yet. I'm not even against ads, but I'm not going to let them run Javascript. If they want to show a banner then be my guest, if they want fingerprint my browser so they can track me across different websites then no thanks.
          • They start moving actual content and functionality for their sites to the same servers that are serving ads and things to track you, leaving you with two choices: accept their ads and tracking, or don't use their site at all.

            I've already been experiencing this already, not so much because a site is commingling its content and ads, but because my suite of advertisement/tracker/flash blockers break a small portion of the internet. Specifically, I've noticed:
            * forbes: I can never click past their "quote of the day"
            * politico: the drop down menu bar doesn't work
            * lots of sites have comment boxes disabled
            * occassionally I come across a video that won't load.

            So, my response: some sites just fall off my radar like forbes, but I don't

          • I'll tell you exactly what sort of response that would evoke from pretty much everyone, because I've already seen it: They start moving actual content and functionality for their sites to the same servers that are serving ads and things to track you, leaving you with two choices: accept their ads and tracking, or don't use their site at all. What's your response going to be when >90% of the Internet is denied to you, because you won't give in to their ads and tracking techniques? That's likely what's coming.

            Good. Then I'll usse the ten percent of the sites that are left. Or not at all. Teh intertoobz are mighty damn sick these days, and are rapidly losing any semblance of usefulness. So if it reaches that point, then it will reach zero usefuness for many. Then business and the trackers will have won - sorta.

            All I know is I already don't go to sites that demand I turn off my adblocker software.

        • Even better, install Privacy Badger and it will block player.ooyala.com and the cookies it uses to track you from one site to another.
        • What we need is 9 out of 10 users to start explicitly blocking tracking and advertising, and then flat-out ignore the companies who complain about their bottom line.

          Yes, and this is part one of the strategy. Already, if I go to a site, and see "We see you are using an ad blocker. Please unblock to access our content.

          NONONONONONO assholes! You can just go out of business for all I care. I just click back to where I was, and move on. If enough of them analyze how many people just say a collective "Eat shit mofo's!", that will be the first stage.

          The second stage is to give them what they want. lots and lots and lots of data, all spoofed, all the time. Enough to make t

        • Ghostery is blocking the following on Slashdot:

          Doubleclick (advertising)
          Google Adwords Conversion (advertising)
          Google Analytics
          Janrain
          Scorecard Research Beacon
          Taboola

          ...which means it's failing to block ooyala.com, ntv.io, and rxpnow.com. You might want to get a better browser extension (such as RequestPolicy).

          • by Anonymous Coward

            Ghostery is blocking the following on Slashdot:

            Doubleclick (advertising)
            Google Adwords Conversion (advertising)
            Google Analytics
            Janrain
            Scorecard Research Beacon
            Taboola

            ...which means it's failing to block ooyala.com, ntv.io, and rxpnow.com. You might want to get a better browser extension (such as RequestPolicy).

            Privacy Badger from EFF catches them all.

    • by gstoddart ( 321705 ) on Wednesday November 04, 2015 @09:06PM (#50868167) Homepage

      Are you so sure of that? Are you actually taking steps to stop it? Are you verifying it?

      Right now on Slashdot as I type this, there are 12 external domains being referenced, 8 of which want to run scripts. All of them are ad or analytics companies.

      A massive amount of sites have references to the big ad sites (usually multiple), as well as references and/or cookies to social media sites ... which means a lot of ad companies trivially track you across sites, know where you visit, how often, and the pages you're reading.

      Unless you are actively blocking this crap, and unless you're looking at the sites which are being blocked and adding which you've missed ... and clearing any cookies and shit they've added as you go ... you should really assume that these sites are seeing your data even if you don't subscribe to them or realize you're interacting with them.

      You have to be fairly aggressively blocking this shit to believe those companies aren't seeing some of your data.

      And, quite frankly, if you are aggressively blocking this shit, your friends and family are probably tired of you ranting about how fucked up the internet is. I know mine are.

      The problem is so many people don't know this, and even if you try to tell them they don't care.

  • Just skimmed the paper -- and it's talking about the "10 most common top-level domains" -- not websites.

    • That's not what the paper says, they aren't saying that .com is tracking you or leaking your data. It says that they ran their numbers on the entire pool of ~1 million sites, and then ran sub-analysis for the 10 most popular TLDs (plus edu and gov) - com, net, org, ru, de, uk, br, jp, pl, and in. Table 1 in the PDF shows those findings. For the entire data set, 9.47 external domains were contacted on average. Among those TLDs, Brazil had the highest with 11 domains on average, and gov the lowest with 3.

  • Once the data became a, and sometimes the, marketable commodity, what did you think for-profit companies might do?

    It was clearly not a long-contemplated ethical conundrum for the bigger share of them.

  • by hey! ( 33014 ) on Wednesday November 04, 2015 @05:46PM (#50867013) Homepage Journal

    One out of ten of the Internet's top web sites doesn't leak your information!

    • I want to know which one of the 10 is it?

      Actually, what the researcher says is that 9 out of 10 websites leak information about who visits them to third parties, but if you think about it, ANY site that accepts banner ads does this... So if you are surprised by this revelation, I feel sorry for you..

    • - YET! A little time and it'll be hacked!
  • Stop typing your own fucking personal information into websites! It's not like they're kicking in your door and raiding your house. STOP HANDING IT TO THEM!
    • You need to shut the fuck up. We won't tolerate common repeated sense in this forum. Consider your karma ultra negative from this point forward.
    • Some ARE kicking down the door.... But we usually call that malware and viruses..

      Personally, I hand out "personal information" for a person who is totally fiction beyond the name to any website who requires I give up information to them and I still want to use their website. There are exceptions, of course, but I only share what is required and stick to the identity I invented as much as possible.

    • by dmomo ( 256005 )

      If you think that the data they are collecting is predominantly a result of things being typed into a form... you have no business acting so self-righteous. Instead, you should step back and re-think what privacy is, and how it pertains to the Internet.

      • If you think that the data they are collecting is predominantly a result of things being typed into a form... you have no business acting so self-righteous. Instead, you should step back and re-think what privacy is, and how it pertains to the Internet.

        Erm, privacy is fucking pulling down the curtains to cock-block anybody getting information that I do not want them to have?

        I'm not being self righteous at all - I'm being a master of my own fucking information. Please master yours, or stop bitching about your loss of privacy. If you want to sell your info to get an app, have a nut, but don't bitch if you sold out yourself for a new shiny app.

        • ok if your an internet engineer than you undestand that the vast majority of internet data mining is tracking footsteps and breadcrumbs as people travel aroudn the internet and interact with sites, then doing various cross correlations and linking to find insights into what products these people may buy, then showing them ads for this product? And you understand that info about you is leaked by your browser, your computer, your IP address, and your IP?

          So even if a user never types in a single thing, lots of

          • So even if a user never types in a single thing, lots of info is logged, enought to

            Oh God, the internet demons got him. Fuck. They're probably anally probing him as we speak in Guantanamo. Bastards! Life isn't fair.

            So, as I said, don't put your personal shit out on the web, or you'll get butt-probed at Guantanamo. Just like Noah.

            • So, as I said, don't put your personal shit out on the web

              The point is that, short of logging off entirely and becoming a luddite hermit, it's incredibly hard to actually accomplish that! I have literally six different anti-tracking browser extensions going (BetterPrivacy, Lightbeam, RefControl, RequestPolicy, Self-Destructing Cookies and uBlock), and whitelisting cross-site requests extremely judiciously, and I still doubt I'm stopping all the tracking!

    • Don't have to give out personal information...

      For example go to TireRack (don't log in), look for tires for your car, then come to Slashdot (don't log in), and the first ad you see is an ad for the tires you just looked at on TireRack. Gee either someone is looking at cookies that they shouldn't be or both sites use the same analytics engine and that engine is tracking you across the sites.

  • Code that just still works as it was never updated.
    The heat saved, the cooling not needed as the intensive new encryption was not turned up.
    The cash saved in not having expert staff add new encryption that only modern browsers could really use.
    All that tracking adds to deeper understanding of the consumers and earns a profit.

    All a browser can do is load up on the more useful add ons to try and block most of the more direct site based tracking.
  • Here [archive.is] is an alternate link that won't feed Vice and here [timlibert.me] is the linked article. (pdf) The study is very broad but they consider as much as a Google tracking cookie to be "leaking your data", so it doesn't really say much.
    • they consider as much as a Google tracking cookie to be "leaking your data"

      Well it is, so they're right. Shit man, it's right there in the name. It's not the Google Friendly Cookie, it's not the Google Helpful Cookie, it's not the goddamned Google Blowjob Cookie. It's tracking you. It's the very definition of leaking your data. Maybe what you're confused about is the definition of "your data". Hint: "your data" includes where you go online.

  • by Chas ( 5144 ) on Wednesday November 04, 2015 @06:00PM (#50867115) Homepage Journal

    Especially with your mobile site with three rows of full-page-height (at 1920x1200 even) ads and a script popping an ad at the bottom that's almost comically impossible to retract?

  • All reported on (Score:5, Insightful)

    by Holi ( 250190 ) on Wednesday November 04, 2015 @06:08PM (#50867167)
    All reported on a site with links to Facebook Pinterest, Twitter, Tumblr, YouTube, and is most definitely using Google Analytics.
    • Re:All reported on (Score:4, Interesting)

      by amicusNYCL ( 1538833 ) on Wednesday November 04, 2015 @06:49PM (#50867403)

      Ghostery blocked the following on motherboard.vice.com:

      Alexa Metrics
      ChartBeat
      Facebook Connect
      Google Ajax Search API
      Google Analytics
      Google+ Platform
      Krux Digital
      Netratings Sitecensus
      Pinterest
      Quantcast
      Sailthru Horizon
      Scorecard Research Beacon
      Twitter Button

  • One story [here] just answered another on [slashdot.org]

  • This is a crap article and just pushing for the tool the guy built.

    All the tool tells you is that the site makes 3rd party requests (Ghostery does a lot better job at this than some random bundle of python scripts). It does not tell what any of those 3rd party requests are doing, nor whether any personal data is being "leaked" by the site itself. Nor does it tell you if the site is pushing data wholesale on the backend to 3rd parties.

  • The website isn't the leak. It just politely asks your browser to leak, and the browser naively complies. FWIW, people are sort of finally on this (e.g. PrivacyBadger) though we're still in the very early days of people-giving-a-fuck.

  • Pretty soon instead of blackholing domains I don't trust, I'm going to to have to start whitelisting the few that I do trust. Nice job corporate assholes, you ruined the internet.

  • That returns randomly generated crap when websites retrieve their cookies?
  • by account_deleted ( 4530225 ) on Thursday November 05, 2015 @12:02AM (#50868725)
    Comment removed based on user account deletion
    • If everybody did this there would be no value in your data. Sour the milk.

      You're confusing data quality and data marketability. While your proposal would diminish data quality, data quality is already pretty low as far as I can tell based on the supposedly "target" ads I see. But despite the fact that it's already unreliable at best, the companies collecting the data are still able to monetize it quite thoroughly, and will continue to do so no matter how bad the data gets. The companies (and governments) buying the data just want an excuse to do more of what they're doing. They d

  • For instance Slashdot: (orginally posted as AC)

    jadserve.postrelease.com
    cdn.taboola.com
    The following domains don't appear to be tracking you
    www.googleadservices.com
    cdn-social.janrain.com
    cdn.quilt.janrain.com
    player.ooyala.com
    widget-cdn.rpxnow.com
    slashcdn.com
    s.ntv.io

  • I just moved from an address where I was finally getting a handle on the junk mail is was getting. It had been a nightmare! Junk mail would find it's way into my mailbox yet the truly important stuff would get lost or delayed! Perhaps this is a result of the specific postal office for that address - bad local management, et al... HOWEVER - since I invoked permanent forwarding to my new address, I am getting deluged with junk mail again! Obviously, the default is for the USPS to opt-in my 'new' address to
  • ...why not every other entity. After all, isn't the government now a corporate entity?!

Keep up the good work! But please don't ask me to help.

Working...