Archive for October, 2010

Keep it simple: Opt-out cookies should always overwrite tracking cookies

October 28, 2010

The renewed notice-and-choice framework being rolled out for behavioral advertising has an important shortcoming: opt-out cookies only serve to turn off the delivery of behaviorally targeted ads; they don’t promise to turn off data collection in the first place.

The problem is that many companies provide opt-out cookies that are written separately from their tracking cookies. This means a tracking company may be collecting data with one cookie, while being told by another cookie not to apply it. Because the user still remains uniquely identifiable to the tracking system, the risk of technical (or ethical) failure remains. In that sense, the opt-out framework doesn’t really answer a central privacy concern.

Perhaps the solution is simple:

When a user opts out, a non-unique opt-out cookie should always overwrite each cookie that stores behavioral information.

When this rule is followed, an opted-out consumer can be assured that there’s no unique tracking cookie on their computer that could be used for data collection. Several opt-out cookies, notably the Google DoubleClick cookie, already operate this way by replacing the unique user “id” with the non-unique “OPT-OUT”.

Compliance with this requirement is simple to verify and monitor. Watchdogs can confirm through external sampling that opt-out cookies are being delivered on request and that they are non-unique. More often than not, opt-out failures will result from simple technical problems that cause the cookie not to be written in the first place; we’ve seen more than a dozen broken opt-outs in the last year through PrivacyChoice. Through random sampling, you can also confirm that once a company delivers an opt-out cookie, it stays in place and doesn’t revert to a unique cookie that could be used for tracking.
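The external sampling check described above can be sketched as follows. This is an added example, not PrivacyChoice's or any ad network's code: the sample browsers and the cookie names `uid`, `seg` and `optout` are constructed, and each jar is flattened to one company's cookies rather than scoped by domain.

```python
from http.cookies import SimpleCookie

def apply_opt_out(before, set_cookie_headers):
    """Return the cookie jar after a browser processes an opt-out response."""
    jar = dict(before)
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            if morsel["max-age"] == "0":   # server asked the browser to delete it
                jar.pop(name, None)
            else:
                jar[name] = morsel.value
    return jar

def audit(behavioral_names, jars):
    """Classify each behavioral cookie across jars from independent browsers."""
    if len(jars) < 2:
        raise ValueError("need at least two sampled browsers to judge uniqueness")
    report = {}
    for name in behavioral_names:
        values = [jar.get(name) for jar in jars]
        if None in values:
            report[name] = "absent"        # nothing written: opt-out not verifiable
        elif len(set(values)) == 1:
            report[name] = "overwritten"   # same value everywhere: non-unique
        else:
            report[name] = "unique"        # still identifies each browser
    return report

# Constructed samples: two clean browser profiles, each with tracking cookies
# set before the opt-out request. Cookie names other than "id" are hypothetical.
SAMPLES = [
    ({"id": "22f1a9c07d", "uid": "a81c"},
     ["id=OPT-OUT; Path=/; Max-Age=157680000", "optout=1; Path=/"]),
    ({"id": "9b3e44d1c2", "uid": "f02d"},
     ["id=OPT-OUT; Path=/; Max-Age=157680000", "optout=1; Path=/"]),
]

def run_samples():
    jars = [apply_opt_out(before, headers) for before, headers in SAMPLES]
    return audit(["id", "uid", "seg"], jars)

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

Here `id` is overwritten in the DoubleClick style, `uid` shows the separate opt-out cookie case where the unique identifier survives, and `seg` shows a cookie that was never written. Re-running the same audit on later samples covers the check that an opt-out stays in place.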

If an ad company still needs to use unique cookies for non-targeting purposes (like frequency caps) even on opted-out machines, they should certify and publish which cookies are which, so that behavioral cookies are always identified. Verifying accurate identification should be part of the NAI’s annual technical review, as should confirming that no non-cookie tracking methods are used (which is also easy to monitor externally). These kinds of direct reviews or audits of backend processes will be far simpler and more effective than trying to determine forensically whether opted-out consumers are only being served untargeted ads.

A cookie overwriting requirement would require some technical changes for companies that currently separate their behavioral cookies from their opt-out cookie, or those that combine behavioral and non-behavioral functions in a single cookie. But this seems like a small price to pay for a significantly more effective and accountable opt-out framework, which is the heart of the self-regulatory effort.


The First Principle of Fairness in Ad Targeting

October 26, 2010

BlueKai and Efficient Frontier announced a pilot program that targets ads based on keywords that are inferred from consumer behavior across BlueKai’s network. It seems like a significant competitive development, since advertisers can now simply use their existing Google AdWords lists to program ad buying.

Under the agreement, Efficient Frontier will participate in a beta program where client keyword lists will be submitted to BlueKai and matched against intent data segments. Efficient Frontier will then use this set of intent data to drive targeting for display advertising against the qualified audience. Buying BlueKai Intent™ by keywords will enable search marketers to identify in-market audiences – defined by existing search keyword lists – and reach them outside the walls of search engines with any media partner and at significant scale.

BlueKai has always been a leader in giving consumers a view to their own ad profile, true to what I consider to be the First Principle of Fairness in Ad Targeting: If the advertiser can buy against a characteristic of the profile, then the consumer should be able to see it and delete it. It’s hard to think of a principled reason why you wouldn’t provide this visibility, which makes it surprising that even some of the largest players still fail to do so and the NAI doesn’t require it.

Assuming BlueKai stays true to the Principle, I’m watching to see keywords appear in my own entry in the BlueKai Registry sometime soon.

Baloney, indeed

October 9, 2010

Today’s Wall Street Journal coverage (“Website Operators Say It Isn’t Possible to Keep Track of All Tracking Tools”) attributed this quote to Yahoo!’s Chief Privacy Officer, Anne Toth, in yesterday’s Congressional hearings.

It is technically impossible for Yahoo! to be aware of all software or files that may be installed on a user’s computer when they visit our site.

My own Tweet about the article lead was: “Baloney,” to the extent it implied that Yahoo! has no practical way to control third-party tracking on Yahoo! pages.

As it turns out, that reading of the statement was baloney, since (1) it seems to have been taken out of context from Yahoo!’s complete response, and (2) it was made in response to a somewhat loaded question.

The question was whether Yahoo! has perfect visibility as to how third-party advertisers interact with consumer browsers. Yahoo! seems to have answered honestly and correctly: no scalable monitoring system can detect every third-party server interaction which could carry a cookie or local storage artifact. But the rest of Yahoo!’s submission makes it clear that they actively sample and monitor third-party tracking to the extent technically feasible, just as you would hope. (By the way, any site can have access to this kind of scanning through PrivacyChoice.)

It’s great to see the privacy discussion focus not only on the advertisers and ad networks, but also on the publishers who decide which companies can track through their sites. It’s time for big names like Yahoo! and Google to make it a published policy to give tracking access only to companies that are compliant with strong industry guidelines and are subject to regular oversight.


From Yahoo!’s full testimony:

8. Is your company aware of all third-party tracking devices that may be installed on a user’s computer when the user visits your site?

No, it is technically impossible for Yahoo! to be aware of all software or files that may be installed on a user’s computer when they visit our site. When a user visits Yahoo!, we can “see” their Yahoo! cookies which the browser transmits to us. Yahoo! does not have access to other cookies present on a user’s hard drive or all the software that a user may have installed.

As a web site publisher, Yahoo! determines the content feeds and advertisement placements for each of our services and web pages. Nearly every page on Yahoo! is generated dynamically. The content and ads that appear change minute by minute as news headlines, stock quotes, and advertising are all refreshed frequently. An ad that appears when the page initially loads may be replaced by a different ad when the page is refreshed (or reloaded), along with all the content that appears on that page. Yahoo! has relationships with different content and advertising providers. In these agreements, Yahoo! often has performance requirements about how quickly a page element or advertisement must load and these requirements often include limitations on the use of third party cookies on a Yahoo! page as each incremental cookie often results in diminishing page performance.

a) If yes, what evaluations does your company perform to discover such devices? If no, why not?

Yahoo! runs regular scans using internal and external systems to detect third party domains on our web sites that may set or access their own cookies. This is then compared to our list of approved vendors that have completed our compliance program including security, privacy, performance and contractual reviews.

b) What actions does your company take upon discovery of a previously unknown third party tracking device?

If Yahoo! discovers a third party is resident on our properties that has not completed our compliance program, Yahoo! may contact the party or its partners directly to address this issue.

No fear of Google (Analytics)

October 2, 2010

I just revised the PrivacyChoice privacy policy to reflect that we will be using Google Analytics to understand our users better and build a better service for them. Since this involves providing a Google service with access to PrivacyChoice user data, it may give some users pause. So it’s worth explaining how I came to this long-considered decision.

It was pretty simple: Decent and cost-effective analytics are mission critical for us to build great services for our users. After trying a number of different alternatives, Google Analytics offers a uniquely high level of functionality and economy. Piwik, the open source approach we have tried for nearly two years, is an admirable effort and allowed us to host the process directly. But it really doesn’t compare in terms of functionality, and has been difficult to maintain. In companion projects, we’ve also tried other inexpensive hosted solutions, each of which failed us.

I’m mindful of an old blog post where I mused about whether Google might use Analytics data for ad targeting, which was really a complaint about the lack of clarity in Google’s published policy at the time. That problem has since been fixed to my own satisfaction, and for more concerned users there is an opt-out process (which unfortunately requires an add-on installation to work).

Ultimately, I have to believe that, although there’s always the risk of abuse of user data by a rogue employee (as with any hosted service), it seems very likely to me that Google takes care to enforce any boundaries that they clearly promise. Given their position in the marketplace, it is a sensible investment. It’s when they don’t make the promise or the promise isn’t clear that I get more concerned.

It’s good to agonize over decisions like this, as should any website enabling third party data collection on their site.

Next agonizer: A Facebook Like button?

Chompon is an Outlier

October 1, 2010

One of the ways we will know whether the new self-regulatory framework is succeeding is that “outliers” — those who do not comply with the new guidelines — will be shunned. The folks who are playing by the rules won’t be playing with those who don’t.

Key distinction: It is not that there won’t be outliers; there always will be some companies who don’t play by the rules. But what matters is that advertisers, agencies, data companies and websites should view outliers and their data as contaminated so long as they do not comply with good privacy practices.

I’ll be nominating outliers from time to time as we come across them at PrivacyChoice. First up, Chompon, a company that allows any website to integrate Groupon-like coupon offerings into their own site experience. Here’s a quote from Chompon’s interview in AdExchanger.

Any thoughts about leveraging the datasets you’re collecting – perhaps re-selling cookie data or offering retargeting of deals through display ad exchanges?

Data privacy is actually extremely important to us. We do not contact the publisher’s users, and the publisher can always download his user data at any point. We do anonymously leverage user data, however, to provide better deal targeting across our network of publisher partners. This allows us to guarantee that the deals users see are relevant and tailored to their personal tastes.

As “extremely important” as data privacy may be to Chompon, you won’t find an opt-out process on Chompon’s site. You won’t even find appropriate privacy or data collection notice in the terms they offer to customers.

Chompon is an outlier.