Archive for October, 2009

Estimate: Google interest-based targeting reaches 25% of AdSense sites

October 28, 2009

It’s been about seven months since Google announced their interest-based ad-targeting program, which gathers consumer behavioral information across the massive AdSense network of independent sites. Google left it up to the individual sites whether or not to participate, but Google stipulated that to do so they must provide new disclosure in their privacy policy and a link to Google’s privacy policy.

Using links to the Google’s privacy policy as a marker, I did some quick and dirty calculations in June to assess adoption. Now in October we’re in a little better position to make a guesstimate. Importantly, we now have a denominator, since Google disclosed in their Q3 2009 earnings conference call that there are at least a million sites in the AdSense network. For the numerator, each search engine provides its own count of the pages that carry the privacy policy link (and it seems reasonable to assume that in general each site carries the link only on one page):

Google June: 93,600  October: 277,000

Yahoo!  June: 78,000 October: 224,000

Taking the average of Google and Yahoo!’s numbers, and assuming there are one million AdSense sites, it looks like Google’s interest-based ad targeting now reaches about one-quarter of the AdSense network. This pace of adoption seems low given the higher revenue expectations for behavioral targeting and Yahoo!’s apparent success with the technology on news sites.

Of course, ultimately it isn’t the sheer number of sites electing to be in the program that matters; it’s the traffic volume and quality of the sites that do choose to opt-in that determines the program’s success (and the scope of consumer information collected). But if three-quarters of AdSense sites are still hesitating, perhaps Google hasn’t shown them the money just quite yet.

As with so many things, only Google knows. But it may be that this slow adoption has something to do with why so few of us appear to have any advertising-worthy interests, at least according to Google’s Ad Preferences Manager. This is the transparency tool Google rolled out to soften privacy concerns about the AdSense targeting program. As explained in a prior post, few folks actually appear to have any interests available to target upon. Is there a vicious circle at work here?

Good trend beginning? interCLICK kills their Flash cookies

October 26, 2009

interCLICK confirmed this morning they are no longer using Flash cookies for ad targeting, and have conformed their privacy policy accordingly. It sounds like this is part of the NAI’s efforts to rein in the use of this technology among NAI members; even with disclosure, use of Flash cookies just doesn’t line up with consumer expectations about their ability to control ad targeting.

With our own Flash-cookie monitoring underway, we will keep an eye on which networks continue to use them. As a matter of disclosure, ad networks continuing to write Flash cookies for any purpose should make a statement either way as to whether they are used for ad targeting purposes.

Doubleclick’s Flash cookies

October 25, 2009

Since the next version of the privacychoice opt-out tool will incorporate integrated control of Flash cookies, we’ve developed internal tools to start monitoring the incidence of use of Flash cookies by tracking companies. It’s not news that use of Flash cookies has been widely embraced by ad networks; what is surprising is how few of them explain this in their privacy disclosures, or provide any guidance on how to delete or control them.

The most notable example of missing Flash-cookie disclosure comes from the biggest dog of all: Google’s DoubleClick subsidiary. We’re seeing their Flash cookie,, on multiple test machines, which raises questions:

  1. Is DoubleClick’s Flash cookie used to gather interest information? This is not confirmed one way or another in the privacy policy, but should be. (In fact, a search of DoubleClick’s site reveals no mention of Flash cookies.)
  2. If I expressly opt out using the regular DoubleClick browser cookie, and then that opt-out cookie is deleted for any reason, does DoubleClick reconnect my profile with the surviving Flash cookie? Why doesn’t Google just delete the Flash cookie as part of the normal opt-out process?
  3. Better yet, if Google is using Flash cookies to enhance the ad serving experience, why not set the user’s opt-out preference with a durable Flash cookie?

My guess is that DoubleClick’s Flash cookies are not used for interest gathering or ad targeting, but in the absence of a clear statement as to how they are used, consumers are left to wonder.

Akamai and Acerno backtrack on retention

October 9, 2009

Update: As of 10/14 our page checker now reports that Acerno’s policy has changed again to read that information will be kept for one year, not three years. Good news!

Back in August, I posted about Acerno shortening its data retention policy from three years to one year, bringing it in line with its parent company, Akamai, and an emerging one-year standard among the major players.

Now it looks like they’ve reconsidered.

Despite calls from privacy advocates to shorten the retention period for consumer behavioral data, Acerno has now decided that three years seemed just about right, and has modified its privacy policy accordingly.

Oddly enough, Acerno didn’t deem either of the changes to be material enough to highlight in any way, despite an oblique promise (elsewhere in the policy) to at least note the date of an update:

We reserve the right to make changes to this Privacy Policy at any time. While we expect most changes to be minor, there may be changes that are more significant. As such, we will state the date the policy was last updated. We encourage you to review our privacy policy on a regular basis.

At a moment when transparency and consistency should be paramount, it’s a surprise to find Akamai, industry leader and NAI-member, moving (quietly) in the wrong direction.

Hey, Google, where are our interests?

October 9, 2009

When Google announced the launch of interest-based ad targeting in March, they also opened up their Ads Preferences Manager. Google explained that this console shows any consumer the interests that Google has recorded on them based on their activity across Google’s DoubleClick network. Consumers can even edit their interests within a list of over 2,000 individual interest categories.

Google’s move seemed to provide even more transparency than earlier efforts like those of BlueKai’s consumer preference registry. For many, Google’s offering was taken as a sign of good faith, and perhaps a hint of what might be possible if consumers and advertisers could interact about interests in an informed, win-win way.

I just got around to checking out my own interests at Google, only to find none recorded. Curious (and concerned about whether I really have any interests), I checked with some friends and family members. None of them had any Google interests, either. And out of fifty independent testers recruited on Amazon’s Mechanical Turk, only seven seemed to have any interests recorded with Google (an average of about four interests each).

Obviously, either the scope of Google’s interest gathering is more limited than expected, or Google has more information than they’re showing. Why isn’t more interest information available to us?

To track this issue, we’re running an ongoing survey to count the number of interests that Google has on anybody willing to participate. If you want to help (and you haven’t opted-out of Google’s tracking), please take five seconds to visit this page, use the widget to grab what Google says are your interests and allow those to be counted for the survey.

It’s unscientific for sure, but it will be fun to watch as Google’s mission to organize the world’s information also becomes a quest to catalog the interests of humankind.

Postscript: Be sure to follow Opt-out Man, who similarly lacks interests (as far as Google is concerned).

What a difference a word makes

October 7, 2009

Here’s a subtle but meaningful change to the privacy policy for XGraph:

Non-PII (anonymous, non-personal information) may be shared with certain parties for the following purposes: (1) to Partners websites in order to help them target relevant advertisements and content and to better understand their online audiences and customers …

Meaningful because now the information may be commercially shared not only with the sites where it is collected, but also any other third parties in the advertising chain.

In the something’s-better-than-nothing department, they also added an explanation of their retention policy:

We retain collected raw data (e.g. anonymous web logs) for up to six months, after which time this data is discarded. Collected data may be anonymously aggregated or correlated and retained in that form for up to three years.

I have no clue what it means for information to be “anonymously correlated.” Just tell me, for how long does any behavioral action remain associated with my XGraph cookie or IP address?

By the way, XGraph is the ultimate minimalist network. Their website consists solely of a contact email, a privacy policy and an opt-out link. Talk about agile!

Should adult activities be out of bounds for behavioral targeting?

October 4, 2009

In the privacy debate about behavioral tracking and ad targeting, most folks agree that new rules are needed in areas that are considered “sensitive.” Some activities, like researching health conditions or financial planning, will be off limits for tracking once new rules are in place. Companies won’t be able to use information about those activities when compiling user profiles or targeting advertising, and probably will be obligated to delete such data promptly.

This will impose new policies (and probably new operating practices) on many firms engaged in tracking. A substantial majority (65%) of the tracking companies in the privacychoice database make no mention in their privacy statements of special handling for sensitive information.

The larger players are ahead of the curve. With a few exceptions, each of the top ten ad networks already exclude sensitive information from their targeting matrix in some way. In the most typical formulation, “sensitive” information is defined to include government-issued identifiers (like SSN), insurance plan and financial account numbers, your real-time geographic location (via GPS), and “precise information about past, present, or potential future health or medical conditions or treatments, including genetic, genomic, and family medical history.”

A few ad networks go further, also establishing exclusions around sexual identity and adult activities. Google, for example, says it will not associate the omnipresent DoubleClick cookie with information about “sexual orientation.” Clearsight Interactive and AlmondNet will not store information from “adult and gambling sites.” BlueKai does not collect or share data involving “adult behavior such as drinking, politics, or pornographic content.” Exelate promises not to target ads based on “adult related searches or adult content.”

It is easier for an ad network to promise not to use adult activities if they don’t serve ads or collect data on adult sites in the first place. But mainstream ad networks and measurement firms are present on adult sites. Take a look at the Network Privacy Profile for, where you will find DoubleClick, Quantcast, Eyewonder and several others. Those networks are in a position to connect visits to adult sites with a user’s overall profile (and any personally identifiable information, if they have it).

Consumers have some privacy protection in the form of anonymous surfing tools, which are now available in all of the major browsers. But although private browsing mode cuts off access to regular browser cookies on your computer, it doesn’t mask IP addresses or block Flash cookies, which are common across all browsers and are favorite tracking tools for many ad networks. There are technical workarounds, but none within reach of an average consumer.

As regulations emerge, here are two predictions:

  • Use of sexual orientation will be off-limits in behavioral targeting as a matter of law, but activities on adult sites will not. While advocates want to circumscribe targeting as much as possible, they will pick their battles. (Thus the recent proposal from a coalition of privacy advocates only suggested sensitizing information about sexual orientation and “personal relationships.”)
  • In the long run, as opt-out (or even opt-in) choices become more prevalent and robust, companies will extend their definition of sensitive categories beyond non-controversial areas like finance and health. This will be an easy way to make consumers more comfortable, particularly if new rules require companies to show users what’s in their own profiles.