HighContrast

Following my post yesterday on Twitter having to think carefully about privacy, a friend pointed me to a study that shows how social networks leak deep personal information, allowing third parties to combine what you do with who you are. Read the story here.

By itself, this may be absolutely OK depending on how much of this data is collected and how it’s used by third parties. However, most of the entities (targeting companies, ad networks, etc.) operate in a rather opaque manner for most consumers. First, you often don’t even know who those third parties are because they have no visible presence on the websites you visit yet your browser makes HTTP requests to them and they typically set multiple cookies on your machine. Many of them don’t even have a web site for a consumer to visit, for example, to figure out which business sits behind the URL and read their privacy policy.

A good (random) example is ad.yieldmanager.com, requests to which are typically hidden in the HTTP redirect chain. You need a tool like Live HTTP headers for Firefox to see them. If you make a browser request to ad.yieldmanager.com or yieldmanager.com you get nothing. The WhoIs record shows that Yahoo owns the domain.  If you go to www.yieldmanager.com you’ll be redirected to the HTTPS version of the page https://www.yieldmanager.com which Firefox will refuse to display because it has an invalid security certificate. You’ll have to go through several dialog screens in Firefox to make a security exception and see the site. It will show a login screen for RightMedia (an advertising exchange bought by Yahoo) but no information for consumers. If you hit the home page of RightMedia, you’ll see a tiny link to “privacy” on the bottom which takes you to the privacy policy of the corporate site. At the end of the third paragraph, there is a link to the privacy policy on ad.yieldmanager.com. If you click on that, you’ll finally get to find out what RightMedia collects from you and what they do with it. Well, sort of.

The privacy policy says “Non-personally identifiable information is automatically sent to the Yield Manager technology by a user’s web browser. This information includes the date and time of the ad request, the user’s Internet Protocol Address, browser type, and the web page that the user is visiting.” How can they be sure that the web page I’m visiting doesn’t have personally-identifiable information? Does my Facebook URL personally identify me? Do my LinkedIn, blog, FriendFeed, Twitter URLs personally identify me? You bet they do. I have no idea whether RightMedia operates on those sites but if they do and if they can see links that can be tied to my account I’d certainly argue that their privacy policy is misleading.

Oh, one more thing. Do you know what’s the title of the privacy policy? “CONFIDENTIAL” Huh? Somebody better fix that.

<head>
<title>CONFIDENTIAL</title>
<link rel="stylesheet" href="http://my.yieldmanager.com/styles/css.php" type="text/css">
<link rel="shortcut icon" href="http://my.yieldmanager.com/images/default_icon.ico" type="image/x-icon" />
<script language="JavaScript" type="text/javascript">if (top.location != location) { // if in frame
	top.location.href = document.location.href; // break out!
}
</script>
</head>

Do you think most consumers care about their information being potentially misused? I haven’t seen the studies but I hope lots do. How many of them do you think will be able to find out that yieldmanager.com/RightMedia exist and get around to finding the privacy policy and understanding it? Right.

In a world where it’s hard to even know who these third parties are let alone what one of the them says they are going to do with your information, how can anyone one be certain whether they’ll actually do what they said they would? Is it too much to ask that consumers have an easy way to (a) find out who collects data as they browse the Web and (b) have the privacy policy of those entities at most one or two clicks away?