Posts Tagged ‘Quantcast’

Confirmed: Quantcast joins NAI + comments on the good, the bad and the interesting

June 22, 2009

As mentioned here several weeks ago, Quantcast, which collects user information across thousands of sites, has officially joined the Network Advertising Initiative.

The relevant changes to the Quantcast privacy policy follow below. Here are some quick observations:

  1. Interesting: The Quantcast opt-out only applies to their advertising delivery services. They do not allow consumers to opt out of tracking for the purposes of audience measurement.
  2. Good: The policy confirms that Quantcast uses Flash cookies, and states that those are only used for audience measurement of Flash applications and not for behavioral ad targeting. There is no Flash cookie opt-out provided, which aligns with their theory that no opt-out is necessary for audience measurement.
  3. Good: They have a direct link to their opt-out on their top page. Not prominent, but it is there at least.
  4. Good: They now have a deletion policy (called for by the privacychoice best practices for opt-outs). Log data is retained indefinitely for audience research and 13 months for advertising purposes, which puts them among the companies with shorter retention periods (at least for advertising).
  5. Good and Bad: They fixed the issues I mentioned with their prior implementation (unique cookie value), and now have a straightforward, non-unique opt-out cookie. However, they assign a cookie deletion date/time based on the date/time when first set, which — doh! — means the cookie is no longer non-unique.
  6. Not so good: The policy does not expressly state that if you opt-out, behavioral information will not be collected and shared; it only says that if you opt out you will not receive interest-based advertising and content.  A better practice would be to make it clear no information is collected from opted-out users for any purpose other than audience measurement.

Quantcast Privacy Policy

[Effective January 20June 17, 2009]

Quantcast provides this Privacy Policy to inform you of our policies and procedures regarding the collection, use and disclosure of Personally Identifiable Information we receive through our website at www.quantcast.com(the “Quantcast.com Site”), as well as through our Internet audience ratings servicemarket research services, which collectscollect and analyze data across the Web through the Quantcast Tags, as described below (the (“Market Research Services).), and our content and relevant advertising delivery service (“Delivery Service”) (the Market Research Services and the Delivery Service, collectively, the “Services”). This Privacy Policyapplies Policy applies to information that you provide to us when you use our Services as a member of our Quantcast PublisherMeasurement Program (a “Quantcast Publisher”) or as user of Quantcast Marketer (“Marketer Client”), but also when you simply access or use any information or content appearing on the Quantcast.com Site, whether as a registered user (a “Registered User”) or as a non-registered user just browsing the Quantcast.com Site (a “Quantcast Visitor”). This Privacy Policy also explains what type of information is collected if you visit third party websites serving content tagged by Quantcast Publishers or Marketer Clients with Quantcast Tags. We may change the Privacy Policy from time to time. Please consult this Privacy Policyregularly Policy regularly for any updates.

Quantcast is a member of the Network Advertising Initiative (“NAI”) (http://www.networkadvertising.org) and is in compliance with the NAI’s Self-Regulatory Principles.

Personally Identifiable Information means information about you that can be used to contact or identify you. Personally Identifiable Information may include, but is not limited to, your username, your name, phone number, email address and home and business postal addresses.

Information Collection and Use

Quantcast Publishers and Marketer Clients

  • We require Quantcast Publishers and Marketer Clients to provide certain Personally Identifiable Information when first becoming Quantcast Publishers or Marketer Clients. We may also request additional Personally Identifiable Information from time to time thereafter. Providing such additional Personally Identifiable Information is entirely optional, although some Quantcast.com Site features may not work without it.
  • For Quantcast Publishers and Marketer Clients, we use your Personally Identifiable Information mainly to provide the Services to you, as applicable, and to administer your inquiries. We may also use your Personally Identifiable Information to contact you with Quantcast newsletters, marketing or promotional materials and other information that may be of interest to you. If you decide at any time that you no longer wish to receive such communications from us, please follow the unsubscribe instructions provided in any of the communications.

Registered Users

  • If you do not have a website that you want to measure, but you do want to access or use certain information, content, or tools on the Quantcast.com Site or receive our newsletter or other marketing materials and information, you may be required to register and to submit certain Personally Identifiable Information to us. This includes user name, password, email address, physical address, and telephone number, as well as any other information that you decide to provide us with. Your profile information and your name may be displayed in the Quantcast network to enable you to connect with other people on the network, as specified by you in your privacy settings.
  • If you contact us by email through the Site, we may keep a record of your contact information and correspondence, and may use your email address, and any information that you provide to us in your message, to respond to you.
  • In addition, we may use your Personally Identifiable Information to contact you with Quantcast newsletters, marketing or promotional materials and other information that may be of interest to you. If you decide at any time that you no longer wish to receive such communications from us, please follow the unsubscribe instructions provided in any of the communications.

Log Data

  • “Log Data” means information sent by your browser such as your computer’s IP address, pixel code, referring HTTP location, current HTTP location, search string, time of the access, browser’s time, any searches made on the applicable website, and other statistics.
  • When you visit the Quantcast.com Site, whether as a Quantcast Publisher, Marketer Client, Registered User or Quantcast Visitor, our servers automatically record and collect Log Data sent by your browser. We use the Log Data to monitor and analyze the use of the Quantcast.com Site and the Services, for the Quantcast.com Site’s technical administration, to increase the Quantcast.com Site’s functionality and user-friendliness, and to better tailor it to our visitors’ needs. For example, some of this information is collected so that when you visit the Quantcast.com Site again, it will recognize you and will be able to serve content, advertisements, and other information appropriate to your interests.
  • We also collect Log Data each time you visit third-party websites serving content that has been tagged by Quantcast Publishers or Marketer Clients with Quantcast Tags. We analyze such Log Data from different websites and combine it between sites and with other data and informationnon Personally Identifiable Information to produce the Reports that are made available on the Quantcast.com Site, and to enable web publishers to deliver to and advertisers to deliver audience segments that are appropriate for their products or services. This combined data is also used by us and our partners to serve you content, advertisements, and other information tailored to your interests.
  • Our clients use our Market Research Services to understand their current and historical audience characteristics and we retain Log Data for this purpose indefinitely. We retain the ability to use Log Data to provide our Delivery Service for 13 months to accommodate seasonality.
  • We do not link Log Data to any other Personally Identifiable Information about you or otherwise attempt to discover your identity. We make efforts to require our Quantcast Publishers and Marketer Clients to ensure that any such third party website post adequate privacy policies and otherwise protect the privacy rights of their visitors. Check the privacy policies of websites tagged with Quantcast Tags for information regarding the applicable privacy practices.

Cookies

Like many websites, we use cookies on the Quantcast.com Site (by placing or reading them via your browser) to save your registration ID and login password for future logins to the Quantcast.com Site. We also utilize session ID cookies to enable certain features of the Quantcast.com Site, to better understand how you interact with the Quantcast.com Site and to monitor aggregate usage by Quantcast Users and web traffic routing on the Quantcast.com Site. Third party advertisers on the Quantcast.com Site may also place or read cookies on your browser. We also use cookies when you visit websites with content tagged by Quantcast Publishers or Marketer Clients with Quantcast Tags, to collect Log Data, as described in the Log Data section above. You can instruct your browser, by changing its options, to stop accepting browser cookies or to prompt you before accepting a cookie from the websites you visit. In addition, we use Flash cookies in connection with our Market Research Services to measure certain Flash content such as animation, games and videos. Similarly to browser cookies, Flash cookies are used to remember settings, preferences and usage, but are managed through a different interface than the one provided by your web browser. If you want to delete Flash cookies, please access your Flash Player settings management tool available on Adobe’s web site. However, if you do not accept cookies, however, (whether browser or Flash cookies), you may not be able to use all portions of the Quantcast.com Site or all functionality of the Services.

Opt-Out Option
If you prefer not to receive interest based content and ads enabled by Quantcast, you can always opt-out by clicking on our “Opt-Out” link
here or by accessing the NAI’s opt out-tool here. After you opt-out, you will not receive interest based content and advertisements enabled by Quantcast. Please note that opting-out does not turn off other advertisements or other ad delivery solutions (non-Quantcast) that address advertising based on demographic, interests, or other forms of audience based data.

The foregoing opt-out does not cover the collection of Log Data for the purpose of providing our Market Research Services (though no ads are sent to you in connection with such services).

Information Sharing and Disclosure

Log Data and Aggregate Information. We may share the following information with third parties, including, but not limited to, vendors that support the operation of our Services and entities involved in the delivery of advertisements: Log Data collected on both the Quantcast.com Site and third party websites tagged with Quantcast Tags (as described in the Log Data section above), as well as aggregated anonymized information resulting from the analysis of such Log Data for a variety of purposes, including, but not limited to, conducting industry, traffic and demographic analysis, and enabling web publishers to deliver to advertisers audience segments that are appropriate for their products or services.

Comments or Submissions. User Interaction. In addition to your username, any comments or submissions (“Unsolicited Information”) that you post to the Quantcast.com Site, whether as a Quantcast Publisher, a Marketer Client or as a Registered User, will be publicly available. All such Unsolicited Information will be deemed to be non-confidential and Quantcast will be free to reproduce, use, disclose, and distribute such Unsolicited Information to others without limitation or attribution. You should be aware that, if you voluntarily disclose Unsolicited Information online, that Unsolicited Information can be collected and used by others. For example, if you post your email address in comments sections or online forums, you may receive unsolicited messages from others. In addition, if you decide to request a copy of the Reports or other content or information from Quantcast Publishers or Marketer Clients or otherwise interact with other users, certain information that you provided to us during the registration process, such as, for instance, your name, e-mail address, company name, and industry, as well as any other information (including Unsolicited Information) that you disclose in connection with any such communications may be collected, used and disclosed for the purpose of satisfying your request or otherwise allowing such user interaction. Quantcast has no control over the use of Personally Identifiable Information that you voluntarily post in public forums or otherwise disclose while interacting with other users, whether Quantcast Publishers, Marketer Clients or Registered Users. Any such Personally Identifiable Information you choose to disclose should reflect how much you want other users to know about you. We encourage our Quantcast Publishers, Marketer Clients and Registered Users to think carefully about what information about themselves they disclose in their comments or submissions.

Service Providers. We may employ third party companies and individuals to facilitate the Services, to provide the Services on our behalf, to perform services related to administration of the Services (including, without limitation, maintenance, hosting and database management services, and administration). These third parties have access to your Personally Identifiable Information and Log Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

Compliance with Laws and Law Enforcement. Quantcast cooperates with government and law enforcement officials and private parties to enforce and comply with the law. We disclose Personally Identifiable Information and Log Data to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims and legal process (including but not limited to subpoenas), to protect the property and rights of Quantcast or a third party, to protect the safety of the public or any person, or to prevent or stop any activity we may consider to be, or to pose a risk of being illegal or legally actionable.

Business Transfers. Quantcast may sell, transfer or otherwise share some or all of its assets, including your Personally Identifiable Information and Log Data, in connection with a merger, acquisition, reorganization or sale of assets or in the event of bankruptcy. You will have the opportunity to opt out of any such transfer if the new entity’s planned processing of your information differs materially from that set forth in this Privacy Policy.

Advertisements

Flash cookies and behavioral tracking: a proposal

April 29, 2009

After noticing Quantcast’s use of “Flash cookies,” I did some research on this technology as it relates to online privacy and behavioral tracking.   I’ve come to concur with other commentators that Flash cookies present a difficult challenge to meaningful consumer privacy choice, and would like to suggest a proposal.

Not all cookies are created equal

First, some background.  Flash cookies, known more formally as Local Shared Objects, work in much the same way as traditional browser cookies.  When you visit a website (or Flash application) the content server is able to access and store data in a defined place on your machine.  This data is available to servers from that same domain on future visits.  By placing a unique identifier as a local shared object (such as a long number), a tracking firm can capture and profile your activities across different visits and different websites. (See Wikipedia for a good roundup of the issues and links to other research and commentary on the topic.)

Some things to note:

1.  To see your own machine’s set of Flash cookies, visit this page on the Adobe website.  There you will see an interface like this, which shows which sites have stored Flash cookies, and how much space you are permitting them to use.  Key point:  browser applications do not provide direct access or control over Flash cookies in the way that they do over traditional cookies.  To do this easily, you must install a browser add-on like Objection or Better Privacy for Firefox (highly recommended if you are researching how these things work).

flashpanel1

2.  Adobe’s special web page shows you the maximum amount of storage space a site can use, and how much they are using, but it does not show you what is being stored there.  In fact, even if you go into the directory structure yourself through the operating system, you will find files that are not easily opened to view.  In practical “opt out” terms, this means you cannot confirm easily that the text consists only of a non-unique looking opt-out cookie, for example. You would need to use an add-on like Objection to see the actual values of the Flash cookies.

3.  Unlike browser cookies, which keep a separate set of cookies for each different browser, a single Flash storage system serves all of the browsers that you may use on one machine.  This means that even if you use two different browsers, your activities in both can be associated with you as a single user.  So-called “private browsing” modes for browsers — which do not store web history or traditional browser cookies — may well still record behavior in Flash cookies.

Given this technical framework, flash cookies are uniquely valuable for behavioral tracking.  They provide all of the same tracking functionality, but unlike traditional cookies, which are regularly deleted by many users, Flash cookies are rarely deleted because (1) users don’t know they are there and (2) the process for managing permissions is practically unusable.

So, who’s using them?  

In light of the persistence and low profile of Flash cookies, you would expect to see tracking companies using Flash cookies.  A quick survey in the machines in my own home revealed Flash cookies being used by the targeters on the following domains (no doubt an incomplete list):

adap.tv
atdmt.com (Akamai)
clearspring.com
doubleclick.net (Google)
eyewonder.com
gigya.com
interclick.com
quantserve.com (Quantcast)
scanscout.com
specificlick.net (Specific Media)
tattomedia.com
tremormedia.com
videoegg.com
visiblemeasures.com

Many of these companies are familiar because they are included in the privacychoice opt-out wizard.  Most of these companies have privacy policies that mention cookie tracking and provide an opt-out.  However, according to a custom search of all of targeting company privacy policiesnone of them mentions “Flash cookies” or “local shared objects” in their privacy policies.  None of them explains how to view, control or delete flash cookies. Nor do they state explicitly whether opting out using traditional opt-out cookie will also serve to opt-out from any tracking via Flash cookies. 

To be fair, we can’t assume that all of these networks are using Flash cookies for tracking purposes, and some of these folks who work in video (like Videoegg) no doubt have non-tracking purposes for Flash cookies (to retain user settings, for example).  But the failure to even mention the use of flash cookies in their privacy policies means they aren’t in compliance with the disclosure rules of  TRUSTe or the Network Advertising Initiative, which requires an explanation of what information is collected about users.  Most likely, many of them are using flash cookies for behavioral tracking, and they just haven’t given much thought to the disclosure and opt-out requirements unique to those methods. 

I’ll be polling them on this question and will update this post with further data.

So now what?

Here’s a conclusion and a proposal:

First, it’s not realistic to suggest that companies simply refrain from using Flash cookies for behavioral tracking. It’s already happening, and thanks to the lousy job Adobe did in implementating flash cookie controls, we’re stuck with a system that is opaque and beyond the average user’s ability to control.

However, any company that does collect any information via Flash cookies (whether for behavioral profiling or otherwise) should update their privacy policies to make this clear, just as they generally do for traditional browser cookies.  This is a another good test of the seriousness of self-regulation in the hands of the NAI and TRUSTe.

Any company that uses flash cookies for behavioral profiling should take one additional step, which is to expressly apply their traditional browser cookie opt-out (already in place with over 70 networks) to also cover the use of flash cookies as well, and to confirm that they are doing so in their privacy policies.  That is to say, any consumer opting out via a traditional browser cookie opt-out should be understood as opting out of all tracking, whether by traditional cookies, Flash cookies, beacons or any other technology that may come down the road.

While this is perhaps not as verifiable (because Flash cookies are difficult to find and read), the fact is that nearly all opt-out cookies require users to trust that the network is honoring the opt-out preference anyway. 

Another possible approach — to create a separate opt-out process that actually writes a Flash version of an opt-out cookie into the local shared objects — is not workable.  Confirmation of the process by viewing a flash cookie is too difficult, and it will be more difficult to aggregate opt-outs for the ease of consumers.  Also, with Silverlight and any number additional browser add-ons that can provide a platform for tracking, it would be unmanageable to support separate opt-out regimes for each.  Rather, a comprehensive, cross-technology opt-out system should build on what has already been put in place with traditional browser cookies.

My suggestion reflects a key underlying philosophy:  Opt-out cookies are nothing more than a statement of the user’s preference, and not a means to actually prevent behavioral targeting. True accountability to honor the user’s preference won’t come through technology, but rather through industry leadership, advertiser oversight and (inevitably) some level of government and legal process.

Quantcast joins the NAI? Uses flash cookies?

April 29, 2009

quantcastlogoQuantcast‘s analytics service has grown rapidly, giving them a footprint (and cookie access) across thousands of websites and 6 billion impressions per day.  They recently launched Quantcast Marketer, which promises advertisers “valuable demographic and interest-based insights about their customers as they are exposed to advertising and/or interact with content or functionality on brand sites.” (emphasis mine)

When I checked for an opt-out on Quantcast’s site earlier this year, I could not find one (even though Omniture and Nielsen offered them), so it was interesting to see that one is now available through their privacy policy page.  

quantcastmenuThe presentation of this opt-out is unusual. The first reference to an opt-out appears on the privacy policy page in a menu on the left, although on the same page there’s no mention of an opt-out in a long paragraph about cookies.  In that text, the only recommendation they offer is to manage cookies through your browser settings.  Also, the label “Opt-out of Quantcast Delivery” is strange (what’s being delivered?). When you click on the link, you get to a pretty standard looking opt-out console.

quantcastnaiIn fact, it looks just like all of the implementations that are collected at the NAI site, although Quantcast is not currently listed as an NAI member.

If I had to guess, I’d say that as Quantcast has moved from simple analytics and into more direct involvement in ad targeting, it has become logical to join the NAI.  To be in the NAI, you must offer an opt-out.  I suspect that this is still in testing, and the rest of the privacy disclosures are just a step behind. Here’s hoping that those are brought in line quicky and that Quantcast puts a prominent opt-out button on the top page of their site, in the true spirit of the NAI.

Now the critique:

First, the cookie itself does not have a name or text content that clearly identifies it as an opt-out cookie, so it’s hard for the user or researcher to feel assured that the opt-out has been effective. I am guessing that the operative cookie is on the quantserve domain and is called “qoo”, but I can’t be sure.

Second, based on trying this on two different machines, it looks like Quantcast is providing unique cookie text for each opt-out, in the form of a long number.  This is poor form, particularly since all the big players (like Google) have moved toward non-unique cookies that, due to their very non-uniqueness, cannot be used for tracking.

One last question for the folks at Quantcast:  tonight I also happened to find a Local Shared Object (flash cookie) on my machine from the quantserve.com domain.  Are you are using these for tracking or targeting purposes?  Will my opt-out be effective for the flash cookie as well?

In my humble opinion, it would be aggressive for Quantcast to use flash cookies for tracking, since consumers don’t understand them and they are difficult to find or remove (perhaps that’s the point). In any case, they aren’t mentioned in the Quantcast privacy policy, whereas browser cookies are discussed extensively.  Since the NAI principles are clear that flash cookies need to be explained as part of “clear and conspicuous” disclosure, we trust that this has already been considered by Charles Curran and his team in Quantcast’s NAI application process, and that appropriate disclosures are on the way.