Online Advertisers Are Selling You Out

Online Advertisers are Selling You Out
Big Brother is watching. And he wants to sell you toothpaste and get you to vote for the candidate of his choice.

The Wall Street Journal's Emily Steel has an excellent piece today detailing just how much Internet data mining firms know about you. The answer? A lot more than you realize. Like: your political affiliations, religious activities, income level, various likes and interests, and your activity on online dating sites, to name but a few.

[ Also on InfoWorld: Cringely exposes the gaffes of candidates running for elected office in "Social media and politics make strange bedfellows." | For a humorous take on the tech industry's shenanigans, subscribe to Robert X. Cringely's Notes from the Underground newsletter. ]

And though they claim to be collecting this data without tying it to you personally, it turns out this information is not so anonymous after all.

Today's WSJ story is all about Rapleaf, one of the companies that benefitted from Facebook's latest "inadvertent" data leak, where it received personally identifiable information for people who clicked on advertisements inside Facebook apps.

Rapleaf builds profiles of Web surfers by dropping tracking cookies on its clients' websites, then matching the email addresses of registered users to data it has scraped from social networking sites. Rapleaf then sells this information to companies that want to target ads. This election year, Rapleaf's clients also include at least 10 political campaigns.

Like every Internet company whose business revolves around siphoning data out of people without their realizing it, Rapleaf is very pious when it comes to talking about user privacy. CEO Auren Hoffman wrote a blog post last month that hit all the right notes:

"One of the most important principles of individual privacy is the ability to act anonymously. When people are driving to a store or reading a book at home, they have a reasonable assumption that nobody is monitoring their behavior and attaching it to their name and address.

The same should be true on the internet: when you are online, there should be a presumption of anonymity. Nobody -- including websites, ad networks, ad exchanges, widgets, outside analytics services, etc. -- should know who you are and what you do unless you sign up or log in.

In a better world with sufficient anonymity online, your search history and the sites you visit should not be matched back to personally-identifiable information (like your name, address, email, etc.) so it cannot be stolen, used to discriminate against you, or subpoenaed by the government."

Hoffman recommends making it "technically impossible" to store personally identifiable information about you, unless you're logged into the site you're visiting. Unfortunately, it appears the geeks at Rapleaf did not get the memo.

Using Rapleaf data, the Wall Street Journal managed to identify at least two individuals in the company's database, along with a trove of information about them:

"In the weeks before the New Hampshire primary last month, Linda Twombly of Nashua says she was peppered with online ads for Republican Senate hopeful Jim Bender.

It was no accident. An online tracking company called RapLeaf Inc. had correctly identified her as a conservative who is interested in Republican politics, has an interest in the Bible and contributes to political and environmental causes.

The Journal decoded RapLeaf's information on Gordon McCormack Jr., a 52-year-old who lives in Ashland, N.H. RapLeaf correctly identified Mr. McCormack's income range, number of cars (one), his interests in gardening and the Beatles, and his interest in playing the online game Mafia Wars, among other topics....

RapLeaf also identified Mr. McCormack as someone with an interest in online personals. He says he isn't currently active in online dating, but might have a couple of profiles 'lurking on the Internet.'"

It turns out that -- surprise! -- Rapleaf was violating its own privacy policies by collecting some of this information:

"RapLeaf's privacy policy states it won't 'collect or work with sensitive data on children, health or medical conditions, sexual preferences, financial account information or religious beliefs.'

After the Journal asked RapLeaf whether some of its profile segments contradicted its privacy policy, the company eliminated many of those segments."

I for one am tired of companies that keep getting caught with their hands in the browser cookie jar, then act astonished that their breath smells like Oreos. How many more "mistakes" are we expected to tolerate before we realize we're being conned?

After the latest Journal report, Hoffman posted another blog entry that is almost smug in its non-apologeticness:

"Rapleaf's customers are helping millions of people have better lives. We love that.

We realize that even with the best of intentions, we sometimes make mistakes; especially in an industry with technology advances moving so quickly. Earlier this month, it was found that dozens of companies including Rapleaf were inadvertently passing Facebook and MySpace IDs to ad networks in a small minority of cases. While dozens of companies made the same mistake Rapleaf did, we were the first company to fix it.

The aggregation of data has big potential upsides and downsides. The bar for data aggregation companies like Rapleaf is very high."

Those are not the words of somebody who knows he screwed up bad and wants to do better next time. That post is practically Zuckerbergian in its arrogance.

Contrast that, for example, with Google's response after discovering its Google Street View vans had accidentally slurped up email and Web surfing information from open Wi-Fi networks:

"We work hard at Google to earn your trust, and we're acutely aware that we failed badly here. So we've spent the past several months looking at how to strengthen our internal privacy and security practices....

We are mortified by what happened, but confident that these changes to our processes and structure will significantly improve our internal privacy and security practices for the benefit of all our users."

Online Advertisers are selling you out
I suspect Rapleaf will soon be on the business end of some privacy lawsuits. I also predict that after the dust settles it will quietly change names and continue collecting data in more or less the same fashion -- until somebody else uncovers more data "mistakes" or Congress does something real about Internet privacy. (Don't hold your breath for that one.)

Can Congress possibly pass a law on Internet privacy that doesn't simply make things worse? Post your thoughts below or email me:

This article, "Online advertisers are selling you out," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.


Subscribe to the Best of PCWorld Newsletter