Tracking, Targeting & Trade-Offs
Balancing the benefits of personalization with the worries over online privacy
The Web Behind the Web
In a disheveled cubicle deep inside the data center of a major consumer products company – call it Company Z – a "quant" (quantitative analyst) squints at rows and rows of numbers scrolling up his screen. Captured there in percentages and decimal points is a detailed portrait of the people buying his company's products. The quant is finding the patterns, uncovering the dependencies, statistically validating the data points that determine who their next customer will be.
Far away on the West Coast, in a loft-style office that houses Company Z's digital marketing agency, a buyer is working a bank of monitors like a Wall Street trader. Armed with the quant's data profile, she makes bids and buys screen space on very specific computers. Who's online right now that meets A, B and C criteria? Who's put product Q in a shopping cart in the last 24 hours? Who has a Facebook friend with a birthday coming up in the next three days? X dollars are bid here, Y dollars there. The money flows out, the data flows in, the marketing wheels churn.
Sipping a latte in a coffee shop near a suburban office park, Mr. A-B-C flips open his laptop and visits his usual sites. On the first, he sees an ad for a Company Z gizmo. On another site, there's a different gizmo, again from Company Z. On a third, an offer of product reviews for gizmos that ultimately leads to Company Z's online storefront. Before long, Mr. A-B-C decides to look around and see what he can find out about gizmos.
This oversimplified, hypothetical scenario illustrates the data dynamic that's increasingly fueling the engine of commerce. Online data has become the lingua franca for a number of industries – retail, banking and finance, insurance, media and entertainment and more. The use of online data for targeting consumers – also called "online behavioral targeting," or OBT – is one of the fastest growing commercial phenomena of our times. And seemingly every day, that data grows more and more specific, to the point where it's not unrealistic to anticipate finding specific individuals in a company's marketing crosshairs.
The leveraging of personal data, both for marketing and personalization, is arguably a major factor in the evolution of the online experience as we know it today. But the exploding scale of its collection and use – and increasing consumer awareness of the practice – has launched a debate about how best to collect and use data to enhance the Web experience while protecting the privacy rights of consumers.
A Glimpse Into the Tracking Ecosystem
Scores of companies are in the online data business. Some collect data from individuals' Web browsers and offline sources like auto registration and real estate records. Others aggregate and analyze the data – sometimes down to semantic analysis of what a user writes in comments or social media updates. Still others package it and offer it for auction on online exchanges to still other companies that place online ads, or to websites themselves, who use it to tailor content, offers, and even pricing based on the profile of the person sitting on the other side of the browser.
The moment a consumer puts an item in a shopping cart, makes a bid on an auction site, or takes any number of innocuous actions, that information is put up for sale – virtually instantly – often for just fractions of a penny. (It adds up, quickly, though; targeted advertising commands a 100+ percent premium over non-targeted ads.)
This is happening hundreds of millions, even billions of times a day. BlueKai, a major vendor of online data, claims to have "actionable" audience data on more than 200 million users – "that's over 80% of the entire US Internet population at your fingertips," according to its website. It claims to transact over 75 million auctions daily. 1www.bluekai.com
Lotame, another major player, offers advertisers and publishers profile data based on "over 240 billion monthly collected interests, actions, and attributes." 2http://www.lotame.com/solutions/advertisers/ In their trademarked "Crowd Control" platform, one finds categories including "Reach & Frequency – How often and when people express interests and/or actions," and "Sentiment & Exposure – What people say, what they read, and when and how they say and read." 3http://www.lotame.com/solutions/audience-data/ Eric Porres, Lotame's chief marketing officer, told The Wall Street Journal, "We can segment it all the way down to one person." 4The Wall Street Journal, “The Web’s New Gold Mine: Your Secrets,” by Julia Angwin, 7/30/10
OpenAmplify is a company that performs semantic analysis of text input by users, claiming to understand "exactly what's being said: the topics being discussed, the sentiment towards those topics, the actions, intentions and emotions being expressed." Specifically for social media, "OpenAmplify understands what's really being said: it understands where the focus of the conversation lies, and how the author is emotionally engaged with each of the topics." 5http://openamplify.com/adnetworks_targeting And it claims to perform that analysis and deliver results in milliseconds.
Tracking Is a Good Thing
Since the advent of direct mail marketing more than a century ago, advertisers have recognized the value of being able to target the individuals most likely to buy their products. As consumer data became more available in the second half of the 20th century – public home ownership and motor vehicle data, for example – advertisers were able to narrow their targeting to smaller and smaller pools of more and more promising prospects, increasing the efficiency and effectiveness of their efforts.
Apply that same dynamic to the Internet, with its treasure trove of easily collected and parsed data, and you have a direct marketer's dream come true at a heretofore unimaginable scale. Advertisers can zero in on consumers that match a number of criteria in a company's "likely buyer" profile, no matter where they are, with an immediacy never before possible in any medium.
Granted, the impact of an online banner ad is unlikely to match that of a full-page spread in Time magazine or a 30-second commercial in the SuperBowl. But still, the ability to target large numbers of likely prospects for a relatively low cost-per-thousand is clearly a boon to advertisers.
It's also a boon to online publishers, many of whom are still working out their revenue models. Income from targeted advertising is often more than double that of non-targeted advertising. That revenue pays for the news stories, the sports features, the maps and directions, the videos, the weather forecasts and the social media connections that users depend on and get for free.
The other benefit that certain online tracking brings to users is the ability to have streamlined, focused experiences – to be served relevant content and recommendations, for example. Under the proposed privacy controls being discussed in Washington, anything beyond the first-party domain typed in the address bar would likely be unavailable.
The bottom line is that a certain level of tracking brings benefits to both website owners and to users. It's not all about users being stalked by shady outfits with questionable intent. But there are concerns being raised that about the potential consequences of extensive tracking.
Tracking Is A Worrisome Thing
Concern about online privacy has grown with each new advance in business's ability to track, follow and profile online users, though the scale and pervasiveness of that tracking and profiling only gained wide public visibility last year.
Back in 2009, Google, the Internet's biggest and favorite target, drew scrutiny when it introduced its new ad exchange, which provided very specific data on individuals for advertising targeting.
For many, it was the first glimpse into a vast underworld of agents hidden in browsers and stock market-like exchanges where personal data is bought and sold real-time.
Consumer advocacy organizations have become more vocal, especially last year, about online privacy issues. While they are concerned about online behavioral targeting for ads and advocating more consumer control in that area, many are more concerned with potential non-advertising uses of detailed online user data.
"What is the problem with having dozens or hundreds of companies know all of these things about your private life, your business life, your health, etcetera?" asks Peter Eckersley, senior staff technologist at the Electronic Frontier Foundation, in an interview with Benchmark. "There are different scenarios where that turns out to be problematic. One is, some law enforcement agent goes and obtains a copy. Another is, some lawyer, a divorce lawyer or party in a civil lawsuit, sends subpoenas and starts moving around in this data. Another example would be insurers. You certainly might not want insurers having access to your online search terms because they could use that to say, 'wait, we can find grounds to deny you coverage.'"
There's Money in Watching & Tracking
"We just did a survey of the top one thousand websites," Rob Shavell, co-founder of Abine, one of the only companies that offers consumers a full suite of online privacy tools, told Benchmark. "Our crawler visited the home pages – just the home pages – of the top one thousand websites. Our software looks at all of the requests that go out from those websites when you visit the home page.
"Keep in mind you haven't clicked on anything. You haven't indicated that you want to read an article, that you want to register at the site – you haven't done a thing except go there. Now, out of those 1,000 sites, we found 38,633 requests silently going from those sites to third parties."
That's more than 38 calls going out just from the act of visiting a single website and doing nothing else. Some of those calls are for legitimate content – assets from content distribution networks, content feeds from other sites – and some are for analytics. Some are the ads you see displayed on the page. But many are from trackers that want to get inside your browser and find out where you've been, where you go, what you think and do, and what you might buy.
The Wall Street Journal ran similar tests last summer and found an average of 64 tracking files or tools installed for the top 50 U.S. websites; a dozen sites, including msn.com and comcast.net, installed over 100. Dictionary.com installed 234. Two-thirds of the tools installed were from companies that track users and sell the data. 6The Wall Street Journal, “Sites Feed Personal Details To New Tracking Industry,” by Julia Angwin and Tom McGinty, 7/30/10
"[These sites] get more money for their advertising because they [allow tracking], and they get more clicks on the ads, ostensibly," Shavell says. "They wouldn't be doing it if they didn't make money. But if you really want to follow the money, it's all in the middle, that hidden middle set of what the industry calls advertising networks."
"Venture capitalists are pouring money into these advertising networks," Shavell continues, adding "it's a huge, new bet that these companies are going to revolutionize and completely change and make lots and lots of money around online advertising.
"And that is one of those things that's driving the speed and pace of change in this industry faster than you would ever imagine, because if you think about hundreds of smart venture capitalists spending billions of dollars in a very short span of time on a bunch of innovative entrepreneurial companies that are all designed with one thing in mind – to do this better, faster, more accurately than all of their competitors – you get waters with a lot of sharks in them."
We are, in fact, talking real money, and it's no surprise that companies are scrambling to get a piece of it. The Interactive Advertising Bureau reports that Internet advertising revenues were on pace to break records in 2010 – $12.1 billion for the first six months of the year, an 11.3 percent jump over 2009. 7Interactive Advertising Bureau press release, “Internet Ad Revenues Break Records, Climb to More Than $12 Billion for First Half of ’10,” New York, New York, 10/12/10, http://www.iab.net/about_the_iab/recent_press_releases/press_release_archive/press_release/pr-101210 The IAB also claims, based on a study it conducted, that the ad-supported Internet contributes $300 billion to the U.S. economy. 8Interactive Advertising Bureau press release, “Ad-Supported Internet Contributes $300 Billion to U.S. Economy, Has Created 3.1 Million U.S. Jobs, Confirms Groundbreaking Study,” Washington, D.C., 6/10/09, http://www.iab.net/about_the_iab/recent_press_releases/press_release_archive/press_release/pr-061009-value The U.S. Department of Commerce puts global online transactions at $10 trillion a year. 9The New York Times, “A Call for a Federal Office to Guide Online Privacy,” by Tanzina Vega, 12/16/10
Tracking Technology: How You’re Being Followed
HTTP Cookies: Invented by Lou Montulli and John Giannandrea at Netscape in 1994, an HTTP cookie is simply a bit of text stored in a Web browser used to store data. 15Wikipedia, “HTTP Cookies” Cookies are one of the primary means by which users are tracked. They can be deleted by the user, and preferences can be set to not accept cookies from third parties.
Super Cookies: These are cookies or cookie-like objects that are stored outside the browser's control, and therefore are difficult for users to manage. The most prominent – and insidious – of these are Flash cookies, created by Adobe's Flash program to manage its controls, but also used by third-party trackers. Flash cookies can be set to regenerate HTTP cookies deleted by the user, circumventing user efforts to stop being tracked.
Beacons. These small pieces of code run on a Web page and track user activity, including mouse movements and keystrokes. Comments, social media posts, or anything else the user is typing can be captured and sent for semantic analysis.
Fingerprinting. Every computer, smartphone, and set-top TV box has a virtually unique fingerprint – the combination of preference settings, clock, fonts, software and other characteristics that make it distinguishable from every other device of its kind. Companies are already using this data to identify individual users and track their behavior. As of now, there are no practical ways for users to block it. 16The Wall Street Journal, “Race Is On to ‘Fingerprint’ Phones, PCs,” by Julia Angwin and Jennifer Valentino-Devries, 11/20/10
Unique Device Identifier. An iPhone exclusive! But also existing as the Android ID on phones running Google's OS. It's unique to each phone, can't be changed on the iPhone and only with a system reset on the Android. Can be used to collect identifying and location information from users. Apple and a number of app makers were recently sued for using it to secretly profile users without their consent. 17Wired.com Epicenter, “Apple, App Makers Sued Over User-Tracking,” by Ryan Singel, 12/27/10
The Need for Stronger Tools
Concerns about privacy have not gone unnoticed by browser developers. They've provided some limited privacy controls, but as yet, none provide a unified, user-friendly solution, though it's a sure bet they're working on it. Microsoft will debut a powerful new Tracking Protection feature in Internet Explorer 9 (see the accompanying Benchmark interview). And Internet entrepreneurs such as Abine are seeing the opportunity and jumping in with their own privacy solutions, inside and outside the browser.
Today, most browser give users the option to control cookies and to have so-called "private" browsing sessions. But these limited tools can lull users into a false sense of security. Turning off cookies, for example, is a good idea, but it does not stop certain kinds of beacons and Flash or "super" cookies, which are beyond the reach of the cookie preference setting. And blocking cookies wholesale can make for a rocky browsing experience, requiring usernames and passwords to be reentered, undermining personalization settings, and breaking some site functionality.
The "private browsing" or "incognito" mode merely keeps the local browser from remembering history and search. As the Google Chrome disclaimer indicates, "Going incognito doesn't affect the behavior of other people, servers, or software. Be wary of: Websites that collect or share information about you; Internet service providers or employers that track the pages you visit."
The ad networks themselves have made limited privacy controls available. Google, Microsoft and Yahoo! offer preferences managers that enable users to correct or tailor their profile so they can receive ads that are more relevant, or to opt-out of personalized ads altogether. Some of the ad networks and associations are banding together to offer a single point of opt-out, but it's still early in those efforts. And at least some of the tracking companies offer opt-outs, but a user would have to first know who those companies are, and then visit each individually to set preferences.
The bottom line is that, without some sort of unified preference or opt-out system, users are faced with the daunting, if not impossible task of tracking down the trackers and individually setting dozens – or hundreds – of preferences.
As is so often the case in the online world, where a challenge exists, entrepreneurs will step in with solutions. One of the first to offer consolidated privacy management is Abine, at www.abine.com, a free service that installs in the browser and prevents tracking in the first place, and also blocks ads. Abine also offers a service called DeleteMe that helps users to remove unwanted data about themselves that's already on the Internet.
The Push For Better Privacy
The FTC and Commerce Department proposals are ripe for near-term action and have sparked lively discussion. Both reference the Fair Information Practice Principles first put forth by the FTC in 1998. The five principles, excerpted from FTC documents, are:
1. Notice/Awareness: Consumers should be given notice of an entity's information practices before any personal information is collected from them.
2. Choice/Consent: Giving consumers options as to how any personal information collected from them may be used, particularly, secondary uses beyond those necessary to complete the contemplated transaction.
3. Access/Participation: An individual should have the ability both to access data about him or herself –i.e., to view the data in an entity's files – and to contest that data's accuracy and completeness.
4. Integrity/Security: To assure data integrity, collectors must take reasonable steps, such as using only reputable sources of data and cross-referencing data against multiple sources, providing consumer access to data, and destroying untimely data or converting it to anonymous form. Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data.
5. Enforcement/Redress: Privacy protection can only be effective if there is a mechanism in place to enforce it. Among the alternative enforcement approaches are industry self-regulation; legislation that would create private remedies for consumers; and/or regulatory schemes enforceable through civil and criminal sanctions. 10Federal Trade Commission, “Fair Information Practice Principles,” http://www.ftc.gov/reports/privacy3/fairinfo.shtm
The Commerce Department Proposal: Privacy Bill of Rights
The Commerce report, officially a "green paper," meaning it carries no commitment to action, takes a collaborative stance. "The government can coordinate this process, not necessarily by acting as a regulator," it says, "but rather as a convener of the many stakeholders – industry, civil society, academia – that share our interest in strengthening commercial data privacy protections." 11U.S. Department of Commerce, “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework,” The Department of Commerce Internet Policy Task Force, http://www.ntia.doc.gov/internetpolicytaskforce/index_test12162010.html Indeed, it was such a convening by Commerce that produced the current Domain Name System governance.
The FTC Proposal: Do Not Track
The FTC, on the other hand, proposes to beef up regulation of online privacy, to the consternation of many in the online tracking and advertising industry. Its report states, "many companies – both online and offline – do not adequately address consumer privacy interests. Industry must do better." And later, "industry efforts to address privacy through self-regulation have been too slow, and up to now have failed to provide adequate and meaningful protection." 12Federal Trade Commission, “Protecting Consumer Privacy in an Era of Rapid Change, A Proposed Framework for Businesses and Policymakers,” preliminary FTC staff report, December 2010
FTC Chairman Jon Leibowitz was more blunt in his call with reporters following release of the report. "Self-regulation of privacy is not working for American consumers," he said, and added, "A legislative solution will surely be needed if industry doesn't step up to the plate." 13Wired.com Epicenter, “FTC Backs ‘Do Not Track’ Browser Setting,” by Ryan Singel, 12/1/10
If those statements didn't get the attention of industry, the contents of the proposed framework surely did, most specifically, the Do Not Track feature. As described in the report:
One way to facilitate consumer choice is to provide it in a uniform and comprehensive way. Such an approach has been proposed for behavioral advertising, whereby consumers would be able to allow the collection and use of data regarding their online searching and browsing activities. The most practical method of providing such universal choice would likely involve the placement of a persistent setting, similar to a cookie, on the consumer's browser signaling the consumer's choices about being tracked and receiving targeted ads. Commission staff supports this approach, sometimes referred to as 'Do Not Track.'
Industry's reaction has ranged from mild disapproval to cries that the sky is falling. Alarms have been sounded that, if Do Not Track is implemented, consumers will lose their free content and tailored experiences, and the Internet's economic model will be broken.
"Those who sign up for a do-not-track registry would find they'd been sold a bill of goods," writes Steve Sullivan, the Interactive Advertising Bureau's vice president/supply chain, in The Hill's Congress Blog and elsewhere, "and they will instantly become the targets of cheap and irrelevant advertising...Furthermore, sites could all be forced to move to a paid subscription model for some consumers, charging only those who opt out for the same content that everyone else would receive for free."
Sullivan adds, "Consumers would actually have to give up anonymity in order to register for the service. To be effective, the list must be available to the whole online advertising ecosystem, effectively turning those who do not want to be 'tracked' into a valuable 'targeting segment' for unscrupulous marketers." 14The Hill’s Congress Blog, “Do-Not-Track: A bigger threat,” by Steve Sullivan, 12/2/10
In reality, though, the FTC is not proposing a list, because it would be difficult to make a list work. Unlike the Do Not Call list, which deals with one or two fixed phone numbers per individual, consumers use various computers, connected devices, and browsers, and their IP addresses are often dynamically assigned. The FTC suggests just the opposite of a list. They would turn the tables and arm consumers with their own cookies – for each user/browser – that would tell all or some trackers, at the user's discretion, to back off. The Interactive Advertising Bureau declined Benchmark's request for comment.
Industry, Regulate Thyself?
The IAB's and other industry group's response has been to emphasize their ability to regulate themselves, and expand the tools they offer to give consumers the choice, transparency and options called for in the proposals from both Commerce and the FTC. Lotame and BlueKai, for example, as well as the major ad players, offer users ways to customize their preferences or opt-out altogether.
The Digital Advertising Alliance, which includes the IAB, the Network Advertising Initiative, and the leading advertising associations, has introduced the "Self-Regulatory Program for Online Behavioral Advertising," and the consumer "advertising option icon." This group promises consumers, "You can now visit the beta version of the Program's Consumer Opt Out Page, which allows users to conveniently op-out from online behavioral ads served by some or all of our participating companies."
Not everyone is convinced that these efforts will result in robust consumer privacy protection; a simple, unified solution is still elusive. But, as was the case with CAN-SPAM, there's a healthy debate going on, and the door is open for entrepreneurs such as Abine and others like them to introduce more comprehensive solutions that consumers will embrace. CAN-SPAM brought on significant investments in creating and implementing 'subscribe/unsubscribe' marketing systems. Do Not Track is likely to spur its own investment and innovation boomlet.
"If we have a Do Not Track rule, the advertising industry will find great ways of doing privacy-friendly targeted advertising," the Electronic Frontier Foundation's Eckersley says. "At the moment, they have no incentives to do that. But under a Do Not Track rule, they would. Actually, I think that this rule will spur innovation in that industry."
Conclusion: A New Gold Rush?
If there's going to be a viable mechanism to enhance online privacy, it's going to have to happen at the individual browser level – either with new functionality built into the browser, or add-on functionality through a service like Abine or others that are likely to arise.
The online tracking and ad industry is too broad, with too many unknown players, for user opt-out or self-policing to work, even when companies band together to offer "universal" opt-out. There is simply no way to account for the unknown companies who have the intent to gather data regardless of privacy concerns.
Microsoft promises a Tracking Protection feature in its next browser release, Internet Explorer 9. It will be based on Tracking Protection Lists maintained by the user (and also available from anyone who wants to create them) that determine which sites can or cannot be called. By default, however, Tracking Protection will be off, so it will have to be activated by the user. Once set, though, it is active on all browsing sessions.
"The Web lacks a good precise definition of what tracking means," says Dean Hachamovitch, Microsoft corporate vice president/Internet Explorer in his blog post. "Until we get there, we can make progress by providing consumers with a way to limit or control the data collected about them on sites they don't visit directly."
"This step forward may be too much for some even as it is not enough for others," he adds. "As an industry we will continue to have incomplete solutions until we agree on a clear definition of tracking, how it is and can be done, and what should be done in response."
For now, it is in the hands of the FTC and the Commerce Department to decide what will be required to protect consumer privacy online, and for private industry to innovate solutions that address the concerns of regulators and consumers – all while protecting the commerce that has been central to creating the Web as we know it today.