The Wall Street Journal has analysed the top 50 sites in the United States plus 20 other top sites in sensitive categories like dating or health. They found that 25 of these sites — including OKCupid, Pinterest, YouTube and Yahoo — send personal data to other sites in the open, with no security encoding, using your own browser session.
The methodology looks good:
The Journal followed each site's suggested registration procedure, including email confirmation when necessary. In addition to registering, the Journal logged out of each account, logged back in, and browsed all known types of pages on the site — for instance, article pages, profile pages and setting pages. The Journal cleared its test computer of tracking files, known as cookies, between each browsing session.
During each browsing session, the Journal used mitmproxy, an open-source software program, to inspect the data being transmitted to and from the sites. This method reveals all data being passed via the Web browser. This serves as a "lower bound" for data sharing; companies can also pass data behind the scenes. Transfers of information to the sites themselves — or to domains owned by these "first-party" sites — were not counted as data leakage unless the domain served a significantly different purpose from that of the original site.
Of course, you may have agreed to let other companies contact you when you registered on those sites. But did you agree to let the site transmit your personal information in the open to other sites? I don't recall seeing that checkbox. [WSJ and WSJ]
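To check a site you run or use in the way the methodology above describes, register a throwaway account with known values, capture the browser traffic, and look for those values in requests to other domains. The sketch below is an added example, not the Journal's code: the flow records, domain names and test values are constructed, and `site()` is a simplified stand-in for a proper first-party domain list.

```python
from urllib.parse import urlsplit, quote

def site(host):
    # Assumption: the last two labels identify the owner. A real audit would use
    # the Public Suffix List plus a list of domains the first party owns.
    return ".".join(host.lower().split(".")[-2:])

def encodings(value):
    """Wire forms of a known test value: as typed and percent-encoded."""
    return {"plain": value.lower(), "url-encoded": quote(value, safe="").lower()}

def find_leaks(flows, first_party, test_values):
    """One finding per place (URL, Referer, body) in which a registered test
    value is sent to a host outside the first-party site."""
    findings = []
    for flow in flows:
        parts = urlsplit(flow["url"])
        host = parts.hostname or ""
        if site(host) in first_party:
            continue  # transfers to the site itself are not counted
        places = {
            "url": flow["url"],
            "referer": flow.get("headers", {}).get("Referer", ""),
            "body": flow.get("body", ""),
        }
        for field, value in test_values.items():
            forms = encodings(value)
            for place, text in places.items():
                hit = next((n for n, f in forms.items() if f in text.lower()), None)
                if hit:
                    findings.append({"to": host, "field": field, "where": place,
                                     "form": hit, "encrypted": parts.scheme == "https"})
    return findings

# Constructed sample data: values typed at registration and four captured requests.
TEST_VALUES = {"email": "audit.user@example.org", "username": "audit_user_7431"}
FLOWS = [
    {"url": "https://www.dating.example/profile/audit_user_7431", "headers": {}, "body": ""},
    {"url": "http://pixel.adnet.example/t?uid=9&e=audit.user%40example.org",
     "headers": {"Referer": "https://www.dating.example/settings"}, "body": ""},
    {"url": "https://cdn.widgets.example/like.js",
     "headers": {"Referer": "https://www.dating.example/profile/audit_user_7431"}, "body": ""},
    {"url": "https://stats.metrics.example/collect", "headers": {}, "body": "page=home&lang=en"},
]

if __name__ == "__main__":
    for f in find_leaks(FLOWS, {"dating.example"}, TEST_VALUES):
        print(f)
```

As the methodology says of its own capture, this only gives a lower bound: it sees what passes through the browser, and it will miss values that are hashed or otherwise transformed before being sent.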