Focusing public attention on emerging privacy and civil liberties issues

Online Tracking and Behavioral Profiling

Introduction

This page provides an overview of the current state of online tracking and behavioral profiling and advertising. This page will also follow the debate over the creation of a Do Not Track mechanism.

The world of online tracking has grown increasingly complicated and poses a great threat to consumer privacy. Marketing has come a long way from telephones, and online advertisers use a variety of web-based tactics to track consumers' online behavior and target ads based on that behavior.

Latest News

  • EPIC Seeks Records on FTC "Sign-off" for Facebook Changes: EPIC has filed a FOIA request with the Federal Trade Commission, seeking records related to Facebook's decision to collect users' internet browsing history for advertising purposes. Previously, Facebook collected user data from facebook.com and mobile apps. Now, Facebook plans to collect user data from sites all over the web. Facebook claims that the FTC was briefed about the change beforehand. However, the plan may violate a Federal Trade Commission order prohibiting Facebook from changing its business practices without users’ express consent. Through the FOIA request, EPIC seeks information about the FTC's review of Facebook's plans to monitor users. For more information, see EPIC: Facebook Privacy, EPIC: Online Tracking and Behavioral Privacy, and EPIC: Practical Privacy Tools. (Jun. 20, 2014)
  • Facebook to Profile User Browsing, May Violate FTC Consent Order: Facebook has announced that it will collect detailed browser history on users for advertising purposes. Users who object were told to opt out. The plan may violate a Federal Trade Commission order, prohibiting Facebook from changing its business practices without users’ express consent. The FTC order follows from complaints filed by EPIC and other consumer privacy organizations in 2009 and 2010. In issuing the order, the FTC found that Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." A recent Consumer Reports poll found that consumers overwhelmingly object to having their online activities tracked for advertising purposes. For more information, see EPIC: Facebook Privacy, EPIC: FTC Facebook Settlement, EPIC: Online Tracking and Behavioral Profiling, and EPIC: Practical Privacy Tools. (Jun. 12, 2014)
  • Consumer Reports: 85% of Shoppers Oppose Internet Ad Tracking: According to a recent study by Consumer Reports, consumers overwhelmingly object to having their online activities tracked for advertising purposes. The report found that 85% of consumers would not trade even anonymized personal data for targeted ads. Additionally, 76% of consumers said that targeted advertising adds "little or no value" to their shopping activities. For more information, see EPIC: Public Opinion on Privacy, EPIC: Privacy and Consumer Profiling, EPIC: Online Tracking and Behavioral Profiling, and EPIC: Practical Privacy Tools. (May 20, 2014)
  • Gov. Brown Signs New California Privacy Laws: California Governor Jerry Brown has signed several new Internet privacy bills into law. Assembly Bill 370 amends the California Online Privacy Protection Act by requiring that businesses disclose how they respond to Do Not Track signals or other mechanisms used by consumers to prevent the surreptitious collection of their browsing history. The Governor has also signed Senate Bill 568, which provides for an "eraser button" that would require websites to allow minors to remove their own information. Finally, California has enacted Senate Bill 255, which prohibits "revenge porn": the posting of explicit images or videos without the victim's consent. The passage of these laws has led many to observe that California is "driving Internet privacy policy." For more information, see EPIC: Online Tracking and Behavioral Advertising and EPIC: Children’s Online Privacy. (Oct. 9, 2013)
  • Pew Survey Finds that Vast Majority of Americans Take Steps to Maintain Privacy Online: A recent survey by the Pew Research Center's Internet Project has discovered that 86 percent of Americans take steps to conceal their actions or identities while online. The survey also found that 21 percent had an email or social networking account compromised or taken over by someone else without permission. Furthermore, the majority of respondents believe that "current laws are not good enough in protecting people's privacy online." Other Pew surveys have found that most teens were taking steps to protect their privacy, that a majority of parents were concerned about their children's online privacy, and that users were becoming more active in managing their social media accounts. For more information, see EPIC: Public Opinion on Privacy. (Sep. 6, 2013)
  • Working Group Rejects Industry Do Not Track Proposal: The World Wide Web Consortium has rejected a Do Not Track standard proposed by the online advertising industry. The industry proposal would have allowed advertising companies to continue to collect data about the browsing activities of consumers, but would have limited the way companies could characterize users based on that data. The group stated that industry's proposal was "less protective of privacy and user choice than their earlier initiatives." Senator Rockefeller, the Commerce Committee Chairman, has introduced legislation to regulate the commercial surveillance of consumers online. EPIC has previously recommended to Congress that an effective Do Not Track initiative would need to ensure that a consumer's decision is "enforceable, persistent, transparent, and simple." For more information, see EPIC: Online Tracking and Behavioral Profiling. (Jul. 17, 2013)
  • EU Officials Recommend Do Not Track by Default: The International Working Group on Data Protection released a white paper on online behavioral advertising. The group of leading privacy experts from around the world noted that web tracking allows companies to "monitor every single aspect of the behavior of an identified user across websites." The Working Group also observed that the current efforts of the W3C to develop a DNT standard could "remain a sugar pill instead of being a proper cure and would such be useless." The Working Group recommended "the default setting should be such that the user is not tracked" and that there be no invisible tracking of users. Senator Rockefeller, the Commerce Committee Chairman, has introduced legislation to regulate the commercial surveillance of consumers online. For more information, see EPIC: Online Tracking and Behavioral Advertising and EPIC: Federal Trade Commission. (Jun. 28, 2013)
  • National Do Not Call Registry Tops 217 Million Phone Numbers: According to the 2012 "National Do Not Call Registry Data Book", the number of actively registered phone numbers is up, but so too is the number of consumer complaints about unwanted telemarketing calls. The FTC has continued to receive large numbers of consumer complaints about robocalls even though most telemarketing robocalls have been illegal since September 2009. EPIC supported establishment of the Do Not Call Registry, and recommended to Congress in 2010 that an effective Do Not Track initiative would need to ensure that a consumer's decision is "enforceable, persistent, transparent, and simple." For more information, see EPIC: Telemarketing and the Telephone Consumer Protection Act and EPIC: Online Tracking and Behavioral Profiling. (Oct. 17, 2012)
  • Survey Finds Widespread Consumer Concerns about Online Privacy: A national survey by Consumer Reports found that most consumers had serious concerns about their online privacy and about the collection and use of their personal data. 71 percent of respondents said they were very concerned about companies disclosing their information without their permission; 65 percent of smartphone owners were very concerned that apps could access their contacts, photos, and location data without their permission; and 53 percent were concerned about data about their online activities and purchases being used to deny employment or loans. For more information, see EPIC: Public Opinion on Privacy. (Apr. 4, 2012)
  • Report: Internet Privacy Tools Generally Fail at Protecting Privacy: A recent report by Carnegie Mellon University finds that internet privacy tools designed to protect consumers from online behavioral advertising are ineffective because they are difficult for users to understand and to configure. The researchers investigated whether users could protect themselves from online tracking by utilizing the privacy settings on popular web browsers, such as Firefox and Internet Explorer. The report also analyzed privacy tools such as Adblock Plus and IE9 Tracking Protection. The report found that the settings are confusing and that users are unable to make informed decisions. Further, unbeknownst to the average user, internet privacy tools' default settings largely fail at blocking online tracking. For more information, see EPIC: Online Tracking and Behavioral Profiling. (Nov. 1, 2011)

Background

There is a giant chasm between the type of tracking that companies are engaged in on the web and what people know or think is occurring. The general public has very little idea that every second they are on the Internet, their behavior is being tracked and used to create a "profile" which is then sold to companies on "stock-market-like" exchanges. According to a Wall Street Journal study, the nation's top fifty websites installed an average of 64 pieces of tracking technology onto the computers of visitors, usually without warning, for a total of 3,180 tracking files. A dozen sites installed more than a hundred. Two-thirds of those files were installed by 131 companies that are in the tracking and online consumer profiling business.

Online tracking is no longer limited to the installation of the traditional "cookies" that record websites a user visits. Now, new tools can track in real time the data people are accessing or browsing on a web page and combine that with data about that user's location, income, hobbies, and even medical problems. These new tools include Flash cookies and beacons. Flash cookies can be used to re-install cookies that a user has deleted, and beacons can track everything a user does on a web page, including what the user types and where the mouse is being moved.

Advertisers are no longer limited to buying an ad on a targeted website because they instead pay companies to follow people around on the internet wherever they go. Companies then use this information to decide what credit-card offers or product pricing to show people, potentially leading to price discrimination.

This type of data collection violates several Fair Information Practices (FIPs). These online tracking companies have no transparency - so there is no way for a user to access the data being collected about him or her, or correct any inaccuracies. And even if users were to somehow be able to find out what information was being collected, they have no control over what the data collecting companies subsequently do with that information.

According to the Consumer Federation of America and Consumers Union, "there is a fundamental mismatch between the technologies of tracking and targeting and consumers' ability to exercise informed judgment and control over their personal data." The information being collected online is not information that consumers voluntarily share with these tracking companies or online advertising businesses. There are no regulations or limits on what can be collected.

Very sensitive information is often collected, including health and financial data. One company, Healthline, lets advertisers track people with bipolar disorder, overactive bladder, or anxiety - producing ads related to those conditions targeted at specific people. Advertisers collect, use, and sell social security numbers, financial account numbers, and information about sexual behavior and sexual orientation with no controls or limits.

Another consequence of online data collection is the possibility that all these "anonymized" pieces of data could actually be used to identify a person. In the Wall Street Journal, a researcher described how all that is needed to "de-anonymize" data is 33 "bits" of information (some more valuable than others) - and one exemplar website transmitted 26.5 bits of information about a user - enough to narrow the user down to one of just 64 people in the world.

DO NOT TRACK

The idea of a Do Not Track mechanism was first proposed in 2007 as a response to the online tracking and targeted advertising described above. Originally, the idea was for it to be modeled on the Do Not Call registry that the Federal Trade Commission (FTC) administers. The proposal has evolved since then, and is currently being debated in Congress, at the FTC, and amongst advocacy groups and industry.

The most recent idea, proposed by researchers at Stanford, is the browser-header approach. In this approach, a user's browser sends a signal to a website that the user wants to opt out of being tracked. It does so using an HTTP "header." As the Stanford researchers explain, whenever a web browser requests content or sends data using HTTP, the protocol that underlies the web, it can optionally include extra information, called a "header."

This mechanism "employs a decentralized design; it thus avoids the substantial technical and privacy challenges inherent to compiling, updating, and sharing a comprehensive registry of tracking services or web users." Jonathan Mayer, one of the principal Stanford researchers, stated that while it operates differently, the Do Not Track registry, "much like the popular Do Not Call registry . . . provides users with a single, persistent setting to opt out of web tracking."

Yet, for the mechanism to be effective, advertising companies will have to actually “listen” to the Do Not Track signal being sent from users' browsers. According to the Stanford researchers, there are a variety of ways that this could be enforced, including self-regulation, "supervised self-regulation or 'co-regulation,' to direct regulation by an entity such as the FTC."
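
One way a site could "listen" to the header described above, as an added example that is not code from this page or from the Stanford proposal. It assumes the signal arrives as the request header `DNT: 1` (opt out) or `DNT: 0` (consent); the `uid` cookie name, the `respond` function and the `track_when_unset` policy switch are hypothetical.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "uid"  # hypothetical tracking-cookie name (assumption of this example)


def dnt_preference(headers):
    """Return 'opt-out', 'consent' or 'unset' from the DNT request header."""
    # HTTP header names are case-insensitive; tolerate stray whitespace in values.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # Anything other than exactly "1" or "0" expresses no preference.
    return {"1": "opt-out", "0": "consent"}.get(h.get("dnt", ""), "unset")


def respond(headers, track_when_unset=False):
    """Build response headers for a hypothetical ad server that honors the signal."""
    pref = dnt_preference(headers)
    h = {k.lower(): v for k, v in headers.items()}
    cookies = SimpleCookie(h.get("cookie", ""))
    out = [("Content-Type", "image/gif")]
    may_track = pref == "consent" or (pref == "unset" and track_when_unset)
    if may_track:
        if COOKIE_NAME not in cookies:
            # First visit with tracking allowed: issue a persistent identifier.
            uid = secrets.token_hex(16)
            out.append(("Set-Cookie", f"{COOKIE_NAME}={uid}; Max-Age=31536000; Secure; HttpOnly"))
    elif COOKIE_NAME in cookies:
        # Opted out but still carrying an old identifier: expire it.
        out.append(("Set-Cookie", f"{COOKIE_NAME}=; Max-Age=0; Secure; HttpOnly"))
    return pref, out


# Constructed sample requests (not captured traffic).
SAMPLES = [
    {"DNT": "1", "Cookie": "uid=0123abcd; theme=dark"},
    {"dnt": " 1 "},
    {"DNT": "0"},
    {"User-Agent": "ExampleBrowser/1.0"},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req, "->", respond(req))
```

With `track_when_unset=False`, a visitor who sends no signal is treated the same as one who opted out, which matches a "not tracked by default" policy; setting it to `True` models an opt-out-only policy.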

The FTC recently released a privacy report that endorsed a Do Not Track mechanism but stopped short of discussing how such an approach would be made effective. The report asks for comments on how Do Not Track would be implemented, but does explain that the most "practical method . . . would likely involve placing a setting similar to a persistent cookie on a consumer's browser and conveying that setting to sites that the browser visits." The FTC report also states that "there must be an enforceable requirement that sites honor those choices" but is vague on the details of how such enforcement would occur.

Legislation

The California Senate is considering a Do Not Track bill. The bill requires websites based in California to give Internet users the right to avoid having their online activities tracked, stored, or sold. Sites that do not comply with the bill could face civil legal action.

Rep. Speier (D-CA) introduced the "Do Not Track Me Online Act" in February 2011.
