Where is the boundary? Conflicting standards on health-related ad targeting

November 24, 2010

A spooky experience with drug-ad targeting was the initial inspiration for the PrivacyChoice project, so it won’t surprise you that I support the call for an FTC investigation into pharmaceutical ad targeting. There’s a big difference between building a profile about what kind of car you want to buy and a profile that infers that you’ve just been diagnosed with cancer. Ask consumers and they would overwhelmingly say that this kind of targeting should be opt-in, not opt-out.

Here’s a key point: There’s a major conflict between the two published industry standards for ad targeting based on health conditions.

In the Network Advertising Initiative 2008 Principles (pdf), “sensitive” health information is defined as: “Precise information about past, present, or potential future health or medical conditions or treatments, including genetic, genomic, and family medical history.”

On the other hand, the DAA’s 2009 self-regulatory principles (pdf) say that prior consent is only necessary before collecting “pharmaceutical prescriptions or medical records related to a specific individual.” This standard is much narrower, and permits collection of online behavior to infer medical conditions, so long as personal prescriptions or medical records are not involved.

The DAA should promptly adopt the NAI rule, which appropriately gives consumers the choice of whether to have health-related behavior tracked. It’s not only the right thing to do; without protective and consistent standards, health-based profiling could rightly become a flashpoint that sinks the overall self-regulatory effort. Protecting the fortunes of pharmaceutical marketers isn’t worth it.


The new opt-out page: a missed opportunity

November 24, 2010

The new centralized industry opt-out page is now in beta on the aboutads.info site, which is a production of the new Digital Advertising Alliance. The new page consolidates opt-outs for the tracking companies participating in the self-regulatory program (at this point, the NAI member list). This is the page that websites can now point to as part of providing enhanced notice and choice. Over time it may supplant the NAI’s current group opt-out experience.

Unfortunately, it’s not an upgrade. Here’s why:

  1. Don’t make me read. Like the NAI page, the new page is text heavy, and choices are largely below the fold (particularly on a laptop). The site does not explain the process visually or with video (NAI’s site does).
  2. Don’t make me scroll. It’s admirable that the page has a global opt-out button (in addition to the ability to “check all”); but why bury that button at the very bottom of the page?
  3. Make it easy to see where I stand. Like the NAI page, a user sees which of three states they are in for each company: opted-out, not opted out and with active tracking cookies, or not opted out and with no tracking cookie. But unlike the NAI page, the user has to click through different tabs to see status. And gone are the NAI’s reassuring green checkmarks that provide unambiguous confirmation of success.
  4. Don’t make me do this again. There’s no instruction as to how to make the opt-out choice survive cookie-clearing (through a browser add-on or bookmark). At least the NAI built an add-on for this purpose, although it has never moved out of beta and was never offered as part of the opt-out process. It seems like a considered decision has been made that durability is not a requirement for the program. This won’t inspire confidence in the advocates of a meaningful “Do Not Track” option.
  5. Tell me this really works. As with the NAI site, the opt-out is billed only as terminating the use of behavioral information, not the collection of behavioral data. The new page could have been an opportunity to state that no behavioral profile data will be collected about consumers who have opted out.

A trade organization like DAA has limited funding and too many committee inputs, so perhaps it’s not fair to expect a delightful privacy experience for consumers. Assuming the opt-out platform is open, independent companies should and will build better versions. Recent research confirms that the privacy experience has a big impact on brand impression, so hopefully advertisers will push for “a little more Steve Jobs” when it comes to privacy design.

Are privacy add-ons effective? Surprising results from our testing

November 17, 2010

There’s no shortage of browser add-ons for consumers who want to block tracking by data and marketing companies. However, based on our testing, there is a wide variation in the actual effectiveness of these tools.


We separately tested four different Firefox add-ons, AdBlock Plus, Better Advertising’s Ghostery, Abine and our own TrackerBlock, by running them on a clean test machine at full blocking. In each case, after visiting all webpages linked from the top page of Google News, we looked at the browser cookie file to see which tracking companies from our Index had been able to write unique cookies on the machine. This sequence was also repeated without any add-on enabled.

We estimated effectiveness based on the number of unique tracking-company cookies allowed by each tool, relative to the number of such cookies present with no add-on installed. We assumed that any unique cookie could be used for tracking and should be counted, because companies do not specify which cookies are used for tracking purposes. We did not test versions of these add-ons for Internet Explorer, Chrome or other browsers.
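The counting step of this methodology, as an added sketch that is not PrivacyChoice's own test code. It assumes the cookie file has been read into a table shaped like a subset of Firefox's moz_cookies (host, name, value), counts companies rather than individual cookies, and uses a constructed three-company index, constructed cookie rows and an assumed set of generic values.

```python
import sqlite3

# Constructed stand-in for a tracking-company index: company -> cookie domains.
TRACKER_INDEX = {
    "ExampleAds": ["exampleads.test"],
    "MetricsCo": ["metricsco.test", "mco-cdn.test"],
    "PixelNet": ["pixelnet.test"],
}

# Values identical in every browser cannot single one out. Assumed markers;
# real opt-out values differ from company to company.
GENERIC_VALUES = {"", "0", "OPT_OUT", "optout"}

# Constructed cookie rows (host, name, value) for the two runs.
BASELINE_ROWS = [
    (".exampleads.test", "uid", "a81f3c9e77d2"),
    ("ads.metricsco.test", "id", "5520193847"),
    (".pixelnet.test", "pxid", "c0ffee1234"),
    ("news.example.test", "session", "zz91"),       # first party, not indexed
    (".notexampleads.test", "uid", "deadbeef01"),   # look-alike, not indexed
]
ADDON_ROWS = [
    (".exampleads.test", "uid", "OPT_OUT"),         # generic, not counted
    ("t.mco-cdn.test", "id", "9f2b77aa01"),         # slipped through
    ("news.example.test", "session", "zz92"),
]


def load_cookie_db(rows):
    """Build an in-memory table shaped like a subset of moz_cookies."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE moz_cookies (host TEXT, name TEXT, value TEXT)")
    db.executemany("INSERT INTO moz_cookies VALUES (?, ?, ?)", rows)
    return db


def host_in_domain(host, domain):
    """True for the domain or a subdomain, never for a look-alike suffix."""
    host = host.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def companies_with_unique_cookies(db):
    """Return the indexed companies that left a non-generic cookie."""
    found = set()
    query = "SELECT host, name, value FROM moz_cookies"
    for host, _name, value in db.execute(query):
        if value in GENERIC_VALUES:
            continue
        for company, domains in TRACKER_INDEX.items():
            if any(host_in_domain(host, d) for d in domains):
                found.add(company)
    return found


def allowed_ratio(baseline_db, addon_db):
    """Companies allowed with the add-on, relative to the no-add-on run."""
    baseline = companies_with_unique_cookies(baseline_db)
    if not baseline:
        raise ValueError("baseline run recorded no tracking cookies")
    allowed = companies_with_unique_cookies(addon_db)
    return len(allowed) / len(baseline), sorted(allowed)


if __name__ == "__main__":
    ratio, allowed = allowed_ratio(load_cookie_db(BASELINE_ROWS),
                                   load_cookie_db(ADDON_ROWS))
    print(f"allowed {ratio:.0%} of baseline companies: {allowed}")
```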


Here are the results:


  • No add-on provided perfect blocking.
  • Many people view AdBlock Plus as not only a streamlining tool, but also a privacy tool. It’s not clear that it delivers fully on that expectation.
  • Ghostery’s approach of disabling “web bugs” versus cookie interactions appears to provide incomplete coverage. The companies slipping through included widely installed networks like DoubleClick, Right Media and Audience Science, perhaps compounding the privacy exposure.
  • Abine’s combination of opt-out cookie retention and selective domain blocking appears to provide the least effective results when it comes to cookie blocking.

More detail on methodology and the raw cookie output is available here. Due to the dynamic nature of ad delivery, we expect results to vary from test to test and across a different set of pages and sites. However, in repeat testing, we observed consistency as to those tracking companies able to avoid blocking by each add-on.

Ghostery’s team reported results of their own run of this test, indicating a maximum of 19 cookies making it through, out of 232 in their own database. This may reflect a difference in the classification of tracking domains, among other factors.

We invite comment on this methodology and are happy to assist anyone who wants to repeat the test on their own machine. Please send any suggestions for other ways to measure effectiveness (we’re also looking at cookie reading, not just writing).

“Do Not Track” in browser headers? Six concerns

November 17, 2010

It’s great to see smart minds turned to the question of how to empower consumers when it comes to online tracking, so you have to appreciate the announcement of donottrack.us. This effort from Stanford is giving new life to the notion of modifying browsers to transmit a “do-not-track” preference with each header. When compliant tracking firms see the header, they would be required to recognize the opt-out preference and, presumably, ignore any other information transmitted with that request.

The chief benefit of this approach is that it is universal and potentially more scalable than collecting opt-out cookies on a user’s computer. Scalability is an important concern, particularly as the tracking company universe expands from a few hundred ad companies to thousands of brands with their own pools of user cookies.

Here are the issues:

1. Adoption by Browser Makers. Like any other browser-based solution, it requires adoption by the browser companies. This seems unlikely in the absence of a new law that requires it. The FTC today doesn’t have the authority to order it, and browser functionality seems like a difficult thing for Congress to legislate directly.

2. Opt-out Framework Still Required. Even if adopted as standard equipment by one or more browser makers, consumers on unsupported browsers still need to be able to opt out. The system would not become simpler.

3. What would be the default? Even if it were adopted as standard equipment by all browser makers, the default settings would largely determine consumer awareness and adoption. It’s hard to see the industry accept “off” as the default setting. The worst outcome would be a powerful but buried feature that no one knows about.

4. No connection or context. In the current opt-out framework, the consumer’s opt-out decision can be made directly and immediately from the notice of tracking. Because it’s a browser setting, there’s no simple way to connect header selection with the ad and online notice that provide valuable context.

5. Inferior to blocking. Compared with actually blocking interactions between the browser and the tracking company, an approach based on headers is less verifiable for the user, since it does not prevent unique identifiers from being written or read. If you’re going to modify your browser to control tracking, you should modify it not only for compliant companies, but also those who don’t comply. Given that less than a third of tracking companies are enrolled in the self-regulatory system now, incomplete coverage is likely to be an issue for a long time to come.

6. Less choice. The donottrack.us header is elegant because it is universal. But as the primary means to control tracking, that actually restricts choice in important ways. Consumers should have the ability to control which companies to block based on policies, oversight or even whether a tracking company has given them an incentive not to do so. In this way, donottrack.us is at odds with the consumer’s opportunity to influence and even have a stake in tracking.

Given these challenges, I’m not sure that the donottrack.us approach would meaningfully enhance the consumer experience compared to the current framework, flawed as it is. The current system, with some simple enhancements and much greater visibility to consumers, still seems like the right starting point. From there, browser enhancements that actually block tracking — hopefully built in and visible — provide the best upgrade for privacy-concerned consumers.

What if Apple designed the new privacy notices?

November 16, 2010

If Steve Jobs was the Privacy Czar, maybe the new ad notices would look something like this:

Unlike current approaches in testing, the call to action is right on top. Instead of the choices being another click away, the details are another click away. There’s no room for platitudes about privacy. Less is more.

Only testing can tell you how a more direct approach affects consumer satisfaction and attitudes about brands and privacy. But I would be surprised if consumers liked it less. There’s little doubt that regulators who favor “Do Not Track” would like it better.

How would advertisers and ad-delivery companies like it? A more direct approach seems likely to lead to more opt-outs. But at the same time, the research so far reveals strong consumer curiosity in profiles and control. Putting choices right on top would also lead to more clicks through to “See and Edit Profile,” which is an engagement opportunity.

The takeaway for folks designing privacy experiences: It’s always worth asking, “What would Steve do?”

Thanks to Eric at Cosmic Design Group for helping me channel the Apple design aesthetic for this thought exercise.

The PrivacyChoice Policy Wishlist

November 15, 2010

Intensified interest in federal privacy policy seems likely to result in either new laws affecting online tracking or efforts to boost the self-regulatory program. With privacy lobbying now in full swing, it seems like a good time to throw in some policy requests on behalf of consumer choice. (Each suggestion is linked to a prior post on the topic.)

Compliance criteria and failures should be transparent.

Behavioral data collection is opaque to consumers. This makes back-end oversight the linchpin to enforce consumer choice. Back-end privacy compliance standards should be published, just like public accounting standards. Every consumer has a stake, so failures must be visible. If advertisers consider it important enough, independent companies, not just industry-controlled organizations like the NAI, will provide compliance reviews.

Opt-outs should block data collection, not just data use.

It’s technically simple to separate tracking cookies from cookies that are used for non-behavioral purposes, and to overwrite each tracking cookie with a non-unique cookie when the user opts out. By doing so, a consumer can have greater assurance that their behavior is not being tracked. Companies must support that assurance by certifying the list of domains and cookies that they use for tracking.

Global opt-outs and status should be available at all choice points.

The current “opt-in” framework is fair to consumers only if they can opt out of all tracking at once, rather than chase down the opt-outs of individual companies. That choice and the user’s current opt-out status should appear whenever notice of tracking is provided (and not multiple clicks away). Anyone in the ad business who says anything like, “We can’t do that because it makes it too easy to opt out” just doesn’t get it.

The consumer should see the characteristics in their profile just like an advertiser can.

In terms of fairness, it’s hard to understand the notion that data companies can trade in information about you that you can’t even see. If you can show that information for ad buying, then you can show it to the consumer. Opponents of this are short-sighted; this is a great opportunity to talk directly with the consumer about what interests them.

Consumer privacy choices should be durable.

The way browsers work now, consumers can’t make durable privacy choices with just a click; opt-outs are swept away each time they clear their browser history. They may need to drag and drop a bookmark or install an add-on. But whatever the mechanism, durability options should be provided and explained at each choice point. Since this is a wishlist, perhaps I can also ask that ad companies use local storage via html5 or Flash to ensure the durability of opt-out choices. This would require a retooling of ad-company systems, but is quite do-able.

No company should be considered compliant if they transact in data with non-compliant companies.

Outliers from privacy best practices and certification should find it hard to do business. Given the certification backlog at the NAI, perhaps this can’t happen immediately, but the deadline should be measured in months, not years. Adoption will accelerate if the big players (like Google’s ad exchange) embrace the idea. This is also where big websites need to pitch in to better control who they invite to the party when they place tags on their pages.

The incredible vanishing icon

November 11, 2010

If you’re following the roll-out of the new ad-industry push to provide greater disclosure for ad targeting, you’ve probably noticed this icon starting to appear in or around ads you see online. Under the new rules, an icon like this needs to appear whenever behavioral data are collected or used in the course of delivering an ad. The icon leads to opt-out functionality where the user can choose not to see more behavioral ads.

It turns out that for many privacy-concerned people, it will be the absence of the icon that matters most of all. This is because, theoretically, once you’ve opted out from behavioral targeting from any company you shouldn’t see the icon again from them because, by definition, they can’t be using profile information to target ads to you. Someone who has opted out globally shouldn’t ever see the icon. If they do see it, it means that a new company is tracking them, or they’ve cleared all of their browser cookies (removing their opt-out, too).

That’s a win for consumers who decide to opt-out, since they will always know if there’s a problem with their status, and the icon offers an easy way to get back to the opt-out function again. But this also makes it very important that the icon only be delivered when behavioral targeting is in action and the user hasn’t opted out. Operationally, this means ad companies can’t take a belt-and-suspenders approach by over-delivering the icon with every ad to every consumer. If icons appear when they’re not supposed to, this will become a point of irritation for consumers, and a source of complaints to manage.

It’s a separate question whether people will understand that the absence of the icon does not guarantee that behavioral data is not being collected; an opt-out only stops ad targeting and not necessarily underlying data collection. Given the inherent power of the icon as a consumer communications tool, ad companies need to be crystal clear about the underlying substance of what it means (or doesn’t).

Do Not Track? Three Possibilities

November 10, 2010

Today’s news of a looming showdown between the FTC and the Commerce Department over privacy appears to involve an important question: Will there be a “Do Not Track” option for consumers when it comes to behavioral targeting?

Here’s my take on three possible ways Do Not Track might be implemented:

1. Browser-based blocking

It’s not difficult to engineer browsers to implement functionality like TrackerBlock, which literally stops selected data companies from accessing cookies on your computer (and deletes other identifiers they may leave behind). For the consumer, this kind of “Do Not Track” is even more effective than “Do Not Call.” Marketers aren’t just prohibited from calling, you can actually make them forget your number.

How would this be different from just turning off third-party cookies, as you already can in your browser controls? Turning off all cookies is a blunderbuss — lots of cookies are beneficial and not used for behavioral tracking, so that turning them all off degrades the rest of your browsing. By identifying which domains and cookies are used for tracking (something companies would need to certify), the browser can differentiate between tracking cookies and non-tracking cookies. In TrackerBlock the user can select individual companies to block, or with one click can block all companies or just those without best practices and oversight. (Take a look at the TrackerBlock control panel to see what I mean.)

This might be the most effective way to implement “Do Not Track,” but it’s not obvious that the FTC’s mandate stretches to browser design, which is one step removed from ad targeting practices. But the FTC does have sway over the ad targeters themselves, who could be required to offer Do Not Track browser add-ons as part of the notice-and-choice experience.

Is this approach to Do Not Track really practical, given that most users won’t install an add-on? Based on my own experience, installing a browser add-on for Do Not Track actually takes less time than registering your phone number for Do Not Call. Many users still fear any sort of software installation, but this will remain a barrier unless and until Do Not Track becomes embedded in native browser controls.

2. Opt-out cookies

The current framework of opt-out cookies might be seen as a form of “Do Not Track,” in that it allows a consumer to signal their privacy preference to each company through an opt-out cookie. These can be offered in aggregate, and industry groups and volunteers even offer browser add-ons that make opt-out cookies permanent.

Unfortunately, today’s opt-out cookies serve only to indicate the consumer’s preference not to have ads targeted based on their behavior; opt-out cookies do not promise to prevent the continued collection of behavioral data. Ad delivery companies may still retain a tracking cookie on your computer separate from the opt-out cookie, which continues to transmit behavioral information. If the goal of Do Not Track is consumer choice over data collection, the current form of opt-out cookies doesn’t really cut it.

There have also been proposals for a universal header, which, like an opt-out cookie, would automatically transmit the opt-out preference as part of every interaction with any server, including ad servers. By ditching the need for individual opt-out cookies, this is easier to maintain as the use of targeting spreads to more companies and brands; but standing alone it doesn’t provide any more assurance about data collection because tracking cookies may still be in use.

3. Data collection opt-outs

A hybrid approach could focus on improving the current opt-out functionality to make it more effective as a Do Not Track method. Here’s how it could work:

  • When a consumer requests an opt-out cookie, the non-unique cookie is written over each and every cookie that the company uses to store behavioral information.
  • Tracking companies publicly certify which domains and cookies are used for behavioral information. Industry organizations or private auditing firms can query and spot check companies on the back end to make sure certification is accurate.
  • Using test machines in the wild, verification vendors and watchdogs can easily test to confirm that generic opt-out cookies are written on request and are not altered over time.
  • The enhanced notice-and-choice experience would enable users to get a full set of improved opt-out cookies from all networks in a few clicks. Users who clear cookies regularly would have an option to install bookmarklets or add-ons to store opt-out preferences and replace them more easily.

Here’s the operational catch: companies that currently store behavioral and non-behavioral data in the same cookie must segregate those uses. But in a Do-Not-Track world, segregating behavioral and non-behavioral cookie functions is simply good practice, like separating accounting functions where there’s a potential conflict of interest. Otherwise you’re shifting the burden of trust completely to the consumer.

Which approach is best?

Since the current opt-out framework doesn’t really provide a “Do Not Track” option, the choice might come down to Door Number 1 (browser-based blocking) and Door Number 3 (an improved opt-out framework that actually controls data collection).

From a consumer point of view, browser-based blocking may be the most verifiable. From an industry point of view, data-collection opt-outs may preserve the most operational flexibility, by permitting non-behavioral tracking to continue. The good news is that both approaches can and would co-exist, so that consumers don’t need to make any compromise.

Here’s the crucial point: In either case, tracking companies must identify the domains and cookies they use for tracking, those must be isolated from non-behavioral cookies, and those distinctions must be subject to back-end compliance reviews. Only once that is in place does Do Not Track become a practical possibility.

By the way, no Do Not Track system can deal with all rogue tracking methods, like Flash cookies, browser fingerprinting or IP-address tracking. Think of that like the occasional telemarketer who still calls you at dinnertime in defiance of the No Call List. It’s inevitable and regrettable, but doesn’t undermine the fundamental value of the program.

Who’s checking your opt-out process?

November 9, 2010

At PrivacyChoice we have been building out our processes to better automate how we check and analyze opt-outs across the nearly 300 ad-delivery companies in the PrivacyChoice Index.

Given this visibility, it never ceases to amaze me how many companies fail to check or monitor their own opt-out processes. We’re now up to well over two dozen cases in which an ad targeting company purports to offer an opt-out, but it either was never really implemented or is broken in some serious way.

The latest example is Chango, which targets ads based on search queries harvested from referring URLs seen by Chango’s publisher partners. There’s probably no behavioral data more intimate to users (and more valuable to advertisers) than the stuff Chango collects.

Unfortunately, we have been unable to verify the proper operation of Chango’s opt-out for several months; their process tells you you’re opted out, but doesn’t write any kind of enduring cookie, much less one that is labeled as an opt-out. As is our practice, we have privately written to Chango multiple times to let them know of the issue, but we’ve never received a reply.

Here’s the deal: For all of its limitations, cookie-based opt-outs are at the heart of the self-regulatory framework. If you’re not prepared to invest in a well-designed, properly functioning and monitored opt-out program, then you really shouldn’t be in the behavioral targeting business.

If you manage privacy at an ad-targeting company, ask yourself three questions:

  1. Which human in your company owns the technical opt-out process end to end?
  2. Have you implemented an opt-out with best practices (including a long cookie life and overwriting any unique identifiers that collect behavioral data)?
  3. How will you know when it’s broken?
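One way to automate questions 2 and 3, as an added example that is not PrivacyChoice's tooling: it audits the Set-Cookie values an opt-out endpoint returns to two separate test machines, treating a value as non-unique only if both machines receive the same one. The 365-day lifetime bar, the label heuristic, the cookie names and all sample headers are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MIN_LIFETIME = timedelta(days=365)  # assumed bar for a "long cookie life"
NOW = datetime(2010, 11, 9, tzinfo=timezone.utc)  # fixed clock for the samples

# Constructed Set-Cookie values returned to two separate test machines.
WORKING = (
    ["optout=OPT_OUT; Path=/; Max-Age=157680000",
     "uid=OPT_OUT; Path=/; Max-Age=157680000"],
    ["optout=OPT_OUT; Path=/; Max-Age=157680000",
     "uid=OPT_OUT; Path=/; Max-Age=157680000"],
)
NOTHING_DURABLE = (["sess=8c1d22f0; Path=/"], ["sess=417aa9be; Path=/"])
ID_RETAINED = (
    ["optout=1; Expires=Fri, 09 Nov 2012 00:00:00 GMT",
     "uid=a81f3c9e; Max-Age=31536000"],
    ["optout=1; Expires=Fri, 09 Nov 2012 00:00:00 GMT",
     "uid=77b0e2d4; Max-Age=31536000"],
)


def parse_set_cookie(header, now):
    """Return (name, value, lifetime); lifetime is None for a session cookie."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    max_age = expires = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        try:
            if key == "max-age":
                max_age = timedelta(seconds=int(val))
            elif key == "expires":
                expires = parsedate_to_datetime(val.strip()) - now
        except (TypeError, ValueError, OverflowError):
            pass  # unparseable attribute: treat it as absent
    # Max-Age wins over Expires when both are present.
    lifetime = max_age if max_age is not None else expires
    return name.strip(), value.strip(), lifetime


def labeled_opt_out(name, value):
    """Heuristic (assumption): the name or value spells out 'opt out'."""
    text = (name + "=" + value).lower().replace("_", "").replace("-", "")
    return "optout" in text


def audit_opt_out(machine_a, machine_b, certified_names, now=NOW):
    """Return a list of findings; an empty list means the opt-out passed."""
    a = {n: (v, t) for n, v, t in (parse_set_cookie(h, now) for h in machine_a)}
    b = {n: (v, t) for n, v, t in (parse_set_cookie(h, now) for h in machine_b)}
    findings = []
    labeled = [n for n, (v, _) in a.items() if labeled_opt_out(n, v)]
    if not labeled:
        findings.append("no cookie labeled as an opt-out was written")
    for name in labeled:
        lifetime = a[name][1]
        if lifetime is None or lifetime < MIN_LIFETIME:
            findings.append(f"opt-out cookie {name} is not durable")
    # certified_names: the cookies the company says carry behavioral IDs.
    for name in certified_names:
        if name not in a or name not in b:
            findings.append(f"tracking cookie {name} was not overwritten")
        elif a[name][0] != b[name][0]:
            findings.append(f"tracking cookie {name} differs between machines")
    return findings


if __name__ == "__main__":
    for label, pair in [("working", WORKING), ("nothing durable", NOTHING_DURABLE),
                        ("id retained", ID_RETAINED)]:
        print(label, audit_opt_out(*pair, ["uid"]))
```

Run on a schedule against the live opt-out endpoint, a non-empty result is the signal that the process has broken.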

TrackerBlock: Simple, Effective, Transparent

November 5, 2010

This week we released TrackerBlock for Firefox, which is the easiest and most effective tool to control online tracking. For the first time, users have complete visibility and control over the tracking company universe, including detailed policy and oversight information for hundreds of companies.

TrackerBlock also is the only privacy tool that supports the emerging self-regulatory framework for behavioral advertising. Users can choose between blocking all tracking companies or only those not committed to industry best practices and compliance reviews.

Moving Beyond Opt-Outs for Add-ons

TrackerBlock represents a big shift in approach from our first Firefox add-on, which served to make opt-out cookies permanent in your browser. With TrackerBlock, users don’t have to rely on ad firms to respect their cookie preferences, or worry about keeping opt-out cookies in place. Instead, the add-on prevents companies from reading cookies by stripping cookie information out of headers that are sent by the browser to the ad server. It also blocks companies from writing new cookies. For all blocked companies, TrackerBlock removes Flash cookies from those domains at the end of each browsing session. (Once Firefox 4.0 is out, we will also provide removal of other local stored objects, such as html5.)
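The header filtering described above, reduced to its logic as an added Python sketch; this is not TrackerBlock's code. The block list, hosts, cookie values and the host-keyed cookie jar are constructed simplifications.

```python
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"exampleads.test"}  # constructed block list


def is_blocked(host):
    """Match the blocked domain and its subdomains, not look-alike names."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def outgoing_headers(url, headers):
    """Request side: a blocked company never gets to read the Cookie header."""
    if not is_blocked(urlsplit(url).hostname):
        return list(headers)
    return [(k, v) for k, v in headers if k.lower() != "cookie"]


def incoming_headers(url, headers):
    """Response side: Set-Cookie from a blocked company is discarded."""
    if not is_blocked(urlsplit(url).hostname):
        return list(headers)
    return [(k, v) for k, v in headers if k.lower() != "set-cookie"]


def replay(exchanges, jar):
    """Replay (url, response_headers) pairs through both filters.

    jar maps host -> "name=value" (a simplification of real cookie scoping).
    Returns what each server received in the Cookie header (None if nothing)
    and the jar as it stands after the session.
    """
    jar = dict(jar)
    received = []
    for url, response in exchanges:
        host = urlsplit(url).hostname
        request = [("User-Agent", "test-browser")]
        if host in jar:
            request.append(("Cookie", jar[host]))
        sent = dict(outgoing_headers(url, request))
        received.append((host, sent.get("Cookie")))
        for key, value in incoming_headers(url, response):
            if key.lower() == "set-cookie":
                jar[host] = value.split(";", 1)[0].strip()
    return received, jar


# Constructed session: the tracker cookie predates the block list.
START_JAR = {
    "news.example.test": "session=zz91",
    "ads.exampleads.test": "uid=a81f3c9e",
}
EXCHANGES = [
    ("http://news.example.test/story", [("Set-Cookie", "session=zz92; Path=/")]),
    ("http://ads.exampleads.test/pixel", [("set-cookie", "uid=new5150; Max-Age=31536000")]),
    ("http://ads.notexampleads.test:8080/x", [("Set-Cookie", "k=v1")]),
]

if __name__ == "__main__":
    seen, final_jar = replay(EXCHANGES, START_JAR)
    print(seen)
    print(final_jar)
```

In the replay, the identifier stored before the block list was applied is never transmitted and the replacement identifier is never stored, while the first-party session cookie works as usual.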

I couldn’t escape this conclusion: If you’re going to offer an add-on to control tracking, the user deserves the best possible assurance that their preferences will be honored. Opt-out cookies shift a burden of trust and verification to the consumer. Unfortunately, many ad companies continue to retain tracking IDs on opted-out computers, because their tracking cookies are stored separately from their opt-out cookies (see prior post). The computer’s unique identifier continues to be transmitted with every ad.

Simple, Effective and Transparent

Two important things about the TrackerBlock interface:

1. Consumers can customize as much as they want, but they also can have a few simple choices that are immediately effective.

2. As part of the interface, consumers for the first time can see a comprehensive set of tracking company information for hundreds of companies. For each company, we’re providing a summary of their policies in four different key categories (Anonymity, Sharing, Boundaries and Deletion), with indicators of those policies that, in our view, deserve more attention.

We did our best to avoid any compromise between completeness of information and ease of use. Now it’s up to users to tell us whether we’ve succeeded.

What’s Next?

We’re at work on improvements to the PrivacyChoice Bookmark (still a good idea for users on other browsers or who won’t use an add-on), and we’re testing a form of TrackerBlock for Internet Explorer, so stay tuned.