Online Tracking and Behavioral Profiling
This page provides an overview of the current state of online tracking and behavioral profiling and advertising. This page will also follow the debate over the creation of a Do Not Track mechanism.
The world of online tracking has grown increasingly complicated and poses a great threat to consumer privacy. Marketing has come a long way from telephones, and online advertisers use a variety of web-based tactics to track consumers' online behavior and target ads based on that behavior.
- Pew Survey Finds that Vast Majority of Americans Take Steps to Maintain Privacy Online: A recent survey by the Pew Research Center's Internet Project has discovered that 86 percent of Americans take steps to conceal their actions or identities while online. The survey also found that 21 percent had an email or social networking account compromised or taken over by someone else without permission. Furthermore, the majority of respondents believe that "current laws are not good enough in protecting people's privacy online." Other Pew surveys have found that most teens were taking steps to protect their privacy, that a majority of parents were concerned about their children's online privacy, and that users were becoming more active in managing their social media accounts. For more information, see EPIC: Public Opinion on Privacy. (Sep. 6, 2013)
- Working Group Rejects Industry Do Not Track Proposal: The World Wide Web Consortium has rejected a Do Not Track standard proposed by the online advertising industry. The industry proposal would have allowed advertising companies to continue to collect data about the browsing activities of consumers, but would have limited the way companies could characterize users based on that data. The group stated that industry's proposal was "less protective of privacy and user choice than their earlier initiatives." Senator Rockefeller, the Commerce Committee Chairman, has introduced legislation to regulate the commercial surveillance of consumers online. EPIC has previously recommended to Congress that an effective Do Not Track initiative would need to ensure that a consumer's decision is "enforceable, persistent, transparent, and simple." For more information, see EPIC: Online Tracking and Behavioral Profiling. (Jul. 17, 2013)
- EU Officials Recommend Do Not Track by Default: The International Working Group on Data Protection released a white paper on online behavioral advertising. The group of leading privacy experts from around the world noted that web tracking allows companies to "monitor every single aspect of the behavior of an identified user across websites." The Working Group also observed that the current efforts of the W3C to develop a DNT standard could "remain a sugar pill instead of being a proper cure and would such be useless." The Working Group recommended "the default setting should be such that the user is not tracked" and that there be no invisible tracking of users. Senator Rockefeller, the Commerce Committee Chairman, has introduced legislation to regulate the commercial surveillance of consumers online. For more information, see EPIC: Online Tracking and Behavioral Advertising and EPIC: Federal Trade Commission. (Jun. 28, 2013)
- National Do Not Call Registry Tops 217 Million Phone Numbers: According to the 2012 "National Do Not Call Registry Data Book", the number of actively registered phone numbers is up, but so too are the number of consumer complaints about unwanted telemarketing calls. The FTC has continued to receive large numbers of consumer complaints about robocalls even though most telemarketing robocalls have been illegal since September 2009. EPIC supported establishment of the Do Not Call Registry, and recommended to Congress in 2010 that an effective Do Not Track initiative would need to ensure that a consumer's decision is "enforceable, persistent, transparent, and simple." For more information, see EPIC: Telemarketing and the Telephone Consumer Protection Act and EPIC: Online Tracking and Behavioral Profiling. (Oct. 17, 2012)
- Survey Finds Widespread Consumer Concerns about Online Privacy: A national survey by Consumer Reports found that most consumers had serious concerns about their online privacy and about the collection and use of their personal data. 71 percent of respondents said they were very concerned about companies disclosing their information without their permission; 65 percent of smartphone owners were very concerned that apps could access their contacts, photos, and location data without their permission; and 53 percent were concerned about data about their online activities and purchases being used to deny employment or loans. For more information, see EPIC: Public Opinion on Privacy. (Apr. 4, 2012)
- Report: Internet Privacy Tools Generally Fail at Protecting Privacy: A recent report by Carnegie Mellon University finds that internet privacy tools designed to protect consumers from online behavioral advertising are ineffective because they are difficult for users to understand and to configure. The researchers investigated whether users could protect themselves from online tracking by utilizing the privacy settings on popular web browsers, such as Firefox and Internet Explorer. The report also analyzed privacy tools such as Adblock Plus and IE9 Tracking Protection. The report found that the settings are confusing and that users are unable to make informed decisions. Further, unbeknownst to the average user, internet privacy tools' default settings largely fail at blocking online tracking. For more information, see EPIC: Online Tracking and Behavioral Profiling. (Nov. 1, 2011)
- US and European Consumer Groups Oppose Latest Industry Proposal for Self-Regulation: The Transatlantic Consumer Dialogue has sent a letter to U.S. and European Union officials, urging them to reject an advertising industry proposal to protect online privacy through self-regulation. The industry proposal relies on opt-out techniques that force consumers to click on small icons, hidden on the websites they visit. The TACD letter described the icon regime as “inadequate,” and said that it “is an insufficient means of [giving] notice to a user about the wide range of data collection that they routinely face.” In 1998, EPIC conducted the first evaluation of industry self-regulation to protect online privacy and concluded that "Notice is Not Enough." For more information, see EPIC: Online Tracking and Behavioral Profiling, and EPIC: FTC. (Sep. 9, 2011)
- Do Not Track Bills Introduced in Congress, Move Forward in California: Rep. Markey (D-MA) and Rep. Barton (R-TX) released a discussion draft of the "Do Not Track Kids Act of 2011." This Act establishes enhanced protections for the use and disclosure of the personal information of children and teens online. In February, Rep. Speier (D-CA) introduced the broader Do Not Track Me Online Act. And in California, the Senate Judiciary Committee voted to move their Do Not Track bill, SB 761, to the next stage in the Appropriations Committee. EPIC submitted a statement to Congress saying that an effective Do Not Track initiative must ensure that a consumer's decision to opt out is "enforceable, persistent, transparent, and simple." For more information, see EPIC: Online Tracking and Behavioral Advertising. (May. 6, 2011)
- Senators Kerry and McCain introduce Internet Privacy Legislation: Senators John Kerry (D-MA) and John McCain (R-AZ) have introduced the "Commercial Privacy Bill of Rights Act of 2011," aimed at protecting consumers' privacy both online and offline. The Bill endorses several "Fair Information Practices," gives consumers the ability to opt out of data disclosures to third parties, and restricts the sharing of sensitive information. But the Bill does not allow for a private right of action, preempts better state privacy laws, and includes a "Safe Harbor" arrangement that exempts companies from significant privacy requirements. EPIC has supported privacy laws that provide meaningful enforcement, limit the ability of companies to exploit loopholes for behavioral targeting, and ensure that the Federal Trade Commission can investigate and prosecute unfair and deceptive trade practices, as it did with Google Buzz. For more information, see EPIC: Online Tracking and Behavioral Profiling and EPIC: Federal Trade Commission. (Apr. 12, 2011)
There is a giant chasm between the type of tracking that companies are engaged in on the web and what people know or think is occurring. The general public has very little idea that every second they are on the Internet, their behavior is being tracked and used to create a "profile" which is then sold to companies on "stock-market-like" exchanges. According to a Wall Street Journal study, the nation's top fifty websites installed an average of 64 pieces of tracking technology onto the computers of visitors, usually without warning, for a total of 3,180 tracking files. A dozen sites installed more than a hundred. Two-thirds of those files were installed by 131 companies that are in the tracking and online consumer profiling business.
Online tracking is no longer limited to the installation of the traditional "cookies" that record websites a user visits. Now, new tools can track in real time the data people are accessing or browsing on a web page and combine that with data about that user's location, income, hobbies, and even medical problems. These new tools include flash cookies and beacons. Flash cookies can be used to re-install cookies that a user has deleted, and beacons can track everything a user does on a web page including what the user types and where the mouse is being moved.
Advertisers are no longer limited to buying an ad on a targeted website because they instead pay companies to follow people around on the internet wherever they go. Companies then use this information to decide what credit-card offers or product pricing to show people, potentially leading to price discrimination.
This type of data collection violates several Fair Information Practices (FIPs). These online tracking companies have no transparency - so there is no way for a user to access the data being collected about him or her, or correct any inaccuracies. And even if users were to somehow be able to find out what information was being collected, they have no control over what the data collecting companies subsequently do with that information.
According to the Consumer Federation of America and Consumers Union, "there is a fundamental mismatch between the technologies of tracking and targeting and consumers' ability to exercise informed judgment and control over their personal data." The information being collected online is not information that consumers voluntarily share with these tracking companies or online advertising businesses. There are no regulations or limits on what can be collected.
Very sensitive information is often collected, including health and financial data. One company, Healthline, lets advertisers track people with bipolar disorder, overactive bladder, or anxiety - producing ads related to those conditions targeted at specific people. Advertisers collect, use, and sell social security numbers, financial account numbers, and information about sexual behavior and sexual orientation with no controls or limits.
Another consequence of online data collection is the possibility that all these "anonymized" pieces of data could actually be used to identify a person. In the Wall Street Journal, a researcher described how all that is needed to "de-anonymize" data is 33 "bits" of information (some more valuable than others) - and one exemplar website transmitted 26.5 bits of information about a user - enough to narrow the user down to one of just 64 people in the world.
DO NOT TRACK
The idea of a Do Not Track mechanism was first proposed in 2007 as a response to the online tracking and targeted advertising described above. Originally, the idea was for it to be modeled on the Do Not Call registry that the Federal Trade Commission (FTC) administers. The proposal has evolved since then, and is currently being debated in Congress, at the FTC, and amongst advocacy groups and industry.
The most recent idea, proposed by researchers at Stanford, is the browser-header approach. In this approach, a user's browser sends a signal to a website that the user wants to opt out of being tracked. It does so using an HTTP "header." "Whenever a web browser requests content or sends data using HTTP, the protocol that underlies the web, it can optionally include extra information, called a 'header,'" explain the Stanford researchers.
This mechanism "employs a decentralized design; it thus avoids the substantial technical and privacy challenges inherent to compiling, updating, and sharing a comprehensive registry of tracking services or web users." Jonathan Mayer, one of the principal Stanford researchers, stated that while it operates differently, the Do Not Track registry, "much like the popular Do Not Call registry . . . provides users with a single, persistent setting to opt out of web tracking."
Yet for the mechanism to be effective, advertising companies will have to actually “listen” to the Do Not Track signal being sent from users' browsers. According to the Stanford researchers, there are a variety of ways that this could be enforced, including self-regulation, "supervised self-regulation or 'co-regulation,' to direct regulation by an entity such as the FTC."
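What "listening" to the signal can look like on the server side, as an added example that is not code from this page or from the Stanford project: a Python WSGI middleware that checks for the `DNT: 1` request header and withholds profiling cookies from users who sent it. The cookie names in `TRACKING_COOKIES`, the sample site `demo_app`, and the cookie values are hypothetical and constructed for illustration.

```python
# Added example: honor the Do Not Track header in a WSGI application.
TRACKING_COOKIES = {"uid", "ad_profile"}  # assumed names of profiling cookies

def dnt_enabled(environ):
    """True when the browser sent 'DNT: 1' (exposed by WSGI as HTTP_DNT)."""
    return environ.get("HTTP_DNT", "").strip() == "1"

def cookie_name(set_cookie_value):
    """Return the cookie name from a Set-Cookie header value."""
    return set_cookie_value.split("=", 1)[0].strip()

class HonorDNT:
    """Drop tracking cookies from responses to users who opted out."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        opted_out = dnt_enabled(environ)

        def filtered_start(status, headers, exc_info=None):
            if opted_out:
                headers = [(k, v) for k, v in headers
                           if not (k.lower() == "set-cookie"
                                   and cookie_name(v) in TRACKING_COOKIES)]
            # Caches must not replay a tracked response to an opted-out user.
            headers.append(("Vary", "DNT"))
            return start_response(status, headers, exc_info)

        return self.app(environ, filtered_start)

def demo_app(environ, start_response):
    """Constructed sample site: sets a session cookie and a tracking cookie."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "session=abc123; HttpOnly"),
        ("Set-Cookie", "uid=7f3c9e; Max-Age=31536000"),
    ])
    return [b"hello"]

def response_cookies(dnt_value=None):
    """Run demo_app behind HonorDNT and return the cookie names it set."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if dnt_value is not None:
        environ["HTTP_DNT"] = dnt_value
    captured = []
    HonorDNT(demo_app)(environ, lambda s, h, e=None: captured.extend(h))
    return [cookie_name(v) for k, v in captured if k == "Set-Cookie"]
```

The functional session cookie is still set for an opted-out user; only the cookies listed as tracking cookies are withheld, and nothing in the protocol itself forces a site to deploy such a filter.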
The FTC recently released a privacy report that endorsed a Do Not Track mechanism but stopped short of discussing how such an approach would be made effective. The report asks for comments on how Do Not Track would be implemented, but does explain that the most "practical method . . . would likely involve placing a setting similar to a persistent cookie on a consumer's browser and conveying that setting to sites that the browser visits." The FTC report also states that "there must be an enforceable requirement that sites honor those choices" but is vague on the details of how such enforcement would occur.
The California Senate is considering a Do Not Track bill. The bill requires websites based in California to give Internet users the right to avoid having their online activities tracked, stored, or sold. Sites that do not comply with the bill could face civil legal action.
Rep. Speier (D-CA) introduced the "Do Not Track Me Online Act" in February 2011.
- "Your Privacy Online: What They Know", The Wall Street Journal, July-November 2010
- "The Do Not Track List and the Law of Unintended Consequences", Marc Roth, E-Commerce Times, October 16, 2010
- "Lawmaker Introduces Online Do Not Track Bill", Grant Gross, PCWorld, February 11, 2011
- "California Do Not Track Bill Moves Forward", Gavin Clarke, The Register, May 4, 2011
- "Telemarketing and the TCPA," Electronic Privacy Information Center
- "Do Not Track: Universal Web Tracking Opt-Out," project run by researchers at the Stanford Law School Center for Internet and Society and the Security laboratory at the Stanford Department of Computer Science
- "Online Behavioral Tracking," Electronic Frontier Foundation
- "Do Not Track Explained," 33 Bits of Entropy, September 20, 2010
- "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers," Preliminary Federal Trade Commission Staff Report, December 2010
- "Privacy Roundtables," Federal Trade Commission, 2009-2010
- "Comments to the FTC concerning the Proposed Online Behavioral Advertising Self-Regulatory Principles," Consumer Federation of America and Consumers' Union, April 11, 2008