In the last year, the idea of a “do not track” mechanism for web surfers has gained currency. The name invokes the idea of the do-not-call list for telemarketers, which those of us who prefer eating dinner undisturbed will be well familiar. With Google this week endorsing the concept via its Chrome web browser, will the idea catch on – and how can it protect your privacy?
Despite similar names, the privacy risks differ markedly between annoying telemarketers and online ad networks. In a process known as online behavioural advertising, these ad networks use cookies – persistent data sent and received by your web browser – to build up a profile of you as you surf the web. Although the web sites you use probably aren’t giving away your data, if several of them participate in the same ad network, that company will be able to ascertain that it was the same person, you, who visited them. They then use this information to piece together a profile about you and your interests. It happens constantly and is completely invisible to all but the most hyper-vigilant user.
They do this, of course, because this profile has monetary value. It allows networks to serve up more targeted ads, which have higher click-through rates and are thus more lucrative. So the scraping and collecting of your online tracking crumbs is not going to stop any time soon.
This practice raises significant privacy concerns. While many people are willing to share information about their likes and habits, few would be happy with it being surreptitiously gathered without their express consent. Over a period of time, these companies could build up a pretty complete picture of a person’s web browsing habits, and may even be able to link it to a real-world identity, as they admit themselves.
This threat has long drawn the concerns of privacy activists, and even the US Congress has debated the idea of a do-not-track mechanism to stem the practice. Legislation aside, several solutions are on offer to mitigate the risks.
The first involves using cookies themselves. An initiative called the Network Advertising Initiative, an attempt by industry to assuage concerns, allows users to set an “opt-out” cookie with each one of the dozens of participating advertising networks. These networks, in turn, look for the respective cookies and remove participating users from their behavioural ad programs.
This approach has a few major problems, the biggest of which is complexity. It relies on hundreds of cookies being set across the networks, cookies which can be deleted or forgotten, and must be re-set by a user. The scheme also requires the ad networks themselves to participate in good faith. It’s not always clear just what each of the participating companies do when they see the opt-out cookie.
The good news for users is that participating in this scheme is getting easier. Firefox has a variety of plugins available to manage the opt-out process, including the Beef Taco extension. With Google’s announcement this week, the Chrome browser now has good support for the NAI program. Using the “Keep My Opt Outs” extension, users are automatically opted out of all the NAI-participating networks, and don’t have to remember settings or check back to see the cookies are still set.
Google deserve some kudos for this, simply because they are one of the networks being opted out of. (Google owns DoubleClick, one of the largest ad networks involved.) We’re glad to see they are taking concrete steps when it comes to protecting privacy.
There’s room to improve the do-not-track approach. Due to the fragility of a cookie-based solution, and the requirement that ad companies specifically sign up to programs like the NAI, a different solution (involving HTTP headers) is fighting for industry recognition. In this scheme, your web browser would inform every web site it visited that you wished to opt out of any tracking program, whether you had been there before or not. This seems like a welcome addition to the conventions that govern web usage.
Unfortunately, none of this means users are will be in the clear and free from privacy threats. Removing persistent tracking mechanisms is getting harder and harder, with many alternatives to cookies being exploited by advertisers. Less scrupulous advertisers, whether they claim to respect do-not-track or not, will still have many different ways of tracking you and exploiting that information. Perhaps privacy enhancing technologies will get an edge in the technological arms race for a time, but the battle over ad dollars is likely to be waged for the foreseeable future.