Track Me Not
“Do not track” legislation could simply accelerate the monopolization of Internet advertising.
Last week, Microsoft announced that it would build something called “Tracking Protection” into the next edition of its Internet Explorer Web browser (IE9). Although Microsoft’s proposal got a lot of coverage, including a favorable comment from Federal Trade Commission Chairman Jon Liebowitz, the new feature is a step in the wrong direction for privacy on the World Wide Web.
IE’s Tracking Protection is technically flawed—it can’t stop websites from tracking you—and its existence will give corporate interests a powerful tool for arguing against government regulations that might actually resolve the problem of pervasive Internet tracking.
Microsoft’s announcement comes amid mounting concern over the ability of advertisers to track people across the Web. The Federal Trade Commission recently endorsed the idea that users should be able to opt out of having their online activity tracked. But the technological and legal frameworks that would make it possible to opt out remain far from clear.
People who haven’t been following the controversy regarding Internet tracking often have a hard time understanding just how invasive today’s Internet has become—and why they should care. Much of the press coverage has just confused the situation further by focusing on the role of third-party Web analytics and advertising companies, rather than on the tracking and tabulation done by industry advertising giants like Google, Yahoo, and Facebook. A paradoxical but entirely possible outcome of Microsoft’s new browser feature might be to increase the ability of such companies to track and record everything you do online.
Over the past decade, the Web’s infrastructure has changed in fundamental but invisible ways. No longer do venture firms or subscriptions fund popular information-oriented websites (with the exception of a few outliers like the Wall Street Journal and Technology Review’s premium content). The vast majority of the Web is funded by advertising. Google, for instance, got 97 percent of its $7.3 billion in revenue for this year’s third quarter from advertising.
The reason advertising on the Web has become such an effective moneymaker is that the Web is a two-way communications environment. It is possible to know not just how many times an ad is viewed, but how many times it was seen by the same person, where that person is physically located, and whether he or she saw the ad at home or at work. Advertisers can run multiple ads and see which ones lead to sales—and the value of each specific sale. This gives the Web a tremendous advertising advantage over other media. In effect, advertising dollars have been sucked out of thousands of print magazines and pumped into Google’s coffers.
Now Internet advertising is embarking on its next big step—a push into something called behavioral advertising, in which the ads you see are selected according to the totality of your online behavior. Publishers are excited about behavioral advertising because it brings in dramatically more money—an average of $4.12 per 1,000 displays of a behaviorally targeted ad, versus $1.98 per thousand for an untargeted ad, according to one study. But according to Susan Grant, director of Consumer Protection at the Consumer Federation of America, most Americans find the very idea of behavioral advertising creepy. At a hearing December 2 of the House Subcommittee on Commerce, Trade and Consumer Protection, titled “Do-Not-Track Legislation: Is Now the Right Time?” Grant cited a 2009 survey by researchers at the University of Pennsylvania in which 84 percent of respondents said they did not want advertisements they saw on one site to reflect what they had done on other sites. “More than 90 percent agree that there should be a law that requires Web sites and advertising companies to delete all stored information about an individual if the person requests them to do so,” she said at the hearing.
Internet tracking is the underlying practice that makes behavioral advertising possible. After all, in order to deliver a highly targeted ad, a website needs to know as much about the person on the other side of the browser as possible. Tracking started with cookies from companies like DoubleClick (now part of Google), which were used to correlate what individuals searched for with the websites that they ended up visiting. Then it was expanded to include Web bugs (also called Web beacons). One of the latest technologies is browser fingerprinting, which makes use of the fact that most Web browsers provide an astonishing amount of information about your machine, including the installed fonts, the installed browser plug-ins, the screen size, and the time zone, which can be used to create a unique fingerprint. (Find out if a fingerprint has been created for your browser by visiting http://panopticlick.eff.org). A surprising number of websites even reach into your browser and download your entire browsing history, according to an academic paper published this past October.
All these technologies work together to track people on the Web—their interests, their income level, what products they’ve purchased, what ads they’ve seen, where they are, and other information as well. Of course, no single company has all this information. But Google comes pretty close, especially for people who leave themselves logged into their Gmail accounts when browsing the Internet or who make use of Google’s cloud services from an Android-based cell phone. Google can correlate what you search for with what Web pages you visit (provided that they contain Google ads), with where you are (thanks to your phone), and with which e-mail messages you read and which you ignore.
Most of today’s Internet tracking practices will be completely unaffected by the new Internet Explorer Tracking Protection feature, at least according to the way Microsoft has described it. According to Dean Hachamovitch, head of Microsoft’s Internet Explorer development team, the Tracking Protection in IE9 will be little more than a blacklist of websites that Internet Explorer won’t communicate with, even if another website requests that it do so:
“Tracking Protection in IE9 puts people in control of what data is being shared as they move around the Web. It does this by enabling consumers to indicate what websites they’d prefer to not exchange information with. Consumers do this by adding Tracking Protection Lists to Internet Explorer. Anyone, and any organization, on the Web can author and publish Tracking Protection Lists. Consumers can install more than one. By default, there are no lists included in IE9, which is consistent with our previous IE releases with respect to privacy.” “Providing Windows Customers with More Choice and Control of Their Privacy Online with Internet Explorer 9,” Microsoft News Center, December 7, 2010.
There are two things wrong with this model. First, no matter how many Tracking Protection Lists consumers install in their copies of IE9, there’s no way to guarantee that the user isn’t being tracked, because the tracking services can always spin up a new website with a new domain name. More important, the new feature won’t stop the websites you access from tracking you. And since you won’t block the websites you are using, you won’t block the tracking.
As it turns out, the idea of Congress passing a law isn’t so far-fetched. The recent Congressional hearing was announced a day after the Federal Trade Commission released a 122-page preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change,” which endorsed the creation of a national “do not track” mechanism.
“Do not track” is at the beginning of the policy cycle. Interest groups are still trying to figure out how to explain tracking, figure out where they stand, and then phrase their arguments. But surprisingly, at the hearing, there was near unanimous agreement among the speakers on one point: consumers should have the right to chose whether or not they are tracked.
Alas, the rhetoric of “consumer choice” may ultimately render anti-tracking technology or regulation meaningless. That’s because the companies that are among the best at tracking consumers, such as Google and Facebook, generally have already extracted their users’ consent to be tracked as a precondition to using their services.
If simple solutions to Internet tracking won’t work, what do we need instead? First, we need true transparency by Internet advertisers and technology providers—we shouldn’t have to rely on academics and journalists to figure out what these companies are up to. Second, we need an intent-based system of regulations that, rather than focusing on tracking or blocking techniques, describes what kind of data may be collected, who is allowed access to the data, and how it may be used.
Internet users should also have the legal right to see what information has been collected about them online and the right to have that information selectively deleted. (Being able to delete your Google tracking profile is not really an option if you also have to delete all of your e-mail and find another place to house your calendar.) Simply put, we need to have the Code of Fair Information Practice extended to the Internet—something that business interests have successfully blocked until now.
Current proposals to limit tracking are unlikely to address the core problem—the use of collected information in undisclosed ways. Indeed, the proposals will do little more than put other companies at a disadvantage relative to advertising companies like Google and Facebook, which attract eyeballs with compelling Web-based social networking, messaging, and personal-information-management applications. Thus “do not track,” unless it’s done correctly, will simply accelerate the centralization and monopolization that’s already under way on the Internet.