Archive for September, 2009

Website analytics and targeting: is there an elephant in the room?

September 29, 2009

In sampling top websites for the privacychoice service, we see that nearly all of them use hosted website analytics to understand user behavior. Like an ad network, an analytics service works through Javascript code embedded throughout pages on a website. As humans navigate the site, background communications with the analytics server provide complete visibility on behavior, including counting new or repeat users, seeing which search terms they used to find your site, and which of your pages pages are most popular. Using cookies and IP addresses, a user’s multiple sessions can be linked in order to understand user loyalty and behavior over time.

The sheer ubiquity of analytics code raises an obvious question: Is website analytics data used to target advertising?

GAThe question gains importance given the growing overlap between analytics providers and ad networks, where Google is the biggest in each market. It has the widest footprint in selling and serving ads through the AdSense network and DoubleClick. It also also gives away Google Analytics for free to web publishers, which is present on over three-quarters of the sites sampled for privacychoice. For  customers who are also advertisers on Google networks, the appeal is an integrated end-to-end cycle — from ad click through user actions taken on the site — enabling publishers to connect the dots for a more effective ad spend. The other analytics providers include a handful of enterprise-grade platforms like Omniture. Once Omniture becomes part of Adobe, they may have access to a larger web-wide footprint through the huge installed base of Flash applications (also widely used in ads).

Yahoo! also offers its own analytics product to advertising customers, and Yahoo! makes it clear that analytics data is leveraged to target advertising. User activities on sites running Yahoo!’s analytics program can be associated with the user’s account and activities on Yahoo!’s family of sites. For purposes of disclosure, websites using Yahoo!’s service are directed to include specific language in their privacy policies and a link to more information. According to Yahoo! search, around 3,000 sites carry the required language:

“We use third-party web beacons from Yahoo! to help analyze where visitors go and what they do while visiting our website. Yahoo! may also use anonymous information about your visits to this and other websites in order to improve its products and services and provide advertisements about goods and services of interest to you.”

Yahoo! can connect user activities from its analytics network with Yahoo!’s sites or ad networks. Does Google?

The answer is, probably not, if only in light of Google’s other practices. DoubleClick requires each participating website to make a special privacy disclosure about the use of information for ad targeting, and provides an opt-out cookie for consumers. Google Analytics has neither. Also Google analytics collects user information through a different domain ( than they use for their ad networks (, and others). While this doesn’t mean they can’t use analytics data for ad targeting, it does make it harder as a practical matter.

However unlikely it may be, given the huge but invisible reach of Google Analytics, it’s reasonable to expect an express statement from Google. This could be as simple as: information gathered via Google Analytics is not associated with other Google user information or used to target advertising.

To search of this kind of statement, you can start start by navigating Google’s privacy policies. Which one is relevant is not immediately obvious. Look at Google Analytics for a privacy policy and you end up at the general Google Privacy Center (unlike DoubleClick, which has a separate policy, and 15 other Google services, which have supplements to the general policy).

Google’s general policy is particularly unhelpful in explaining how user information is handled by Google Analytics. In the explanation of data gathering via cookies, IP addresses and such, matters are framed with “when you visit Google'” or “when you access Google services.” Who even knows they are using Google services when they happen to trigger Google Analytics code on a third-party site? But still you will find no express statement about mixing analytics and targeting data.

Turn from the consumer disclosures to the terms of service Google Analytics provides its analytics customers. There you find this express statement about the use of information:

Google and its wholly owned subsidiaries may retain and use, subject to the terms of its Privacy Policy (located at , or such other URL as Google may provide from time to time), information collected in Your use of the Service.

GA in PCThe policy does go on to say that, although Google may retain and use the information, it will not share any site’s information with third parties. But by implication, Google still can use the information to target ads, so long as it does not disclose the targeting information to advertisers. The fact that Google probably doesn’t use analytics data this way isn’t the point. What is needed is a statement that makes Google accountable for that policy. In crafting privacychoice summaries, this ambiguity in Google’s policies means we cannot assume that users are anonymous to Google when they are on sites using Google Analytics.

This example provides important takeaways for folks writing rules for this industry. To ensure clarity and accountability, any company in the business of collecting and using information about users from across different websites should register each domain they use, and bind it legally to a complete privacy policy that governs the activity. There’s no room — and no reason — for ambiguity.

privacychoice 2.0: the experiment continues

September 25, 2009

A principal mission of the privacychoice project is to make consumer privacy more understandable. When it comes to behavioral tracking, the biggest barrier to understandability is that the practice is largely invisible to consumers. Your actions may be logged and profiled as you use different websites, and you probably don’t know which companies are doing it or how they promise to handle your behavioral information.

The new version of aims to help close this information gap. Here’s what’s new:

  1. A visual tool that provides a tracking privacy scorecard for several hundred top websites, showing you summaries of selected tracker policies, highlighting those with concerns.homepage grab
  2. A new Firefox add-on called TrackerWatcher, which enables a consumer to see who’s tracking them on any site they visit, and to see the relevant policies and concerns in one place.
  3. A set of icons that correspond with five privacy practices that are important for consumers to understand: Anonymity, Sharing, Sensitivity, Deletion and Oversight.
  4. A redefined framework for our opt-out add-on, that allows either a complete opt-out (all networks that offer an opt-out) or an opt-out only on those networks with any special concerns in the five practice categories.

The privacychoice project is an experiment to see whether or not online privacy can be understood by consumers; whether complex principles can be reduced to their essence, abstracted and visualized; and whether disparate data sources, policies and processes can be aggregated in a sustainable way. I welcome your feedback and comments!

Rubicon and YuMe step up on opt-outs

September 21, 2009

In prior posts I’ve mentioned both YuMe, a video ad network, and The Rubicon Project, one of the new intermediary firms that optimizes website ad revenue by selecting the highest yielding ad from across multiple ad networks or exchanges. After wondering out loud about YuMe’s lack of an opt-out and Rubicon’s lack of any privacy statement for consumers, it looks both have taken steps in the right direction in the last few days.

YuMe revised their privacy policy for consumers and added an opt-out cookie process. The disclosures are clear and the process is smooth. Opt-out is now mentioned on YuMe’s homepage (although not prominently).

Rubicon took a different approach, adding a “Transparency” page linked from their homepage (“Privacy” still takes you to B2B disclosures). Here a consumer can opt-out of tracking by Rubicon, and also see what interests Rubicon has associated with their profile.

Although I visited half a dozen websites where Rubicon is installed, including auto, sports and baby sites, I couldn’t get any interests to register on the Transparency page. This piece may not yet be operational, or there may be a lag, but once it is, it will put Rubicon in company with BlueKai, Google and a few others who not only provide preference choices, but also provide the consumer with the contents of their online profile.

This is worthy of praise, but Rubicon’s implementation needs improvement. Suggestions:

  1. Consumers who come to Rubicon’s homepage will be looking for information about “privacy” and will end up in the wrong place. Putting the opt-out process below a label like “Transparency” won’t compute for consumers, and renders the exercise largely useless.
  2. Showing interests and providing an opt-out are good steps, but they don’t substitute for an actual privacy policy that also addresses questions like data retention, sharing of information with third parties, and method of data collection (cookies, Flash cookies, IP addresses?). The TRUSTe seal appears at the bottom of the Transparency page, implying that the disclosure is covered by TRUSTe’s certification (although it seems rather thin to have qualified).
  3. After pressing the opt-out button (with the unnecessary radio button choice), there’s no cue that confirms that the opt-out has been effective, even though a cookie has been written. Also, it isn’t clear whether, by opting out, any affinity profile information that has previously been created will be deleted.
  4. There’s no explanation of how the opt-out cookie may be lost if cookies are deleted, nor a link to browser add-ons that can set the cookie permanently (such as those provided by Google, TACO or privacychoice).

It’s good to see more networks beefing up privacy disclosures and making opt-outs available. But for Rubicon and many other tracking companies, the implementation of consumer privacy disclosure and choice still seems half-hearted.

How do the most trusted companies enable third-party tracking?

September 17, 2009

According to a survey sponsored by TRUSTe, here are the top ten brands most trusted by consumers when it comes to privacy. Just for grins, here are links to the privacychoice profiles for their websites (where we have them already). This lets you see how the most trusted brands enable third-party tracking, a practice largely invisible to consumers.

Procter & Gamble

Some of these companies have pretty long lists of third party trackers on their sites, with some serious holes in their privacy practices (concerns highlighted in our new interface).

As TRUSTe notes, 8 out of 10 are TRUSTe certified, at least as to their own privacy policies. What does TRUSTe certify about the practices of trackers enabled on these trusted sites?

Adobe buys Omniture: hope for a Flash-cookie fix?

September 16, 2009

Adobe is buying Omniture, which seems like a good idea for a number of reasons that David Cancel has cogently pointed out.

Here’s another good reason:  if Adobe wants to be in the analytics business, then it’s going to matter to them more whether they have the trust of the consumers whose behavior they want to track. For that reason, they should fix the privacy issues with Flash cookies now.

By “fix” I mean, for starters, every Flash install should offer an extension to the browser to give you at least the same visibility and control as you have over regular cookies. Browser makers should have built this in this a long time ago, but if they won’t, Adobe should.

OthersOnline + Rubicon: no consumer policies required?

September 15, 2009

Ad optimizer Rubicon announced acquired OthersOnline, which is “an “affinity scoring” service that determines how strongly a person is interested in particular brands, products or topics.” Business Week frames this as part of an inevitable consolidation of sources of behavioral targeting data. It sounds like a good occasion to dig into their privacy practices.

Rubicon has been a puzzle for the privacychoice classifications, since like a number of companies in this field, they have no consumer-facing privacy policy. The policy linked from their homepage literally applies only to their customers and visitors to their website. Rubicon’s policy is certified by TRUSTe, which might lead a consumer to think the certification also covers their practices relative to the general public. In this case, TRUSTe certification may mean that Rubicon does not collect any user information, even though consumer browsers interact with Rubicon servers when visiting websites where Rubicon is installed.

OthersOnline doesn’t link to any privacy statement from their homepage, but with some searching you can find a blog post about privacy from February 2007. It includes assurances that personal information is never shared, but no mention of whether or how anonymous information or profiles may be shared, whether sensitive information is collected or what policies apply to deletion, assuming those concepts apply to how their service operates.

We will keep an eye out for any changes to the Rubicon privacy policy. Transactions of this sort often provide a good opportunity for some housecleaning. Even if Rubicon collects no consumer information, a statement to that effect in the privacy policy would be helpful.

UPDATE: Since this post, Rubicon has shored up its disclosures. See my post here.

The Ad-Tracking Debate: Where Should Disclosure Live?

September 13, 2009

On the question of how to reconcile behavioral targeting and privacy, we now have definitive proposals from each end of the spectrum. In July, the advertising industry delivered its Self-Regulatory Principles (urging industry efforts instead of legislation). Then last week a coalition of privacy advocates delivered a Legislative Primer (calling for a broad set of laws). The stage is set for conflict as Congress digs in.

Industry and advocacy groups do seem to agree that enhanced disclosure of behavioral tracking is necessary, which means consumers should be better able to identify the companies collecting data, easily find their privacy practices and policies, and have a meaningful chance to opt-out.

But it’s still not clear how web users will find that disclosure online. This question goes to the core of how new rules will affect a consumer’s daily experience: Should advertisers be required to embed privacy disclosures inside or right next to the advertisements themselves (as the legislating group contends)? Or can websites provide a link to comprehensive disclosures about all of the networks collecting information on a page or throughout a site (which could suffice for the self-regulators).

For consumers the best answer is to require both.

Disclosure in the advertisement has obvious appeal. Why not associate tracking activity as directly as possible with the tracker’s ad? Consumers spooked by a particular ad would know just where to go to find out more and make choices.

Yet “in-ad” disclosure — with nothing else — also puts a burden on the consumer, who (ironically) must now look even more closely at ads to stay informed about their privacy. How many in-ad disclosure links would you need to click on to get a full picture of what’s happening on a single page? How about an entire site? What if, instead of being spooked by a particular ad, you’re generally interested in all of the privacy disclosures and choices for networks touching your favorite site or the page you’re viewing?

The effectiveness of in-ad disclosure also has practical challenges. What’s the layout when more than one tracking party collects data with a single advertisement, such as an ad network and an individual advertiser? What about trackers who capture IP addresses or write cookies without presenting any ad? What do you do about the growing crop of companies who work behind the scenes to aggregate targeted audiences, but are not directly in the ad-serving chain?

A more perfect (and not much harder) solution would put links to disclosure both in the adsand on the page or site. As proposed by industry groups, there should be a recurring icon in or around ads that consumers can come to associate with tracking and learning about why any particular targeted ad was served to them.

But if consumers want to look into their privacy options on that site more generally, a link on every page should take them to one place with all of the privacy information they need. Composition of those summaries can be automated based on sampling pages on the site, as you can see in the Network Privacy Profile for Let websites, industry groups and privacy advocates experiment and innovate on this kind of presentation, with feedback from consumers.

Websites have much to gain from behavioral targeting, so it makes sense for them to participate in enhanced disclosure. With that kind of participation, interest-driven marketing can work for all concerned: websites, advertisers, networks and informed consumers.


Doh! Addition to best practices for opt-outs

September 11, 2009

The privacychoice summary of best practices for opt-outs has seen consistent views, and I have heard from many ad networks that they found it useful in creating or shoring up their own practices.

But I forgot to include a completely obvious point, which I have now added:

Ideally, to remember the opt-out preference, use both a browser cookie (so users can see it) and a Flash cookie (so it is persistent). If you are using Flash cookies generally but don’t use a Flash cookie to solidify your opt-out, ask yourself if that really seems fair and in the best interests of users?

It’s true that you can count on one hand the number of ad networks that use Flash cookies to remember opt-out preferences, so maybe I’m spitting in the wind. But if you use Flash cookies for tracking, and you don’t provide a Flash cookie for the opt-out, that’s an unprincipled approach to consumer privacy.

Which companies collect user information on government websites?

September 10, 2009

Yesterday and today many smart people have been gathered for the Gov2.0 conference to discuss bringing our government into the 21st century, Web-wise. One important topic is the integration of public and private Web services, particularly how government sites can leverage privately-provided social networking, site analytics and communications tools.

The privacychoice system provides a glimpse into how this integration is progressing. By sampling pages on top websites, the privacychoice system maps which tracking networks we find on those sites in order to create a Network Privacy Profile. This Profile gathers in one place the summaries and excerpts for the relevant third-party privacy policies. This provides a composite of the privacy practices citizens sign up to now when using government sites. Click through from this list to see the individual profiles for top-traffic government sites we have scanned.

Of the top several dozen dot-gov sites in our system, here’s the breakdown of how many of them have integrated third-party-served content or services:

50%     AddThis/Clearspring
34%    Google Analytics
26%    CrazyEgg
24%    WebTrends
5%       YouTube

(No other companies were found on more than a one or two government sites and were less than 5%.)

From a privacy point of view, it’s concerning to see AddThis with such a high share, given their relatively weak approach to privacy issues. Also, although it’s no surprise to see Google Analytics making inroads (it’s a great, free service), this comes despite ambiguities in Google’s formal policies as to how user data is handled (more on that in a future post). CrazyEgg and Webtrends present the least concern, since their policies expressly disavow sharing information other than with the site where collected (thus no cross-site profiles are created).

AddThis update: 12 days, zero progress

September 9, 2009

It has been about 12 days since the first of a couple of posts (here and here) outlining the privacy issues in how AddThis (a subsidiary of Clearspring) is implemented on government sites like

It is an important topic. As the government embraces social tools, companies like AddThis must commit to the highest levels of transparency and care when it comes to the collection of information about citizens using government sites.

Unfortunately, there has been no progress.  In tests this morning, AddThis is writing not only Flash cookies, but also regular browser cookies on machines of visitors to who click on the AddThis tool. This is despite the language of their contract with the GSA, which says,

“AddThis agrees not to serve any cookies
on domains that end with .gov or .mil.”

I did hear from the AddThis team last week, first saying they couldn’t reproduce the issue. Then they acknowledged the issue but made the point that serving cookies from the AddThis or ClearSpring domain is permitted; and that the contract only prohibits them only from serving cookies from the domain and not their own. This of course is technical nonsense (only the government can serve cookies from their domain) and clearly not what was intended in the contract. AddThis also said that fixing this problem is a priority, and they would work to push a fix early this week.

Nothing so far.

Having successfully interacted in private with over a dozen ad networks on how to improve their privacy and opt-out practices, I don’t come to these topics with skepticism. I have no doubt that the cookie issue was inadvertent. The problem is that the inaction and dissembling from AddThis comes in the context of one of the most poorly executed privacy and opt-out processes I’ve seen.

On that score, I’m still waiting for any comment on the other questions posed about the AddThis implementation:

  1. Their disclosures are inadequate as to if and how information is shared with third parties.
  2. Their opt-out process is weak.
  3. They use Flash cookies and do not clearly explain how this relates to their tracking opt-out.