Opt-in Procedures of Web Sites Selling Information to Third Parties

Ryan Kaczowka – Youngstown State University
Chris Hoofnagle, J.D.
Nathan Good, Ph.D.

Background

In order to subsidize free services to consumers, web sites often need to sell customer information to third parties including advertisers, aggregators, and direct marketers. NextMark (lists.nextmark.com) is a leading exchange for such information, which boasts a database of over 60,000 telephone, postal, and email lists available to search through and purchase. NextMark maintains a “datacard” for each list. The datacard describes the list, including the privacy rules that governed collection of information about the consumer. This is important because list buyers can be liable for knowingly using information from a company that promised not to sell customer data (see In re Datran Media). In this study, we focused on representations to list buyers about the privacy rules governing consumer information.

Methods

We started by crawling the NextMark database for consumer e-mail lists matching “.com”, “.net”, and “.org” datacards that could be traced to their source web sites. This narrowed the set from 60,000+ to 3,653 items. After scanning for valid URLs, we were left with only 499 unique domains. We created a Gmail account, using plus notation to generate a unique address for each domain. We signed up for each site and noted both the privacy procedure stated on the datacard (highlighted in green in the sample datacard) and the privacy procedure actually employed by the web site. We discarded data brokers, broken web sites, missing web sites, and web sites that required purchases, leaving us with 197 sites we were able to analyze.

Definitions

We found four categories of privacy on the NextMark datacards we used:

Opt-in is the lowest level of privacy. According to the NextMark glossary, opt-in usually involves a checkbox that must be checked to enable third-party information sale. However, many web sites consider clicking a register button on a site with a privacy policy to be sufficient to opt in a user.

Confirmed opt-in refers to web sites that send a confirmation e-mail after a person signs up.

Double opt-in refers to a web site that requires a user to create an account, log in, and manually opt in to third-party information sharing. Out of the web sites we tried, only one used this method.

Unknown can be any of the three above. Almost half of the datacards had “unknown” privacy.

In our observed procedures, we further categorized confirmed opt-in into plain e-mail confirmations and e-mail confirmations with activation links.

[Figure: Sample Datacard]

Results

Out of the datacards with “unknown” privacy, over half were confirmed opt-in or confirmed opt-in with a confirmation link. Only one was double opt-in, and the rest were simply opt-in. Sites with a larger number of names on their mailing lists are more likely to be opt-in. Sites employing confirmed opt-in have slightly over half the average total universe of opt-in sites. Sites using confirmed opt-in with an activation link have less than half the average total universe of confirmed opt-in sites. The one double opt-in site has a very low total universe relative to the others. Web sites stated by NextMark to be DMA members were much more likely to have an “unknown” stated privacy procedure.

Results (cont.)

Stated DMA members were also more likely to have opt-in privacy than non-DMA members.

Conclusion and Future Work

The study did not find significant correlations between stated and observed procedures. Many of the stated procedures were incorrect, but they were just as likely to employ a higher level of privacy as a lower level of privacy. Still, we found that many web sites consider that by merely signing up for an email list, the user also consents to unrelated, third-party advertising, and as lists get larger, they are more likely to have weaker privacy protections for users.

A future study could look deeper into the opt-in process, keeping track of opt-in checkboxes and whether they are checked by default. Further research could also include checking whether the sites respect opt-in/opt-out.
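The plus-notation step in Methods, shown as an added example that is not code from the study: it reduces datacard URLs to unique domains, derives one tagged address per domain, and maps a received message back to the site that was given that address. The mailbox name `study.inbox`, the sample URLs and headers, and the sender-domain comparison are assumptions made for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

MAILBOX = "study.inbox"      # hypothetical Gmail local part, not the study's account
MAIL_DOMAIN = "gmail.com"

def site_domain(url):
    """Reduce a datacard URL to a bare lower-case host name, or None if unusable."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host if "." in host else None

def plus_addresses(urls):
    """Map each unique domain to its own plus-tagged signup address."""
    out = {}
    for url in urls:
        dom = site_domain(url)
        if dom and dom not in out:
            out[dom] = f"{MAILBOX}+{dom}@{MAIL_DOMAIN}"
    return out

def attribute(to_header, from_header):
    """Return (signup_domain, sender_domain, third_party) for a received message.

    third_party is a heuristic (assumption): it is True when the sender's domain
    is neither the signup domain nor a subdomain of it. A site mailing through an
    e-mail service provider also trips it, so hits need manual review.
    """
    rcpt = parseaddr(to_header)[1].lower()
    sender = parseaddr(from_header)[1].lower()
    base, plus, tag = rcpt.partition("@")[0].partition("+")
    if base != MAILBOX or not plus or not tag:
        return None              # not sent to one of the tagged addresses
    sender_dom = sender.rpartition("@")[2]
    third_party = not (sender_dom == tag or sender_dom.endswith("." + tag))
    return tag, sender_dom, third_party

if __name__ == "__main__":
    # Constructed sample input
    urls = ["http://www.example.com/signup", "example.com", "https://news.example.org/", "N/A"]
    for dom, addr in plus_addresses(urls).items():
        print(dom, "->", addr)
    print(attribute("study.inbox+example.com@gmail.com", "promo@partner.example.net"))
```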