German report points to online privacy violations

Downloading software is fraught with risk. Even if a download is malware-free, companies often use the software to collect user data. And reselling that data can translate into big money, not to mention a violation of privacy.

But what if the privacy agreement and terms of use appear sound? According to a report by German broadcaster NDR, even seemingly legitimate websites might be misleading users about the level of protection they're offering them.

For the report, which aired on Thursday night, journalists from the show "Panorama" approached a third-party company that resells user data. Claiming to be a company that also deals in data sharing, the "Panorama" team was offered a free trial: a data set containing 10 billion URLs from roughly 3 million computers in Germany.

The results of their investigation purportedly show that the data set contained enough detail to identify individuals and uncover sensitive information about them, such as their profession, health status and, in some cases, their sexual preferences.

Moreover, the investigative team noticed that a significant amount of data came from Web of Trust (WOT), an add-on which claims to offer "free tools for safe search and web browsing" to over 140 million people.

Politicians in the data set

Among the 50 individuals identified by the NDR team were several German politicians, one of whom has close ties to German Chancellor Angela Merkel.

In reaction to the report, Greens politician Valerie Wilms, whose name appeared in the report, echoed concerns that puzzling together online activity could damage many politicians: "You're absolutely susceptible to blackmail."

Helge Braun, who acts as Minister of State to the Federal Chancellor, also appeared on the list, as did politician Frank Junge, of the center-left Social Democrats (SPD), who sits on the financial committee for the federal budget.

Speaking to the "Panorama" team, digital policy spokesperson for the SPD Lars Klingbeil called for tougher laws.

"I didn't know that these types of things are identifiable. Maybe people are naive in those situations, but we definitely need information about which data is being collected and what then happens to it."

The fine print

Under German law it is illegal to collect private information about an individual without consent. However, WOT stipulates in its privacy agreement that it "may disclose or share" information with third parties. This includes internet protocol addresses, geographic location, type of device, the date and time stamp, browsing usage, the browser identifier and user ID.

It further claims that the information is anonymized before being sold to a third party.

According to an explanation by German online activist group Netzpolitik.org, WOT and other companies create profiles based on the saved information and then package these profiles to sell.

Whatever the company's intention, "Panorama" argues that WOT's practice of selling even something as a simple as an email address and user name is enough to violate someone's privacy. And given that the data is saved on servers outside the country, users have not only unwittingly handed over private information, but they also are subject to the privacy laws of a country not their own.