In a report by the University of Denver in conjunction with the Privacy Foundation, researchers found that consumers unknowingly give up personal and often sensitive information in exchange for certain products.
The data is then used to direct advertisements that speak to a person's tastes.
"I think consumers are confused when they find out what they have to give up" for some products, said David Martin, a professor at the University of Denver who spearheaded the report. "They learn that it may be free of charge, but it's not a free gift."
For his report, Martin looked at 16 browser extensions designed to make surfing easier. Since the study began, however, three have gone out of business, and a few others have drastically changed their business models so the findings no longer apply.
Some of the products studied still exist, and the practice of software providers culling personal data without spelling it out to consumers has raised a few eyebrows in privacy circles.
All of the products examined for the report failed to provide clear notice to the consumers. Most transmitted more personal information than necessary. A few either didn't give people choices about which details would be collected or stored the data in systems that weren't secure, the report said.
The greatest concern, however, was the practice of monitoring search queries, which can be sensitive and personal. For example, if a person using some of the free software looked up information about AIDS, that query could then be stored as part of a consumer profile.
Zack Network, a San Mateo, Calif.-based company, appeared to be the most egregious offender, according to the report. Martin and the other researchers concluded that Zack collected more personal information than necessary, didn't tell customers the extent of the company's data gathering, offered no opt-out choices, and lacked security.
Representatives at Zack disputed those claims and charged that the findings are outdated. They say the company has since changed its business model and focuses on working with other businesses rather than with consumers.
"We don't log data, and we don't pay attention to the information," said Kristie Lolje, public relations manager at Zack. "Never do we coordinate Web surfing habits to a person's name."
Ray Everett-Church, chief privacy officer at Hayward, Calif.-based AllAdvantage.com, said some of the information in the report was useful--such as breaking down privacy policies into subgroups such as choice, notice, security and access.
But he said criticisms of privacy policies being too long or too difficult to understand were "contradictory and confusing."
AllAdvantage was knocked in the report for not giving consumers notice.
Other companies and products mentioned included SurfMonkey, NeoPlanet, CueCat and Flyswat.
Martin said he believes many companies didn't intend to collect sensitive data, but it became an unintended consequence when developing products.
An easy way to remedy the problem after the fact, he said, is to rewrite privacy policies that explain exactly what kind of information is being gathered from a consumer and how it will be used.