How do you feel about your Web-browsing activity being tracked?
During a visit to any given website -- including this one -- the average user's browser may execute a dozen or more tracking scripts, each with its own associated tracking cookie, stored on the user's computer. This enables website publishers and ad distribution networks to record a visitor's online activity and then serve up "interest-based" or "behaviorally targeted" ads -- customized messaging based on that activity.
The benefit to website producers is that targeted ads can be sold to advertisers at higher rates because, presumably, they will be more effective than the traditional banner ads that have long been used on websites. Ad networks generally do the tracking by placing a cookie on consumers' computers when they visit a participating publisher's website. The industry refers to these as "third-party cookies" because the ad network is a third party to the relationship between the user and website publisher. Users are typically unaware that they're being tracked -- and that has made the practice controversial.
[Concerned about your privacy? Check out our three-part series: The paranoid's survival guide.]
There are disagreements even among those who depend on website advertising. While digital ad networks and many website publishers push forward with the practice, some publishers remain cautious. "They get more money from more targeted ads, but they also have brand [reputation] considerations," says Justin Brookman, director of consumer privacy at the Center for Democracy and Technology. He's also co-chair of the World Wide Web Consortium's (W3C) Tracking Protection Working Group, which is developing a Do Not Track (DNT) standard for the industry.
"Do they want to be seen as enabling third party tracking?" Brookman asks. "They're a little more cautious around perceptions than are the third-party ad networks."
Here's how the practice of tracking affects both consumers and website publishers -- and what each side of the equation is doing to try to fix matters.
Whys and wherefores of Do Not Track
In 2011, Do Not Track (DNT) technology was introduced as a method to ensure user privacy. DNT is an optional browser feature that signals advertisers to not track the user's Web activity. It does this by sending an HTTP header with the syntax DNT:1 to every website the browser visits.
The W3C working group was supposed to develop a standard to define what DNT means and how ad networks should respond, but made little progress for the first two years. So while the DNT signal was eventually adopted by most major browsers, many Web publishers and advertisers have been ignoring any privacy requests sent by the signal.
That has left consumers who don't want to be tracked with a more drastic option: Turn on the third-party cookie blocking setting in the browser and install special browser add-on software that prevents tracking scripts from running (because not all tracking is cookie-based).
It's not a complete solution, however. Anti-tracking tools defend against tracking only by third-party advertising networks that deliver ads through the content publisher's website -- although the tools do block all third-party requests, whether from ad networks, social media or analytics companies. The tools don't prevent any tracking by a "first party" -- the publisher of the site or any affiliated advertising networks it owns.
Replacing the cookie
While cookies assign a unique identifier to a user's browser, they can't easily be used to track the user's activity across different devices or even across different browsers running on the same computer. New techniques, such as those recently disclosed by Facebook, Google and Microsoft, will assign a unique identifier to each type of device the user has and link those together to track activity across all of the devices the person uses. These new tracking mechanisms, if they catch on, could be used across each vendor's ecosystem -- and beyond.
Other advertising networks have also been working with statistical identification methods -- browser and device "fingerprinting" techniques -- that don't require the presence of a cookie file.
Meanwhile, as user awareness has increased, so has the level of discomfort with the idea of having all of one's online browsing activity recorded -- particularly by third-party advertising networks that consumers don't know and with whom they have no relationship.
And as the number of tracking scripts has increased, so has the bandwidth consumed when the user attempts to load the page. "Up to 26% of bandwidth goes to loading trackers," says Sarah Downey, privacy advisor at Abine, the distributor of a free anti-tracking add-on program called DoNotTrackMe. According to Downey, the percentage comes from a 2012 Web crawling exercise conducted by Abine.
"As the industry moves toward stealthier methods of tracking [such as device and browser fingerprinting], the only way we can reliably prevent tracking is to block entire requests," says Brian Kennish, co-CEO of Disconnect. Tools like Disconnect take the draconian step of blocking requests to third-party ad networks to deliver an ad when the user visits the site -- which means even a non-targeted ad can't be delivered to the user.
In contrast, a universally accepted Do Not Track mechanism would still allow third-party advertising networks to substitute a contextually appropriate ad for a behaviorally targeted one (e.g., a game ad for users on a gaming site) rather than cutting off the request entirely. "We'd prefer a more subtle solution where we don't have to throw out the entire request," Kennish says.
"It's a very blunt tool. That's why we're trying to find a middle ground with Do Not Track," says the Center for Democracy and Technology's Brookman.
The DNT controversy
W3C formed the Tracking Protection Working Group in 2011. Its mission is "to improve user privacy and user control by defining mechanisms for expressing user preferences around Web tracking and for blocking or allowing Web tracking elements."
But debate among the members of the organization -- which include privacy advocates, Web publishers, advertising networks and many others -- has been contentious, culminating last year with some well-publicized resignations on both the consumer and advertiser sides of the debate.
More recently, the group has been making slow progress on its Tracking Preference Expression standard, which determines the syntax and meaning of the DNT signal. This specification should be ready to be released this spring, according to Brookman. But that may turn out to be the easy part. The group still needs to agree on the Tracking Compliance and Scope specification, which deals with what actions ad networks must take to comply with the DNT request -- and that is still controversial, he says.
For the third-party advertising networks in particular, the DNT discussions represent a potential crisis. Eliminating all tracking is unfair, says Mike Zaneis, senior vice president of public policy at the Interactive Advertising Bureau (IAB), a trade organization for website publishers and online ad sellers; Zaneis is also the IAB representative to the W3C Tracking Protection Working Group.
Advertisers increasingly pay based not on whether users view an ad but whether they respond to it. "You need a way to track user interactions, both on the publisher page and throughout the purchase process. This represents basic accounting and measurement practices for digital advertising," he says.
Not unexpectedly, privacy advocates disagree. "We don't want to break the Web," Abine's Downey says, but adds that users should have a choice as to whether to share -- and with whom. "The industry has created a default where you're followed wherever you go by hundreds of companies."
And the information gathered isn't used to just deliver behaviorally targeted ads, she says, but can be used in other ways, resulting in lower credit scores, price discrimination on e-commerce sites based on your tracking profile or higher insurance premiums. (Downey keeps a running list of examples of such abuses.) "You don't have a say in any of this," she says. Users, she explains, should have a choice when it comes to tracking.
But they do have a choice, argues Zaneis. While no global Do Not Track program is available yet, many publishers and advertising networks allow users to opt out of interest-based advertising for individual sites and services. In addition, the Digital Advertising Alliance's Ad Choices program lets consumers opt out of receiving interest-based advertising from the trade group's 118 members, which include third-party ad networks. And when users opt out, he says, members also agree to stop tracking their online activity.
Is the W3C working group working?
What the W3C's working group was supposed to deliver is that global option -- a choice for users in the form of a universally recognized Do Not Track option that, when turned on, would enable the browser to communicate a Do Not Track signal to publishers and ad distribution networks. The browser vendors were to offer the feature and the working group was to develop the standards dictating what Do Not Track means and how advertisers should respond.
All organizations would then be obligated to honor the user's request, following the specifications laid out by the working group. For instance, Brookman says, "you can't [manually] opt out of every single tracking company. You need a global opt out."
But the effort has bogged down. Since its founding, the working group's membership has ballooned to more than 100 voting participants that represent a wide range of competing constituencies -- including consumers, Web publishers, ad networks, browser vendors, ISPs, cable companies and others.
Until recently, the group hadn't even been able to agree on the basic definitions behind Do Not Track, says group member Mark Groman, president and CEO of the Network Advertising Initiative, a self-regulatory industry association that counts 95 advertising companies as members.
"What does it mean to track -- or not track? What is a first party versus a third party?" And, he adds, does Do Not Track mean "don't gather any information on the user at all," or "don't deliver behaviorally targeted advertising based on that data"?
Last fall, Groman says, they were still having discussions over how to define the words "collection" and "sharing." "That presents a real problem when you're trying to develop a standard," he says.
"Instead of defining what we wanted to control, we delved right into the minutiae," says the IAB's Zaneis. But Brookman, who joined the group in 2011 and became co-chair in September, says the group finally has agreed upon definitions, including the terms "tracking," "collect" and "share." The group has "only a couple unresolved issues that we're working out in the technical document, and then we'll proceed to last call," which is the last opportunity for public input before the standard is approved, he says.
"Perhaps those should have been nailed down earlier, but they are the first things we are settling under the new plan to move forward," he says.
The gathering of some tracking data, such as screen resolution, IP address and referring URL, is required for the basic operation of the Web. But how much information is acceptable to users, and needed or just wanted by the advertisers who are funding commercial websites? "We're trying to walk through what is the least amount you can collect and retain while still allowing the third-party ad ecosystem to work," Brookman says.
"We don't need to tell the Web server nearly so much as we do right now," says Jonathan Mayer, a Stanford University grad student and former working group member. "We can limit it to the bare bones required for the Internet to do its thing."
Mayer has a strong bias against the retention of tracking data by third-party ad networks and has been at the center of some of the more contentious exchanges within the working group. "I don't want companies I've never heard of keeping track of where I go on the Web," he says flatly.
"One side wants the cessation of data collection for any purpose. The other side wants the status quo. It's difficult to rectify those positions, particularly when those tend to be the loudest voices in the room," says Alan Chapell, president of Chapell & Associates, a consumer privacy law firm serving the advertising industry, and working group member.
Then there's the issue of what actions would be required when the ad network receives a Do Not Track signal -- and at what point DNT policy actually applies. For example, should a Do Not Track policy pertain to tracking for all purposes, including market research by firms such as The Nielsen Company, or just for the delivery of those behaviorally targeted ads?