Posts Tagged ‘Yahoo!’

Baloney, indeed

October 9, 2010

Today’s Wall Street Journal coverage (“Website Operators Say It Isn’t Possible to Keep Track of All Tracking Tools”) attributed this quote to Yahoo!’s Chief Privacy Officer, Anne Toth, in yesterday’s Congressional hearings.

It is technically impossible for Yahoo! to be aware of all software or files that may be installed on a user’s computer when they visit our site.

My own Tweet about the article lead was: “Baloney,” to the extent it implied that Yahoo! has no practical way to control third-party tracking on Yahoo! pages.

As it turns out, that reading of the statement was baloney, since (1) it seems to have been taken out of context from Yahoo!’s complete response, and (2) it was made in response to a somewhat loaded question.

The question was whether Yahoo! has perfect visibility as to how third-party advertisers interact with consumer browsers. Yahoo! seems to have answered honestly and correctly: no scalable monitoring system can detect every third-party server interaction which could carry a cookie or local storage artifact. But the rest of Yahoo!’s submission makes it clear that they actively sample and monitor third-party tracking to the extent technically feasible, just as you would hope. (By the way, any site can have access to this kind of scanning through PrivacyChoice.)

It’s great to see the privacy discussion focus not only on the advertisers and ad networks, but also on the publishers who decide which companies can track through their sites. It’s time for big names like Yahoo! and Google to make it a published policy to give tracking access only to companies that are compliant with strong industry guidelines and are subject to regular oversight.


From Yahoo!’s full testimony:

8. Is your company aware of all third-party tracking devices that may be installed on a user’s computer when the user visits your site?

No, it is technically impossible for Yahoo! to be aware of all software or files that may be installed on a user’s computer when they visit our site. When a user visits Yahoo!, we can “see” their Yahoo! cookies which the browser transmits to us. Yahoo! does not have access to other cookies present on a user’s hard drive or all the software that a user may have installed.

As a web site publisher, Yahoo! determines the content feeds and advertisement placements for each of our services and web pages. Nearly every page on Yahoo! is generated dynamically. The content and ads that appear change minute by minute as news headlines, stock quotes, and advertising are all refreshed frequently. An ad that appears when the page initially loads may be replaced by a different ad when the page is refreshed (or reloaded), along with all the content that appears on that page. Yahoo! has relationships with different content and advertising providers. In these agreements, Yahoo! often has performance requirements about how quickly a page element or advertisement must load and these requirements often include limitations on the use of third party cookies on a Yahoo! page as each incremental cookie often results in diminishing page performance.

a) If yes, what evaluations does your company perform to discover such devices? If no, why not?

Yahoo! runs regular scans using internal and external systems to detect third party domains on our web sites that may set or access their own cookies. This is then compared to our list of approved vendors that have completed our compliance program including security, privacy, performance and contractual reviews.

b) What actions does your company take upon discovery of a previously unknown third party tracking device?

If Yahoo! discovers a third party is resident on our properties that has not completed our compliance program, Yahoo! may contact the party or its partners directly to address this issue.


PrivacyWidgets as a platform for value-exchange

January 18, 2010

As mentioned in the release notes for the PrivacyWidget and earlier posts, PrivacyWidgets can provide a platform for the value-exchange between consumers and advertisers using behavioral advertising. In this relationship, the consumer exchanges information about themselves and their interests for more relevant advertising and content.

Some ad-delivery companies are already investing in making the value-exchange more transparent for users, by showing them information about the specific interests and preferences that have been stored about them. At least seven companies already do this: BizoBlueKaieXelateGoogleRubicon ProjectSafecount and Yahoo!

These companies are betting that, by and large, consumers will appreciate more relevant advertising and can be made comfortable with any privacy impact. They’re giving this substance by reading back something about what they know about the consumer, and inviting the consumer to engage with a process to share even more about their interests.

PrivacyWidgets facilitate this transparency. As a simple start, we had added links within the PrivacyWidget to take the user directly to their personal preference information for those companies that make it available. Check out the Sample PrivacyWidget on our site to see some examples.

This is also good for websites, who choose their ad delivery partners and provide the context for the exchange in value: ad-supported content and services. Consumers who will share more about their interests will provide more advertising value. So PrivacyWidgets offer more than just an easy way to comply with disclosure requirements; over time they can drive engagement and higher ad value. For the consumer, this virtuous circle leads to more and better free content.

Website analytics and targeting: is there an elephant in the room?

September 29, 2009

In sampling top websites for the privacychoice service, we see that nearly all of them use hosted website analytics to understand user behavior. Like an ad network, an analytics service works through Javascript code embedded throughout pages on a website. As humans navigate the site, background communications with the analytics server provide complete visibility on behavior, including counting new or repeat users, seeing which search terms they used to find your site, and which of your pages pages are most popular. Using cookies and IP addresses, a user’s multiple sessions can be linked in order to understand user loyalty and behavior over time.

The sheer ubiquity of analytics code raises an obvious question: Is website analytics data used to target advertising?

GAThe question gains importance given the growing overlap between analytics providers and ad networks, where Google is the biggest in each market. It has the widest footprint in selling and serving ads through the AdSense network and DoubleClick. It also also gives away Google Analytics for free to web publishers, which is present on over three-quarters of the sites sampled for privacychoice. For  customers who are also advertisers on Google networks, the appeal is an integrated end-to-end cycle — from ad click through user actions taken on the site — enabling publishers to connect the dots for a more effective ad spend. The other analytics providers include a handful of enterprise-grade platforms like Omniture. Once Omniture becomes part of Adobe, they may have access to a larger web-wide footprint through the huge installed base of Flash applications (also widely used in ads).

Yahoo! also offers its own analytics product to advertising customers, and Yahoo! makes it clear that analytics data is leveraged to target advertising. User activities on sites running Yahoo!’s analytics program can be associated with the user’s account and activities on Yahoo!’s family of sites. For purposes of disclosure, websites using Yahoo!’s service are directed to include specific language in their privacy policies and a link to more information. According to Yahoo! search, around 3,000 sites carry the required language:

“We use third-party web beacons from Yahoo! to help analyze where visitors go and what they do while visiting our website. Yahoo! may also use anonymous information about your visits to this and other websites in order to improve its products and services and provide advertisements about goods and services of interest to you.”

Yahoo! can connect user activities from its analytics network with Yahoo!’s sites or ad networks. Does Google?

The answer is, probably not, if only in light of Google’s other practices. DoubleClick requires each participating website to make a special privacy disclosure about the use of information for ad targeting, and provides an opt-out cookie for consumers. Google Analytics has neither. Also Google analytics collects user information through a different domain ( than they use for their ad networks (, and others). While this doesn’t mean they can’t use analytics data for ad targeting, it does make it harder as a practical matter.

However unlikely it may be, given the huge but invisible reach of Google Analytics, it’s reasonable to expect an express statement from Google. This could be as simple as: information gathered via Google Analytics is not associated with other Google user information or used to target advertising.

To search of this kind of statement, you can start start by navigating Google’s privacy policies. Which one is relevant is not immediately obvious. Look at Google Analytics for a privacy policy and you end up at the general Google Privacy Center (unlike DoubleClick, which has a separate policy, and 15 other Google services, which have supplements to the general policy).

Google’s general policy is particularly unhelpful in explaining how user information is handled by Google Analytics. In the explanation of data gathering via cookies, IP addresses and such, matters are framed with “when you visit Google'” or “when you access Google services.” Who even knows they are using Google services when they happen to trigger Google Analytics code on a third-party site? But still you will find no express statement about mixing analytics and targeting data.

Turn from the consumer disclosures to the terms of service Google Analytics provides its analytics customers. There you find this express statement about the use of information:

Google and its wholly owned subsidiaries may retain and use, subject to the terms of its Privacy Policy (located at , or such other URL as Google may provide from time to time), information collected in Your use of the Service.

GA in PCThe policy does go on to say that, although Google may retain and use the information, it will not share any site’s information with third parties. But by implication, Google still can use the information to target ads, so long as it does not disclose the targeting information to advertisers. The fact that Google probably doesn’t use analytics data this way isn’t the point. What is needed is a statement that makes Google accountable for that policy. In crafting privacychoice summaries, this ambiguity in Google’s policies means we cannot assume that users are anonymous to Google when they are on sites using Google Analytics.

This example provides important takeaways for folks writing rules for this industry. To ensure clarity and accountability, any company in the business of collecting and using information about users from across different websites should register each domain they use, and bind it legally to a complete privacy policy that governs the activity. There’s no room — and no reason — for ambiguity.

No mention of retention (results of our policy review)

May 8, 2009

In the course of our research for privacychoice 2.0, we’ve been surprised at how hard it is to get a handle on the data retention policies of the ad and tracking networks.  This is despite the fact that data retention practices are a key disclosure point for consumer online privacy. The FTC principles called this out:

To address the concern that data collected for behavioral advertising may find its way into the hands of criminals or other wrongdoers, and concerns about the length of time companies are retaining consumer data, the FTC staff proposes:  Any company that collects or stores consumer data for behavioral advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.

Here’s what the NAI guidelines (PDF) require of their members:

Each member directly engaging in [Online Behavioral Advertising], a) Multi-Site Advertising and/or Ad Delivery & Reporting shall clearly and conspicuously post notice on its website that describes its data collection, transfer, and use practices. Such notice shall include clear descriptions of the following, as applicable: …  The approximate length of time that data used for OBA, vi. Multi-Site Advertisiisiising and/or Ad Delivery & Reporting will be retained by the member company.

In reviewing the policies of 63 targeting networks, here’s what we learned:

1. Most companies don’t disclose their retention timeframe, or do so obliquely.

Suprisingly, for 41 of the companies (nearly two-thirds), we could not find an express statement of how long consumer data is retained.  In the NAI membership, we could not find such a statement for any of these companies:

24/7 Real Media (WPP) (retention provisions added 12/09)
Audience Science (added two-year retention period 12/09)
Microsoft (subsidiary Atlas discloses a 2 year timeframe)
[x+1] (retention provision added 11/09)

Two of the other heavyweights in the NAI — Google and Yahoo! — have published information about their retention practices, in the press or on their blogs. (Here’s a round up of some of these statements.)  But as far as we could tell, they have not included an express timeframe in their privacy policies, where a consumer would expect to find it.

2. Retention periods vary widely, but the trend is toward a year or less.

Of those 22 networks who have put a time frame in their disclosure policies, there’s a wide range, but with accumulation at or below one year (particularly for the larger networks).

One year or less:  13
Over one year but not more than 2 years: 6
Three years: 2
Indefinite: 1

Special mention goes to Fetchback, which is clear in their disclosures that they retain the information indefinitely. Whatever you might think about that policy, at least the disclosure is clear and where a consumer would expect to find it.

For 41 other companies:  Until your policies are more clear, consumers and (yikes) regulators can fairly assume that you are also retaining and using the information indefinitely.

Behavioral targeting and the bottom line

May 6, 2009

Since behaviorally targeted advertising represents a fast growing share of the overall market, we’re starting to see interesting references here and there to its relative value and pricing. Here are a couple from quarterly earnings calls.

From the ValueClick Q1 2009 call (courtesy of Seeking Alpha), emphasis mine:

Tom Vadnais [CEO]

On the pricing issue, we don’t really disclose details on the pricing, but the way the scale works is that the normal CPM rates for display advertising without targeting and without vertical networks and so on, that tends to be the lowest price that we offer. But what advertisers are finding is using our technology. While is the price is higher, they are using targeting technology, the conversions are much higher, so the ROI for the investor or for the advertiser works out very well. So it’s a scale of without targeting, with targeting there is a higher price and then our vertical networks are higher price yet because you are dealing now with very targeted audience that we know is interested in the vertical that we are serving those ads for. So that’s kind of how the scale works, but we don’t disclose the specific numbers.

Youssef Squali – Jefferies & Co.

But just to get a sense of the magnitude, is it two times X? Or is it –?

Tom Vadnais

Yes, I am sure you can imagine, there isn’t like a rate card here that we use, everything is variable. But the targeting – all I can really say there is, it is higher, it’s certainly multiple higher than without targeting and that’s really isn’t as relevant as what the return on investment is that the advertiser is looking for. So it’s not really what you pay for the serving, it’s what you get at the end, that determines the return purchases. And there is still a demand for non-targeted display, but that demand is shifting over towards targeting.

Over on the Scripps Q1 call (also courtesy of Seeking Alpha), behavioral targeting via Yahoo! is where they see all of the growth:

Mark Contreras [SVP Newspapers]

Probably the biggest place where we’re seeing growth and the biggest contributor to that 30% growth in pure play is behavioral targeting with our Yahoo! partnership. All of the verticals – auto, real estate, help wanted even – are down, but our ability to sell behavioral targeting has really caught on with our advertisers and particularly with our sales forces. We compete in the consortium with other companies – we’re members with other companies, I should say – and we’re very proud of the results that we’ve driven so far. We’re kind of at the top of the consortium in terms of gross dollars sold in that. So that’s really what’s driving the pure play number the most.

How relevant is TRUSTe to behavioral targeting?

April 16, 2009

TRUSTe has established itself as the leading independent organization certifying the privacy practices of online providers. This list of companies that have obtained TRUSTe certification is indeed large, 2,400+ according to their site, and includes heavyweights like Yahoo! and Microsoft/MSN. TRUSTe certification is said to be something like the Good Housekeeping seal for consumer privacy.  In TRUSTe’s own words:

The TRUSTe seal means that the company whose Web site you are visiting takes your privacy seriously. We monitor the compliance of member businesses, provide an arena for you to file privacy violation complaints, and make sure these complaints are heard.

So, if behavioral targeting is a frontier for consumer privacy, you would expect ad networks and other BT companies to see TRUSTe certification as an important badge of honor, and also be prepared to submit to some oversight.

As it turns out, in our research on over 70 different tracking networks, far fewer than I expected have actually gone to the trouble to step up for TRUSTe certification. Among the larger players, Yahoo! and Microsoft appear to be certified by TRUSTe as to their ad network activities. Although AOL is TRUSTe certified as to the service, they maintain separate policies for their several ad networks, like, Platform-A and Quigo, and there’s no mention of TRUSTe in those brands (other than Tacoda). Recent heavyweight entrant to behavioral targeting, Akamai, has not been certified, nor has Quantcast (which is amassing quite a footprint across its network).  (By the way, among other tracking research companies, Omniture and Coremetrics have been certified, while Nielsen appears not to be.)

And among the smaller ad network players, only a handful (including among others AudienceScience, Fetchback, Nextag, and Media6degrees) are TRUSTe certified. Notable uncertified small players:  BlueKai, Collective Media, Adify, Fox Interactive Media, Turn and dozens of others.

Of course, the elephant in the room is (always) Google (including the massive DoubleClick and AdSense ad networks). Interestingly we found no mention of TRUSTe certification mentioned in their privacy policies or on TRUSTe’s list. Speaking cynically, I guess you wouldn’t expect behemoth Google to humble itself to a pesky third-party watchdog, even though Yahoo and Microsoft were willing to do so. 

For privacychoice 2.0, we’re still planning to allow users to opt-out only from networks that are not TRUSTe certified, since for many consumers, it’s good enough to now that a watchdog is involved. Unfortunately, it looks like that opt-out list will be a pretty big.  

For an industry claiming to be able to regulate itself, this doesn’t exactly inspire confidence.