Posts Tagged ‘Clearspring’

AddThis: Still breaking the bargain

August 19, 2010

I wrote last week about how AddThis has ignored significant privacy questions as it starts to harvest data for behavioral targeting. AddThis sharing widgets, installed on 1.5 million websites, now collect behavioral profiles for auction to third-party ad delivery companies.

I’m not objecting to the notion of collecting and using data through a widget. My objection is that, by failing to tell consumers and publishers about what’s going on, they are breaking the implicit bargain in the consumer data ecosystem. The “bargain” says that consumers get free content and services (like nifty sharing widgets) in exchange for their anonymous data, but data collection comes with robust notice of how data are collected and used, and a meaningful chance to opt-out.

What’s amazing is that, even after losing AOL as a partner over this issue, ClearSpring and AddThis are still breaking the bargain by hiding the ball from consumers and publishers. Here’s what I mean:

  • There’s still no prominent mention of profiling in the AddThis signup process, except one buried deep in the terms of service.
  • You also won’t find any announcement in the AddThis Blog, even though they could easily have cut and pasted from the extensive blog post about the program on the Clearspring blog (their separately branded portal for advertisers and ad partners). Apparently, the behavioral profiling of 1 billion users isn’t as blog-worthy as supporting the re-tweet button or Will and Charlie’s trip to the Internet Identity Workshop.
  • You won’t find any announcement in the AddThis Developer Forums, although one curious developer happened to discover it on July 21 (pre-announcement, hmmm), and was provided some special code to disable cookies. If you want his code and didn’t catch that particular forum entry, good luck finding it in the help documentation (I couldn’t). You have to email them to get it.
  • You won’t even find a mention of behavioral profiles in the AddThis FAQ. There is a question, “What data does AddThis collect and why?” and the answer consists of a link to the AddThis privacy policy. Paragraph 17 of the privacy policy does discuss profile sharing. I guess it was too much trouble to provide a summary of the changes on the top of the page, or anything at all on the AddThis homepage (like “New!” next to the privacy policy link).

In this light, it’s hard to take Clearspring’s CEO seriously when he says to the Wall Street Journal that “This is very much a participatory system” for publishers.

Are they terrified that if they actually provide good disclosure, more publishers like AOL will freak out, either over privacy or uncompensated leakage of valuable profile data? Personally, I doubt that, but it’s all in how you handle it. One thing’s for sure: hiding the ball isn’t working.

Two more interesting questions to think about:

What about back-end processes? Front-end disclosure is important, but the rubber meets the road on the back-end where consumer profiles are used and shared in ways invisible to users. For AddThis, there’s a critical back-end privacy function of keeping email addresses (which are used extensively in the service) separate from behavioral profiles. If AddThis won’t invest in simple front-end disclosures, why should anyone feel assured that they are investing in robust back-end privacy processes?

Where will the NAI come out? I’ve been told that Clearspring is in the process of applying for NAI membership. Can the NAI admit Clearspring with a deeply flawed privacy framework, particularly since publisher-to-consumer disclosure is a principle that the NAI vowed to enforce more strongly in 2010? Is it consistent with NAI policies for NAI members to purchase and use Clearspring’s tainted data, as Media6Degrees apparently may already be doing?

Note 8/21: AddThis appears to be responding, and has a blog post on AddThis now about the new program. Still watching for integration of prominent notice and easy opt-out for publishers and consumers, to see if they really mean it.


AddThis transitions to behavioral advertising, ignoring key privacy questions

August 11, 2010

Last week AddThis announced that data collected through their sharing widget, installed on 1.5 million websites, will now be used for behavioral advertising. According to the announcement, anonymous profile information for over 200 million users, including the pages they have visited on AddThis publisher sites, is now available to other ad delivery companies in real time bidding.

The new AddThis program is similar to Google’s transition of AdSense into an ad exchange platform (see prior posts). In both cases, tags placed on publisher sites for one purpose are now being used for different and more extensive purposes. And in both cases the companies should clarify answers to some important privacy questions.

Publisher Notice

Shouldn’t publishers be made aware of the change in how their users’ data will be handled, and provided with an opportunity to opt-out? Is it fair to assume that all sites with the widget already installed — including hospitals, schools, church groups, and government agencies with no other advertising — would choose the AddThis widget if they were aware that their user behavioral data will be sold?

For publishers signing up today, there’s no reference to behavioral data collection in the signup process for the AddThis widget. Is this deceptive?

Consumer Notice

Will the AddThis widget include a notice to consumers that tracking information is being collected on each page that serves the widget, regardless of whether the consumer interacts with it? (This kind of notice is required under the IAB’s guidelines and could be provided with something akin to the power “i”.)

Will AddThis also ensure that when the data are used to display an ad, the consumer will be notified that AddThis was the source and provide an opt-out?

Are AddThis publishers required to amend their own consumer privacy policies to provide notice of AddThis data collection, as is standard practice for compliant ad networks?

Will consumers be able to see what’s in their own AddThis profile, as they can on Google, Yahoo! and leading ad networks?

NAI Compliance

Neither AddThis nor its parent Clearspring is listed as a member of the Network Advertising Initiative, the industry organization charged with defining privacy standards and providing oversight for behavioral advertising.

The AddThis announcement says that the company “complies with the Network Advertising Initiative standards.” What does this mean, given that AddThis is not subject to NAI compliance reviews; they do not appear to follow the NAI’s requirement that publishers pass through disclosure in their privacy policies; and they lack NAI-required privacy disclosure as to data retention?

Why wasn’t NAI membership considered a prerequisite to launching the new program?

Conclusion

Hopefully AddThis will move quickly to remedy the privacy shortcomings in their new program. How they approach this will tell us not only about their own commitment to privacy and self-regulation, but also the commitment of any partners and advertising customers who continue to participate.

Flash cookies and behavioral tracking: a proposal

April 29, 2009

After noticing Quantcast’s use of “Flash cookies,” I did some research on this technology as it relates to online privacy and behavioral tracking.   I’ve come to concur with other commentators that Flash cookies present a difficult challenge to meaningful consumer privacy choice, and would like to suggest a proposal.

Not all cookies are created equal

First, some background.  Flash cookies, known more formally as Local Shared Objects, work in much the same way as traditional browser cookies.  When you visit a website (or Flash application) the content server is able to access and store data in a defined place on your machine.  This data is available to servers from that same domain on future visits.  By placing a unique identifier as a local shared object (such as a long number), a tracking firm can capture and profile your activities across different visits and different websites. (See Wikipedia for a good roundup of the issues and links to other research and commentary on the topic.)

Some things to note:

1.  To see your own machine’s set of Flash cookies, visit this page on the Adobe website.  There you will see an interface like this, which shows which sites have stored Flash cookies, and how much space you are permitting them to use.  Key point:  browser applications do not provide direct access or control over Flash cookies in the way that they do over traditional cookies.  To do this easily, you must install a browser add-on like Objection or Better Privacy for Firefox (highly recommended if you are researching how these things work).

[Screenshot: flashpanel1]

2.  Adobe’s special web page shows you the maximum amount of storage space a site can use, and how much they are using, but it does not show you what is being stored there.  In fact, even if you go into the directory structure yourself through the operating system, you will find files that are not easily opened to view.  In practical “opt out” terms, this means you cannot confirm easily that the text consists only of a non-unique looking opt-out cookie, for example. You would need to use an add-on like Objection to see the actual values of the Flash cookies.

3.  Unlike browser cookies, which keep a separate set of cookies for each different browser, a single Flash storage system serves all of the browsers that you may use on one machine.  This means that even if you use two different browsers, your activities in both can be associated with you as a single user.  So-called “private browsing” modes for browsers — which do not store web history or traditional browser cookies — may well still record behavior in Flash cookies.

Given this technical framework, flash cookies are uniquely valuable for behavioral tracking.  They provide all of the same tracking functionality, but unlike traditional cookies, which are regularly deleted by many users, Flash cookies are rarely deleted because (1) users don’t know they are there and (2) the process for managing permissions is practically unusable.
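An added example, not part of the original post: a small survey script that walks a Flash Player shared-objects directory, groups the `.sol` files by storing domain, and pulls out the readable strings so you can see whether a stored value looks like a unique identifier. The header layout is the commonly documented one and is treated here as an assumption; the domain `tracker.example` and the sample file are constructed for the demonstration.

```python
import os, re, struct, tempfile

def parse_sol_header(data):
    """Return the stored object's name, or None if this is not an LSO file."""
    # Assumed layout: 00 BF | u32 length | "TCSO" | 6 bytes | u16 name len | name
    if len(data) < 18 or data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        return None
    (name_len,) = struct.unpack(">H", data[16:18])
    return data[18:18 + name_len].decode("utf-8", "replace")

def survey_lso(root):
    """Map each storing domain to its .sol files and the readable strings inside."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if not fname.endswith(".sol"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read()
            # Files sit under <root>/<random profile dir>/<domain>/.../<name>.sol
            parts = os.path.relpath(path, root).split(os.sep)
            domain = parts[1] if len(parts) > 2 else "(unknown)"
            # Printable runs of 6+ bytes expose stored identifiers without a full AMF parser
            strings = [s.decode() for s in re.findall(rb"[\x20-\x7e]{6,}", data)]
            report.setdefault(domain, []).append({
                "file": fname, "bytes": len(data),
                "name": parse_sol_header(data), "strings": strings})
    return report

def build_sample(root):
    """Write one constructed LSO (not real tracker data) holding a unique-looking ID."""
    name = b"tracker"
    body = (b"TCSO" + b"\x00\x04\x00\x00\x00\x00" + struct.pack(">H", len(name))
            + name + b"\x00\x00\x00\x00"
            + b"\x00\x03uid\x02\x00\x10a1b2c3d4e5f60718\x00")  # AMF0 string "uid"
    folder = os.path.join(root, "ABCD1234", "tracker.example")  # hypothetical domain
    os.makedirs(folder)
    with open(os.path.join(folder, "tracker.sol"), "wb") as fh:
        fh.write(b"\x00\xbf" + struct.pack(">I", len(body)) + body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for domain, entries in survey_lso(root).items():
            for e in entries:
                print(domain, e["file"], e["bytes"], "bytes", e["name"], e["strings"])
```

To survey a real machine, call `survey_lso` on the Flash Player `#SharedObjects` directory (for example `~/.macromedia/Flash_Player/#SharedObjects` on Linux).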

So, who’s using them?  

In light of the persistence and low profile of Flash cookies, you would expect to see tracking companies using Flash cookies.  A quick survey of the machines in my own home revealed Flash cookies being used by the targeters on the following domains (no doubt an incomplete list):

adap.tv
atdmt.com (Akamai)
clearspring.com
doubleclick.net (Google)
eyewonder.com
gigya.com
interclick.com
quantserve.com (Quantcast)
scanscout.com
specificlick.net (Specific Media)
tattomedia.com
tremormedia.com
videoegg.com
visiblemeasures.com

Many of these companies are familiar because they are included in the privacychoice opt-out wizard.  Most of these companies have privacy policies that mention cookie tracking and provide an opt-out.  However, according to a custom search of all of the targeting company privacy policies, none of them mentions “Flash cookies” or “local shared objects”.  None of them explains how to view, control or delete flash cookies. Nor do they state explicitly whether opting out using a traditional opt-out cookie will also serve to opt out from any tracking via Flash cookies.

To be fair, we can’t assume that all of these networks are using Flash cookies for tracking purposes, and some of these folks who work in video (like Videoegg) no doubt have non-tracking purposes for Flash cookies (to retain user settings, for example).  But the failure to even mention the use of flash cookies in their privacy policies means they aren’t in compliance with the disclosure rules of  TRUSTe or the Network Advertising Initiative, which requires an explanation of what information is collected about users.  Most likely, many of them are using flash cookies for behavioral tracking, and they just haven’t given much thought to the disclosure and opt-out requirements unique to those methods. 

I’ll be polling them on this question and will update this post with further data.

So now what?

Here’s a conclusion and a proposal:

First, it’s not realistic to suggest that companies simply refrain from using Flash cookies for behavioral tracking. It’s already happening, and thanks to the lousy job Adobe did in implementing flash cookie controls, we’re stuck with a system that is opaque and beyond the average user’s ability to control.

However, any company that does collect any information via Flash cookies (whether for behavioral profiling or otherwise) should update their privacy policies to make this clear, just as they generally do for traditional browser cookies.  This is another good test of the seriousness of self-regulation in the hands of the NAI and TRUSTe.

Any company that uses flash cookies for behavioral profiling should take one additional step, which is to expressly apply their traditional browser cookie opt-out (already in place with over 70 networks) to the use of flash cookies as well, and to confirm that they are doing so in their privacy policies.  That is to say, any consumer opting out via a traditional browser cookie opt-out should be understood as opting out of all tracking, whether by traditional cookies, Flash cookies, beacons or any other technology that may come down the road.

While this is perhaps not as verifiable (because Flash cookies are difficult to find and read), the fact is that nearly all opt-out cookies require users to trust that the network is honoring the opt-out preference anyway. 

Another possible approach — to create a separate opt-out process that actually writes a Flash version of an opt-out cookie into the local shared objects — is not workable.  Confirmation of the process by viewing a flash cookie is too difficult, and it will be more difficult to aggregate opt-outs for the ease of consumers.  Also, with Silverlight and any number of additional browser add-ons that can provide a platform for tracking, it would be unmanageable to support separate opt-out regimes for each.  Rather, a comprehensive, cross-technology opt-out system should build on what has already been put in place with traditional browser cookies.

My suggestion reflects a key underlying philosophy:  Opt-out cookies are nothing more than a statement of the user’s preference, and not a means to actually prevent behavioral targeting. True accountability to honor the user’s preference won’t come through technology, but rather through industry leadership, advertiser oversight and (inevitably) some level of government and legal process.