Most of us depend on free web services, from Google to Facebook, but unless you’re careful, using them has a price: your privacy. Web advertisers, which keep these sites in business, track what you do online in order to deliver targeted, attention-grabbing ads. Your web browser reveals a surprising amount about you, and advertisers are keen to find out even more.
A new draft report from the Federal Trade Commission (FTC) recommends the creation of a “Do Not Track” mechanism that would let Internet users choose, with the click of a button, whether to allow advertisers to track them. While this would offer better privacy controls than exist currently, the FTC’s approach falls short, because tracking technology is interwoven into our most popular websites and mobile services. Without tracking, they simply don’t work.
Few people realize that many web ads are tailored using huge amounts of personal data collected, combined, and cross-referenced from multiple sources—an approach known as “behavioral advertising.” Advertisers ferret out clues to where you live, where you work, what you buy, and which TV shows you watch, then refine their ads accordingly.
Behavioral advertising works. A study conducted by Microsoft Research Asia found that users were up to seven times likelier to click on targeted ads than on nontargeted ones. Targeted ads earn much more for websites—an average of $4.12 per thousand views versus $1.98 per thousand for regular ads, according to a study commissioned by the Network Advertising Initiative, a trade group that promotes self-regulation.
While many people are simply opposed on principle to unrestricted tracking, there are real risks involved. Without safeguards, tracking techniques could be exploited to steal identities or to hack into computers. And the big databases that advertisers are building could be misused by unscrupulous employers or malicious governments.
Over the past 15 years the United States has developed a peculiar approach to protecting consumer privacy. Companies publish detailed “privacy policies” that are supposed to explain what information they collect and what they plan to do with it. Consumers can then choose whether they want to participate.
The FTC report says that this model no longer works (if it ever did). “Many companies are not disclosing their practices,” FTC chairman Jon Leibowitz says. “And even if companies do disclose them, they do so in long, incomprehensible privacy policies and user agreements that consumers don’t read, let alone understand.”
The FTC is trying to rein this in. It recommends, for example, that companies collect information only when there is a legitimate business need to do so, and asks them to destroy that information when they no longer need it. It also wants companies to do a better job of explaining their policies to consumers.
Of course, real choice requires more than clear information—it requires options. At the moment, that means activating the “private browsing” mode built into modern web browsers (which prevents sites from accessing cookies) or using browser plug-ins that automatically block ads and certain tracking technologies.
But there is no rule prohibiting advertisers from circumventing private-browsing modes, and many are doing so. The FTC’s solution to this problem is “Do Not Track,” loosely modeled on the agency’s popular “Do Not Call” list. Instead of a centralized list of consumers who don’t want to be tracked, however, they envision a browser setting that would transmit an anonymity request to web advertisers. If behaviorally targeted ads really are beneficial to consumers, most people will leave the feature switched off. Otherwise, websites better get used to $1.98 per thousand ads viewed.
Browser makers have started building tracking controls for their software. Google recently released an add-on for Chrome called Keep My Opt-Outs, and Microsoft has announced a similar feature for Internet Explorer 9 called Tracking Protection. These features tell websites when someone doesn’t want to be tracked. But it’s still up to companies to honor this request. And, unsurprisingly, the advertising industry fiercely opposes tracking restrictions, especially if they are enabled in browsers by default.
The real problem with “Do Not Track” is that it derives from an earlier understanding of web advertising—that ads are distributed to news sites, search engines, and other destinations that don’t necessarily need to know who you are. Nowadays many popular websites are unusable unless you let them track you.
Take Facebook: The website has seen explosive ad-revenue growth precisely because it tracks users’ interests in great detail. There’s no way to turn off tracking and still use the site. Thanks to Facebook Connect, which lets you log on to other websites with your Facebook credentials, and the “Like” button, which sends links from external pages back to your profile, Facebook now tracks you across the web. Or, more accurately, you tell Facebook where you are.
Smartphones will accelerate this trend. Already, many phones deliver ads based on your GPS-determined position. Future ads might depend on the applications you’ve installed, whom you’ve called, even the contents of your address book.
There is a way to resolve this conundrum: Create simple and enforceable policies that limit companies’ retention and use of consumer data. These could be dictated by the government or, conceivably, built into browsers and customized by users. For example, you could tell Google to archive your searches forever, but make them anonymous after six months. You could tell Facebook to keep your posts indefinitely, but use them for advertising purposes only for a year.
Unfortunately, any kind of reform will face stiff opposition from vested interests. But if the government wants to defend us from privacy-trampling advertising, it needs more than “Do Not Track.”
Simson L. Garfinkel is a contributing editor to the world’s oldest technology magazine, Technology Review, an independent bimonthly published by MIT. Excerpted from Technology Review (March-April 2011).www.technologyreview.com