It’s no longer a surprise to learn that websites are tracking your every move, but many people are under the impression sites that handle sensitive personal data are a respite from the data-hungry destinations like social networks and search engines.

Unfortunately, a study that looked at the tracking habits of major financial institutions suggests users may not be as private as they assume.

According to eBlocker, a German company that manufactures tools for online privacy, there are more than 110 third-party trackers snooping on users every time they visit the homepage of 10 of the most popular financial institutions in the United States.

Read: Mobile Banking Apps Now Let You 'Turn Off' Debit Cards To Fight Fraud

PNC Financial Services, which operates in 19 states and the District of Columbia, was the largest offender, with 33 trackers identified on its website. PNC did not respond to a request for comment on its trackers, but the institution’s privacy policy makes relatively clear the company’s position.

While the company insists it is “committed to treating and using personal financial information about you responsibly,” it also notes that visitors to its site on both desktop and mobile devices may have their data collected by third-party companies and makes no guarantees that recorded information will be anonymized. “Such data may or may not be personally identifiable to you,” the privacy policy states.

In a privacy notice issued to customers last revised this month, PNC note that it shares information for business purposes, marketing purposes and its affiliates—much of which its customers have no option to opt out. For the few instances customers can opt out, they have to do so by calling an 800 number.

Read: Millennials And Money: How Fintech Will Help Lower The Risks In A Cashless Society

While PNC has the most trackers, it is far from the only companies implementing the third-party data collection tools. According to eBlocker’s research, TD Bank—which boasts more than 8.5 million customers in the U.S.—has 20 trackers on its site. BNY Mellon, which operates in the U.S. and the United Kingdom, has 14 trackers.

US Bank and JPMorgan Chase each have nine trackers, while Bank of America, Citigroup and Capital One have six while Wells Fargo has five. HSBC, which serves 37 million customers worldwide, had the fewest number of trackers of the bunch with just two identified on its website.

What exactly are these trackers taking from users when they visit their bank’s website? It’s hard to say for sure without going under the hood of each tacker—there is no requirement for complete disclosure of what is recorded and how it’s used, so most sites don’t provide such details—but eBlocker CEO Christian Bennefeld has a pretty good idea of just what the trackers may take.

Prior to starting eBlocker in 2013, a company dedicated to providing users with privacy solutions, Bennefeld was playing for the other team. He founded eTracker, a web analytics tool that tracks user behavior on websites.

Bennefeld told International Business Times he left that part of his career behind him to "give my life a better meaning," but he is still quite familiar with just how much information is collected by tracking services like the one he started.

He said sites running eTracker could record just about every way a person interacts with a website, down to their mouse movements—information that website owners use to determine how their site is being used and how to improve its functionality.

Included in the data recorded from each user’s session on a site is the information entered into forms. On a financial site, this could include sensitive personal information. “Imagine you're entering your salary into a form for a loan,” Bennefeld said. “That can be aggregated or grabbed from the website from a tracking firm.”

Depending on the tracker and the type of technology it utilizes, it’s even possible for it to record a user’s information displayed on screen. For those who do their banking online, that could mean their credit score or even account balances could be collected.

"If you're accessing your account using online banking, technically we can easily see your account balance on the tracking website,” Bennefeld said. “Technically speaking, it's easy and is being done by trackers all over the world."

These practices, along with the practice of “fingerprinting,” in which sites and trackers gather information about a user’s computer including seemingly innocuous details like battery status or browser window size to identify them, make it increasingly easy for services to pinpoint a visitor.

That type of data tracking is likely of particular concern for any user who expects their online banking experience to be private and secure. But for banks, there is considerable value in allowing third-party trackers to leech information from each person who visits their website.

Structure Security
Newsweek is hosting a Structure Security event Sept. 26-27 in San Francisco. Newsweek Media Group

Bennefeld suggested the banks likely use the aggregated data collected by third parties to help make risk assessments on customers.

With information gathered by the trackers, which can follow a user’s experience around the web as they land on page after page with the same trackers running behind the scenes, financial institutions can already have an idea if an applicant for one of their services—be it a loan, mortgage or savings account—will be a good fit before they even fill out the forms.

There is also little to discourage financial institutions from engaging in the practice, especially in the U.S. Bennefeld said in Europe, disclosure laws require companies to name third-party services operating on their sites and include data policies for how the information is collected and used.

Rules regarding those types of disclosures are considerably more lax in the U.S., which is why many of the trackers spotted on the top banks in America aren’t found on financial institutions in the European Union.

For example, nine of the 10 sites examined by eBlocker included a tracker from Google. Bennefeld said it’s “really, really rare” to see such a tracker from the search giant operating on a financial website in the EU, in part because disclosure requirements discourage companies from lacing their site with trackers.

The likelihood of similar privacy disclosure laws making their way across the Atlantic to the U.S. seems low. One needs to look no further than the decision Congress made earlier this year to kill a regulation passed by the Federal Communications Commission that would have required internet service providers to ask customers before collecting and selling personally identifiable information from their web browsing behaviors.

Instead, users of financial sites have to take privacy into their own hands—a task that is easier said than done. While virtual private networks (VPNs) are becoming an increasingly common tool for online privacy and are valuable to counteract some trackers, it only serves to obscure a user’s IP address. That won’t totally anonymize a user—especially if they log in to the site, effectively making their visit personally identifiable to trackers.

Bennefeld suggests users concerned with their privacy make use of browser plugins that serve to counteract trackers and other data-collecting tools that operate on the website of their bank of choice.

He suggested tools like Ghostery, a plugin available for most major browsers that can identify and block most tracking services online. According to Trackermap, a service operated by Evidon, which Ghostery licenses its tracker library from, PNC’s website has 25 trackers—fewer than the 33 identified by eBlocker.

In addition, Bennefeld advised users to use tools like ad blockers that can help restrict the data collection practices of many ad networks—though he warned in the case of most plugins, information about browsing activity is still collected and made available to the plugin creators. In some cases, this can be prevented but in general it’s a choice to trust they have the user’s best interest in mind.

That is likely a safer bet than trusting that information to third-party trackers, who Bennefeld warned do not always play by the rules.

A previous study conducted by eBlocker that examined trackers on websites targeted at children found that, despite laws restricting the amount of data that can be collected on children under the age of 13, sites and trackers often skirt these requirements by claiming they are targeting kids over the age of 14—even when their product clearly skews toward a younger audience.

Financial institutions in the U.S. have a legal obligation to ensure the finances of their patrons. Until there is a similar requirement for the protection of customer information, visitors to banking websites should feel no shame for doing the data equivalent of keeping their money under their mattress.

Newsweek’s Structure Security conference on Sept. 26-27 in San Francisco will highlight the best practices that security professionals are using to protect some of the world's largest companies and institutions, join us for two days of talks, workshops and networking sessions with key industry players - register now.

RELATED STORIES
Security Security Privacy