Ad tracking: Is anything being done?

With online tracking on the rise and Do Not Track efforts moving ahead slowly, users and browser vendors have been taking matters into their own hands.

Then there's the issue of what actions would be required when the ad network receives a Do Not Track signal -- and at what point DNT policy actually applies. For example, should a Do Not Track policy pertain to tracking for all purposes, including market research by firms such as The Nielsen Company, or just for the delivery of those behaviorally targeted ads?

Big players vs. smaller ones

Suggestions that DNT policy only apply to third-party advertising networks have advocates for those organizations crying foul. Chapell, for one, thinks this gives big players such as Amazon, Facebook and Google a free pass at the expense of independent ad networks and the smaller publishers that use them.

For example, a large Web publisher may have dozens of sites and brands -- Google even has its own third-party ad networks in AdSense and DoubleClick -- but as long as all of those are connected through a common privacy policy they are classified as a first party. "They can take whatever data they have and use it to target ads across the Internet, even when DNT is turned on," Chapell says.

According to the IAB's Zaneis, there is also more potential for privacy violations when you're dealing with the big ecosystems. Major players like Google and Amazon know the identity of each user once that user self-identifies through online account registrations and transactions. They can then combine online data with offline data from aggregators to serve highly targeted behavioral advertising.

In contrast, Zaneis argues, the tracking data that most third-party digital advertising companies collect contains no personally identifiable information.

In addition, Facebook's "Like" buttons -- and other social network buttons that appear on many websites -- actively track user activity on those pages and send data back to the social networks. "It's unclear whether the mere presence of a button on a page gives Facebook or Google first-party status," Chapell says. "We've created these artificial distinctions, but there's no real privacy gain. You'd think the bigger companies would be the ones you'd want to target [with Do Not Track]."

Further complicating matters, the opt-in nature of the DNT program has been "hijacked" by some routers and security packages that automatically turn on the DNT header by default, such as the anti-malware software from AVG, says Zaneis. "Anything that sits between the browser and the website can inject the DNT signal. It no longer represents a consumer choice," he adds.

Zaneis sees Microsoft's decision to turn on DNT by default when users install Internet Explorer in a similar fashion. For this reason, he says, at least one major Web publisher that honors DNT signals from other browsers has declined to do so for IE users.

In the meantime, Mozilla and other browser vendors let users decide whether or not to turn on the DNT signal. "We have no plan to turn on DNT by default in Firefox. It is a representation of the user's preference and not Mozilla's," says Alex Fowler, head of privacy and public policy at Mozilla.

The issues regarding who should be allowed to set a DNT signal -- including the level of explanation that must be provided before a user is deemed to have intended to turn it on -- have been resolved within the emerging technical standard that's about to be put forward, Brookman says.

So what happens next?

Efforts in the W3C working group are continuing, but Zaneis thinks the most likely scenario is that the industry will work with "a few key players" to develop a policy that's an extension of a self-regulatory program developed by the Digital Advertising Alliance (DAA), an industry consortium.

Last fall, when frustrations over the W3C Tracking Protection Working Group's lack of progress came to a head, the DAA quit the group and formed its own DNT subcommittee. "We are working with key interest groups to develop principles to incorporate browser signals into the existing DAA program. Think of it as the compliance piece that will be lacking from the W3C process," Zaneis says.

Mozilla's Fowler thinks that the DAA's parallel effort, which industry groups need to pursue anyway for their own internal self-regulatory programs, might bear fruit. "If they get it right, the opportunity for the W3C to move quickly on a spec is there. It will make the job for the W3C a lot easier," he says.

Jonathan Mayer thinks a solution will need to come from elsewhere. He is now working on Tracking Not Required, a project that stores browsing history data locally "instead of [on] some site you've never heard of," and enables users to determine who gets to see that data.

Judging by add-on download statistics from the major browser vendors, increasing numbers of users have been taking matters into their own hands by using anti-tracking browser add-ons such as Disconnect. And Mozilla recently released Lightbeam for Firefox, an add-on that attempts to raise consumer awareness by letting users see visually who is tracking them as they surf the Web.

In addition, Fowler says that Mozilla has been debating different approaches to blocking third-party cookies -- cookies placed by parties other than the publisher of the site -- including turning the feature on by default in Firefox. According to Alan Chapell, a similar move by Firefox or another major browser vendor would represent a tipping point that could break down the current system. (Apple's Safari browser, which has a relatively small market share, already blocks third-party cookies by default.)

Fowler adds that Mozilla is looking at a range of options, including limiting blocking in certain contexts. For example, third-party cookies might be blocked except when used in conjunction with a shopping cart, or when the user has a relationship with a given third-party site. Or it might create and use a third-party tracking protection list that ships with the browser. "It really is pretty open," he says.

However, Zaneis believes that third-party cookie blocking will only make matters worse. "If they turn off cookies today," he says, "tomorrow you will have a less transparent identifier out there. Companies will switch to statistical identification techniques, which are invisible to the user." And that, he adds, would undermine what Mozilla is trying to accomplish.

Mayer isn't too worried. "The consumer control train has left the station," he says. "It's clear that we're heading for something very different, and I'm optimistic about it."

Downey, on the other hand, sees the newer, more sophisticated tracking methods such as browser fingerprinting as a big concern. "There are unique identifiers out there today and it's getting worse. We can't protect against that," she says. Only the browser vendors are in a position to solve the problem, she argues.

If at first you don't succeed...

A Do Not Track policy with all parties as signatories would be a good first step toward addressing these issues across all platforms, and Brookman remains optimistic that a negotiated agreement still can be hammered out. To force movement, the working group has actively pursued a process that allows the co-chairs to "declare definitive positions on contentious issues based on which [positions] have the least strong objections," he says.

But this change has left industry groups that are on the losing end of some decisions feeling disenfranchised. "It is an outrage," Zaneis says of the current process.

Brookman thinks that those browser vendors who implemented the Do Not Track feature in their products and are deeply committed to the idea are positioned to push the group to consensus. "If their DNT signals are being rejected and ignored, they have a lot of options at their disposal to disadvantage non-compliant third parties. That alone may be sufficient incentive for the trade associations to adopt a meaningful DNT standard," he says.

Zaneis says advertisers won't be coerced into an agreement. "The $40 billion U.S. ad industry will not be strong-armed by advocates into agreeing to a standard that does nothing to further privacy or allow the Internet to prosper," he says. "We remain committed to finding a balanced approach that supports privacy and economic growth."

Fowler remains confident. "Since the end of last year we're seeing pretty good progress. We're hopeful that we'll see industry groups in this year moving forward with broader support for DNT," he says.

But while the working group may finally have regained its footing over the last few months, a final resolution still could be a long ways off. In the meantime, users will have to decide whether to live with the status quo, pursue the various opt-out mechanisms available to them, or simply block everything using an anti-tracking program.

Robert L. Mitchell is a national correspondent for Computerworld.

This story, "Ad tracking: Is anything being done?" was originally published by Computerworld.

Copyright © 2014 IDG Communications, Inc.
