The Digital Advertising Alliance, an industry group of digital ad-related associations, earlier this week pulled out of an international working group that has worked for over two years to define a Do Not Track policy.
Withdrawal of the group, which includes a wide range of digital ad placement networks, Yahoo and Google, highlights significant dissension about what constitutes the most effective way to support a digital economy based on precision targeting and marketing of goods and the rights of its customers to give out – or not – information about their participation in that economy and the Web itself.
What’s at stake:
Billions of dollars in online advertising revenue and the shape that digital advertising will take in the future. Consumer privacy and protection from unwanted tracking and collection.
In 2012, Internet ad revenue came out to over $36.5 billion, a 15 percent increase from 2011. In the first quarter of 2013, digital ad revenues hit $9.6 billion, a 15.6 percent increase from the first quarter in 2012. According to advertisers, limitations of their ability to collect and use consumer browsing information would be severely detrimental to business. The digital advertising ecosystem consists not only of consumers and advertisers, but also of third-party data collectors who obtain and sell information about consumers to advertisers who go on to use it for ad targeting purposes.
But, consumer advocates and to a lesser extent, government regulators, believe that in its current form, the information collected, and the methods of collection, threaten the state of individual privacy. Certainly, recent outrage over disclosures that the government’s PRISM program, which appears to collect data about online users from the servers of cooperating Web companies, support the notion that not all consumers are comfortable with the idea of allowing strangers possession of such information. Online data brokers have collected and sold information on more than 500 million consumers, by one estimate. Information collected can include:
Details about major life events, such as birthdays, deaths or weddings
Browsing history and shopping habits
Social media information
Publicly available information from court records, phone history, address history, email addresses, property records, voter registration records, criminal records, birth date, work history, education history, business records and more
Date of birth, race, religion, language, home value, household information, political party and more
Research has also shown that even if information is collected anonymously, with possession of a zip code, gender, and birth date, it’s simple to deduce actual identity. Aside from privacy concerns, there are more concrete consequences. A woman in Boston failed to get a drugstore job after an inaccurate profile was submitted to employers . Online research found she had had 14 felony convictions. But the rap sheet belonged to another woman with the same first and last name, who lived nearby.
Advertisers, on the other hand, argue that consumers would prefer to give up information on their normal activities online, in return for more relevant advertisements. They also posit that such mechanisms are crucial to the way that online advertising works.
According a study commissioned by the Interactive Advertising Bureau, this ecosystem contributed $530 billion to the U.S. economy in 2012, measuring statistics such as jobs that depend on the existence of the Internet, the worth of services provided by the Internet (retail, Internet access, and advertising) as well as the value of time spent online by users.
The interests involved in forming a Do Not Track policy seem to recognize the importance of consumer privacy, as well as the importance of the online economy. But they don’t seem to be able to agree on some of the key issues at base of the matter. The working group has been plagued by delays and pushed deadlines. Even former chairman Peter Swire admitted, "I no longer see any workable path to a standard that will gain active support from both wings of the Working Group.”
Other countries have found more success in enacting Do Not Track-like policies. In South Korea, websites are blocked from collecting and using the resident registration numbers that are used for online identification. In Europe, legislators are currently pushing for regulations that would allow all individuals to delete their online information, as a basic human right. Even in the US, California legislature recently passed several bills that would require companies to disclose how their website responds to “do not track” signals, and to disclose whether third parties on the site can collect information about the user’s activities on the web over time.
In the meantime, Google, which controls about a third of online advertising, appears to be creating its own alternative to the “cookies” that websites typically use to track users and what they do. Its name: AdID.
Developing a Do Not Track policy and system that works for both individuals and businesses has proven maddeningly difficult, as proven by the pullout this week of the Digital Advertising Alliance from the working group assigned to the task by the World Wide Web Consortium, the international organization that sets standards for it.
Developing an approach that marketers, manufacturers, service providers and consumers all can use and feel protected by will include a large dose of Web-wide wisdom.
- A clear definition of tracking. The definition should not change as technology behind the Web changes.
- Opting out is a right. Advertisers and consumer advocates seem at least to agree on the point that if a consumer wants out of the system, they should be allowed out. “Consumers who care about data collection and privacy should absolutely have a choice control and an option to opt out,” says Marc Groman, Executive Director of the Network Advertising Initiative. “The disagreement is that some people suggest that everybody wants out.”
- Make sure more than just cookies are covered. If so, choice based opt-out solutions should work to cover all the forms of tracking and collection that are used, not just cookies. While cookies are dominant today, newer forms of technology including evercookies, which can identify a client even after they’ve deleted all their other cookies, and device fingerprinting, which can use unique characteristics of browsers and the machines that use them to tell them apart. “There are new ways of collecting information all the time,” says Jeff Chester, executive director of the Center for Digital Democracy.
- Decide if each unique individual really needs a unique identifier. “The thing EFF cares the most about is user unique identifiers that would allow the compilation of complete browsing histories,” says Lee Tien, Senior Staff Attorney with the Electronic Frontier Foundation. “What about a system where you essentially use bucket profiles or bucket identifiers? So you know that I’m a gardening enthusiast, and that I’m Asian, and maybe two or three other facts, but no unique identifier so that the cookie doesn’t point directly to you and ads are targeted based on preference but not identity.” But this proposal, which did come up in the working group, “didn’t get very far in the process.” According to advertisers, these identifiers are “critical” for conversion tracking and frequency tracking -- measures of an ad’s success. However, Jonathan Mayer, a Stanford grad student who has worked with both Mozilla and the W3 Consortium, has suggested ways to measure advertising impressions, cap frequencies and implement behavioral targeting without using tracking. This works by storing the relevant information on an individual’s own machine. But the information is cached in such a way as to make it available for querying. The costs involved in extending algorithms that conduct queries across all devices using the Internet are, of course, unclear.
- Make “opting-out” efficient. Different tools of varying efficiencies exist to prevent the collection of information on Web users, though none of them can actually completely stop all data collection. Data collectors all have opt-out pages, which may not stop them from actually collecting the data, but might stop them from giving it out in certain circumstances. The DAA also has an opt-out page. Browser add-ons such as Ghostery and DoNotTrackMe also block trackers. Do Not Track adds an hypertext protocol header to a browser that tells companies that you do not want to be tracked. The problem: Not everyone listens. Browsers, including Chrome, Safari, Internet Explorer and Firefox, also offer Do Not Track settings. Google’s AdID, as described, would let users have multiple anonymous IDs that they could use for both private browsing (and set to block everything) and everyday browsing, although some suggest that this will ultimately end up handing over more power to the online ad giant in making them the gatekeepers between advertisers and consumers.
- Get all parties to the table. Those involved in Do Not Track talks have admitted one basic, major failing of the group -- the lack of representation for parties who are perhaps most affected by the outcome. That includes both the consumers being targeted as well as the major brands, like Coca Cola or Ford, who are spending the advertising dollars. “The whole system is to cater to them and yet they’re not in the room. That’s kind of a problem,” says Tien. Groman also notes that small publishers, who need advertising for their main revenue, and agencies, who work with consumers and brands, also have had no opportunity to voice their opinion. “The stakeholders in the room really represent a small fraction of who’ll be impacted,” Groman says. “It’s really unfortunate.”
- Enforce whatever rules result. “Can companies second-guess your Do Not Track signals? For example, is it okay to ignore your setting if it was enabled by antivirus software or during browser installation?,” asks Mayer. At the moment, even if you’re sending out Do Not Track signals, companies can choose to ignore them. So, what does a standard mean if no one follows it? At the NAI, failures to comply with self regulation carry heavy penalties. Members of the group go through a compliance audit every year, are subject to submitted complaints, and are monitored all year. They have documented sanction and accountability procedures that could result in public naming in the NAI’s compliance review, temporary or permanent suspension of membership or even referral to law enforcement.
The digital advertising ecosystem so far has proven resistant to curbs on tracking. And advocates of privacy protections have little incentive to compromise their thinking.
“Both advocates and advertisers think they can win an all-out shooting war,” says Justin Brookman, Director for Center For Democracy and Technology’s Project on Consumer Privacy, as well as one of two co-chairs for the Tracking Protection Working Group along with Carl Cargill from Adobe. “We’ve been at this for a couple of years now. We’re not going to get a solution that pleases everybody.”
Right now, advertisers and privacy advocates can’t seem to agree on anything. In its parting email, the Digital Advertising Alliance wrote, “rather than continue to work in a forum that has failed, we intend to commit our resources and time in participating in efforts that can achieve results.”
One source of disagreement is over what “harm” tracking actually constitutes.
“If you asked people to define the problem you might get a different answer from every member of the group,” says Marc Groman, Executive Director of the Network Advertising Initiative. “There’s a real competitive issue here where we’re threatening the diversity of the Internet and the small and medium publishers who rely on advertising.”
Of course, privacy advocates see it differently.
“It’s an ethical issue for a number of us. The bottom line is that a person’s privacy needs to be protected. This is not a fight about data, it’s about information that affects your personal life and we need to figure out where those lines are” says Jeffrey Chester, executive director of the Center for Digital Democracy. “The industry doesn’t want to go there because they don’t want anything to interfere with the digital data golden goose that they’ve created without public debate.”
Advertisers seem, for the most part, satisfied with the kind of tools that are already available to consumers. Even if they would be open to improving them, they don’t seem necessarily interested in finding new or different ways to enforce the blocking of tracking.
“Twenty five million people have come to our site and more than a million have opted out,” says Dan Jaffe, Group Executive Vice President, Government Relations for the Association of National Advertisers. “The system works. No one else has a system, or enforcement or an international program. We are putting consumer choice first.”
But not everyone agrees that the system is working as it should: Which is why the working group has not disbanded.
“The current draft [of the proposal] is not as robust as some of the advocates would like and includes limitations that advertisers don’t like,” says Brookman. “It’s the right direction for a standard.”
Amy Lee is a business and technology reporter for CruxialCIO. She has written on technology for the Huffington Post and is a 2010 graduate of Yale University in English and writing.