Online Tracking and Behavioral Profiling

Introduction

This page provides an overview of the current state of online tracking, behavioral profiling, and related forms of data-driven, targeted marketing.

The world of online tracking has grown increasingly complicated and poses a great threat to consumer privacy. Marketing has come a long way from telephones, and online advertisers use a variety of technologies to track consumers' online and offline behavior and target ads based on that behavior.

Latest News

  • FTC Issues Report on Cross-Device Tracking: The Federal Trade Commission has issued Cross-Device Tracking: An FTC Staff Report, which describes online tracking technology used to link a consumer's activity across smartphones, laptops, tablets, and other internet-connected devices. The report follows from an FTC workshop on this emerging practice. EPIC filed comments with the Commission urging limits on cross-device tracking, which presents significant privacy challenges due to the "lack of transparency and control in this undetectable online tracking scheme." EPIC explained how "notice and choice" fails to protect consumers from this surreptitious activity. The FTC's report recommends continued industry self-regulation and application of the unworkable "notice and choice" approach to this new practice. (Jan. 26, 2017)
  • Lack of Privacy Impacts Internet Use, Economy, Says NTIA Survey: A recent study by the National Telecommunications and Information Administration found that nearly half of Internet users in the US refrained from online activities due to privacy and security concerns. Identity theft was the top concern, cited by 63 percent of respondents, followed by financial fraud, noted by 45 percent. Nearly a quarter of Americans cited concerns about online tracking. “In addition to being a problem of great concern to many Americans, privacy and security issues may reduce economic activity and hamper the free exchange of ideas online,” NTIA concluded. EPIC has supported enactment of the Consumer Privacy Bill of Rights and recently launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election. (May. 16, 2016)
  • FCC Moves Forward With Narrow Privacy Rules: The Federal Communications Commission has voted to adopt a Notice of Proposed Rulemaking on consumer privacy regulations. The proposal follows Chairman Wheeler's earlier draft proposal, which EPIC explained was too limited to safeguard online privacy. During the vote, Commissioner Ajit Pai echoed EPIC's view that the rulemaking should not focus solely on ISPs. EPIC has argued that the FCC proposal ignores invasive practices by Internet firms, including search companies and social media firms that track and profile Internet users. EPIC previously urged the Commission to "address the full range of communications privacy issues facing US consumers" and to apply the Consumer Privacy Bill of Rights to communications data. (Mar. 31, 2016)
  • EPIC, Consumer Groups Challenge Facebook on Web Snooping: EPIC, along with a coalition of consumer groups, has urged the Federal Trade Commission to block Facebook's plan to collect users' web browsing history. Facebook recently announced plans to collect user data from sites all over the web. But the practice may violate a Federal Trade Commission order prohibiting Facebook from changing its business practices without users' express consent. The groups asked the FTC "to act immediately to notify the company that it must suspend its proposed change in business practices to determine whether it complies with current U.S. and EU law." EPIC has also filed a FOIA request, seeking the FTC's communications with Facebook about this change. For more information, see EPIC: Facebook Privacy, EPIC: Online Tracking and Behavioral Privacy, and EPIC: FTC. (Jul. 29, 2014)
  • EPIC Seeks Records on FTC "Sign-off" for Facebook Changes: EPIC has filed a FOIA request with the Federal Trade Commission, seeking records related to Facebook's decision to collect users' internet browsing history for advertising purposes. Previously, Facebook collected user data from facebook.com and mobile apps. Now, Facebook plans to collect user data from sites all over the web. Facebook claims that the FTC was briefed about the change beforehand. However, the plan may violate a Federal Trade Commission order prohibiting Facebook from changing its business practices without users’ express consent. Through the FOIA request, EPIC seeks information about the FTC's review of Facebook's plans to monitor users. For more information, see EPIC: Facebook Privacy, EPIC: Online Tracking and Behavioral Privacy, and EPIC: Practical Privacy Tools. (Jun. 20, 2014)
  • Facebook to Profile User Browsing, May Violate FTC Consent Order: Facebook has announced that it will collect detailed browser history on users for advertising purposes. Users who object were told to opt-out. The plan may violate a Federal Trade Commission order, prohibiting Facebook from changing its business practices without users’ express consent. The FTC order follows from complaints filed by EPIC and other consumer privacy organizations in 2009 and 2010. In issuing the order, the FTC found that Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." A recent Consumer Reports poll found that consumers overwhelmingly object to having their online activities tracked for advertising purposes. For more information, see EPIC: Facebook Privacy, EPIC: FTC Facebook Settlement, EPIC: Online Tracking and Behavioral Profiling, and EPIC: Practical Privacy Tools. (Jun. 12, 2014)
  • Consumer Reports: 85% of Shoppers Oppose Internet Ad Tracking: According to a recent study by Consumer Reports, consumers overwhelmingly object to having their online activities tracked for advertising purposes. The report found that 85% of consumers would not trade even anonymized personal data for targeted ads. Additionally, 76% of consumers said that targeted advertising adds "little or no value" to their shopping activities. For more information, see EPIC: Public Opinion on Privacy, EPIC: Privacy and Consumer Profiling, EPIC: Online Tracking and Behavioral Profiling, EPIC: Practical Privacy Tools. (May. 20, 2014)
  • Gov. Brown Signs New California Privacy Laws: California Governor Jerry Brown has signed several new Internet privacy bills into law. Assembly Bill 370 amends the California Online Privacy Protection Act by requiring that businesses disclose how they respond to Do Not Track signals or other mechanisms used by consumers to prevent the surreptitious collection of their browsing history. The Governor has also signed Senate Bill 568, which provides for an "eraser button" that would require websites to allow minors to remove their own information. Finally, California has enacted Senate Bill 255, which prohibits "revenge porn": the posting of explicit images or videos without the victim's consent. The passage of these laws has led many to observe that California is "driving Internet privacy policy." For more information, see EPIC: Online Tracking and Behavioral Advertising and EPIC: Children’s Online Privacy. (Oct. 9, 2013)
  • Pew Survey Finds that Vast Majority of Americans Take Steps to Maintain Privacy Online: A recent survey by the Pew Research Center's Internet Project has discovered that 86 percent of Americans take steps to conceal their actions or identities while online. The survey also found that 21 percent had an email or social networking account compromised or taken over by someone else without permission. Furthermore, the majority of respondents believe that "current laws are not good enough in protecting people's privacy online." Other Pew surveys have found that most teens were taking steps to protect their privacy, that a majority of parents were concerned about their children's online privacy, and that users were becoming more active in managing their social media accounts. For more information, see EPIC: Public Opinion on Privacy. (Sep. 6, 2013)
  • Working Group Rejects Industry Do Not Track Proposal: The World Wide Web Consortium has rejected a Do Not Track standard proposed by the online advertising industry. The industry proposal would have allowed advertising companies to continue to collect data about the browsing activities of consumers, but would have limited the way companies could characterize users based on that data. The group stated that industry's proposal was "less protective of privacy and user choice than their earlier initiatives." Senator Rockefeller, the Commerce Committee Chairman, has introduced legislation to regulate the commercial surveillance of consumers online. EPIC has previously recommended to Congress that an effective Do Not Track initiative would need to ensure that a consumer's decision is "enforceable, persistent, transparent, and simple." For more information, see EPIC: Online Tracking and Behavioral Profiling. (Jul. 17, 2013)

Background

There is a significant disconnect between the type of tracking that companies are engaged in on the web and what people know or think is occurring. The general public has very little idea that every second they are connected to the Internet, their behavior is being tracked and used to create a "profile" which is then sold to companies for targeted advertising and other purposes.

Online tracking is no longer limited to the installation of traditional "cookies" that record websites a user visits. Now, new tools can track in real time the data people are accessing and generating and combine that with data about that user's location, income, hobbies, and even medical problems. These new tools include flash cookies and beacons. Flash cookies can be used to re-install cookies that a user has deleted, and beacons can track everything a user does on a web page, including what the user types and where the mouse is being moved.

Digital advertising companies also deploy hard-to-detect tracking techniques to follow consumers across their various devices. Today's average consumer uses a variety of Internet-connected devices throughout the day such as smart phones, tablets, smart watches, laptops, health devices, and smart TVs. To keep up, advertisers turn to "cross-device tracking" to monitor consumers across all their devices and create more comprehensive and detailed behavioral profiles.

Very sensitive information is often collected, including health and financial data. Online advertisers can track people with, for example, bipolar disorder, overactive bladder, or anxiety - producing ads related to those conditions targeted at specific people. Advertisers collect, use, and sell Social Security Numbers, financial account numbers, and information about sexual behavior and sexual orientation with no controls or limits.

Online tracking and behavioral profiling violate several Fair Information Practices (FIPs). Online advertisers provide minimal transparency into their practices - so there is no way for a user to access the data being collected about her or correct any inaccuracies. And even if users somehow discovered what information was being collected, they have no control over what the data collecting companies subsequently do with that information.

According to the Consumer Federation of America and Consumers Union, "there is a fundamental mismatch between the technologies of tracking and targeting and consumers' ability to exercise informed judgment and control over their personal data." The information being collected online is not information that consumers voluntarily share with these ad tech companies. There are no meaningful legal constraints on what can be collected.

DO NOT TRACK

The concept of a Do Not Track mechanism was first proposed in 2007 as a remedy to the invasive tracking and profiling practices described above. Initial proposals suggested the mechanism could be modeled on the Do Not Call registry that the Federal Trade Commission (FTC) administers. The proposal has evolved since then, and is currently being debated in Congress, at the FTC, and among advocacy groups and industry.

One concept for a Do Not Track mechanism, proposed by researchers at Stanford, is the browser-header approach. In this approach, a user's browser sends a signal to a website that the user wants to opt out of being tracked. It does so using an HTTP "header." "Whenever a web browser requests content or sends data using HTTP, the protocol that underlies the web, it can optionally include extra information, called a 'header,'" explain the Stanford researchers.

Yet, in order to be effective, advertising companies will have to actually “listen” to this Do Not Track signal being sent from users' browsers. According to the Stanford researchers, there are a variety of ways that this could be enforced, including self-regulation, "supervised self-regulation or 'co-regulation,' to direct regulation by an entity such as the FTC." Currently there is no legally enforceable Do Not Track mechanism. As a result, many websites ignore the clearly expressed
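What "listening" to the signal can look like on the server side, as an added example that is not code from this page or from the Stanford researchers: a WSGI middleware that checks for the `DNT: 1` request header, drops tracking cookies from the response, and reports the `Tk: N` (not tracking) status header. The cookie names and the demo application are hypothetical and constructed for illustration.

```python
TRACKING_COOKIES = {"ad_id", "visitor_uid"}  # hypothetical tracking cookie names


def dnt_enabled(environ):
    """True when the request carried 'DNT: 1' (the user opts out of tracking)."""
    return environ.get("HTTP_DNT", "").strip() == "1"


class HonorDNT:
    """Drop tracking cookies and send 'Tk: N' when the user sent DNT: 1."""

    def __init__(self, app, tracking_cookies=TRACKING_COOKIES):
        self.app = app
        self.tracking = set(tracking_cookies)

    def __call__(self, environ, start_response):
        if not dnt_enabled(environ):
            return self.app(environ, start_response)

        def filtered_start(status, headers, exc_info=None):
            kept = [
                (k, v) for k, v in headers
                if not (k.lower() == "set-cookie"
                        and v.split("=", 1)[0].strip() in self.tracking)
            ]
            kept.append(("Tk", "N"))  # tracking status value: not tracking
            return start_response(status, kept, exc_info)

        return self.app(environ, filtered_start)


def demo_app(environ, start_response):
    """Constructed sample app: sets one session cookie and one tracking cookie."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "session=abc123; HttpOnly"),
        ("Set-Cookie", "ad_id=9f2c; Max-Age=31536000"),
    ])
    return [b"ok"]


def run(app, dnt=None):
    """Send a minimal constructed request to a WSGI app; return response headers."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if dnt is not None:
        environ["HTTP_DNT"] = dnt
    captured = {}
    list(app(environ, lambda s, h, e=None: captured.update(status=s, headers=h)))
    return captured["headers"]
```

The session cookie survives because it is needed for the site to function; only cookies on the tracking list are withheld from users who sent the signal.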

CROSS-DEVICE TRACKING

As consumers continuously switch from laptop to smart phone to tablet throughout the day, online advertisers have developed a variety of "cross-device tracking" techniques to monitor and serve targeted ads to the same consumer across all his devices. This practice poses numerous privacy challenges for consumers, particularly the lack of transparency and control in this largely undetectable online tracking scheme.

Compounding the secrecy of these practices, companies that engage in cross-device tracking collect vast amounts of personal, sensitive information. Tracking consumer behavior across numerous connected devices creates consumer profiles at an unprecedented level of detail and poses increased risk to consumer privacy. First, connected devices such as smartphones and wearable health devices produce sensitive data not typically available from traditional computer web browsing. Second, while data may not be considered sensitive or personal on one device, it may become highly sensitive or personal when combined with data from linked devices. For example, someone who searches for information about a medical condition from the privacy of her own home may see ads related to that condition on her work computer or family smart TV the next day. Or an employee who is job hunting from his tablet at home may later be shown job search ads on his employer-provided computer at work.
