Online Tracking and Behavioral Profiling

Introduction

This page provides an overview of the current state of online tracking and behavioral profiling and advertising. This page will also follow the debate over the creation of a Do Not Track mechanism.

The world of online tracking has grown increasingly complicated and poses a great threat to consumer privacy. Marketing has come a long way from telephones, and online advertisers use a variety of web-based tactics to track consumers' online behavior and target ads based on that behavior.

Latest News

  • National Do Not Call Registry Tops 217 Million Phone Numbers: According to the 2012 "National Do Not Call Registry Data Book", the number of actively registered phone numbers is up, but so too is the number of consumer complaints about unwanted telemarketing calls. The FTC has continued to receive large numbers of consumer complaints about robocalls even though most telemarketing robocalls have been illegal since September 2009. EPIC supported establishment of the Do Not Call Registry, and recommended to Congress in 2010 that an effective Do Not Track initiative would need to ensure that a consumer's decision is "enforceable, persistent, transparent, and simple." For more information, see EPIC: Telemarketing and the Telephone Consumer Protection Act and EPIC: Online Tracking and Behavioral Profiling. (Oct. 17, 2012)
  • Survey Finds Widespread Consumer Concerns about Online Privacy: A national survey by Consumer Reports found that most consumers had serious concerns about their online privacy and about the collection and use of their personal data. 71 percent of respondents said they were very concerned about companies disclosing their information without their permission; 65 percent of smartphone owners were very concerned that apps could access their contacts, photos, and location data without their permission; and 53 percent were concerned about data about their online activities and purchases being used to deny employment or loans. For more information, see EPIC: Public Opinion on Privacy. (Apr. 4, 2012)
  • Report: Internet Privacy Tools Generally Fail at Protecting Privacy: A recent report by Carnegie Mellon University finds that internet privacy tools designed to protect consumers from online behavioral advertising are ineffective because they are difficult for users to understand and to configure. The researchers investigated whether users could protect themselves from online tracking by utilizing the privacy settings on popular web browsers, such as Firefox and Internet Explorer. The report also analyzed privacy tools such as Adblock Plus and IE9 Tracking Protection. The report found that the settings are confusing and that users are unable to make informed decisions. Further, unbeknownst to the average user, internet privacy tools' default settings largely fail at blocking online tracking. For more information, see EPIC: Online Tracking and Behavioral Profiling. (Nov. 1, 2011)
  • US and European Consumer Groups Oppose Latest Industry Proposal for Self-Regulation: The Transatlantic Consumer Dialogue has sent a letter to U.S. and European Union officials, urging them to reject an advertising industry proposal to protect online privacy through self-regulation. The industry proposal relies on opt-out techniques that force consumers to click on small icons, hidden on the websites they visit. The TACD letter described the icon regime as “inadequate,” and said that it “is an insufficient means of [giving] notice to a user about the wide range of data collection that they routinely face.” In 1998, EPIC conducted the first evaluation of industry self-regulation to protect online privacy and concluded that "Notice is Not Enough." For more information, see EPIC: Online Tracking and Behavioral Profiling, and EPIC: FTC. (Sep. 9, 2011)
  • Do Not Track Bills Introduced in Congress, Move Forward in California: Rep. Markey (D-MA) and Rep. Barton (R-TX) released a discussion draft of the "Do Not Track Kids Act of 2011." This Act establishes enhanced protections for the use and disclosure of the personal information of children and teens online. In February, Rep. Speier (D-CA) introduced the broader Do Not Track Me Online Act. And in California, the Senate Judiciary Committee voted to move its Do Not Track bill, SB 761, to the next stage in the Appropriations Committee. EPIC submitted a statement to Congress saying that an effective Do Not Track initiative must ensure that a consumer's decision to opt-out is "enforceable, persistent, transparent, and simple." For more information, see EPIC: Online Tracking and Behavioral Advertising. (May 6, 2011)
  • Senators Kerry and McCain Introduce Internet Privacy Legislation: Senators John Kerry (D-MA) and John McCain (R-AZ) have introduced the "Commercial Privacy Bill of Rights Act of 2011," aimed at protecting consumers' privacy both online and offline. The Bill endorses several "Fair Information Practices," gives consumers the ability to opt-out of data disclosures to third-parties, and restricts the sharing of sensitive information. But the Bill does not allow for a private right of action, preempts better state privacy laws, and includes a "Safe Harbor" arrangement that exempts companies from significant privacy requirements. EPIC has supported privacy laws that provide meaningful enforcement, limit the ability of companies to exploit loopholes for behavioral targeting, and ensure that the Federal Trade Commission can investigate and prosecute unfair and deceptive trade practices, as it did with Google Buzz. For more information, see EPIC: Online Tracking and Behavioral Profiling and EPIC: Federal Trade Commission. (Apr. 12, 2011)
  • Federal Trade Commission Extends Deadline for Comments on Privacy Report: To provide business groups more time to express their views on consumer privacy, the FTC has extended the deadline for submitting comments on the agency's Internet privacy report to February 18th. The preliminary staff report "Protecting Consumer Privacy in an Era of Rapid Change: a Proposed Framework for Businesses and Policy Makers" recommends the creation of a Do Not Track mechanism, the adoption of "privacy by design" techniques, and the use of simplified consumer privacy notices. However, the FTC's report did not address the privacy implications of cloud computing and social networking, the need for a US privacy agency, or a comprehensive federal privacy law based on "Fair Information Practices," as privacy groups had urged. For more information, see EPIC: Federal Trade Commission and EPIC: Online Tracking and Behavioral Profiling. (Jan. 24, 2011)
  • Gallup Poll Shows Public Opposed to Online Tracking: A new Gallup poll reveals that 67% of U.S. Internet users do not believe advertisers should "be allowed to match ads to your specific interests based on websites you have visited." Even when confronted with the idea that these targeted ads could keep costs down for users, 61% of those polled said these tracking techniques are "not worth the invasion of privacy involved." These results indicate that the public may support a Do Not Track mechanism, which the Federal Trade Commission recommended establishing in its privacy report. EPIC submitted a statement to Congress saying that an effective Do Not Track initiative must ensure that a consumer's decision to opt-out is "enforceable, persistent, transparent, and simple." For more information, see EPIC: Online Tracking and Behavioral Profiling. (Dec. 22, 2010)
  • EPIC Advises Congress on Do Not Track Proposal: EPIC submitted a statement to the House Energy and Commerce Committee, following a hearing on "Do Not Track Legislation: Is Now the Right Time?" Congress is considering proposals that would enable users to opt-out of third-party web tracking, including behavioral advertising. EPIC recommended that Congress review the lessons learned from the history of the Do Not Call List and the Telephone Consumer Protection Act. EPIC said that an effective Do Not Track initiative must ensure that a consumer’s decision to opt-out is "enforceable, persistent, transparent, and simple." For more information, see: EPIC: Online Tracking and Behavioral Advertising. (Dec. 10, 2010)
  • Federal Trade Commission Recommends Do Not Track, Privacy by Design, and Short Privacy Notices: The Federal Trade Commission released a preliminary staff report on privacy, following a series of public roundtable discussions. The report recommends the establishment of a Do Not Track mechanism, the adoption of "privacy by design" techniques, and the use of simplified consumer privacy notices. However, the FTC report did not address the privacy implications of cloud computing and social networking, the need for a US privacy agency, or a comprehensive federal privacy law based on "Fair Information Practices," as privacy groups had urged. For more information, see EPIC: Federal Trade Commission. (Dec. 2, 2010)

Background

There is a giant chasm between the type of tracking that companies are engaged in on the web and what people know or think is occurring. The general public has very little idea that every second they are on the Internet, their behavior is being tracked and used to create a "profile" which is then sold to companies on "stock-market-like" exchanges. According to a Wall Street Journal study, the nation's top fifty websites installed an average of 64 pieces of tracking technology onto the computers of visitors, usually without warning, for a total of 3,180 tracking files. A dozen sites installed more than a hundred. Two-thirds of those files were installed by 131 companies that are in the tracking and online consumer profiling business.

Online tracking is no longer limited to the installation of the traditional "cookies" that record websites a user visits. Now, new tools can track in real time the data people are accessing or browsing on a web page and combine that with data about that user's location, income, hobbies, and even medical problems. These new tools include flash cookies and beacons. Flash cookies can be used to re-install cookies that a user has deleted, and beacons can track everything a user does on a web page including what the user types and where the mouse is being moved.

Advertisers are no longer limited to buying an ad on a targeted website because they instead pay companies to follow people around on the internet wherever they go. Companies then use this information to decide what credit-card offers or product pricing to show people, potentially leading to price discrimination.

This type of data collection violates several Fair Information Practices (FIPs). These online tracking companies have no transparency - so there is no way for a user to access the data being collected about him or her, or correct any inaccuracies. And even if users were to somehow be able to find out what information was being collected, they have no control over what the data collecting companies subsequently do with that information.

According to the Consumer Federation of America and Consumers Union, "there is a fundamental mismatch between the technologies of tracking and targeting and consumers' ability to exercise informed judgment and control over their personal data." The information being collected online is not information that consumers voluntarily share with these tracking companies or online advertising businesses. There are no regulations or limits on what can be collected.

Very sensitive information is often collected, including health and financial data. One company, Healthline, lets advertisers track people with bipolar disorder, overactive bladder, or anxiety - producing ads related to those conditions targeted at specific people. Advertisers collect, use, and sell social security numbers, financial account numbers, and information about sexual behavior and sexual orientation with no controls or limits.

Another consequence of online data collection is the possibility that all these "anonymized" pieces of data could actually be used to identify a person. In the Wall Street Journal, a researcher described how all that is needed to "de-anonymize" data is 33 "bits" of information (some more valuable than others) - and one exemplar website transmitted 26.5 bits of information about a user - enough to narrow the user down to one of just 64 people in the world.

DO NOT TRACK

The idea of a Do Not Track mechanism was first proposed in 2007 as a response to the online tracking and targeted advertising described above. Originally, the idea was for it to be modeled on the Do Not Call registry that the Federal Trade Commission (FTC) administers. The proposal has evolved since then, and is currently being debated in Congress, at the FTC, and amongst advocacy groups and industry.

The most recent idea, proposed by researchers at Stanford, is the browser-header approach. In this approach, a user's browser sends a signal to a website that the user wants to opt-out of being tracked. It does so using an HTTP "header." "Whenever a web browser requests content or sends data using HTTP, the protocol that underlies the web, it can optionally include extra information, called a 'header,'" explain the Stanford researchers.

This mechanism "employs a decentralized design; it thus avoids the substantial technical and privacy challenges inherent to compiling, updating, and sharing a comprehensive registry of tracking services or web users." Jonathan Mayer, one of the principal Stanford researchers, stated that while it operates differently, the Do Not Track registry, "much like the popular Do Not Call registry . . . provides users with a single, persistent setting to opt out of web tracking."

Yet, in order to be effective, advertising companies will have to actually “listen” to this do not track signal being sent from users' browsers. According to the Stanford researchers, there are a variety of ways that this could be enforced, including self-regulation, "supervised self-regulation or 'co-regulation,' to direct regulation by an entity such as the FTC."
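
What "listening" to the signal can look like on the server side, as an added example that is not from the Stanford proposal or from EPIC: a WSGI middleware that withholds tracking cookies when the browser sends the Do Not Track header. The cookie name tracker_id and the demo application are hypothetical; the header name DNT with the value 1 is the one browsers that implemented the proposal send.

```python
# Added example: WSGI middleware that honors the Do Not Track request header.
# Assumptions (not from the page): cookie name "tracker_id" and demo_app are
# hypothetical; "DNT: 1" is the opt-out value browsers send.
TRACKING_COOKIES = {"tracker_id"}


def dnt_opted_out(environ):
    """True when the browser sent DNT: 1 (WSGI exposes it as HTTP_DNT)."""
    return environ.get("HTTP_DNT", "").strip() == "1"


class HonorDoNotTrack:
    """Strip tracking Set-Cookie headers when the user has opted out."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        opted_out = dnt_opted_out(environ)

        def filtered_start(status, headers, exc_info=None):
            kept = []
            for name, value in headers:
                cookie = value.split("=", 1)[0].strip()
                if (opted_out and name.lower() == "set-cookie"
                        and cookie in TRACKING_COOKIES):
                    continue  # do not assign a profiling identifier
                kept.append((name, value))
            kept.append(("Vary", "DNT"))  # caches must not mix the two variants
            return start_response(status, kept, exc_info)

        return self.app(environ, filtered_start)


def demo_app(environ, start_response):
    """Constructed app: one functional cookie, one tracking cookie."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "session=abc; HttpOnly"),
        ("Set-Cookie", "tracker_id=u-12345; Max-Age=31536000"),
    ])
    return [b"ok"]


def cookies_set(environ):
    """Run demo_app behind the middleware; return the cookie names it sets."""
    seen = []
    app = HonorDoNotTrack(demo_app)
    list(app(environ, lambda status, headers, exc_info=None: seen.extend(headers)))
    return [v.split("=", 1)[0] for k, v in seen if k.lower() == "set-cookie"]
```

The header is only a request: nothing in the browser can verify that the server dropped the identifier, which is why the enforcement question discussed here matters.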

The FTC recently released a privacy report that endorsed a Do Not Track mechanism but stopped short of discussing how such an approach would be made effective. The report asks for comments on how Do Not Track would be implemented, but does explain that the most "practical method . . . would likely involve placing a setting similar to a persistent cookie on a consumer's browser and conveying that setting to sites that the browser visits." The FTC report also states that "there must be an enforceable requirement that sites honor those choices" but is vague on the details of how such enforcement would occur.

Legislation

The California Senate is considering a Do Not Track bill. The bill requires websites based in California to give Internet users the right to avoid having their online activities tracked, stored, or sold. Sites that do not comply with the bill could face civil legal action.

Rep. Speier (D-CA) introduced the "Do Not Track Me Online Act" in February 2011.
