Google takes out the trash? Not so much.

Those keenly interested in Google’s every move on privacy didn’t miss the fact that Google chose this Friday-before-a-long-weekend to announce a revision to their master privacy policy, which will be effective on October 3. (Marked copy is at the end of this post.)

For fans of the West Wing, you might be thinking Google must be “taking out the trash,” which refers to the strategy of announcing bad news on Friday afternoons when fewer folks are tuned in. In fact, there’s actually very little in here of interest.

When I first saw the announcement, I hoped there might be greater clarity on Google’s data retention policy, but got no love on that count. In fact, there’s no mention of any changes coming in the separate advertising-related privacy policies.

At the risk of revealing my wonkishness, one passage did catch my eye; note the addition of the last three words in this paragraph:

Google also uses cookies in its advertising services to help advertisers and publishers serve and manage ads across the web and on Google.

I wasn’t aware that third-party ads were being served in Google, but perhaps with the advent of the Google’s ad exchange (see prior post), this is changing.

See anything else interesting in here? Let me know.

MARKED COPY

Privacy Policy

Preview of updated policy which will take effect on October 3, 2010

Last modified: October 3, 2010March 11, 2009 (view archived versions)

At Google we recognize that privacy is important. This Privacy Policy applies to all of the products, services and websites offered by Google Inc. or its subsidiaries or affiliated companies except DoubleClick (DoubleClick Privacy Policy) and Postini (Postini Privacy Policy). Sometimes, we may post product specific privacy notices or Help Center materials to explain our products in more detail); collectively, Google’s “services.” In addition, where more detailed information is needed to explain our privacy practices, we post supplementary privacy notices to describe how particular services process personal information. These notices can be found in the Google Privacy Center.

Google adheres to the US Safe Harbor Privacy Principles of Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement, and is registered with the U.S. Department of Commerce’s Safe Harbor Program.

If you have any questions about this Privacy Policy, please feel free to contact us through our website or write to us at

Privacy Matters
c/o Google Inc.
1600 Amphitheatre Parkway
Mountain View, California, 94043
USA

Information we collect and how we use it

WeWe offer a number of services that do not require you to register for an account or provide any personal information to us, such as Google Search. In order to provide our full range of services, we may collect the following types of information:

• Information you provide – When you sign up for a Google Account, we ask you for personal information. or other Google service or promotion that requires registration, we ask you for personal information (such as your name, email address and an account password). For certain services, such as our advertising programs, we also request credit card or other payment account information which we maintain in encrypted form on secure servers. We may combine the information you submit under your account with information from other Google services or third parties in order to provide you with a better experience and to improve the quality of our services. For certain services, we may give you the opportunity to opt out of combining such information. You can use the Google Dashboard to learn more about the information associated with your Account. If you are using Google services in conjunction with your Google Apps Account, Google provides such services in conjunction with or on behalf of your domain administrator. Your administrator will have access to your account information including your email. Consult your domain administrator’s privacy policy for more information.
• Cookies – When you visit Google, we send one or more cookies cookies – a small file containing a string of characters – to your computer or other device. that uniquely identifies your browser. We use cookies to improve the quality of our service, including for storing user preferences, improving search results and ad selection, and tracking user trends, such as how people search. Google also uses cookies in its advertising services to help advertisers and publishers serve and manage ads across the web and on Google. We may set one or more cookies in your browser when you visit a website, including Google sites that use our advertising cookies, and view or click on an ad supported by Google’s advertising services.
• Log information – When you access Google services, our servers automatically record information that your browser sends whenever you visit a website. These server logs may include information such as your web request, your interaction with a service, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser or your account..
• User communications – When you send email or other communications to Google, we may retain those communications in order to process your inquiries, respond to your requests and improve our services. When you send and receive SMS messages to or from one of our services that provides SMS functionality, we may collect and maintain information associated with those messages, such as the phone number, the wireless carrier associated with the phone number, the content of the message, and the date and time of the transaction. We may use your email address to communicate with you about our services.
• Affiliated Google Services on other sites – We offer some of our services on or through other web sites. Personal information that you provide to those sites may be sent to Google in order to deliver the service. We process such information under this Privacy Policy. The affiliated sites through which our services are offered may have different privacy practices and we encourage you to read their privacy policies.
• Third Party ApplicationsGadgets – Google may make available third party applications, such as gadgets or extensions, through its services. The information collected by Google when you enable a third partygadget or other application is processed under this Privacy Policy. Information collected by the third party application or gadget provider is governed by their privacy policies.
• Location data – Google offers location-enabled services, such as Google Maps and Latitude.for mobile. If you use those services, Google may receive information about your actual location (such as GPS signals sent by a mobile device) or information that can be used to approximate a location (such as a cell ID).
• Unique application number – Certain services, such as Google Toolbar, include a unique application number that is not associated with your account or you. This number and information about your installation (e.g., operating system type, version number) may be sent to Google when you install or uninstall that service, when that service periodically contacts our servers (for example, to request automatic updates to the software).

• Links – Google may present links in a format that enables us to keep track of whether these links have been followed. We use this information to improve the quality of our search technology, customized content and advertising. Read more information about links and redirected URLs.

• Other sites – This Privacy Policy applies to Google services only. We do not exercise control over the sites displayed as search results, sites that include Google applications, products or services, or links from within our various services. These other sites may place their own cookies or other files on your computer, collect data or solicit personal information from you.

In addition to the above, we may use the information we collect to:

Provide,Google only processes personal information for the purposes described in this Privacy Policy and/or the supplementary privacy notices for specific services. In addition to the above, such purposes include:

• Providing our services, including the display of customized content and advertising;

• Auditing, research and analysis in order to maintain, protect, and improve our services (including advertising services) and develop new services; and

• ProtectEnsuring the technical functioning of our network;

• Protecting the rights or property of Google or our users.users; and

• Developing new services.

You can find more information about how we process personal information by referring to the supplementary privacy notices for particular services.

Google processes personal information on our servers in the United States of America and in other countries. In some cases, we process personal information on a server outside your own country. We may process personal information to provide our own services. In some cases, we may process personal information on behalf of and according to the instructions of a third party, such as our advertising partners.

Choices for personal information

When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.

If we propose to use personal information for any purposes other than those described in this Privacy Policy and/or in the specific service privacy notices, we will offer you an effective way to opt out of the use of personal information for those other purposes. We will not collect or use sensitive information for purposes other than those described in this Privacy Policy and/or in the supplementary service privacy notices, unless we have obtained your prior consent.

Google processes personal information on our servers in the United States of America and in other countries. In some cases, we process personal information outside your own country.

Choices

You can use the Google Dashboard to review and control the information stored in your Google Account.

Most browsers are initially set up to accept cookies, but you can reset your browser to refuse all cookies or to indicate when a cookie is being sent. However, some Google features and services may not function properly if your cookies are disabled.

Google uses the DoubleClick advertising cookie on AdSense partner sites and certain Google services to help advertisers and publishers serve and manage ads across the web. You can view, edit, and manage your ads preferences associated with this cookie by accessing the Ads Preferences Manager. In addition, you may choose to opt out of the DoubleClick cookie at any time by using DoubleClick’s opt-out cookie.

You can decline to submit personal information to any of our services, in which case Google may not be able to provide those services to you.

Information sharing

Google only shares personal information with other companies or individuals outside of Google in the following limited circumstances:

• We have your consent. We require opt-in consent for the sharing of any sensitive personal information.
• We provide such information to our subsidiaries, affiliated companies or other trusted businesses or persons for the purpose of processing personal information on our behalf. We require that these parties agree to process such information based on our instructions and in compliance with this Privacy Policy and any other appropriate confidentiality and security measures.
• We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law.

If Google becomes involved in a merger, acquisition, or any form of sale of some or all of its assets, we will ensure the confidentiality of any personal information involved in such transactions and provide notice before personal information is transferred and becomes subject to a different privacy policy.

We may share with third parties certain pieces of aggregated, non-personal information, such as the number of users who searched for a particular term, for example, or how many users clicked on a particular advertisement. Such information does not identify you individually.

Please contact us at the address below for any additional questions about the management or use of personal data.

Information security

We take appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data. These include internal reviews of our data collection, storage and processing practices and security measures, including appropriate encryption andas well as physical security measures to guard against unauthorized access to systems where we store personal data.

We restrict access to personal information to Google employees, contractors and agents who need to know that information in order to process it on our behalf.operate, develop or improve our services. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.

Data integrity

Google processes personal information only for the purposes for which it was collected and in accordance with this Privacy Policy or any applicable service-specific privacy notice. We review our data collection, storage and processing practices to ensure that we only collect, store and process the personal information needed to provide or improve our services or as otherwise permitted under this Policy. We take reasonable steps to ensure that the personal information we process is accurate, complete, and current, but we depend on our users to update or correct their personal information whenever necessary.

Accessing and updating personal information

When you use Google services, we make good faith efforts to provide you with access to your personal information and either to correct this data if it is inaccurate or to delete such data at your request if it is not otherwise required to be retained by law or for legitimate business purposes. We ask individual users to identify themselves and the information requested to be accessed, corrected or removed before processing such requests, and we may decline to process requests that are unreasonably repetitive or systematic, require disproportionate technical effort, jeopardize the privacy of others, or would be extremely impractical (for instance, requests concerning information residing on backup tapes), or for which access is not otherwise required. In any case where we provide information access and correction, we perform this service free of charge, except if doing so would require a disproportionate effort. Because of the way we maintain certain services, after you delete your information, residual copies may take a period of time before they are deleted from our active servers and may remain in our backup systems. Please review the service Help Centers for more information.Some of our services have different procedures to access, correct or delete users’ personal information. We provide the details for these procedures in the specific privacy notices or FAQs for these services.

Enforcement

Google adheres to the US Safe Harbor Privacy Principles of Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement, and is registered with the U.S. Department of Commerce’s Safe Harbor Program.

Google regularly reviews its compliance with this Privacy Policy. Please feel free to direct any questions or concerns regarding this Privacy Policy or Google’s treatment of personal information by contacting us through this web site or by writing to us at

Privacy Matters
c/o Google Inc.
1600 Amphitheatre Parkway
Mountain View, California, 94043
USA

When we receive formal written complaints, at this address, it is Google’s policy to contact the complaining user regarding his or her concerns. We will cooperate with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of personal data that cannot be resolved between Google and an individual.

Changes to this Privacy Policy

Please note that this Privacy Policy may change from time to time. We will not reduce your rights under this Privacy Policy without your explicit consent. Weconsent, and we expect most such changes will be minor. Regardless, we will post any Privacy Policy changes on this page and, if the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of Privacy Policy changes). WeEach version of this Privacy Policy will be identified at the top of the page by its effective date, and we will also keep prior versions of this Privacy Policy in an archive for your review.

If you have any additional questions or concerns about this Privacy Policy, please feel free to contact us any time through this web site or at

Privacy Matters
c/o Google Inc.
1600 Amphitheatre Parkway
Mountain View, California, 94043
USA

NAI on Flash cookies: almost there …

The Network Advertising Initiative recently completed a comprehensive review of the practices of its members, culminating in its 2009 Annual Report. Given the recent criticism of how Flash cookies may be used to track user behavior (see prior posts), I was pleased to see the NAI cover that practice in its review, and to reiterate the rule against the practice. While this is a big step forward, the NAI should go further to fully resolve Flash cookie question as it pertains to its members.

Based on staff interviews, the report concluded that none of the evaluated companies uses Flash cookies for online behavioral advertising (see footnote 46). Since our own panel found Flash cookies being written by several NAI members (including Specific Media and DoubleClick), the NAI must have been assured that these firms have implemented internal controls about how they use Flash cookies. But without an explanation of those assurances (or even why Flash cookies need to be used in the first place), the report is incomplete. The NAI should ask those firms to update their privacy policies to explain the use of Flash cookies and disavow their use for targeting. (See an earlier post on this as it relates to DoubleClick.)

The Flash cookie issue has rightly become a focus for privacy advocates, even though (at least as to the NAI membership), it looks like it shouldn’t be. A more unequivocal statement from the NAI members who use Flash cookies for other purposes will mean that networks abusing Flash cookies have nowhere to hide.

Doubleclick’s Flash cookies

Since the next version of the privacychoice opt-out tool will incorporate integrated control of Flash cookies, we’ve developed internal tools to start monitoring the incidence of use of Flash cookies by tracking companies. It’s not news that use of Flash cookies has been widely embraced by ad networks; what is surprising is how few of them explain this in their privacy disclosures, or provide any guidance on how to delete or control them.

The most notable example of missing Flash-cookie disclosure comes from the biggest dog of all: Google’s DoubleClick subsidiary. We’re seeing their Flash cookie, googleads.g.doubleclick.net, on multiple test machines, which raises questions:

1. Is DoubleClick’s Flash cookie used to gather interest information? This is not confirmed one way or another in the privacy policy, but should be. (In fact, a search of DoubleClick’s site reveals no mention of Flash cookies.)
2. If I expressly opt out using the regular DoubleClick browser cookie, and then that opt-out cookie is deleted for any reason, does DoubleClick reconnect my profile with the surviving Flash cookie? Why doesn’t Google just delete the Flash cookie as part of the normal opt-out process?
3. Better yet, if Google is using Flash cookies to enhance the ad serving experience, why not set the user’s opt-out preference with a durable Flash cookie?

My guess is that DoubleClick’s Flash cookies are not used for interest gathering or ad targeting, but in the absence of a clear statement as to how they are used, consumers are left to wonder.

Should adult activities be out of bounds for behavioral targeting?

In the privacy debate about behavioral tracking and ad targeting, most folks agree that new rules are needed in areas that are considered “sensitive.” Some activities, like researching health conditions or financial planning, will be off limits for tracking once new rules are in place. Companies won’t be able to use information about those activities when compiling user profiles or targeting advertising, and probably will be obligated to delete such data promptly.

This will impose new policies (and probably new operating practices) on many firms engaged in tracking. A substantial majority (65%) of the tracking companies in the privacychoice database make no mention in their privacy statements of special handling for sensitive information.

The larger players are ahead of the curve. With a few exceptions, each of the top ten ad networks already exclude sensitive information from their targeting matrix in some way. In the most typical formulation, “sensitive” information is defined to include government-issued identifiers (like SSN), insurance plan and financial account numbers, your real-time geographic location (via GPS), and “precise information about past, present, or potential future health or medical conditions or treatments, including genetic, genomic, and family medical history.”

A few ad networks go further, also establishing exclusions around sexual identity and adult activities. Google, for example, says it will not associate the omnipresent DoubleClick cookie with information about “sexual orientation.” Clearsight Interactive and AlmondNet will not store information from “adult and gambling sites.” BlueKai does not collect or share data involving “adult behavior such as drinking, politics, or pornographic content.” Exelate promises not to target ads based on “adult related searches or adult content.”

It is easier for an ad network to promise not to use adult activities if they don’t serve ads or collect data on adult sites in the first place. But mainstream ad networks and measurement firms are present on adult sites. Take a look at the Network Privacy Profile for playboy.com, where you will find DoubleClick, Quantcast, Eyewonder and several others. Those networks are in a position to connect visits to adult sites with a user’s overall profile (and any personally identifiable information, if they have it).

Consumers have some privacy protection in the form of anonymous surfing tools, which are now available in all of the major browsers. But although private browsing mode cuts off access to regular browser cookies on your computer, it doesn’t mask IP addresses or block Flash cookies, which are common across all browsers and are favorite tracking tools for many ad networks. There are technical workarounds, but none within reach of an average consumer.

As regulations emerge, here are two predictions:

• Use of sexual orientation will be off-limits in behavioral targeting as a matter of law, but activities on adult sites will not. While advocates want to circumscribe targeting as much as possible, they will pick their battles. (Thus the recent proposal from a coalition of privacy advocates only suggested sensitizing information about sexual orientation and “personal relationships.”)
• In the long run, as opt-out (or even opt-in) choices become more prevalent and robust, companies will extend their definition of sensitive categories beyond non-controversial areas like finance and health. This will be an easy way to make consumers more comfortable, particularly if new rules require companies to show users what’s in their own profiles.

Website analytics and targeting: is there an elephant in the room?

In sampling top websites for the privacychoice service, we see that nearly all of them use hosted website analytics to understand user behavior. Like an ad network, an analytics service works through Javascript code embedded throughout pages on a website. As humans navigate the site, background communications with the analytics server provide complete visibility on behavior, including counting new or repeat users, seeing which search terms they used to find your site, and which of your pages pages are most popular. Using cookies and IP addresses, a user’s multiple sessions can be linked in order to understand user loyalty and behavior over time.

The sheer ubiquity of analytics code raises an obvious question: Is website analytics data used to target advertising?

The question gains importance given the growing overlap between analytics providers and ad networks, where Google is the biggest in each market. It has the widest footprint in selling and serving ads through the AdSense network and DoubleClick. It also also gives away Google Analytics for free to web publishers, which is present on over three-quarters of the sites sampled for privacychoice. For  customers who are also advertisers on Google networks, the appeal is an integrated end-to-end cycle — from ad click through user actions taken on the site — enabling publishers to connect the dots for a more effective ad spend. The other analytics providers include a handful of enterprise-grade platforms like Omniture. Once Omniture becomes part of Adobe, they may have access to a larger web-wide footprint through the huge installed base of Flash applications (also widely used in ads).

Yahoo! also offers its own analytics product to advertising customers, and Yahoo! makes it clear that analytics data is leveraged to target advertising. User activities on sites running Yahoo!’s analytics program can be associated with the user’s account and activities on Yahoo!’s family of sites. For purposes of disclosure, websites using Yahoo!’s service are directed to include specific language in their privacy policies and a link to more information. According to Yahoo! search, around 3,000 sites carry the required language:

“We use third-party web beacons from Yahoo! to help analyze where visitors go and what they do while visiting our website. Yahoo! may also use anonymous information about your visits to this and other websites in order to improve its products and services and provide advertisements about goods and services of interest to you.”

Yahoo! can connect user activities from its analytics network with Yahoo!’s sites or ad networks. Does Google?

The answer is, probably not, if only in light of Google’s other practices. DoubleClick requires each participating website to make a special privacy disclosure about the use of information for ad targeting, and provides an opt-out cookie for consumers. Google Analytics has neither. Also Google analytics collects user information through a different domain (google-analytics.com) than they use for their ad networks (doubleclick.net, googlesyndication.com and others). While this doesn’t mean they can’t use analytics data for ad targeting, it does make it harder as a practical matter.

However unlikely it may be, given the huge but invisible reach of Google Analytics, it’s reasonable to expect an express statement from Google. This could be as simple as: information gathered via Google Analytics is not associated with other Google user information or used to target advertising.

To search of this kind of statement, you can start start by navigating Google’s privacy policies. Which one is relevant is not immediately obvious. Look at Google Analytics for a privacy policy and you end up at the general Google Privacy Center (unlike DoubleClick, which has a separate policy, and 15 other Google services, which have supplements to the general policy).

Google’s general policy is particularly unhelpful in explaining how user information is handled by Google Analytics. In the explanation of data gathering via cookies, IP addresses and such, matters are framed with “when you visit Google'” or “when you access Google services.” Who even knows they are using Google services when they happen to trigger Google Analytics code on a third-party site? But still you will find no express statement about mixing analytics and targeting data.

Turn from the consumer disclosures to the terms of service Google Analytics provides its analytics customers. There you find this express statement about the use of information:

Google and its wholly owned subsidiaries may retain and use, subject to the terms of its Privacy Policy (located at http://www.google.com/privacy.html , or such other URL as Google may provide from time to time), information collected in Your use of the Service.

The policy does go on to say that, although Google may retain and use the information, it will not share any site’s information with third parties. But by implication, Google still can use the information to target ads, so long as it does not disclose the targeting information to advertisers. The fact that Google probably doesn’t use analytics data this way isn’t the point. What is needed is a statement that makes Google accountable for that policy. In crafting privacychoice summaries, this ambiguity in Google’s policies means we cannot assume that users are anonymous to Google when they are on sites using Google Analytics.

This example provides important takeaways for folks writing rules for this industry. To ensure clarity and accountability, any company in the business of collecting and using information about users from across different websites should register each domain they use, and bind it legally to a complete privacy policy that governs the activity. There’s no room — and no reason — for ambiguity.

AdSense interest-based targeting: how many publishers are on board?

When Google rolled out interest-based targeting in March, they called on each of their Adsense publishers to revise their privacy policies:

Your posted privacy policy should include the following information about Google and the DoubleClick DART cookie:

* Google, as a third party vendor, uses cookies to serve ads on your site.
* Google’s use of the DART cookie enables it to serve ads to your users based on their visit to your sites and other sites on the Internet.
* Users may opt out of the use of the DART cookie by visiting the Google ad and content network privacy policy.

So, now that we’re three months past the announcement, just how many AdSense sites have complied with this directive and opted-in to interest based advertising?

Other than some apocryphal findings, I haven’t seen a reported number, but perhaps one rough way to measure it is to see how many privacy policy pages the search engines show as having that required link to Google’s privacy policy. Each search engine provides its own answer:

On Google – 93,600
On Yahoo! – 78,000
On Bing – 21,100

That’s a wide variation, but even if you take the high one, you’re still talking about what’s likely a small percentage of the total number of AdSense sites, although potentially a high percentage of AdSense traffic (only Google knows).

Does this reflect publisher hesitation about behavioral targeting? Uncertain impact on ad revenue? Inattention?  AdSense malaise?

———————-

NB This decidedly unscientific exercise depends on the construction of my search query, which no doubt may be interpreted differently by each search engine. Here’s the query:

“privacy policy” AND link:http://www.google.com/privacy_ads.html OR “http://www.google.com/privacy_ads.html”

The idea is to only capture pages that (1) are site privacy policies; and (2) either have the URL in searchable text or have the URL as a hypertext link.

If there are any search experts out there with suggestions on how this query could be structured better, please let me know!

Flash cookies and behavioral tracking: a proposal

After noticing Quantcast’s use of “Flash cookies,” I did some research on this technology as it relates to online privacy and behavioral tracking.   I’ve come to concur with other commentators that Flash cookies present a difficult challenge to meaningful consumer privacy choice, and would like to suggest a proposal.

Not all cookies are created equal

First, some background.  Flash cookies, known more formally as Local Shared Objects, work in much the same way as traditional browser cookies.  When you visit a website (or Flash application) the content server is able to access and store data in a defined place on your machine.  This data is available to servers from that same domain on future visits.  By placing a unique identifier as a local shared object (such as a long number), a tracking firm can capture and profile your activities across different visits and different websites. (See Wikipedia for a good roundup of the issues and links to other research and commentary on the topic.)

Some things to note:

1.  To see your own machine’s set of Flash cookies, visit this page on the Adobe website.  There you will see an interface like this, which shows which sites have stored Flash cookies, and how much space you are permitting them to use.  Key point:  browser applications do not provide direct access or control over Flash cookies in the way that they do over traditional cookies.  To do this easily, you must install a browser add-on like Objection or Better Privacy for Firefox (highly recommended if you are researching how these things work).

2.  Adobe’s special web page shows you the maximum amount of storage space a site can use, and how much they are using, but it does not show you what is being stored there.  In fact, even if you go into the directory structure yourself through the operating system, you will find files that are not easily opened to view.  In practical “opt out” terms, this means you cannot confirm easily that the text consists only of a non-unique looking opt-out cookie, for example. You would need to use an add-on like Objection to see the actual values of the Flash cookies.

3.  Unlike browser cookies, which keep a separate set of cookies for each different browser, a single Flash storage system serves all of the browsers that you may use on one machine.  This means that even if you use two different browsers, your activities in both can be associated with you as a single user.  So-called “private browsing” modes for browsers — which do not store web history or traditional browser cookies — may well still record behavior in Flash cookies.

Given this technical framework, flash cookies are uniquely valuable for behavioral tracking.  They provide all of the same tracking functionality, but unlike traditional cookies, which are regularly deleted by many users, Flash cookies are rarely deleted because (1) users don’t know they are there and (2) the process for managing permissions is practically unusable.

So, who’s using them?  

In light of the persistence and low profile of Flash cookies, you would expect to see tracking companies using Flash cookies.  A quick survey in the machines in my own home revealed Flash cookies being used by the targeters on the following domains (no doubt an incomplete list):

adap.tv
atdmt.com (Akamai)
clearspring.com
doubleclick.net (Google)
eyewonder.com
gigya.com
interclick.com
quantserve.com (Quantcast)
scanscout.com
specificlick.net (Specific Media)
tattomedia.com
tremormedia.com
videoegg.com
visiblemeasures.com

Many of these companies are familiar because they are included in the privacychoice opt-out wizard.  Most of these companies have privacy policies that mention cookie tracking and provide an opt-out.  However, according to a custom search of all of targeting company privacy policies, none of them mentions “Flash cookies” or “local shared objects” in their privacy policies.  None of them explains how to view, control or delete flash cookies. Nor do they state explicitly whether opting out using traditional opt-out cookie will also serve to opt-out from any tracking via Flash cookies. 

To be fair, we can’t assume that all of these networks are using Flash cookies for tracking purposes, and some of these folks who work in video (like Videoegg) no doubt have non-tracking purposes for Flash cookies (to retain user settings, for example).  But the failure to even mention the use of flash cookies in their privacy policies means they aren’t in compliance with the disclosure rules of  TRUSTe or the Network Advertising Initiative, which requires an explanation of what information is collected about users.  Most likely, many of them are using flash cookies for behavioral tracking, and they just haven’t given much thought to the disclosure and opt-out requirements unique to those methods. 

I’ll be polling them on this question and will update this post with further data.

So now what?

Here’s a conclusion and a proposal:

First, it’s not realistic to suggest that companies simply refrain from using Flash cookies for behavioral tracking. It’s already happening, and thanks to the lousy job Adobe did in implementating flash cookie controls, we’re stuck with a system that is opaque and beyond the average user’s ability to control.

However, any company that does collect any information via Flash cookies (whether for behavioral profiling or otherwise) should update their privacy policies to make this clear, just as they generally do for traditional browser cookies.  This is a another good test of the seriousness of self-regulation in the hands of the NAI and TRUSTe.

Any company that uses flash cookies for behavioral profiling should take one additional step, which is to expressly apply their traditional browser cookie opt-out (already in place with over 70 networks) to also cover the use of flash cookies as well, and to confirm that they are doing so in their privacy policies.  That is to say, any consumer opting out via a traditional browser cookie opt-out should be understood as opting out of all tracking, whether by traditional cookies, Flash cookies, beacons or any other technology that may come down the road.

While this is perhaps not as verifiable (because Flash cookies are difficult to find and read), the fact is that nearly all opt-out cookies require users to trust that the network is honoring the opt-out preference anyway. 

Another possible approach — to create a separate opt-out process that actually writes a Flash version of an opt-out cookie into the local shared objects — is not workable.  Confirmation of the process by viewing a flash cookie is too difficult, and it will be more difficult to aggregate opt-outs for the ease of consumers.  Also, with Silverlight and any number additional browser add-ons that can provide a platform for tracking, it would be unmanageable to support separate opt-out regimes for each.  Rather, a comprehensive, cross-technology opt-out system should build on what has already been put in place with traditional browser cookies.

My suggestion reflects a key underlying philosophy:  Opt-out cookies are nothing more than a statement of the user’s preference, and not a means to actually prevent behavioral targeting. True accountability to honor the user’s preference won’t come through technology, but rather through industry leadership, advertiser oversight and (inevitably) some level of government and legal process.

How relevant is TRUSTe to behavioral targeting?

TRUSTe has established itself as the leading independent organization certifying the privacy practices of online providers. This list of companies that have obtained TRUSTe certification is indeed large, 2,400+ according to their site, and includes heavyweights like Yahoo! and Microsoft/MSN. TRUSTe certification is said to be something like the Good Housekeeping seal for consumer privacy.  In TRUSTe’s own words:

The TRUSTe seal means that the company whose Web site you are visiting takes your privacy seriously. We monitor the compliance of member businesses, provide an arena for you to file privacy violation complaints, and make sure these complaints are heard.

So, if behavioral targeting is a frontier for consumer privacy, you would expect ad networks and other BT companies to see TRUSTe certification as an important badge of honor, and also be prepared to submit to some oversight.

As it turns out, in our research on over 70 different tracking networks, far fewer than I expected have actually gone to the trouble to step up for TRUSTe certification. Among the larger players, Yahoo! and Microsoft appear to be certified by TRUSTe as to their ad network activities. Although AOL is TRUSTe certified as to the aol.com service, they maintain separate policies for their several ad networks, like advertising.com, Platform-A and Quigo, and there’s no mention of TRUSTe in those brands (other than Tacoda). Recent heavyweight entrant to behavioral targeting, Akamai, has not been certified, nor has Quantcast (which is amassing quite a footprint across its network).  (By the way, among other tracking research companies, Omniture and Coremetrics have been certified, while Nielsen appears not to be.)

And among the smaller ad network players, only a handful (including among others AudienceScience, Fetchback, Nextag, RealMedia.com and Media6degrees) are TRUSTe certified. Notable uncertified small players:  BlueKai, Collective Media, Adify, Fox Interactive Media, Turn and dozens of others.

Of course, the elephant in the room is (always) Google (including the massive DoubleClick and AdSense ad networks). Interestingly we found no mention of TRUSTe certification mentioned in their privacy policies or on TRUSTe’s list. Speaking cynically, I guess you wouldn’t expect behemoth Google to humble itself to a pesky third-party watchdog, even though Yahoo and Microsoft were willing to do so. 

For privacychoice 2.0, we’re still planning to allow users to opt-out only from networks that are not TRUSTe certified, since for many consumers, it’s good enough to now that a watchdog is involved. Unfortunately, it looks like that opt-out list will be a pretty big.  

For an industry claiming to be able to regulate itself, this doesn’t exactly inspire confidence.

Google crosses the divide

 

Big news today, if you are interested in behavioral targeting:  Google is now associating behavior across “partner” sites (presumably including all AdSense sites and DoubleClick sites) to target advertising.

Some excerpts from the Google blog:

We think we can make online advertising even more relevant and useful by using additional information about the websites people visit. Today we are launching “interest-based” advertising as a beta test on our partner sites and on YouTube. These ads will associate categories of interest — say sports, gardening, cars, pets — with your browser, based on the types of sites you visit and the pages you view. We may then use those interest categories to show you more relevant text and display ads.

…

This kind of tailored advertising does raise questions about user choice and privacy — questions the whole online ad industry has a responsibility to answer. Many companies already provide interest-based advertising and they address these issues in different ways. For our part, we’re launching interest-based advertising with three important features that demonstrate our commitment to transparency and user choice.

• Transparency – We already clearly label most of the ads provided by Google on the AdSense partner network and on YouTube. You can click on the labels to get more information about how we serve ads, and the information we use to show you ads. This year we will expand the range of ad formats and publishers that display labels that provide a way to learn more and make choices about Google’s ad serving.
• Choice – We have built a tool called Ads Preferences Manager, which lets you view, delete, or add interest categories associated with your browser so that you can receive ads that are more interesting to you.
• Control – You can always opt out of the advertising cookie for the AdSense partner network here. To make sure that your opt-out decision is respected (and isn’t deleted if you clear the cookies from your browser), we have designed a plug-in for your browser that maintains your opt-out choice.