1. This work was supported by the TRUST Center (NSF award number CCF-0424422) Third Party Information Sharing Disclosure Practices Cody Rigney – Youngstown State University Faculty Mentors: Chris Hoofnagle J.D., Nathan Good Ph.D Results Methods We collected data cards (a page that describes the mailing list being sold) from lists.nextmark.com using a python script. To ensure we had accurate provenance information, we only focused upon data cards that sold data from a particular, named website, such as "whisperfromwallstreet.com." A Clear Violation: Unambiguously Promises Not to Sell Data Ambiguous Policy No Violation: Clearly States that Data will be Shared Example from adammesh.com Example from smartmoney.com Example from writersdigest.com Methods(cont.) We categorized them as follows: Example of a data card from Nextmark’s website Introduction There are many companies that sell personal information, such as email addresses or any other information they have, to various third parties for marketing purposes. These third parties could consist of anyone who has internet access and the money to purchase the information. A free search engine for this data exists at lists.nextmark.com. In 1995, Culnan explained that ethical sale of consumer information should reflect “knowledge, notice, and no.” This means that consumers should know about data selling practices, receive notice of them, and be able to object.[1] We focus here on notice—our project explores how companies inform consumers that they will sell data to third parties for marketing purposes. After removing duplicate data cards and URLs, we had 499 unique domain names in these data cards. We then went through each data card to make sure that the domain name was the actual source of the information on the list. We discarded any data cards with domain names that were not. We used a database to store the privacy policies of all the leftover domain names from the data cards. We also discarded any that did not have privacy policies, dead websites, and marketers. This left us with 271 websites to analyze. We went through each website and analyzed how they disclosed their information sharing practices. Significant Findings: 12 Companies were dishonest in their privacy policies by stating clearly that they did not share information, when we have data cards demonstrating their offer to sell this data. 122 Companies were ambiguous about information sharing practices. This means that we could not be certain about their information sharing policies. 137 Companies were honest by stating that users’ information is being shared to 3 rd parties. We also examined how many of the analyzed websites were in Quantcast’s top million or ten thousand most popular websites, respectively. Results(cont.) 172 of the 271 websites were listed in the top million websites. 65 of the 271 websites were listed in the top ten thousand websites. Note: There are over 350 million websites in existence to date for comparison. Flesch–Kincaid readability test on Privacy Policies Mean Kincaid of sharing policies: 14.239 Standard Deviation: 4.7188 Mean Kincaid of non sharing parts of policy: 12.074 Standard Deviation: 1.9222 As one can see, it seems as though 3 rd party information sharing policy is written at a higher level, on average, than the rest of the privacy policy, but this finding is within the standard deviation, so it is not significant. Conclusion A large number of the websites studied are relatively popular, so the practice of information sharing affects a wide population. Information sharing remains a controversial topic with consumers, yet the websites we analyzed presented their data selling policies with complex language. Mandatory use of readable and direct language on information sharing could address the problems we demonstrated. References [1] Mary Culnan, Consumer Awareness of Name Removal Procedures: Implications for Direct Marketing, 9 Journal of Direct Marketing 10 (Spring 1995). A similar framework was explored using teleological and deontological theories by Ellen R. Foxman & Paula Kilcoyne in Information Technology, Marketing Practice, and Consumer Privacy: Ethical Issues, 12 Journal of Public Policy & Marketing 106 (Spring 1993). This framework seems to originate with Cathy Godwin in Privacy: Recognition of a Consumer Right, 10 Journal of Public Policy & Marketing 149 (Spring 1991).