How do you feel about your Web-browsing activity being tracked?
During a visit to any given website -- including this one -- the average user's browser may execute a dozen or more tracking scripts, each with its own associated tracking cookie, stored on the user's computer. This enables website publishers and ad distribution networks to record a visitor's online activity and then serve up "interest-based" or "behaviorally targeted" ads -- customized messaging based on that activity.
The benefit to website producers is that targeted ads can be sold to advertisers at higher rates because, presumably, they will be more effective than the traditional banner ads that have long been used on websites. Ad networks generally do the tracking by placing a cookie on consumers' computers when they visit a participating publisher's website. The industry refers to these as "third-party cookies" because the ad network is a third party to the relationship between the user and website publisher. Users are typically unaware that they're being tracked -- and that has made the practice controversial.
[Concerned about your privacy? Check out our three-part series: The paranoid's survival guide.]
There are disagreements even among those who depend on website advertising. While digital ad networks and many website publishers push forward with the practice, some publishers remain cautious. "They get more money from more targeted ads, but they also have brand [reputation] considerations," says Justin Brookman, director of consumer privacy at the Center for Democracy and Technology. He's also co-chair of the World Wide Web Consortium's (W3C) Tracking Protection Working Group, which is developing a Do Not Track (DNT) standard for the industry.
"Do they want to be seen as enabling third party tracking?" Brookman asks. "They're a little more cautious around perceptions than are the third-party ad networks."
Here's how the practice of tracking affects both consumers and website publishers -- and what each side of the equation is doing to try to fix matters.
Whys and wherefores of Do Not Track
In 2011, Do Not Track (DNT) technology was introduced as a method to ensure user privacy. DNT is an optional browser feature that signals advertisers to not track the user's Web activity. It does this by sending an HTTP header with the syntax DNT:1 to every website the browser visits.
The W3C working group was supposed to develop a standard to define what DNT means and how ad networks should respond, but made little progress for the first two years. So while the DNT signal was eventually adopted by most major browsers, many Web publishers and advertisers have been ignoring any privacy requests sent by the signal.
As user awareness has increased, so has the level of discomfort with the idea of having all of one's online browsing activity recorded.
That has left consumers who don't want to be tracked with a more drastic option: Turn on the third-party cookie blocking setting in the browser and install special browser add-on software that prevents tracking scripts from running (because not all tracking is cookie-based).
It's not a complete solution, however. Anti-tracking tools defend against tracking only by third-party advertising networks that deliver ads through the content publisher's website -- although the tools do block all third-party requests, whether from ad networks, social media or analytics companies. The tools don't prevent any tracking by a "first party" -- the publisher of the site or any affiliated advertising networks it owns.
In addition, most anti-tracking tools won't work on mobile devices (although one, Disconnect Kids, claims to work on iPhones). Because mobile devices don't use cookies, the operating systems are locked down and mobile apps are isolated from each other, it's difficult to create a mobile app that globally blocks the tracking of your browsing and app activity, says Casey Oppenheim, co-CEO at Disconnect, maker of Disconnect Kids and the Disconnect anti-tracking browser add-on.
Replacing the cookie
While cookies assign a unique identifier to a user's browser, they can't easily be used to track the user's activity across different devices or even across different browsers running on the same computer. New techniques, such as those recently disclosed by Facebook, Google and Microsoft, will assign a unique identifier to each type of device the user has and link those together to track activity across all of the devices the person uses. These new tracking mechanisms, if they catch on, could be used across each vendor's ecosystem -- and beyond.
Other advertising networks have also been working with statistical identification methods -- browser and device "fingerprinting" techniques -- that don't require the presence of a cookie file.
Meanwhile, as user awareness has increased, so has the level of discomfort with the idea of having all of one's online browsing activity recorded -- particularly by third-party advertising networks that consumers don't know and with whom they have no relationship.
And as the number of tracking scripts has increased, so has the bandwidth consumed when the user attempts to load the page. "Up to 26% of bandwidth goes to loading trackers," says Sarah Downey, privacy advisor at Abine, the distributor of a free anti-tracking add-on program called DoNotTrackMe. According to Downey, the percentage comes from a 2012 Web crawling exercise conducted by Abine.
"As the industry moves toward stealthier methods of tracking [such as device and browser fingerprinting], the only way we can reliably prevent tracking is to block entire requests," says Brian Kennish, co-CEO of Disconnect. Tools like Disconnect take the draconian step of blocking requests to third-party ad networks to deliver an ad when the user visits the site -- which means even a non-targeted ad can't be delivered to the user.
In contrast, a universally accepted Do Not Track mechanism would still allow third-party advertising networks to substitute a contextually appropriate ad for a behaviorally targeted one (e.g., a game ad for users on a gaming site) rather than cutting off the request entirely. "We'd prefer a more subtle solution where we don't have to throw out the entire request," Kennish says.
"It's a very blunt tool. That's why we're trying to find a middle ground with Do Not Track," says the Center for Democracy and Technology's Brookman.
The DNT controversy
W3C formed the Tracking Protection Working Group in 2011. Its mission is "to improve user privacy and user control by defining mechanisms for expressing user preferences around Web tracking and for blocking or allowing Web tracking elements."
But debate among the members of the organization -- which include privacy advocates, Web publishers, advertising networks and many others -- has been contentious, culminating last year with some well-publicized resignations on both the consumer and advertiser sides of the debate.
The industry has created a default where you're followed wherever you go by hundreds of companies. Sarah Downey, privacy advisor, Abine
More recently, the group has been making slow progress on its Tracking Preference Expression standard, which determines the syntax and meaning of the DNT signal. This specification should be ready to be released this spring, according to Brookman. But that may turn out to be the easy part. The group still needs to agree on the Tracking Compliance and Scope specification, which deals with what actions ad networks must take to comply with the DNT request -- and that is still controversial, he says.
For the third-party advertising networks in particular, the DNT discussions represent a potential crisis. Eliminating all tracking is unfair, says Mike Zaneis, senior vice president of public policy at the Interactive Advertising Bureau (IAB), a trade organization for website publishers and online ad sellers; Zaneis is also the IAB representative to the W3C Tracking Protection Working Group.
Advertisers increasingly pay based not on whether users view an ad but whether they respond to it. "You need a way to track user interactions, both on the publisher page and throughout the purchase process. This represents basic accounting and measurement practices for digital advertising," he says.
Not unexpectedly, privacy advocates disagree. "We don't want to break the Web," Abine's Downey says, but adds that users should have a choice as to whether to share -- and with whom. "The industry has created a default where you're followed wherever you go by hundreds of companies."
And the information gathered isn't used to just deliver behaviorally targeted ads, she says, but can be used in other ways, resulting in lower credit scores, price discrimination on e-commerce sites based on your tracking profile or higher insurance premiums. (Downey keeps a running list of examples of such abuses.) "You don't have a say in any of this," she says. Users, she explains, should have a choice when it comes to tracking.
But they do have a choice, argues Zaneis. While no global Do Not Track program is available yet, many publishers and advertising networks allow users to opt out of interest-based advertising for individual sites and services. In addition, the Digital Advertising Alliance's Ad Choices program lets consumers opt out of receiving interest-based advertising from the trade group's 118 members, which include third-party ad networks. And when users opt out, he says, members also agree to stop tracking their online activity.
Is the W3C working group working?
What the W3C's working group was supposed to deliver is that global option -- a choice for users in the form of a universally recognized Do Not Track option that, when turned on, would enable the browser to communicate a Do Not Track signal to publishers and ad distribution networks. The browser vendors were to offer the feature and the working group was to develop the standards dictating what Do Not Track means and how advertisers should respond.
All organizations would then be obligated to honor the user's request, following the specifications laid out by the working group. For instance, Brookman says, "you can't [manually] opt out of every single tracking company. You need a global opt out."
But the effort has bogged down. Since its founding, the working group's membership has ballooned to more than 100 voting participants that represent a wide range of competing constituencies -- including consumers, Web publishers, ad networks, browser vendors, ISPs, cable companies and others.
Until recently, the group hadn't even been able to agree on the basic definitions behind Do Not Track, says group member Mark Groman, president and CEO of the Network Advertising Initiative, a self-regulatory industry association that counts 95 advertising companies as members.
"What does it mean to track -- or not track? What is a first party versus a third party?" And, he adds, does Do Not Track mean "don't gather any information on the user at all," or "don't deliver behaviorally targeted advertising based on that data"?
Last fall, Groman says, they were still having discussions over how to define the words "collection" and "sharing." "That presents a real problem when you're trying to develop a standard," he says.
"Instead of defining what we wanted to control, we delved right into the minutiae," says the IAB's Zaneis. But Brookman, who joined the group in 2011 and became co-chair in September, says the group finally has agreed upon definitions, including the terms "tracking," "collect" and "share." The group has "only a couple unresolved issues that we're working out in the technical document, and then we'll proceed to last call," which is the last opportunity for public input before the standard is approved, he says.
"Perhaps those should have been nailed down earlier, but they are the first things we are settling under the new plan to move forward," he says.
The gathering of some tracking data, such as screen resolution, IP address and referring URL, is required for the basic operation of the Web. But how much information is acceptable to users, and needed or just wanted by the advertisers who are funding commercial websites? "We're trying to walk through what is the least amount you can collect and retain while still allowing the third-party ad ecosystem to work," Brookman says.
"We don't need to tell the Web server nearly so much as we do right now," says Jonathan Mayer, a Stanford University grad student and former working group member. "We can limit it to the bare bones required for the Internet to do its thing."
Mayer has a strong bias against the retention of tracking data by third-party ad networks and has been at the center of some of the more contentious exchanges within the working group. "I don't want companies I've never heard of keeping track of where I go on the Web," he says flatly.
"One side wants the cessation of data collection for any purpose. The other side wants the status quo. It's difficult to rectify those positions, particularly when those tend to be the loudest voices in the room," says Alan Chapell, president of Chapell & Associates, a consumer privacy law firm serving the advertising industry, and working group member.
Then there's the issue of what actions would be required when the ad network receives a Do Not Track signal -- and at what point DNT policy actually applies. For example, should a Do Not Track policy pertain to tracking for all purposes, including market research by firms such as The Nielsen Company, or just for the delivery of those behaviorally targeted ads?
Big players vs. smaller ones
Suggestions that DNT policy only apply to third-party advertising networks have advocates for those organizations crying foul. Chapell, for one, thinks this gives big players such as Amazon, Facebook and Google a free pass at the expense of independent ad networks and the smaller publishers that use them.
For example, a large Web publisher may have dozens of sites and brands -- Google even has its own third-party ad networks in AdSense and DoubleClick -- but as long as all of those are connected through a common privacy policy they are classified as a first party. "They can take whatever data they have and use it to target ads across the Internet, even when DNT is turned on," Chapell says.
According to the IAB's Zaneis, there is also more potential for privacy violations when you're dealing with the big ecosystems. Major players like Google and Amazon know the identity of each user once that user self-identifies through online account registrations and transactions. They can then combine online data with offline data from aggregators to serve highly targeted behavioral advertising.
According to the IAB's Zaneis, there is more potential for privacy violations when you're dealing with the big ecosystems.
In contrast, Zaneis argues, the tracking data that most third-party digital advertising companies collect contains no personally identifiable information.
In addition, Facebook's "Like" buttons -- and other social network buttons that appear on many websites -- actively track user activity on those pages and send data back to the social networks. "It's unclear whether the mere presence of a button on a page gives Facebook or Google first-party status," Chapell says. "We've created these artificial distinctions, but there's no real privacy gain. You'd think the bigger companies would be the ones you'd want to target [with Do Not Track]."
Further complicating matters, the opt-in nature of the DNT program has been "hijacked" by some routers and security packages that automatically turn on the DNT header by default, such as the anti-malware software from AVG, says Zaneis. "Anything that sits between the browser and the website can inject the DNT signal. It no longer represents a consumer choice," he adds.
Zaneis sees Microsoft's decision to turn on DNT by default when users install Internet Explorer in a similar fashion. For this reason, he says, at least one major Web publisher that honors DNT signals from other browsers has declined to do so for IE users.
In the meantime, Mozilla and other browser vendors let users decide whether or not to turn on the DNT signal. "We have no plan to turn on DNT by default in Firefox. It is a representation of the user's preference and not Mozilla's," says Alex Fowler, head of privacy and public policy at Mozilla.
The issues regarding who should be allowed to set a DNT signal -- including the level of explanation that must be provided before a user is deemed to have intended to turn it on -- have been resolved within the emerging technical standard that's about to be put forward, Brookman says.
So what happens next?
Efforts in the W3C working group are continuing, but Zaneis thinks the most likely scenario is that the industry will work with "a few key players" to develop a policy that's an extension of a self-regulatory program developed by the Digital Advertising Alliance (DAA), an industry consortium.
Last fall, when frustrations over the W3C Tracking Protection Working Group's lack of progress came to a head, the DAA quit the group and formed its own DNT subcommittee. "We are working with key interest groups to develop principles to incorporate browser signals into the existing DAA program. Think of it as the compliance piece that will be lacking from the W3C process," Zaneis says.
Mozilla's Fowler thinks that DAA parallel effort, which industry groups need to pursue anyway for their own internal self-regulatory programs, might bear fruit. "If they get it right, the opportunity for the W3C to move quickly on a spec is there. It will make the job for the W3C a lot easier," he says.
Jonathan Mayer thinks a solution will need to come from elsewhere. He is now working on Tracking Not Required, a project that stores browsing history data locally "instead of [on] some site you've never heard of," and enables users to determine who gets to see that data.
Increasing numbers of users have been taking matters into their own hands by using anti-tracking browser add-on tools such as Disconnect, based on the add-on download statistics from the major browser vendors. And Mozilla recently released Lightbeam for Firefox, an add-on that attempts to raise consumer awareness by letting users see visually who is tracking them as they surf the Web.
Lightbeam for Firefox lets users see visually who is tracking them as they surf the Web.
In addition, Fowler says that Mozilla has been debating different approaches to blocking third-party cookies -- cookies placed by parties other than the publisher of the site -- including turning the feature on by default in Firefox. According to Alan Chapell, a similar move by Firefox or another major browser vendor would represent a tipping point that could break down the current system. (Apple's Safari browser, which has a relatively small market share, already blocks third-party cookies by default.)
Fowler adds that Mozilla is looking at a range of options, including limiting blocking in certain contexts. For example, third-party cookies might be blocked except when used in conjunction with a shopping cart, or when the user has a relationship with a given third-party site. Or it might create and use a third-party tracking protection list that ships with the browser. "It really is pretty open," he says.
However, Zaneis believes that third-party cookie blocking will only make matters worse. "If they turn off cookies today," he says, "tomorrow you will have a less transparent identifier out there. Companies will switch to statistical identification techniques, which are invisible to the user." And that, he adds, would undermine what Mozilla is trying accomplish.
Mayer isn't too worried. "The consumer control train has left the station," he says. "It's clear that we're heading for something very different, and I'm optimistic about it."
Downey, on the other hand, sees the newer, more sophisticated tracking methods such as browser fingerprinting as a big concern. "There are unique identifiers out there today and it's getting worse. We can't protect against that," she says. Only the browser vendors are in a position to solve the problem, she argues.
If at first you don't succeed...
A Do Not Track policy with all parties as signatories would be a good first step toward addressing these issues across all platforms, and Brookman remains optimistic that a negotiated agreement still can be hammered out. To force movement, the working group has actively pursued a process that allows the co-chairs to "declare definitive positions on contentious issues based on which [positions] have the least strong objections," he says.
But this change has left industry groups that are on the losing end of some decisions feeling disenfranchised. "It is an outrage," Zaneis says of the current process.
Brookman thinks that those browser vendors who implemented the Do Not Track feature in their products and are deeply committed to the idea are positioned to push the group to consensus. "If their DNT signals are being rejected and ignored, they have a lot of options at their disposal to disadvantage non-compliant third parties. That alone may be sufficient incentive for the trade associations to adopt a meaningful DNT standard," he says.
Zaneis says advertisers won't be coerced into an agreement. "The $40 billion U.S. ad industry will not be strong-armed by advocates into agreeing to a standard that does nothing to further privacy or allow the Internet to prosper," he says. "We remain committed to finding a balanced approach that supports privacy and economic growth."
Fowler remains confident. "Since the end of last year we're seeing pretty good progress. We're hopeful that we'll see industry groups in this year moving forward with broader support for DNT," he says.
But while the working group may finally have regained its footing over the last few months, a final resolution still could be a long ways off. In the meantime, users will have to decide whether to live with the status quo, pursue the various opt-out mechanisms available to them, or simply block everything using an anti-tracking program.
Robert L. Mitchell is a national correspondent for Computerworld. Follow him on Twitter at twitter.com/rmitch, or email him at rmitchell@computerworld.com.
This article, Ad tracking: Is anything being done?, was originally published at Computerworld.com.
Read more about privacy in Computerworld's Privacy Topic Center.