On the Privacy Practices of Just Plain Sites
Amirhossein Aleyasen, Oleksii Starov, Alyssa Phung Au, Allan Schiffman, and Jeff Shrager

TL;DR
This paper investigates privacy risks on small, less prominent websites called 'Just Plain Sites', revealing they often collect, share, and track user data insecurely, highlighting a need for increased awareness and better practices.
Contribution
It provides an empirical analysis of privacy practices on JPSs, exposing prevalent insecure data collection, sharing, and tracking behaviors that are less common on high-profile sites.
Findings
Many JPSs collect extensive user data
JPSs frequently share data with third parties
Deprecated or unsafe security practices are common among JPSs
Abstract
In addition to visiting high profile sites such as Facebook and Google, web users often visit more modest sites, such as those operated by bloggers, or by local organizations such as schools. Such sites, which we call "Just Plain Sites" (JPSs) are likely to inadvertently represent greater privacy risks than high profile sites by virtue of being unable to afford privacy expertise. To assess the prevalence of the privacy risks to which JPSs may inadvertently be exposing their visitors, we analyzed a number of easily observed privacy practices of such sites. We found that many JPSs collect a great deal of information from their visitors, share a great deal of information about their visitors with third parties, permit a great deal of tracking of their visitors, and use deprecated or unsafe security practices. Our goal in this work is not to scold JPS operators, but to raise awareness of…
Taxonomy
Topics: Privacy, Security, and Data Protection · Internet Traffic Analysis and Secure E-voting · Spam and Phishing Detection
