Guess Which Websites Are Sharing Your Personal Data With the World Without Telling You?

You know that “Of COURSE we won’t share your personal data with anyone! Why ever would we do that?” message you get from a lot of websites when you sign up for an account with them? Well, bad (if somewhat unsurprising) news: They’re probably lying, and the Wall Street Journal has the cold, hard facts to back it up.

WSJ.com put out an interactive over the weekend that details which websites might be sharing your personal information without your knowledge. Here’s how they did it: First, the Journal made their picks as to which sites to test by drawing on data from Web measurement firm ComScore’s list of the 1,000 most popular sites on the Internet. From there, they narrowed it down to the top 50 sites that allowed users to create accounts (excluding sites that require an IRL account, like banking sites).

For each site — including their own — WSJ created an account that included a name, username, email address, birth date, location, and password. Then, they logged out, logged back in, and surfed around for a bit, making sure to clear out their cookies between each browsing session. While they browsed, they used an open-source program called mitmproxy to take a look at the data coming into and going out of each site.

So which sites are guilty of doing it? Rather a lot, it turns out — many of which most of us use on a daily basis. Online dating sites were the worst offenders; Match.com sends email addresses, dates of birth, zip codes, and other data to four companies, while OKCupid sends all of those types of data plus usernames to a whopping ten companies. At least OKC is transparent about it; according to their CEO, Sam Yagan, “None of this information is personally identifiable” — email addresses sent to Rapleaf, for example, are coded, or “hashed.” The site collects large amounts of data for advertising purposes; says Yagan, “Advertising is and always will be part of the business model. It allows the product to be free.”

Surprisingly, though, the online image sharing service Photobucket is one to watch out for — hashed email addresses, usernames, ages and birth years, and zip codes go to 11 companies; the company also didn’t respond to the Journal for comment, so hmmm. Hmmmmmmmmmm. If I had a beard, I would be stroking it in a thoughtful fashion right now.

At least it’s not as bad for some sites which may be favorites of yours; Pinterest, for example, used to send uncoded email addresses and names to Facebook, Google, and Google Analytics, but stated that they no longer do this. For their part, Google and Facebook say they don’t want, use, or keep any personally identifiable information sent by companies. YouTube passes age and birth year to Google Analytics for advertising purposes, and WebMD does the same thing with Lotame.

Want a look at the full list? Head on over to WSJ.com—if, that is, you don’t mind the fact that your email address, name, and birth date might be passed along to someone else if you have an account on the site. Just, y’know… FYI.