Privacy Backlash Over Ad Tracking Debated

Tom Spring: Advertisers' Online Tracking Is Bad

Note to advertisers who want to track me online: Buzz off.

My privacy is sacrosanct to me, both in my home and online. I have already made enough compromises to accommodate the digital world that I live in. Giving advertisers the green light to profile me, follow me around on the Internet, and show me ads based on my behavior is wrong, and flat-out creepy. It’s also potentially dangerous, and it could lead to virtual forms of redlining, leaving the lone consumer at the mercy of powerful companies more interested in their bottom line than my well-being.

Online privacy
Current do-not-track legislation working its way through Congress, and other initiatives put forth on the state level, such as in California, are important first lines of defense against an unchallenged advertising industry willing to test the limits of my personal privacy in exchange for a dime. I applaud these do-not-track efforts, as well as similar ones by Microsoft and the Mozilla Foundation with their respective browsers, Internet Explorer 9 and Firefox 4, both of which empower the consumer with do-not-track features (albeit flawed ones).

Right now advertisers have the upper hand. In the United States we have few limits on how Web-based companies can track consumers online, and with whom they share that data. Without legal limits--and because do-not-track controls within IE and Firefox rely on the voluntary participation of Websites--consumers are caught in privacy purgatory and have no way to say "no" to tracking.

1. Opting in versus opting out: Consumers, at a minimum, deserve the right to choose whether to be tracked--to opt-in. All I'm arguing for is the real option to tell advertisers to go away, not to track me, and to stop displaying ads based on my online behavior.

That’s what the do-not-track measures proposed in Congress and in California provide. Both call for Websites to get opt-in permission from users before collecting personal data. Proposed regulations would also require Web companies to inform users of their data collection and tracking efforts, and would allow civil lawsuits against companies that failed to comply with the regulations.

It’s not time to be whistling in the dark, arguing “I love playing Plants vs. Zombies online for free, so screw my own privacy.”

2. I’m not paranoid--the threat is real: New methods of data harvesting, coupled with new online advertising techniques, push the privacy envelope way too far. At the heart of these privacy-busting trends is advertisers' desire to track your interests on the Web and display what are called behavior-based ads.

Advertisers have gone way beyond cookies, and are collecting the “public” data we post on social networks such as Facebook and LinkedIn to target ads more effectively. But might your Facebook status ever be used by a credit agency, health-care provider, or future employer to determine if you are a good bet? See my May 2010 story called "Good-Bye to Privacy?" for a list of companies engaged in such practices today.

Advertising firms bristle at the notion that your credit card issuer could jack up interest rates based on a tweet in which you announce that you just got laid off. But privacy experts say that this scenario may become a reality in coming years (see "Can Your Online Life Ruin Your Credit?").

As a result of online tracking, connections between your offline and online worlds can be made through an e-mail address kept on record by a company that you do business with. That e-mail address could create a link to a composite profile made up of your online activities at social networks and other sites. By cross-referencing that e-mail address, advertisers can show you banner ads tailored to your spending habits, to your health problems, and to your political views expressed on Twitter.

The rise of online tracking and data harvesting has created cunningly effective advertising campaigns customized to a Web surfer's household income, interests, and online activity. The Center for Digital Democracy's Jeffrey Chester tells me he believes that this type of advertising fosters predatory ads. Examples might include dubious health cures or high-interest loans for HDTVs.

The examples above clearly show that online tracking, unlike other forms of online advertising, can be used to identify people surfing online. Patrick says sites "don't store any personally identifiable information." He misses the point. Individual sites (that you haven't registered with) don't store personal identifiable information, but online advertisers that track you do. Sometimes they may have your name. Other times they may know every single thing about you (down to your household income, address, political slant, sports you like, and etc) but just not your name. What's the difference? Lastly, for the determined, such as a government, scammer, or advertiser, it's easy to extrapolate a name from the anonymous data collected online. It's been done many times before.

Online privacy

3. Mythbusting the "Who cares about tracking" argument: The other side of the argument, as Patrick describes, says that prohibiting advertisers from tracking us online would cause the amount of free content (news, games, services, Web apps) to dry up.

Do-not-track doesn't threaten the free Internet - not by a longshot. Patrick is flat out wrong claiming it will and so are others that argued Facebook will have to charge $20 a month if advertisers can't display these type ads. According to the Interactive Advertising Bureau (PDF) "In 2009, overall revenue from all types of Internet advertising was $22.661 billion, while spending on behaviorally targeted ads was $925 million." That's less than 5 percent.

But in a world where Web surfers can choose to opt out from being tracked online, contextual advertising and nontracking forms of interest-targeted advertising are unaffected. Advertisers can still show Patrick those awesome relevant ads he likes; they just can't use his browsing history on other sites. Non-behavior based forms of online advertising, such as contextual, demographic, search, and social network advertising, would not be impacted by do-not-track measures and can still serve up relevant ads.

Patrick also argues he doesn't care about advertising tracking him because it's "not the kind of privacy (he is) worried about." This smacks of a very narrow "I don't care because it doesn't affect me" attitude. I do care about advertisers tracking me, but more importantly about those seeking loans, life insurance, and health information. I worry about the woman who spent the last six months scouring the Web for information on breast cancer that could have her IP address flagged by a health insurance provider's Website when she requests information for a new policy.

Other Web-focused trade groups argue that do-not-track restrictions are too hard for the advertising industry to implement. That is not true. Microsoft and Mozilla both have proved that implementing do-not-track flags (as an HTTP header) is possible.

Still other parties, such as the Interactive Advertising Bureau, say that doing away with behavioral ads based on tracking data will lead to more-obtrusive ads. In my experience nothing has ever stopped advertisers from squeezing more-obtrusive ads into my browser. If advertisers can do it, they will--do-not-track laws or not.

The just-because-advertisers-can-they-should mentality is a bad one. Unfortunately, most Web surfers don’t have the time or energy to understand the byzantine and technically cunning way they are being taken advantage of. It’s time to shed a little light on the problem, take a stand, and enforce some limits on the “Internet-advertising industrial complex."

Where do you stand on advertisers' tracking users online? Is it an undue invasion of privacy, or are you fine with behavioral ads? Sound off with your thoughts in the comments area below.

Subscribe to the Security Watch Newsletter

Comments