The press has performed admirably in reporting on privacy violations by the National Security Agency and major internet companies. But news sites often expose users to the same surveillance programs and data-collection companies they criticize. Even stories that explained how the N.S.A. was using Google cookies to “pinpoint targets for hacking” often included the exact same cookies revealed by Edward Snowden. Likewise, stories about Facebook and Cambridge Analytica often include Facebook tracking code, allowing Facebook to keep tabs on what people read.
Surveillance on news websites is particularly problematic because the news you consume may reveal your political leanings or health interests — information that is not just exploited by corporations to sell you things, but could also be abused by governments. And because news organizations benefit from the surveillance economy by running advertisements targeted to reader interests, they may be less likely to report on their own tracking practices.
A recent article on The Times, “Can an Abortion Affect Your Fertility?”, provides a useful example of how privacy is infringed on news websites. I used my software platform, webXray, to load the page 10 times in a row with the Chrome browser. During each page load the software kept track of data transfers made to outside companies and generated a summary of what happened.
This type of tracking is standard practice in the news industry, and The Times is far from the worst offender.
In a recent study I conducted with Reuben Binns, we compared 4,000 United States-based news sites with 4,000 non-news sites. The news sites exhibited a significantly higher reliance on outside companies to manage a range of site functions such as advertising and hosting fonts. These outside companies often maintain vast databases of personal web browsing habits, which they may sell or use for targeting advertisements.
Some of these companies, like Google and Facebook, have cooperated with the N.S.A. and may be legally required to disclose user data to law enforcement. Some may do so voluntarily. Worse, only 10 percent of these outside parties are disclosed in privacy policies of the news sites we studied, meaning even diligent readers will never learn who collects their data. From a privacy perspective, news websites are among the worst on the web.
News organizations did not create the surveillance-for-profit system that exists today. At the dawn of the internet era, advertisers demanded tracking to ensure that ads were being shown to humans, not bots. Then, as advertisers pushed for ways to better target ads, adtech companies created vast networks to harvest user data and broker ads on billions of web pages, providing a one-stop shop for advertisers to reach web users.
At the same time that adtech networks began to dominate web advertising, traditional forms of advertising and subscription revenue for newspapers began to dry up. In a rush to stop the bleeding, many news outlets partnered with adtech companies to gain entry to their expanding networks. These early decisions put news organizations on a path whereby they sacrificed reader privacy, reduced their ability to maintain direct relationships with advertisers and ultimately put their survival in the hands of middlemen like Google.
The result is that as online advertising networks become more highly centralized, the old model of a distributed and independent press is being replaced by one where giant technology companies control user data and the purse strings.
While the problems are significant, two approaches, both mandated by Europe’s General Data Protection Regulation, or G.D.P.R., might benefit news outlets and readers. The first, data protection impact assessments, requires organizations to engage with users so their needs may be understood and considered. This could involve creating a digital ombudsman or public editor to represent the privacy concerns of readers.
[If you’re online, chances are someone is using your information. We’ll tell you what you can do about it. Sign up for our limited-run newsletter.]
A second G.D.P.R.-mandated approach, privacy-by-design, requires tech companies to develop software that makes privacy the default mode of operation, embedded at all levels of a system. In privacy-by-design, respect for users is paramount. Instead of tracking users as the default, requiring them to “opt-out,” the default in privacy-by-design is that users must “opt-in” to tracking used for advertising. The result may be less precisely targeted advertising — and much greater privacy.
Like any piece of large legislation, G.D.P.R. is complicated. But improving user privacy can be quite simple. When I loaded “Can an Abortion Affect Your Fertility?” in the European Union, I discovered that The Times has a cookie called “nyt-gdpr.” When readers load an article on the Times website, those protected by G.D.P.R. get a page that better protects their privacy. In comparison to the nearly 50 companies tracking users on that article in the United States, I found only 16 in the European Union. On the United States version of the Times website, I also found over 100 cookies placed by outside companies, compared to just 28 in Europe.
Jean-Christophe Demarta, an advertising executive at The Times, recently told Digiday that even with G.D.P.R.-related changes, The Times’s “digital advertising business continues to grow nicely.” If people everywhere should have the same fundamental rights to privacy as Europeans, and if providing privacy is not unduly harming revenue, why shouldn’t The Times provide enhanced privacy to all its readers?
Readers everywhere could then be more confident that their interests in politics, health and other sensitive topics would not be subject to government surveillance or sold to the highest bidder. In the same way The Times leads in high-quality news coverage, it could also lead in respecting reader privacy.
Dr. Timothy Libert is a faculty member in computer science at Carnegie Mellon University, where he teaches in the privacy engineering program.