Archive for January, 2010

Microsoft unveils ad-preferences landing page: a few questions

January 30, 2010

Microsoft Advertising has launched their “Learn About This Ad” page, which is the landing page for users clicking on the new behavioral-advertising icon announced last week.

A few comments:

  • This is largely a collection of links to Microsoft’s privacy policy and opt-out pages, the NAI site, and some videos (Silverlight installation required). There isn’t much new here, since Microsoft still lags Yahoo! and Google in providing transparency about the individual interest information stored about users.
  • There’s no statement of adherence to the Self-Regulatory Principles, which would be required by their terms.
  • The types and use of data are still buried in Microsoft’s privacy policy, a few clicks from the landing page. Will this be considered compliant?
  • There’s no indication whether this landing page will list other ad-delivery companies involved in the selection of the ad, which is, of course, the hard part.

Adobe’s small step forward on Flash-cookie control

January 29, 2010

As mentioned at today’s FTC Roundtable, Adobe has announced an important privacy improvement in Flash 10.1 (now in beta testing).

Here’s the relevant passage from the release notes (PDF):

Browser privacy mode (desktop only)
Flash Player 10.1 abides by the host browser’s “private browsing” mode, where local data and browsing activity are not persisted locally, providing a consistent private browsing mechanism for SWF and HTML content. Private local shared objects behave like their public variants as long as Flash Player is in memory and local shared objects created during private browsing are removed when returning to public browsing mode. Existing shared objects are preserved but inaccessible until private browsing is turned off. Libraries in the Flash Player cache, like the Flex framework, are unaffected by private mode. Supported in Firefox, Chrome, and Internet Explorer. No developer action required.

This is helpful from a privacy perspective, in that it aligns with the consumer’s reasonable expectation that activities in private-browsing sessions leave no trace and cannot be associated with activities during other browsing sessions.

But it doesn’t really address the more fundamental concerns raised about Flash cookies when used for behavioral targeting. Consumers expect that when they clear their browsing history using native browser controls, they wipe the slate clean with respect to cookies. While the major ad networks have moved away from using Flash cookies for behavioral tracking, you will find quite a few smaller ad delivery companies still using Flash cookies. The failure of Adobe and the major browser makers to align with consumer expectations is truly inexplicable.

How much transparency is enough?

January 27, 2010

Lotame has become the latest ad delivery company to provide consumers with a picture of the information stored about them for ad targeting, which they refer to as the Lotame Preferences Manager. The Lotame panel is much like Yahoo!’s and Google’s, in that the user sees and can customize their interests across a set of categories. And like Yahoo!, Lotame also feeds back your demographic information (age and gender).

Lotame’s approach is unique in that they actually show you an ad they select based on those interests. Unfortunately in my case, it doesn’t seem so well targeted, but it’s a nice touch. We’ve added Lotame’s preferences manager to their entry in the PrivacyWidget database, so users who spot them on widgeted websites can go directly to this information.

Other targeting companies would be smart to jump on this trend quickly (even without further NAI, IAB or FTC encouragement). This is the single most powerful means to educate consumers about the benefits of targeted advertising and, as discussed in an earlier post, will become the platform for the value-exchange between ad-delivery companies, consumers and websites.

Some very important questions remain. Most importantly, how deep do these disclosures need to go? Why wouldn’t the consumer disclosures include all of the targeting characteristics that companies show to advertisers?

To see a stark contrast in approaches to this question, look no further than the ad preference managers offered by Yahoo! and Google. Yahoo!’s is the most robust in the industry, and gives the user information about search terms used to target ads, demographics and even location. Google offers only a list of interest topics, even though there’s little doubt they use additional factors for ad targeting.

With eight companies now providing consumer transparency and more on the way, we’ve entered a new phase of consumer transparency. Now the question becomes, is it misleading to show the consumer less information about their own characteristics than you show an advertiser wanting to target them?

PrivacyWidgets as a platform for value-exchange

January 18, 2010

As mentioned in the release notes for the PrivacyWidget and earlier posts, PrivacyWidgets can provide a platform for the value-exchange between consumers and advertisers using behavioral advertising. In this relationship, the consumer exchanges information about themselves and their interests for more relevant advertising and content.

Some ad-delivery companies are already investing in making the value-exchange more transparent for users, by showing them information about the specific interests and preferences that have been stored about them. At least seven companies already do this: Bizo, BlueKai, eXelate, Google, Rubicon Project, Safecount and Yahoo!

These companies are betting that, by and large, consumers will appreciate more relevant advertising and can be made comfortable with any privacy impact. They’re giving this substance by reading back something about what they know about the consumer, and inviting the consumer to engage with a process to share even more about their interests.

PrivacyWidgets facilitate this transparency. As a simple start, we have added links within the PrivacyWidget to take the user directly to their personal preference information for those companies that make it available. Check out the Sample PrivacyWidget on our site to see some examples.

This is also good for websites, who choose their ad delivery partners and provide the context for the exchange in value: ad-supported content and services. Consumers who will share more about their interests will provide more advertising value. So PrivacyWidgets offer more than just an easy way to comply with disclosure requirements; over time they can drive engagement and higher ad value. For the consumer, this virtuous circle leads to more and better free content.

Introducing the Tracking Company Index

January 15, 2010


The PrivacyChoice Tracking Company Index.

A comprehensive database of information about the privacy practices and policies of hundreds of ad delivery and targeting companies.

For starters: company summaries and privacy contacts, sites where seen, known data methodologies (including Flash cookies), industry oversight, opt-out processes (including opt-out cookie lifetime) and privacy policy highlights.

For Whom?

Responsible websites and ad networks, curious consumers, principled advertisers, industry overseers, consumer advocates, privacy-tool developers and academic researchers.


Transparency promotes accountability.

NAI on Flash cookies: almost there …

January 14, 2010

The Network Advertising Initiative recently completed a comprehensive review of the practices of its members, culminating in its 2009 Annual Report. Given the recent criticism of how Flash cookies may be used to track user behavior (see prior posts), I was pleased to see the NAI cover that practice in its review, and reiterate the rule against the practice. While this is a big step forward, the NAI should go further to fully resolve the Flash cookie question as it pertains to its members.

Based on staff interviews, the report concluded that none of the evaluated companies uses Flash cookies for online behavioral advertising (see footnote 46). Since our own panel found Flash cookies being written by several NAI members (including Specific Media and DoubleClick), the NAI must have been assured that these firms have implemented internal controls about how they use Flash cookies. But without an explanation of those assurances (or even why Flash cookies need to be used in the first place), the report is incomplete. The NAI should ask those firms to update their privacy policies to explain the use of Flash cookies and disavow their use for targeting. (See an earlier post on this as it relates to DoubleClick.)

The Flash cookie issue has rightly become a focus for privacy advocates, even though (at least as to the NAI membership), it looks like it shouldn’t be. A more unequivocal statement from the NAI members who use Flash cookies for other purposes will mean that networks abusing Flash cookies have nowhere to hide.

VideoEgg dissembles

January 13, 2010

At first I was pleased to see that VideoEgg, a rapidly growing video ad network, updated their consumer privacy policy on a couple of important points (see our updated summary):

  1. They added a data retention policy: 12 months for log data and indefinite retention of aggregate data, which is right in the middle of industry norms.
  2. They added a clear exclusion for sensitive-category information, which they define to include “health, religion, political views or sexual orientation” (and they note that they do not have pornographic sites in their network).

However, there’s still a gigantic omission: no consumer opt-out feature. VideoEgg uses Flash cookies for tracking, so the fair thing to do would be to offer a Flash-based opt-out cookie (see this example). This would make the opt-out preference at least as durable as the method they use to track behavior. Unfortunately, they chose to provide neither a browser-based nor a Flash-based opt-out process.

However, they chose to write their privacy policy as if they offer a consumer opt-out (“We have also provided an opt-out mechanism for ad targeting”). This is dissembling. All they provide is a link to the Macromedia Flash cookie control panel, a befuddling process which, in order to work as an opt-out, requires the consumer to find the VideoEgg domain in their tiny Flash control panel and change the permitted data storage level to zero (a process that VideoEgg doesn’t even explain in their policy). VideoEgg is kind enough to provide a link to the NAI’s global opt-out site, in case consumers want to use the real opt-out processes of their competitors.

What’s the only thing worse than not offering a consumer opt-out? Saying you do when you don’t.

PrivacyWidget 1.0: Demonstrating enhanced privacy notice and choice for behavioral ads

January 12, 2010

PrivacyWidget 1.0 is live today for public beta testing. Website publishers who deploy online behavioral advertising can now see and experiment with the enhanced notice-and-choice required by the Self-Regulatory Principles for Online Behavioral Advertising announced last year.

This is an important milestone for PrivacyChoice, as part of our charter to design and demonstrate technologies to enhance consumer privacy disclosure and choice. Many thanks to all those who have provided input and advice!

Here are some of the values that guided the design of the PrivacyWidget service:

Consumer Experience. While PrivacyWidgets will be installed by webmasters, consumers are the ones who will actually use them. In the consumer experience we emphasize three key objectives: simplicity, consistency and persistence.

Simplicity means integrating all relevant policy and opt-out information for a website or webpage into a single interface that does not require interaction with separate advertisements or ad-network websites. The disclosure information is nested so users can learn to their level of interest; choices are prominent and require a minimal number of clicks. Consistency means storing preferences in one place so users can confirm them at any time, and see their status on any PrivacyWidget they may encounter across sites. Persistence means acknowledging the fleeting nature of opt-out cookies by tightly integrating the PrivacyChoice opt-out browser add-ons to keep preferences in place.

Customization. Consumer OBA privacy disclosure is a new endeavor, so there are no clear rules about how the new disclosure should be integrated into websites – above the fold, below the fold, linked from a floating tab, attached to an icon next to an ad, or attached to a link. Some websites may want to include excerpts from ad-network privacy policies. Others may be satisfied with links to privacy-policy pages. A web publisher may also want to customize its list to reflect individual arrangements with ad-network partners. For example, some AdSense publishers have not enabled interest-based advertising, and may choose to omit that network from the list.

We don’t view it as our job to set policy on the integration or depth of disclosure, or to provide disclosure language that is right for every situation (no doubt our starting language can be improved). Customization gives individual websites the flexibility to craft their own privacy experience. Experimentation and real user input can shape best practices.

Analytics and Feedback. Since we’re here to support experimentation and iteration, we built a basic analytics dashboard for each site’s PrivacyWidget, including viewer counts, opt-out rates and satisfaction-survey results. Individual site analytics and feedback are confidential, but we’re asking beta participants to let us aggregate overall trends. This offers the first chance to study consumer views on a large scale directly in the context of the privacy notice-and-choice experience. Relative opt-out rates among ad networks may help websites make smarter decisions about which third-parties to enable.

Neutrality. As a matter of visual design, the guiding principle is neutrality, to ensure that the PrivacyWidget can work in and around a wide variety of websites and color palettes. This requirement led to simple shapes, a controllable dominant color, and a “light box” overlay interface that maintains the context of the anchoring page.

We have also sought neutrality in the substantive disclosures and choices presented to the consumer. We use each ad-delivery company’s own words to describe its business and policies. We offer “opt-in” as well as “opt out” choices (for networks that support them).

Easy Installation. The PrivacyWidget derives the correct list of ad networks automatically for each page where it appears, which makes set-up very simple. Since it installs with a few lines of Javascript, we’ve made it easy for websites to install and try out. They can run a trial and see the impact (and opt-out rates) before installing across the entire site.

Free. PrivacyWidgets are free for any website, large or small. There’s no reason to put up barriers to complete consumer disclosure, and we’re confident that contributions and partnerships can support the modest costs we incur to provide the service. We do appreciate contributions from sites that need advanced customization and alerts, but we aren’t setting any minimum amount. No contributions are expected while we are in beta.

Beta. Since the service is still in beta, please expect to find a few rough spots. A few obvious issues: the stats view is yet to be optimized and loads very slowly, editing widget text with html needs much refinement, and proper error screens are not always in place. Please let us know of any issues you see.

What’s next? In addition to continuing to improve performance and functionality based on feedback, here are some upgrades we have in development:

  • Templates. We enable complete customization of the language used to explain behavioral advertising, but we also would like to offer several different templates based on each site’s primary needs. For example, it may be more important for e-commerce sites to highlight retargeting (where they have partners identify users on the website in order to reach them on other sites), rather than targeted advertising provided on their own site.
  • User Profiles. Since some networks are now starting to provide consumers with a view of the interests and preferences collected about them, we will embed easy links to this information.
  • Summaries. For ease of use, we’re going to experiment with summary indicators, such as when all networks on a page or site are NAI members, or all of them have conforming policies.
  • Ad Tags. Over time, the leading networks will adopt ad tags that identify individual ads as behaviorally-targeted. We will surface these classifications in the consumer-facing list of networks on the page (since it is useful as to networks that participate).
  • Ad Network Index. The PrivacyWidget service will be integrated with a broader public index of tracking-network information to be launched in the next few days. Our goal is to create a resource of public information for websites, advertisers and consumers, since ultimately they will have a huge influence on privacy and disclosure standards for the industry.

Google’s Teracent: The worst consumer opt-out? (updated)

January 10, 2010

UPDATE 1-18-10: Some rapid progress on improvements: There is now an opt-out link on Teracent’s homepage and the CAPTCHA requirement has been removed. Hopefully improvements are also in the works to make the opt-out cookies unique and longer-lived (although just as likely, you might expect Teracent’s entire process to be assimilated into Google’s consumer disclosures and opt-out interface). In the meantime, here’s Teracent’s entry in the PrivacyChoice Index (still showing no opt-out available, given the remaining uncertainties).

In November of last year, Google announced the acquisition of Teracent, a company specializing in dynamic ad creative that is customized on the fly based on factors like the user’s interests and location. A review of Teracent’s consumer privacy experience shows that Google has much work to do in order to bring it up to industry norms. Unfortunately, it also provides a reminder of the challenges to self-regulation for ad-targeting.

Starting with disclosure, the Teracent privacy policy includes the kind of statement that confounds privacy advocates (for good reason):

“We retain the Non-[Personally Identifiable Information] collected via our Technology for up to 6 months in order to ensure that our Technology is functioning properly. After 6 months, we render this information anonymous and store it for up to three years.”

But wait, if the information you collect is “Non-Personally Identifiable” then why would you need to render it “anonymous” after six months? Isn’t it already anonymous?

Of course, they probably mean that after six months they will disassociate individual log entries from IP addresses, but can a consumer possibly understand what this means?

There’s even more work to do on Teracent’s opt-out process, which doesn’t even come close to best practices (see our handy guide to those):

1. The process is not easy to find because it’s not linked from Teracent’s homepage. An interested consumer needs to click the “About” link from the homepage to then see anything about privacy or an opt-out.

2. The opt-out cookies themselves store unique strings (destroying any semblance of anonymity) and are not named in a way to be identified by the user as an opt-out cookie. (The vast majority of networks include the phrase “opt out” in the cookie name or text to make this clear.) Also, Teracent appears to use three different domains in the opt-out process, but you can’t tell if all three are necessary for the opt-out to be effective. If all three aren’t necessary, the ones that aren’t shouldn’t even be written as part of the process.

3. The opt-out cookies have a six-month lifespan, far short of the five-year minimum now required by the NAI.

4. This is really unusual: the user has to complete a CAPTCHA in order to get the opt-out cookie(s). And it’s a fussy one, at least in my experience. I’m not sure I’ve seen an opt-out process that is less consumer friendly.
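The cookie criteria in items 2 and 3 (labelling, non-unique values, lifetime) can be checked mechanically. The following is an added example, not part of the original post and not Teracent or NAI tooling; the cookie names, values and `.example` domains are constructed, and it assumes the Set-Cookie headers were captured from two independent opt-out attempts.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

FIVE_YEARS = 5 * 365 * 24 * 3600  # five-year minimum cited in the post, in seconds
OPT_OUT_RE = re.compile(r"opt[\s_-]?out", re.IGNORECASE)

# Constructed sample data: Set-Cookie values captured from two independent
# opt-out attempts (fresh browser profiles). Names and domains are made up.
NOW = datetime(2010, 1, 10, tzinfo=timezone.utc)
SESSION_A = [
    "tid=9f3c2a71e0; Domain=.ads-a.example; Path=/; Max-Age=15552000",
    "OPT_OUT=1; Domain=.ads-b.example; Path=/; Expires=Fri, 10 Jan 2020 00:00:00 GMT",
]
SESSION_B = [
    "tid=4b81d7c65a; Domain=.ads-a.example; Path=/; Max-Age=15552000",
    "OPT_OUT=1; Domain=.ads-b.example; Path=/; Expires=Fri, 10 Jan 2020 00:00:00 GMT",
]


def parse_set_cookie(header, now):
    """Return (name, value, domain, lifetime_seconds) for one Set-Cookie value."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    domain, lifetime = None, None  # lifetime None means a session cookie
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain = val.strip().lstrip(".").lower()
        elif key == "max-age":
            lifetime = int(val)  # Max-Age takes precedence over Expires
        elif key == "expires" and lifetime is None:
            lifetime = int((parsedate_to_datetime(val) - now).total_seconds())
    return name.strip(), value.strip(), domain, lifetime


def audit_opt_out(session_a, session_b, now):
    """Compare opt-out cookies from two sessions; findings keyed by (domain, name)."""
    a = {(d, n): (v, life)
         for n, v, d, life in (parse_set_cookie(h, now) for h in session_a)}
    b = {(d, n): v
         for n, v, d, _ in (parse_set_cookie(h, now) for h in session_b)}
    report = {}
    for key, (value, life) in a.items():
        findings = []
        # Item 2: the user should be able to recognise the cookie as an opt-out.
        if not (OPT_OUT_RE.search(key[1]) or OPT_OUT_RE.search(value)):
            findings.append("not labelled as opt-out")
        # Item 2: a value that changes per session is a unique identifier.
        if key in b and b[key] != value:
            findings.append("value differs between sessions (unique string)")
        # Item 3: session cookies and short lifetimes let the preference lapse.
        if life is None or life < FIVE_YEARS:
            findings.append("lifetime under five years")
        report[key] = findings
    return report


if __name__ == "__main__":
    for (domain, name), findings in audit_opt_out(SESSION_A, SESSION_B, NOW).items():
        print(domain, name, findings or "ok")
```
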

No doubt Google is working to assimilate Teracent into its own (much better) consumer privacy practices. But Teracent’s shortcomings provide a good reminder of the chasm in quality between the best and worst consumer privacy practices of ad-targeting companies. Until websites and advertisers start to attend to these matters in their own choices, this disparity in commitment to best practices will remain a central challenge to effective self-regulation.

Could behavioral-ad labeling mislead consumers?

January 7, 2010

In prior posts I have focused on shortcomings in proposals to place consumer targeting disclosure directly in advertisements using icons and labels. While the idea has intuitive appeal, I don’t believe consumers should be expected to manage their privacy choices on an ad-by-ad or network-by-network basis, and I’m concerned that marketing techniques like retargeting, where data may be collected outside of any particular ad, will be missed.

Even more important is the problem of limited participation: there are hundreds of targeting companies but only a subset submit to industry standards and oversight, and those adherent networks are outnumbered on top websites. Unless the FTC were specifically to require OBA labeling by all networks, you can assume that only a minority of targeting companies will do so.

This participation problem means that an in-ad disclosure framework, standing alone, could actually be misleading for consumers. The more consumers come to understand what the labels mean and learn to watch for them, the more the absence of a label creates a potentially false assurance that an ad hasn’t been targeted on behavior.

It’s ironic: the more that certified networks train you to focus in on their own behavioral targeting, the more they are training you to ignore what their less scrupulous competitors are doing.

This is why, as a baseline, OBA disclosure needs to operate at the webpage or website level. Each webpage having targeted ads needs to link to a list of relevant networks, opt-out choices, and maybe even policy information, whether or not some OBA ads carry special labels. The cross-industry principles put this forward as an alternative, when in fact it should be a requirement.

It’s true that this approach will never get complete participation from websites, either. But if the members of the NAI were truly to require complete OBA disclosure throughout their network websites, and make it easy for websites to do, publishers will finally have to consider the practices of the ad networks they enable. It will take far less than complete participation by top websites to isolate non-adherent networks. And publishers who fail to take simple steps to enhance disclosure will be far more accountable to their users than ad networks ever will be.