On the Privacy Practices of Just Plain Sites

In addition to visiting popular sites such as Facebook and Google, web users often visit more modest sites, such as those operated by bloggers, or by local organizations such as schools. Such sites, which we call \"Just Plain Sites\" (JPSs), are likely to inadvertently present greater privacy risks than highly popular sites, because they are unable to afford privacy expertise. To assess the prevalence of the privacy risks to which JPSs may inadvertently be exposing their visitors, we examined privacy practices that could be observed by analysis of JPS landing pages. We found that many JPSs collect a great deal of information from their visitors, and share a great deal of information about their visitors with third parties. For example, we found that an average of 7 third party organizations are informed when a user visits a JPS. Many JPSs additionally permit a great deal of tracking of their visitors. For example, we found that third party cookies are used by more than 50% of JPSs. We also found that many JPSs use deprecated or unsafe security practices. Our goal is not to scold JPS operators, but to raise awareness of these facts among both JPS operators and visitors, possibly encouraging operators to take greater care in their implementations, and visitors to take greater care in how, when, and what they share.