To Track or 'Do Not Track': Advancing Transparency and Individual Control in Online Behavioral Advertising
- Online advertising is greatly enhanced by the ability to analyze and measure the effectiveness of ad campaigns and by online behavioral tracking, which tracks users’ online activities in order to deliver tailored ads to that user.
- Granted, both sides of the online behavioral tracking debate may be guilty of policy laundering: the industry, for holding out users’ vacuous, uninformed consent as a basis for depicting tracking as a voluntary practice; and privacy advocates, for proposing opt-in rules in order to decimate the data-for-service value exchange.
- Rosch recently suggested that the potential downsides of regulatory initiatives include “the loss of relevancy, the loss of free content, the replacement of current advertising with even more intrusive advertising.”
- While the only way to disable the airbag was the general deactivation by a garage several years ago, some techniques are offered today allowing the deactivation and reactivation in a simple way.
II. ONLINE TRACKING DEVICES
- Online tracking technologies have been progressing rapidly, from cookies to “super cookies,” to browser fingerprinting and device identifiers.
- In addition, today information can be collected and stored with considerable ease and at low costs.
- This Part describes the main tracking technologies, noting their relative transparency to users and how amenable they are for user control.
- Kenneth Cukier, Data, Data Everywhere, ECONOMIST (SPECIAL REPORT), Feb. 27, 2010, at 2 (“The amount of digital information increases tenfold every five years.”); see Ira S. Rubinstein et al., Data Mining and Internet Profiling: Emerging Regulatory and Technological Approaches, 75 U. CHI.
C. BROWSER FINGERPRINTING
- Initially deployed by banks to prevent identity fraud and by software companies to preclude illegal copying of computer software, browser fingerprinting also is a powerful technique lease of Flash Player, which will bring together feedback from their users and external privacy advocates.
- ALEECIA M. MCDONALD & LORRIE FAITH CRANOR, A SURVEY OF THE USE OF ADOBE FLASH LOCAL SHARED OBJECTS TO RESPAWN HTTP COOKIES 17 (2011), available at http://www.cylab.cmu.edu/files/pdfs/tech_reports.
- That could include a user’s location, time zone, photographs, text from blogs, shopping cart contents, e-mails and a history of the Web pages visited.”).
- By gathering seemingly innocuous bits of information, such as a browser’s version number, plugins, operating system, and language, websites can uniquely identify (“fingerprint”) a browser and, by proxy, its user.
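
How attributes that are common one by one combine into an identifier can be measured directly. The following is an added example, not taken from the article: it computes per-attribute entropy and the share of uniquely identifiable browsers over a constructed sample of eight browsers (all field names and values are assumptions).

```python
import math
from collections import Counter

# Constructed sample: attributes eight hypothetical browsers might expose.
# Field names and values are illustrative, not taken from the article.
FIELDS = ("version", "plugins", "os", "language")
BROWSERS = [
    ("Firefox/7.0", "flash,java", "Windows 7", "en-US"),
    ("Firefox/7.0", "flash", "Windows 7", "en-US"),
    ("Firefox/7.0", "flash,java", "Windows XP", "en-US"),
    ("Firefox/7.0", "flash", "Mac OS X", "fr-FR"),
    ("Chrome/14", "flash,java", "Windows 7", "en-US"),
    ("Chrome/14", "flash", "Windows 7", "en-US"),
    ("Chrome/14", "flash", "Windows 7", "en-US"),
    ("IE/9.0", "flash,silverlight", "Windows 7", "de-DE"),
]

def entropy_bits(values):
    """Shannon entropy (bits) of the observed distribution of values."""
    total = len(values)
    counts = Counter(values)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def attribute_entropy(records):
    """Entropy contributed by each attribute taken alone."""
    return {f: entropy_bits([r[i] for r in records]) for i, f in enumerate(FIELDS)}

def anonymity_sets(records, fields=FIELDS):
    """Group records by the chosen attribute combination; return group sizes."""
    idx = [FIELDS.index(f) for f in fields]
    return Counter(tuple(r[i] for i in idx) for r in records)

def unique_fraction(records, fields=FIELDS):
    """Share of browsers whose attribute combination nobody else shares."""
    sets = anonymity_sets(records, fields)
    return sum(1 for size in sets.values() if size == 1) / len(records)

if __name__ == "__main__":
    for name, bits in attribute_entropy(BROWSERS).items():
        print(f"{name:9s} {bits:.2f} bits alone")
    print(f"combined  {entropy_bits(BROWSERS):.2f} bits (max {math.log2(len(BROWSERS)):.2f})")
    print("unique on version only:", unique_fraction(BROWSERS, ("version",)))
    print("unique on all four    :", unique_fraction(BROWSERS))
```

In this sample no single attribute singles out more than a few browsers, yet the four together leave only one pair indistinguishable, which is why normalizing or withholding individual attributes shrinks the fingerprint.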
D. MOBILE DEVICES
- Mobile browsing is expected to surpass fixed Internet use in the next few years, rendering the tracking of users of mobile devices, including phones and tablets, increasingly important.
- Mobile apps thus replace browsers and search engines as the main entry gate to the mobile Internet.
- The logic underpinning the blanket immunity granted to online intermediaries under Section 230 of the Communications Decency Act applies in similar force here.
E. DEEP PACKET INSPECTION
- One technology that has created significant concern when used for online behavioral tracking is deep packet inspection (DPI).
- Steve Stecklow & Paul Sonne, Shunned Profiling Method on the Verge of Comeback, WALL ST.
- As a result, the leading United States company in the DPI business, NebuAd, folded.
F. HISTORY SNIFFING
- Browser history sniffing exploits the functionality of browsers that display hyperlinks of visited and non-visited sites in different colors (blue for unvisited sites; purple for visited).
- (“Testimony this morning from AT&T, Verizon and Time Warner Cable executives were [sic] all very similar: the authors respect their customers [sic] privacy, customers should be given an opt-in, not opt-out, choice . . . .”).
- Scott Austin, Turning Out the Lights: NebuAd, WALL ST.
- Jack Marshall, Phorm Shifts Focus to Brazil, Posts First Revenues, CLICKZ (July 1, 2010), http://www.clickz.com/clickz/news/1721855/phormshifts-focus-brazil-posts-first-revenues.
III. USES OF TRACKING
- The collection, retention, use and transfer of information about online users come in many guises.
- In order to maintain a stable equilibrium between user expectations and the legitimate needs of online businesses, the market must reinforce mechanisms for transparency and user control over online behavioral tracking, while at the same time not overly impeding the fundamental business model of the Internet economy, fi-
- Kashmir Hill, History Sniffing: How YouPorn Checks What Other Porn Sites You’ve Visited and Ad Networks Test The Quality of Their Data, FORBES (Nov. 30, 2010, 6:23 PM), http://blogs.forbes.com/kashmirhill/.
- In a recent research paper, Howard Beales, former Director of the Bureau of Consumer Protection at the FTC, asserted that the price of behaviorally targeted advertising was 2.68 times greater than the price of untargeted ads.
A. FIRST PARTY TRACKING
- This concept of a first party has largely been the result of users’ perception as to what constitutes a first party.
- Examples of first parties include websites that track users to support billing, complete online transactions, personalize user experience and website design, provide product recommendations and shopping cart services, tailor content and target their own products or services.
- When a user signs on to Amazon and enters a username and password, the system will match that sign-on information to saved preferences and personalize the experience for that user, maintaining her shopping cart and providing personalized product recommendations.
- The self-regulatory principles proposed by the Federal Trade Commission also exclude from their scope any non-advertising behavioral targeting, contextual advertising, and first party tracking.
- Many website owners use third-party analytics tools to evaluate traffic on their own websites.
- This activity is not considered “online behavioral tracking”—even though the data is collected by a third party—because the information collected relates exclusively to traffic on the first party’s site.
- See, e.g., OPEN RECOMMENDATIONS FOR THE USE OF WEB MEASUREMENT TOOLS ON FEDERAL GOVERNMENT WEB SITES, CTR.
- /2010/wp169_en.pdf (discussing the obligations of a processor with regard to confidentiality and security); ARTICLE 29 DATA PROTECTION WORKING PARTY, OPINION 10/2006 ON THE PROCESSING OF PERSONAL DATA BY THE SOCIETY FOR WORLDWIDE INTERBANK FINANCIAL TELECOMMUNICATION, 2006, WP 128, at 19 (U.K.), http://ec.europa.eu/justice/policies/privacy/docs/wp.
- Given that the online ecosystem is supported by advertising, websites, advertisers and ad intermediaries must use various tools to measure user engagement and the effectiveness of ad campaigns.
- Many ad networks use the same cookie for web measurement that they do for online behavioral tracking, so the opt-out they provide for tracking does limit collection for measurement as well.
D. NETWORK SECURITY
- Websites and ISPs have multiple reasons to log and track the traffic that comes through their systems, including limiting malicious activity, such as denial of service attacks, viruses and
- See Zachary Rodgers, Few Google Users Are Opting out of Behavioral Targeting, CLICKZ (Dec. 13, 2009), http://www.clickz.com/.
- (“Evidon had served over 11 billion impressions.
E. FRAUD PREVENTION AND LAW ENFORCEMENT
- Various laws and regulations allow, or even require, websites and online intermediaries to track users and maintain profiles for purposes of fraud prevention, anti-money laundering, national security and law enforcement.
- In the European Union, “providers of publicly available electronic communications services or of a public communications network” must retain “traffic data and location data and the related data necessary to identify” subscribers or users for a period no less than six months and no more than twenty-four months.
- SOC’Y 761 (2006) (arguing that a mandatory two-factor authentication system would go beyond the purpose of the Act, which is to “implement minimum standards” across many financial institutions).
- CIVIL LIBERTIES UNION (Feb. 8, 2011), http://www.aclu.org/free-speech/legal-battle-over-government-demandstwitter-records-unsealed-court.
IV. REGULATING ONLINE TRACKING
- The regulatory framework for both online and offline privacy is currently in flux.
- This led governments, regulators, and industry leaders in the European Union and United States to introduce new regulatory and self-regulatory frameworks applicable to online behavioral tracking.
- In Europe, the legal framework applying to online behavioral tracking consists of the European Data Protection Directive—which regulates the collection, processing, storage and transfer of personal data—and the European e-Privacy Directive, which regulates data privacy on communication networks.
- For a demonstration, see David Naylor, EU “Cookies” Directive.
- “The Recitals are the part of the act which contains the statement of reasons for the act; they are placed between the citations and the enacting terms.
- Partly due to sparse legislation and partly a deliberate policy choice, the FTC has over the years promoted industry self-regulation in the field of online behavioral tracking.
- At this point in time, it appears that self-regulation has not yet been successful in relaxing consumers’ concerns about privacy, fulfilling businesses’ interest in clarity, and satisfying regulators’ calls for additional enforcement tools.
V. PROPOSALS FOR REGULATORY REFORM
- Additional criticism is pointed at the EASA recommended compliance and enforcement mechanism.
- Wired magazine noted in August 2009 that attempts at self-regulation by the online behavioral tracking and advertising industry “have conspicuously failed to make the industry transparent about when, how and why it collects data about Internet users.”
- It has been anchored by the FTC Preliminary Report, followed by a swift response from industry, and reinvigorated by a slew of legislative bills.
- It included the creation for the first time of a dedicated Senate Sub-Committee on Privacy, Technology and the Law, headed by Senator Al Franken (D-MN) and charged with “[o]versight of laws and policies governing the collection, protection, use, and dissemination of commercial information by the private sector, including online behavioral advertising.
C. DRAFT LEGISLATION
- The renewed public interest in privacy and online behavioral tracking, spurred by the Wall Street Journal “What They Know” series, FTC and Department of Commerce engagement with the topic, and occasional front-page privacy snafu (e.g., Google Buzz, iPhone location tracking), has led to an unprecedented flurry of activity and legislative proposals on the Hill.
- J., http://online.wsj.com/public/page/whatthey-know-digital-privacy.html (last visited Oct. 7, 2011).
- The bill would require a covered entity “to offer individuals a clear and conspicuous” opt-out mechanism for any “unauthorized use” of covered information, except for any use requiring opt-in consent.
VI. MOVING FORWARD
- The general public, meanwhile, often expresses in opinion polls an interest in privacy and aversion towards online behavioral tracking.
- Why force users to pay, or force them to see the ad before the content (or both)?
A. DEMYSTIFYING CONSENT
- Personal data have become a primary feature of the value exchange in almost any online transaction.
- But the authors would not want the doctor to impose such additional information as the default, nor would they impose on patients an obligation to educate themselves in recent medical developments.
- Clearly, under this approach, consent—the manifestation of individual control—is inextricably tied to privacy.
B. ENHANCING NOTICE
- GHOSTERY, http://www.ghostery.com (last visited Oct. 7, 2011) (“Ghostery tracks the trackers and gives you a roll-call of the ad networks, behavioral data providers, web publishers, and other companies interested in your activity.”).
- Absent such consensus, labels and privacy notices, visceral or not, will continue to fail in the eyes of those who dispute the merit of the direction users are “nudged.”
C. SHIFTING THE BURDEN TO BUSINESS
- A better focus for policymakers to take may be shifting the burden of online privacy from users to business, by dimming the highlight on user choice while focusing on businesses’ obligations under the FIPs.
- Consider, for example, patients’ social networking website PatientsLikeMe.com, which explicitly, conspicuously, and unmistakably holds out to its users a philosophy of openness and use of medical data not only for commercial purposes but also for medical research.
- Privacy advocates note: Children are increasingly subjected to a wide array of behavioral targeting practices through social networks, games, mobile services, and other digital platforms that use techniques that evade current legal restrictions.
Cites methods from "To Track or 'Do Not Track': Advanci..."
...A user’s opt-out preference is signaled by an HTTP header field named DNT : if DNT=1, it means the user does not want to be tracked (opt out)....
...The DNT technology seems to be a good solution to privacy problems, considering that it helps users to regain the control over ‘‘who sees what you are doing online’’....
...The W3C Tracking Protection Working Group is now trying to standardize how websites should respond to user’s DNT request....
...There is no compulsion for the server to look for the DNT header and honor the DNT request....
...A major technology used for antitracking is called Do Not Track (DNT), which enables users to opt out of tracking by websites they do not visit....
Cites background from "To Track or 'Do Not Track': Advanci..."
...The importance of privacy defaults is perhaps nowhere more apparent than in the current debate over the so-called Do Not Track list (see Tene and Polonetsky 2012)....
Cites background from "To Track or 'Do Not Track': Advanci..."
...3174006 with their potential customers, advertisers must clearly communicate their algorithmic ad curation process [51, 53]....
Frequently Asked Questions (8)
Q1. What are the contributions in "To track or “do not track”: advancing transparency and individual control in online behavioral advertising"?
In this paper, the authors present a review of the use of tracking devices in the context of online tracking.
Q2. What are some activities that should be allowed to exist as default options?
Some activities are value creating, socially desirable, and minimally intrusive; they should be permitted to exist as default options.
Q3. What is the value of data collection and use to broader society?
The value of data collection and use to broader society includes ease of obtaining credit, support of free web content, encouraging users to conserve energy, and more.
Q4. What did he think of the potential downsides of regulatory initiatives?
Rosch recently suggested that the potential downsides of regulatory initiatives include “the loss of relevancy, the loss of free content, the replacement of current advertising with even more intrusive advertising.”
Q5. What is the practice recommendation for online behavioral advertising?
In April 2011, the European Advertising Standards Alliance (EASA), a Brussels-based NGO bringing together national advertising self-regulatory organizations and organizations representing the advertising industry in Europe, submitted its own best practice recommendation on online behavioral advertising.
Q6. What is the practical method for providing uniform choice for online behavioral advertising?
It states that: [t]he most practical method of providing uniform choice for online behavioral advertising would likely involve placing a setting similar to a persistent cookie on a consumer’s browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements.
Q7. How many minutes would it take to read through all of the privacy policies she encounters online?
Aleecia McDonald and Lorrie Cranor calculated that it would take the average user 40 minutes per day to read through all of the privacy policies she encounters online.
Q8. What is the definition of a “Do-Not-Track like” mechanism?
In fact, in order for companies to qualify under the FTC Safe Harbor program contained in my bill, they would have to set up a ‘Do-Not-Track like’ mechanism for consumers to allow them to opt-out of having the personal information they provide, both online and offline, to third parties.”