Archive for August, 2009

More on AddThis — looking at the GSA contract

August 31, 2009

A quick follow up on last week’s post outlining questions about the privacy practices of AddThis when installed on government websites. As a result of a FOIA request by the Electronic Privacy Information Center, the General Services Administration has now released its contract with AddThis. As EPIC points out, this contract is one of the few disclosed contracts to provide that persistent cookies will not be used on .gov sites.

clearspring flash cookiesHere’s the problem: As you can see from the screen grab, as of the time of this post, AddThis is indeed writing cookies — Flash cookies no less — on, doing so upon interaction with the AddThis widget. (Note: Clearspring is the parent company of AddThis and the formal party to the GSA contract.)

Hopefully AddThis will move quickly to resolve this issue and also to shore up their relatively weak privacy disclosures and opt-out processes.


Acerno (Akamai) falls in line on retention

August 28, 2009

Bringing their privacy policy in line with the emerging industry standard, Acerno, Akamai’s behavioral targeting company, now only allows user information to be retained for up to one year (previously three years). This brings their policy in line with Akamai’s and is a good development, but a reminder of how many tracking companies still do not have any stated retention period for user data.

Citizen privacy: three questions for AddThis

August 28, 2009

addthislogoWhile reviewing a new opt-out process that Add This implemented a few weeks back, I came across an interesting statement:  “The White HouseFBI, and Navy trust and use AddThis.” Not a surprise, since the AddThis service is useful and user friendly, and the Obama administration has made it a priority to bring government sites into Web 2.0.

At the same time, the issue of data collection by the government on official websites has been in the news lately, and even the subject of a recent NY Times editorial. Obviously when the government is collecting data, it raises special concerns. But what are the rules when, in the course of providing a useful service for a government site, advertising companies are enabled to collect user information from citizens?

After taking a look at the network privacy profile for and other top government sites (stay tuned for more on that effort), I confirmed that AddThis is indeed coded into quite a few government sites. But on none of the government sites I reviewed was there any direct reference to the AddThis data collection practices, privacy policy or opt-out process. Also I found no reference to any special policies applicable to operation of the AddThis service on government websites versus other commercial sites.

This proposition shouldn’t be controversial: When private companies collect data on government sites, they should comply with best industry privacy practices for disclosure and choice.

With that in mind, here are three questions that should be addressed by AddThis and any other companies seeking to collect user information on government websites.

1. Is information about citizen activities shared with third parties?

The answer to this should obviously be “no,” particularly insofar as AddThis is installed on government sites that may touch sensitive areas like health ( or But that answer is not clearly confirmed by a reading of the AddThis privacy policy:

We may share the following information with third parties, including, but not limited to, vendors that support the operation of our website and Services, and entities involved in the delivery of advertisements: Log Data collected on both our websites and Services, as well as aggregated anonymous information resulting from the analysis of such Log Data for a variety of purposes, including, but not limited to, usage patterns, behavioral patterns, traffic and demographic analysis, and enabling web publishers to deliver to advertisers audience segments that are appropriate for their products or services. (Emphasis added.)

It is clear enough that directly identifiable information like name and email address may not be shared. But the implication remains that Log Data (which includes pages accessed, IP address and “other statistics”), at at individual level, may be shared with other companies  for the purpose of ad targeting. For example, could they share with a health-related advertisers the fact a computer at my IP address researched a particular malady on and emailed a family member? I don’t expect that there is any conscious effort to do this, but the policy statement should clearly address and resolve the point.

2. Is your opt-out process the best it can be?

Like nearly 100 other companies who collect user information across sites, AddThis provides an opt-out process using browser cookies. But their implementation falls short of best practices in important ways. (For more detail on best practices, see a full list.) Here are the issues:

  • Since consumers may come looking for the opt-out, why not include a reference to the opt-out feature on your top page, like other companies?  Why bury the link in the middle of your privacy policy?
  • Why require users to take the separate step of checking a box? (Out of all of the opt-out processes we track, only a handful require such a step.)
  • Why write an unique opt-out cookie, when it destroys any semblance of anonymity for the user? (The vast majority of companies with opt-out cookies write non-unique cookies, to eliminate any possibility that the opt-out cookie itself can be used for tracking a unique user.)
  • Is the effect of opting out adequately explained in your policy? Here’s how the privacy policy reads:

Cookie opt-out option

If you prefer not to receive interest based content and advertisements enabled by AddThis data, you can always opt-out by clicking on our “Opt-Out” link click here. Note that if Flash is not installed in your browser, this marketing preference is not applicable.

After you opt-out, you will not receive interest based content and targeted advertisements enabled by AddThis data. Please note that opting-out does not turn off other advertisements. Also, if you change your computer, change your internet browser (e.g. from Internet Explorer to Firefox), or delete all your cookies, you will need to renew your preferences.

The foregoing opt-out does not cover the collection of Log Data (though no ads are sent to you in connection with such services).

  • If I opt-out, does that mean that my activities across different AddThis-enabled sites (including government sites) are not logged and associated as those of a single (anonymous) user? Or are they still logged and filed, but just not used for advertising purposes?
  • What is meant by the reference to Flash in the first paragraph? Why would the normal cookie opt-out only apply if Flash is present? Was this sentence intended to be included in the section about Flash cookies (see below)?

3. Why do you use Flash cookies and how does it relate to the opt-out process?

The AddThis privacy policy acknowledges the use of of Flash cookies:

In addition, we use Flash cookies in connection with our Services. Similar to browser cookies, Flash cookies are used to remember settings, preferences and usage, but are managed through a different interface than the one provided by your web browser. If you want to delete Flash cookies, please access your Flash Player settings management tool available on Adobe’s web site. However, if you do not accept cookies (whether browser or Flash cookies), you may not be able to use all portions of our website or all functionality of the Services.

As noted in an earlier post , Flash cookies (“local shared objects” set and managed by the Flash player) are particularly troublesome because browsers provide no native means for users to delete or control them. Many consumers believe they have cleared cookies with browser controls when, in fact, Flash cookies persist.

A quick check confirmed that Flash cookies are being written by AddThis on once you first interact with the AddThis widget. This prompts me to ask:

  • Are Flash cookies really necessary to your delivery of the service in ways that regular browser cookies cannot fulfill?
  • Why don’t you at least provide a link to the Adobe page where users can delete and manage Flash cookies?
  • When I opt-out via normal browser cookies, do you delete all information associated with the Flash cookie?

* * *

The public/private cooperation pioneered by companies like AddThis is, in my opinion, a very good thing for both government and the Web. But this opportunity entails responsibility to provide effective privacy disclosure and choices for citizen users. For companies like AddThis, this means bringing their disclosures and processes into line with industry best practices (or better). For government agencies, this means a closer review not only of how they directly gather and handle citizen data, but also how their private-company partners do so.

AdSense opens up and privacy disclosure gets more complicated

August 27, 2009

According to Paid Content, Google’s AdSense network will soon allow many other third-party ad networks to serve advertising via the AdSense code already embedded on millions of websites. This is significant from a privacy point of view, to the extent that it provides many smaller ad networks with access to a much wider set of websites, complicating privacy and opt-out disclosures.

googleadsenseGoogle will make the determination as to whether a third-party ad network qualifies to participate, and according to the program rules, this includes a review of their privacy practices. When it comes to user targeting, here’s how Google explains the requirements in an FAQ for third-party ad networks:

You may use cookies for reporting purposes and to target ads, provided that the data you use was collected in accordance with industry standards:

Where there is a conflict between the NAI and IAB UK policies, the more stringent policy applies. Google determines at its own discretion whether or not you are compliant with these standards.

In particular, the certification process requires you to have the following:

  • A descriptive privacy policy on your site
  • A prominent link to opt-out from the privacy policy
  • No PII used in the creation of segments
  • No sensitive segments or segments targeted at children under 13 years of age
  • No packet sniffing in the collection of behavioral data

There’s no mention of the new self-regulatory principles, which are more specific about disclosure and require individual websites to disclose specific ad networks that use or collect behavioral data on their site (if such disclosure is not present in the ads themselves). Google does not seem to be requiring that a participating AdSense website provide such disclosure; the privacy statement and opt-out presentation applies only to the ad network’s own website.

The AdSense policies draw a distinction between collection and use of behavioral information in this program — third-party networks may use behavioral information they have gathered elsewhere to serve the ad, but may not collect information for behavioral purposes in the course of serving it. As Google explains it to the ad network:

You may use a cookie, web beacon, or other tracking mechanism to collect anonymous traffic data for purposes of aggregated reach, frequency and/or conversion reporting. Collecting impression-level data via cookies or other mechanisms for purposes of subsequent re-targeting, interest category categorization, or syndication to other parties on AdSense inventory is prohibited. (This restriction does not apply to click- or conversion-level data.)

Google does not explain here if or how these distinctions will be enforced. The same information is available to the ad network in either case, so to confirm compliance with this rule would require some kind of back-end audit of the network’s practices.

We will be watching AdSense sites closely as new networks start to flow through Google’s widely distributed Javascript. The privacychoice platform looks beyond the Javascript itself to see which servers are actually serving ads on a page through that code, so our Network Privacy Profiles will provide an accurate picture of the privacy policies in play for any AdSense website that opens up to third-party ads. For an AdSense website publisher committed to complete privacy disclosure and choice, our system should provide a simple solution.

Missing privacy policies: a proposal

August 18, 2009

In the course of analyzing and excerpting privacy policies for Network Privacy Profiles, we’re sometimes left with a problem: an ad-related company serves content across many sites and is in a position to collect tracking information, but the company doesn’t seem to have a privacy policy relevant to those activities. In some cases they don’t have a privacy policy at all, and in others they have a privacy policy which, as written, only covers visitors to their corporate website and not visitors to other sites where they serve content.

At last count, 22 companies in our database fit into this category (see links and summaries):

IAC Advertising Solutions
Lifestreet Media
Rubicon Project
Tatto Media

Here are some potential reasons why a company on this list might not have a consumer-facing privacy policy:

  1. The company doesn’t collect user information at all in the course of serving content or providing a service on the other sites. For example, web optimization firms use scripts that select ads from different ad networks, which may not involve the collection of any user information by the optimizing firm.
  2. The company collects user information across sites (even if just clickstream data), but doesn’t associate the activities of the same individual across different websites. This could be true for companies that provide site-specific analytics or research. While they may set cookies and associate behaviors on a single site, because they don’t associate across sites and only share information with the site of collection, their view may be that their activities are already covered by the site’s own privacy policy.
  3. The company does collect user information across sites, but hasn’t yet posted a privacy policy for consumers. Or the company has a corporate policy that is intended to also cover consumers, but is literally written in a way that does not extend beyond the corporate site.

Given the potential for consumer confusion, here’s a proposal:

  • If your company is in a position to collect user information about users across websites, you should always include a statement in your own privacy policy that explains whether you do and how that information is used. Even if you provide an opt-out for consumers, you still need to explain how information is handled for those consumers who do not opt out.
  • Make sure the language in your policy is clear about which provisions apply to the corporate website and which provisions apply to users of other sites where you serve content or gather information.

And, of course, if you do collect user information across websites and you don’t have any privacy policy at all, you should get one, pronto.

PS If your company is on this list and you think we got it wrong, please send us a note or post a comment. We monitor all of these pages for changes and will update our lists promptly when we see clarifications.

Proximic’s 126-word privacy policy: more than complete

August 17, 2009

On the policies page of Proximic’s website, this is all they have to say about privacy:

We respect your privacy!

Proximic does not ask, require, acquire or retain any individual personal information to identify end-users as a prerequisite to use our products and services. Obviously from a technology standpoint individual IP Addresses could be tracked and identify browsing behavior. However, we have committed ourselves to an extensive self-binding Privacy Policy prohibiting us to do so. Proximic does not record the browsing behavior of its end-users or visitors of the sites in the Proximic Publisher Network at all – neither via a browser plug-in, cookie placement or any other tracking method. At no point any kind of individual information about the browsing behavior is stored. Therefore Proximic in no case markets or communicates to a third party any personal data collected. See our Privacy Policy for details.

Although they mention a Privacy Policy that isn’t yet linked, I’m not sure there’s much more that they need to say. Since  they don’t track anybody across sites in their network, the questions of sensitivity, sharing and deletion fall away. This is pretty unique among ad-network polices that we track, and it required creating some new summary templates when adding them to the Network Privacy Profile database.

Although we don’t see proximic much in our site sampling, their bet on success through contextual rather than behavioral factors certainly makes for a clean privacy profile. It will be interesting to see if their business keeps them on this course, particularly with the dominant-competitor Google adding behavioral factors into the mix with AdSense.

Two notable privacy policy updates

August 17, 2009

In the last week, we saw two interesting changes to privacy policies  that we track (and these are now updated in our database):

Fetchback formerly had no deletion requirement for user information, and now deletes all information after 1 year. It seems like there’s a lot of momentum around 1 year as the maximum retention period, at least among the minority of tracking companies that have any kind of deletion policy. See the prior post on this topic.

interclick now includes a reference to their use of Flash cookies (acknowledging that these are not deleted through normal browser privacy processes). At least their statement promises (or at least implies) that if you follow their normal process (regular cookies) you will be opted out of all tracking, including Flash cookies. (See the prior post on this important topic.)