I heard a rumor that I hope isn’t true. Specifically, I heard that opting out of behavioral profiling may not stop advertising companies from tracking you as you travel across the Web. Rather, according to the rumor, in many cases you merely opt out of seeing the tailored ads your web history might otherwise trigger.
The ability to opt out of behavioral profiling essentially underpins the argument for self-regulation by the industry. The idea is that (1) people like tailored ads and (2) those that worry about the practice, for instance, from a privacy perspective, can opt out of it. Setting aside the apparent frailty of cookie-based opt out (when you delete your cookies, you delete your opt out as well) and the availability of other means to track users (like flash cookies), this seems pretty straightforward and convincing.
But what does “opting out” mean, exactly? A close look at the Network Advertising Initiative website, which offers an opt out tool on behalf of most major online advertisers, turns up no guarantee that opting out will stop a company from logging where a user has traveled.
In the NAI's words:
The NAI Opt-out Tool replaces a network advertiser's unique online preference marketing cookie on your browser with a general opt-out cookie. It does not delete individual cookies nor does it necessarily replace other cookies delivered by network advertisers, such as those that are used for aggregate ad reporting or mere ad serving purposes. Such cookies allow network advertisers to change the sequence of ad banners, as well as track the aggregate number of ads delivered (impressions).
You don’t need to be Derrida to see that this carefully crafted language comes apart upon reflection. How can the tool "replace[] a network advertiser's unique online preference marketing cookie" but at the same time not "delete individual cookies [or] replace other cookies delivered by network advertisers, such as those that are used for … mere ad serving purposes”? Where I come from, "replace" means "to put something new in the place of" something else. You take the cookie that tracks me away, and you replace it with a cookie that says not to.
So does opting out stop tracking or not? Lawyer and blogger Sarah Bird wrote about the NAI’s opt out cookie about a year ago after attending a conference at Berkely Law School. Specifically, she wrote:
The audience was extremely interested in cookies and how they work. ... People were surprised and confused to learn that the NAI’s opt-out program doesn’t prevent advertisers from collecting information about you; it only prevents advertisers from serving you targeted ads. The companies still get to benefit from your information, you still have to see ads, but the ads aren’t targeted towards your preferences. Somehow, I have a feeling that most consumers who bother to use the NAI's opt-out program don't realize this. After all, I have to imagine that it is the tracking itself that bothers privacy-sensitive people, not the targeted ads.
I have to agree with Sarah here.
To be clear, I’m not convinced that behavioral advertising is all that dangerous a practice from the perspective of personal privacy. Advertisers don’t really care who you are and much of the tracking that occurs is anonymous. True blocking is easy—for a veritable buffet of privacy enhancing technologies, visit our wiki database—and the government can go directly to users’ Internet service providers if they want access to web surfing habits.
But still, this rumor bothers me. Have advertisers allowed the misapprehension to persist that opting out of behavioral profiling stops the practice of tracking? If so, for shame. The industry should confront the harms of tracking, real or imagined, head on, instead of lulling users into a false sense of control over their browsing history.
This is a great post, and highlights an issue I have often wondered about in the course of creating the privacychoice wizard (http://www.privacychoice.org). Having studied the "cookie laying" processes of the scores of ad networks we cover in the wizard, here's what I would say:
- Lots and lots of cookies are written by the ad networks, many of which are "session" cookies or have short expiration dates. It's almost a matter of boilerplate coding that these are written. One example: even if you don't have any Yahoo! cookies on your machine, if you use their opt-out function, you get both an opt-out cookie AND their so called "B" cookie. You're trusting Yahoo! not to use that B cookie for profiling if you have an opt-out cookie in place.
- Usually the "opt out" cookie such as the NAI offers (and there are many networks with opt-out cookies that are not in the NAI) are clearly labeled and maintained. So at least you can know that it is or isn't present.
- For most ad networks (75%), the opt-out cookie is non-unique (it has text like "OPT_OUT", which means that it technically cannot be used for targeting (even if other separate cookies could be). We have a system at privacychoice that routinely checks on sample machines to make sure that these non-unique cookies are staying in place, and not replaced with unique targeting cookies.
- Because of the complexity of cookies, and the fact that other cookies are written all the time, it is definitely possible that an unscrupulous ad network could ignore their own opt-out cookie. Without access to their internal systems, it is probably practically infeasible to determine when this is happening. But given that the number of consumers actually opting out is quite small (at least so far) I'd be surprised if ad networks were willing to take that risk.
- What is feasible is a combination of monitoring (as we do -- to make sure opt-out cookies are non-unique and to see what the networks do in the wild) and auditing (annual surprise reviews by NAI, TRUSTe, FTC or anyone else who can ask tough questions).
Personally, I'd feel comfortable with such an approach, since the large ad networks (who really have the reach to profile effectively) will need to be accountable to big advertisers, and advertisers won't want to be associated with non-compliant networks.
Thanks for your very helpful note.
How would you know if you are being tracked ?
I don't really know if there is a way right now, to tell if you are being tracked. I mean, the way that the powers that be track you, is getting tougher all the time. the wave of the future is MORE Internet tracking, in an effort to control people, and monitor their every move. Hence, they will likely make it virtually impossible to track. Just be careful what sites you are visitng and what groups you are joining, that's all I can really say.
http://www.goarticles.com/cgi-bin/showa.cgi?C=1594365
I think the language is technically accurate although it needs a lot of clarity added.
In most cases, the opt-out just adds a marker to the cookie that tells the ad network to ignore the cookie when building profiles and in serving behavioral advertisements. In other words, it replaces the current cookie (e.g. cookie: 123abc) with another cookie with an opt-out code appended (e.g. cookie: 123abc,00). The method used differs between ad networks but seems to work similarly for each. "Replace" is likely a compromise term that best encompasses what the various companies do. Some might zero out the cookie, others might replace the cookie ID with a whole new number, while others just append a code to the end. We might also not be able to tell since some ad networks create a hash of each ID to obscure it for security or other reasons. In addition, ad networks like Google and Yahoo! get data from your accounts that are not behaviorally related so they will not zero out the cookies.
The last time I looked at the "opt-out tool" it did not actually replace ad network cookies, rather it called an ad network web service which did the actual cookie replacement.
Moreover, regardless of the company, the ad networks need to compile some transaction information to get paid and for auditing purposes. Your seeing an advertisement means that an ad network will receive data about your visit around the web or that you click. I do not think behavioral tracking would include a number of innocuous tracking items such as how many times you have seen an advertisement. Also, ad networks will still need to track unique users viewing a particular ad, which is one of the most important pieces of information in online advertising. For that reason, I can see a cookie tracking the ads you've seen and the number of times you've seen each even after you've opt-out from behavioral targeting.
Use Firefox and install Live HTTP Headers. Visit web sites before and after opting out from an ad network and then compare. Each file that makes up a web page will provide one entry in Live HTTP Headers. There are about 40 files that make up your blog post so 40 headers.
*****
http://cyberlaw.stanford.edu/comment/reply/6170#comment-form
GET /comment/reply/6170 HTTP/1.1
Host: cyberlaw.stanford.edu
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042513 Ubuntu/8.04 (hardy) Firefox/3.0.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://cyberlaw.stanford.edu/node/6170
Cookie: SESS88a227445bb32d7def6e61e387fbd69d=ce37fad65fd99cba7c7be5d1b0333dc7; has_js=1
If-Modified-Since: Mon, 04 May 2009 19:14:07 GMT
Cache-Control: max-age=0
HTTP/1.x 200 OK
Date: Mon, 04 May 2009 19:15:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Last-Modified: Mon, 04 May 2009 19:14:08 GMT
Etag: "a97bacad9f4972f3519bbe81a470bbbb"
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: must-revalidate
Content-Encoding: gzip
Content-Length: 6757
Keep-Alive: timeout=2
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
In many ways the tracking can be good for the user experience, because we may be interested in the relevant ads showing up. However, privacy is certainly still a big '?'
Mother of the Groom dresses
Is not there a privacy concerns regarding this? If someone opts out from this behavioral profiling and still gets tracked then who will be responsible? We netizens need to be more careful. For tracking purpose websites use cookies. So clear your browser cookes daily.
Yes John you are right. We ourself need to be more informative about online security and privacy.
Health Symptoms
Post new comment