Does NAI’s Opt Out Tool Stop Consumer Tracking?

I heard a rumor that I hope isn’t true. Specifically, I heard that opting out of behavioral profiling may not stop advertising companies from tracking you as you travel across the Web. Rather, according to the rumor, in many cases you merely opt out of seeing the tailored ads your web history might otherwise trigger.

The ability to opt out of behavioral profiling essentially underpins the argument for self-regulation by the industry. The idea is that (1) people like tailored ads and (2) those that worry about the practice, for instance, from a privacy perspective, can opt out of it. Setting aside the apparent frailty of cookie-based opt out (when you delete your cookies, you delete your opt out as well) and the availability of other means to track users (like flash cookies), this seems pretty straightforward and convincing.

But what does “opting out” mean, exactly? A close look at the Network Advertising Initiative website, which offers an opt out tool on behalf of most major online advertisers, turns up no guarantee that opting out will stop a company from logging where a user has traveled.

In the NAI's words:

The NAI Opt-out Tool replaces a network advertiser's unique online preference marketing cookie on your browser with a general opt-out cookie. It does not delete individual cookies nor does it necessarily replace other cookies delivered by network advertisers, such as those that are used for aggregate ad reporting or mere ad serving purposes. Such cookies allow network advertisers to change the sequence of ad banners, as well as track the aggregate number of ads delivered (impressions).

You don’t need to be Derrida to see that this carefully crafted language comes apart upon reflection. How can the tool "replace[] a network advertiser's unique online preference marketing cookie" but at the same time not "delete individual cookies [or] replace other cookies delivered by network advertisers, such as those that are used for … mere ad serving purposes”? Where I come from, "replace" means "to put something new in the place of" something else. You take the cookie that tracks me away, and you replace it with a cookie that says not to.

So does opting out stop tracking or not? Lawyer and blogger Sarah Bird wrote about the NAI’s opt out cookie about a year ago after attending a conference at Berkely Law School. Specifically, she wrote:

The audience was extremely interested in cookies and how they work. ... People were surprised and confused to learn that the NAI’s opt-out program doesn’t prevent advertisers from collecting information about you; it only prevents advertisers from serving you targeted ads. The companies still get to benefit from your information, you still have to see ads, but the ads aren’t targeted towards your preferences. Somehow, I have a feeling that most consumers who bother to use the NAI's opt-out program don't realize this. After all, I have to imagine that it is the tracking itself that bothers privacy-sensitive people, not the targeted ads.

I have to agree with Sarah here.

To be clear, I’m not convinced that behavioral advertising is all that dangerous a practice from the perspective of personal privacy. Advertisers don’t really care who you are and much of the tracking that occurs is anonymous. True blocking is easy—for a veritable buffet of privacy enhancing technologies, visit our wiki database—and the government can go directly to users’ Internet service providers if they want access to web surfing habits.

But still, this rumor bothers me. Have advertisers allowed the misapprehension to persist that opting out of behavioral profiling stops the practice of tracking? If so, for shame. The industry should confront the harms of tracking, real or imagined, head on, instead of lulling users into a false sense of control over their browsing history.

Comments

This is a great post, and highlights an issue I have often wondered about in the course of creating the privacychoice wizard (http://www.privacychoice.org). Having studied the "cookie laying" processes of the scores of ad networks we cover in the wizard, here's what I would say:
- Lots and lots of cookies are written by the ad networks, many of which are "session" cookies or have short expiration dates. It's almost a matter of boilerplate coding that these are written. One example: even if you don't have any Yahoo! cookies on your machine, if you use their opt-out function, you get both an opt-out cookie AND their so called "B" cookie. You're trusting Yahoo! not to use that B cookie for profiling if you have an opt-out cookie in place.
- Usually the "opt out" cookie such as the NAI offers (and there are many networks with opt-out cookies that are not in the NAI) are clearly labeled and maintained. So at least you can know that it is or isn't present.
- For most ad networks (75%), the opt-out cookie is non-unique (it has text like "OPT_OUT", which means that it technically cannot be used for targeting (even if other separate cookies could be). We have a system at privacychoice that routinely checks on sample machines to make sure that these non-unique cookies are staying in place, and not replaced with unique targeting cookies.
- Because of the complexity of cookies, and the fact that other cookies are written all the time, it is definitely possible that an unscrupulous ad network could ignore their own opt-out cookie. Without access to their internal systems, it is probably practically infeasible to determine when this is happening. But given that the number of consumers actually opting out is quite small (at least so far) I'd be surprised if ad networks were willing to take that risk.
- What is feasible is a combination of monitoring (as we do -- to make sure opt-out cookies are non-unique and to see what the networks do in the wild) and auditing (annual surprise reviews by NAI, TRUSTe, FTC or anyone else who can ask tough questions).
Personally, I'd feel comfortable with such an approach, since the large ad networks (who really have the reach to profile effectively) will need to be accountable to big advertisers, and advertisers won't want to be associated with non-compliant networks.

Thanks for your very helpful note.

Add new comment