Over the past several months researchers at the Stanford Security Lab have been developing a platform for measuring dynamic web content. One of our chief applications is a system for automated enforcement of Do Not Track by detecting the myriad forms of third-party tracking, including cookies, HTML5 storage, fingerprinting, and much more. While the software isn't quite polished enough for public release, we're eager to share some unexpected early results on the advertising ecosystem. Please bear in mind that these are preliminary findings from experimental software; our primary aims at this stage are developing the platform and validating the approach to third-party tracking detection. Many thanks to Jovanni Hernandez and Akshay Jagadeesh for their invaluable research assistance.
We began with a list of advertising companies that participate in the self-regulatory Network Advertising Initiative (NAI). By navigating popular websites we identified a piece of tracking content (primarily ads and beacons) from 64 of the 75 NAI member companies. We performed the following tests on each company's content:
1) Load the content.
2) Load the content, opt out of the company on the NAI website, and then reload the content.
3) Load the content, enable Do Not Track, and then reload the content.
We manually identified tracking cookies (cookies that appeared to contain a unique identifier or substantially unique information) and how they were altered throughout each test. A spreadsheet of results is available. Please email if you would like a copy of the data we logged while testing a particular company's content.
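The before/after comparison in these tests can be sketched in code. This is an added example, not the Stanford platform's code: the study identified tracking cookies manually, so the length and entropy thresholds, the opt-out marker strings, and the sample cookie jars below are all assumptions made for illustration.

```python
import math
from collections import Counter

# Assumed heuristic, not the study's method (the study identified cookies manually):
# a value looks like a unique identifier if it is long and high-entropy.
MIN_LEN = 12
MIN_ENTROPY_BITS = 3.0
OPT_OUT_MARKERS = ("optout", "opt_out", "opt-out", "optedout")  # assumed markers

def shannon_entropy(value):
    """Bits of entropy per character of a cookie value."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_identifier(name, value):
    text = (name + "=" + value).lower()
    if any(m in text for m in OPT_OUT_MARKERS):
        return False
    return len(value) >= MIN_LEN and shannon_entropy(value) >= MIN_ENTROPY_BITS

def classify(before, after):
    """Compare cookie jars ({name: value}) from the first load and the reload."""
    result = {"retained": [], "removed": [], "new_tracking": [], "opt_out_set": []}
    for name, value in before.items():
        if not looks_like_identifier(name, value):
            continue
        # Retained only if the same identifier survives the opt-out or DNT reload.
        key = "retained" if after.get(name) == value else "removed"
        result[key].append(name)
    for name, value in after.items():
        if name in before and before[name] == value:
            continue
        if looks_like_identifier(name, value):
            result["new_tracking"].append(name)
        elif any(m in (name + "=" + value).lower() for m in OPT_OUT_MARKERS):
            result["opt_out_set"].append(name)
    return result

# Constructed sample jars for a hypothetical third party, not data from the study.
BEFORE = {"uid": "a81f3c9e2b7d40c6954e", "lang": "en"}
AFTER_LEAVES_ID = {"uid": "a81f3c9e2b7d40c6954e", "lang": "en", "optout": "1"}
AFTER_CLEARS_ID = {"uid": "OPT_OUT", "lang": "en"}

if __name__ == "__main__":
    print(classify(BEFORE, AFTER_LEAVES_ID))
    print(classify(BEFORE, AFTER_CLEARS_ID))
```

A "retained" entry alongside an "opt_out_set" entry corresponds to the case where an opt-out cookie is added but the identifier cookie stays in place.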
1. At least two NAI members are taking overt steps to respect Do Not Track.
Media6Degrees, an advertising data provider, deletes its tracking cookies and sets an opt-out cookie upon receiving a Do Not Track request.
BlueKai, a data provider and management platform, does not set tracking cookies in response to a Do Not Track request, but it does not delete any existing tracking cookies.
2. Half of the NAI members we tested did not remove their tracking cookies after opting out.
NAI member companies pledge only to allow opting out of behavioral ad targeting, not tracking. Of the 64 companies we studied, 32 left tracking cookies in place after opting out.
3. At least eight NAI members promise to stop tracking after opting out, but nonetheless leave tracking cookies in place.
We compared our results to a survey of NAI member privacy and opt-out policies recently conducted by Carnegie Mellon's CyLab. We identified seven companies that (in the study's reading) promise to stop tracking when a user opts out, but nonetheless leave their tracking cookies in place.
[See below for an update from AudienceScience.]
4. At least ten NAI members go beyond their privacy policies and remove their tracking cookies.
In comparing our results to the Carnegie Mellon study of privacy policies we found that ten NAI members remove their tracking cookies upon opting out, even though they promise to only stop behavioral targeting of ads. The companies are: BlueKai (retains city-level geolocation), Dapper (bought by Yahoo!), FetchBack, Google, Invite Media, Media6Degrees, Mediaplex, Quantcast, TidalTV, and YuMe.
These early results scarcely scratch the surface of what we aim to learn with our new web measurement platform. We look forward to sharing new insights in the coming weeks and opening the software in the coming months. If you have experience in the web measurement field and would like to participate in testing the platform, please reach out. And please send web measurement questions — we're looking for new ways to put the system through its paces!
[If you would like us to add a statement from your company, please reach out.]
You may also simply opt out of receiving interest-based advertising by clicking here.
AddThis contacted us about our findings. After a reevaluation, we discovered we had mislabeled a unique session cookie associated with AddThis's opt-out process as a tracking cookie. The post and spreadsheet have been updated. Our apologies to AddThis for the error.
AudienceScience reached out to clarify its practices. Its cookies store a compressed and encrypted data structure. When a user opts out, AudienceScience removes all interest segments and the unique ID from the data structure, but it continues to update the last time the browser contacted its servers. We have confirmed that AudienceScience now entirely removes its data structure after opting out.
BlueKai confirmed it is taking steps to honor Do Not Track.
Media6Degrees confirmed it is taking steps to honor Do Not Track.
If you select the "opt out" button there for Netmining, we will delete your existing netmng.com or netmining.com online behavioral advertising cookie(s) and try to place a new cookie that instructs us not to track your future activities for the purposes of serving online behavioral advertising when we detect that cookie.
The Network Advertising Initiative has posted a response to the study.
TARGUSinfo submitted the following statement.
Undertone has posted a statement responding to the study.
Vibrant Media submitted the following statement.
We drop a user ID cookie when a user initiates engagement with one of our ad units. This collects non-personally identifiable information on keywords a user has engaged with. If the user doesn't visit a site in our network for 10 days, we delete this data. If someone opts out, we add a do-not-track cookie.
We had been deleting any data associated with the user ID, but had not been deleting the cookie itself (this is acceptable for NAI compliance). When we encounter someone with a do-not-track cookie, we completely ignore the user ID and therefore don't use their information to serve ads. Although the cookie was remaining, we do not reference or use the ID in any way and we completely delete all data, be it in logs or storage devices for that particular user ID. Going forward, in order to prevent any misunderstanding we will also be deleting that cookie.
We have always been vigilant about adhering to industry best practices and NAI compliance policies.
Online Behavioral Advertising (OBA) is the process of targeting specific advertisements to each individual user, based on browsing history. If you opt out of OBA from our service by clicking the link below, the OBA cookie we use to contain this information will be emptied and changed to a placeholder signaling that you have done so. . . . Opting out does not necessarily delete or replace all cookies from our domain; others may remain which are used for aggregate reporting on the performance of the advertisements we serve.