"Sites which leak user data contact an average of nine external domains, indicating users may be tracked by multiple entities in tandem. By tracing the unintended disclosure of personal browsing histories on the Web, it is revealed that a handful of American companies receive the vast bulk of user data. Finally, roughly one in five websites are potentially vulnerable to known NSA spying techniques at the time of analysis," the study said. Libert used the webXray open-source software platform that was modified for the study, and was used to detect tracking on the sites selected.
Explaining further, Libert told Motherboard, "There is one Web users see in their browsers, but there is a much larger hidden Web that is looking back at them. I always find it funny when old TV shows will have a gag where somebody on the screen can 'see' into your living room - it's obviously silly with old technology, but that's really how the Web works! For every two eyes looking at a screen there are probably ten or more looking back at them."
Another notable finding of the study was that around 78.07 percent of the websites listed in the Alexa top million initiate third-party HTTP requests to a Google-owned domain. "While the competitiveness of Google is well known in search, mobile phones, and display advertising, its reach in the Web tracking arena is unparalleled. The next company, Facebook, is found on a still significant 32.42 percent of sites, followed by Akamai (which hosts Facebook and other companies' content) on 23.31 percent of sites, Twitter with 17.89 percent, comScore with 11.98 percent, Amazon with 11.72 percent, and AppNexus with 11.7 percent," detailed the study.
Notably, the study even found that users can be tracked by websites despite opting for a 'Do Not Track' policy. "If you visit any of the top one million sites there is a 90 percent chance largely hidden parties will get information about your browsing. Most troubling is that if you use your browser setting to say 'Do Not Track' me, the explicitly stated policy of nearly all the companies is to flat-out ignore you," Libert told Motherboard.
The study also pointed out that the only website in the top ten list that respected 'Do Not Track' was Twitter. "It is important to note that Twitter follows the reasonable definition of opt-out, namely user data is not collected," said the study.
Libert also suggested that the NSA was spying on the companies that spied on people. "The other take-away goes back to the Snowden revelations on the NSA spying programs. What we really learned wasn't that the NSA was spying on people - it's that the NSA was spying on companies that were spying on people - which is way easier as there are a handful of companies (like those in the PRISM slide) who need to have their arms twisted into cooperating," he said.