In Red Flag Raised Over Websites Leaking Private Information, the Globe and Mail states The Office of the Privacy Commissioner of Canada has found that websites operated by major companies from retail, travel and media sectors have been giving user information they collected to other companies, without site visitors knowledge or agreement. They examined 25 of “the most popular sites targeted to Canadians,” and found that roughly one-quarter of them raised “significant privacy concerns.” They didn’t name the websites or companies and there are calls to name the companies.
In our earlier post Surprising Privacy Gaffes, we described 3 instances where personally identifable information (PII) was being stored in URL query strings. It’s likely that such incidences accounted some of the situations found by the Commissioner. We didn’t identify the situations we found. However, all companies were shocked when we showed them what was happening, and took action immediately to rectify the situation and improve process governance. The companies had strict internal PII governance but had not included external development companies.
The Globe and Mail article mentions that the Commissioner’s review was triggered by other studies, such as Privacy Leakage vs Protection Measures: The Growing Disconnect. Marketers should review this study. The reason these leakages occur is probably lack of knowledge (yes, I know, no excuse). This study is worth reviewing because it shows examples of the problems as information is passed from originating site via referrer links and describes data mining situations where information can be pieced together via 3rd party cookies or email IDs only from multiple sites. These examples can contribute to the education of developers so that these situations are prevented. For example, the following was sent from an employment category site to a doubleclick.net server, apparently daisy-chained from a nexac.com server (see p.6), where the na_ parameters contain PII:
The study also classified the ‘bits’ of information leaked and graphed the sensitivity against identifiability of the information. A total of 120 sites were reviewed and the numbers in the graph (see Fig.8 on p.5) show the number of sites in the study who leaked the bit of information.
It is unfortunate that it takes a publicized crisis to trigger risk-management action. However, a few ‘real stories’ may be necessary to raise the priority of this issue within organizations so that it gets the attention it deserves.