July 22nd, 2011
Stanford study shows online consumer privacy tools flawed
A new study by Stanford researchers has found many online advertising companies continue to follow people’s Web activity even after users believe they have opted out of tracking.
The preliminary research has sparked renewed calls from privacy groups and Congress for a “Do Not Track” law to allow people to opt out of tracking, like the Do Not Call list that limits telemarketers.
While some online advertisers acknowledged the problem, an industry trade group criticized the study by “a Stanford graduate student” and said self-regulation by the industry was better than a new law.
“I think industry self-regulation is a joke,” shot back U.S. Rep. Jackie Speier, D-Hillsborough, who has proposed legislation allowing the Federal Trade Commission to regulate online tracking. “It’s precisely why we need the FTC to regulate them. For those who say, ‘Privacy, get over it,’ I absolutely reject that.”
Stanford’s research looked at 65 online advertising companies, including big companies such as Google (GOOG), Yahoo (YHOO), Microsoft and AOL and smaller, lesser-known companies such as [x+1], eXelate and Cupertino-based BlueKai. It found that half the companies continued tracking even after consumers opted out. In online tracking, advertisers follow a Web user’s movements to glean personal details to develop profiles and deliver targeted advertising.
“All too often, it’s easy to misread these programs as a way to opt out of tracking when that’s not what they are,” said Jonathan Mayer, the computer science and law graduate student who led the research for Stanford Law School’s Center for Internet and Society, and the Stanford Computer Security Lab. “There is not a lot of clarity about what’s going on. I think one of the aims of self-regulation was that it was supposed to be to bring clarity to this area.”
The study has prompted a privacy group, Consumer Watchdog, to ask the FTC to investigate whether eight online advertising companies engaged in deceptive trade practices by saying they would delete “tracking cookies” but actually left them in place.
Cookies are a necessary component of the modern dynamic Web. The small software files are what allows your bank or Amazon.com to recognize your browser, for example, when you return to their website.
At issue are “third-party cookies” placed in a user’s browser by advertising data companies. The cookies are invisible to users and are embedded in their browser when they visit any of hundreds of thousands of unrelated websites. Those cookies then log their future travels across the Web.
Since the study’s release, several online advertising companies have abruptly revised their privacy policies to acknowledge that they may continue to collect data even after consumers opt out at an advertising industry website, or enable “Do Not Track” features in the newest versions of Mozilla’s Firefox browser or Microsoft’s Internet Explorer 9.
A group representing online advertisers, the Network Advertising Initiative, said its opt-out site, at http://www.network advertising.org/managing/opt_out.asp, is intended to allow consumers to opt out of advertising, not the data-collection it says is needed. At the site, consumers can check an opt-out box, which produces a message that says: “You have opted out of this network.”
For customers who opt out, NAI and companies like Yahoo and Microsoft say these cookies are collecting data only to make sure advertising on websites works properly—not to target ads.
“Online advertising companies may need to gather data to prove to advertisers that an ad has been delivered and should be paid for; to limit the number of times a user sees the same ad; or to prevent fraud,” Chuck Curran, executive director of NAI, wrote in a blog post last week.
Curran did not respond to repeated interview requests. But Mayer and Speier, along with other critics in Congress and several Internet privacy groups, said the industry does a poor job of explaining the difference between stopping targeted ads and blocking data collection entirely.
“Self-regulation is deliberately designed to not be effective,” said Jeff Chester, executive director of the Center for Digital Democracy in Washington. “It’s designed to give the appearance of protecting privacy, while actually enabling data collection to proceed full force.”
Speier said people can be hurt by tracking, whether it is used for advertising or not. “The public often doesn’t realize that this dossier that is being created on them is a powerful tool which is purchased by other companies, which then make assumptions about each of us, and often discriminate against us because of it,” she said in an interview. One example, she said, would be a person denied insurance because they visited medical or extreme sports websites.
Yahoo says that while its cookies remain active even after an opt-out at the NAI, it uses data only for non-advertising purposes like auditing ad delivery or billing. Yahoo and other companies are working on a definition for what “Do Not Track” actually means, and under what circumstances limited data collection could be allowed when a consumer has opted out.
“Yahoo believes that consumers need a simple and consistent definition of ‘Do Not Track’ to avoid confusion and simplify online privacy choices,” said Anne Toth, the company’s chief trust officer.
Read more: http://trap.it/NzBdGL