You visit a favorite Web site. You browse a while, and then you notice that all the ads you see are remarkably well-tailored for your unique preferences. The banner ads or AdSense offerings are for things that you like, or for businesses that are local to you. Product suggestions are for things you’ve recently browsed or purchased from a mail-order company.
How on earth does “teh Internets” know these things?
Simple. You are a number in an enormous database, and the data associated with that number is growing at a frightening rate.
Savvy Web users already know that cookies can track your browsing history, but the old standby of blocking or deleting cookies is no longer enough. Marketers are increasingly integrating offline data, or data from other online sources like social-networking sites, to develop a comprehensive profile about you. This profile worth its weight in gold — it can be sold and shared as an asset. Worse, this aggregation is happening behind the scenes, with users unaware of the wide variety of information being integrated into their marketing profiles.
Ryan Singel, writing in Wired on April 9, reports that some privacy-protection groups have had enough:
A trio of privacy groups want federal regulators to take a close look at ad networks that track web surfers’ and sell targeted ads.
The groups want the Federal Trade Commission to open an inquiry into whether these networks, including Google and Yahoo, are unfairly tracking Americans and profiting from their data.
The World Privacy Forum, the Center for Digital Democracy and U.S. PIRG (public interest research groups) argue that online marketers are secretly combining online data with offline data and using that to run real-time ad auctions.
“Consumers will be most shocked to learn that companies are instantaneously combining the details of their online lives with information from previously unconnected offline databases without their knowledge, let alone consent,” said U.S. PIRG Consumer Program Director Ed Mierzwinski. “In just the last few years, a growing and barely regulated network of sellers and marketers has gained massive information advantages over consumers.”
Companies named in the complaint (.pdf) include Google, Yahoo, PubMatic, TARGUSinfo, MediaMath, eXelate, Rubicon Project, AppNexus and Rocket Fuel.
At issue is a growing market of targeted, real-time ads, where advertisers can choose to show ads to people based on their age, gender, income and location — as well as their recent online behavior — often on unrelated sites that let third parties track users (for instance, Wired.com uses DoubleClick to serve ads and it tracks users across the web using cookies.)
Third-party cookie tracking isn’t new — but as the complaint points out, marketers are increasingly trying to augment that data with other data sets — such as the social network data that Rapleaf harvests and re-sells.
The kicker line in Singel’s story: “Tying ad cookies to personally identifiable data would let marketers successfully combine online and offline data on website visitors to build a complete digital dossier on a user.”
Nervous yet? Even a centrist privacy group funded by the tech industry itself is calling for regulations. That’s how bad it is.
It is interesting to note that Facebook came down hard-and-heavy against Suicide Machine, a service that scrubs a user’s profile from social-networking sites like Facebook, MySpace and Twitter. These networking sites presently allow a person to delete a profile, but “deletion” is merely inactivation — the profile and all associated data still exists, and is still subject to indexing and search and resale. Suicide Machine is different; you supply your login and password, and its scripts actually delete all information in the profile, so that the inactivated profile is stripped down to an empty shell. After only a few hundred (out of more than 300 million) active accounts were emptied by Suicide Machine, Facebook acted swiftly to block the service. This behavior, combined with the way that Facebook keeps trying to trick users into opening data on their profiles, is suggestive. It doesn’t take a genius to see that the name of the game is personal-data aggregation and resale.
And why not? It’s big business. If you were selling a product, wouldn’t you like to have a mailing list targeted to people who you already know are likely to enjoy your product? If you were advertising a service, wouldn’t you prefer to tailor your ads to people in your local community who fit your service’s targeted demographic profile? Of course you would.
The problem is that consumers are at a significant disadvantage. They are not notified in a reasonable manner that their information is tracked, nor do they have a reasonable chance to opt out or to charge companies for the privilege of selling their marketing preferences. Worse, for people who have poor impuse control or even a psychological disorder that includes spontaneous purchasing, highly customzied targeted advertising is akin to preying on the weak — like putting a fresh beer, unasked, in front of a recovering alcoholic.
The slippery slope is greased with lard: When terabytes of marketing data can be successfully linked to personally identifiable information, it’s not a stretch to link it one step further to things like credit reports. Already, so much information about a person is publicly available; allowing businesses the opportunity to build a complex dossier on a person, without that person’s active consent or ability to opt out, is a step too far. Might next-generation social profiling be next? Or could prospective landlords or employers have the chance to buy a report that lists the things you buy, the subjects you search for, and the keywords in your ostensibly private social-networking profiles? Maybe skip tracers or creditors can start harassing friends and family — whose information is conveniently obtained via your own online profiles, or from theirs — to do the repayment shakedown? What if a father-in-law-to-be ran a marketing report and discovered your penchant for browsing S&M Web sites?
The Federal Trade Commission should act quickly to put a stop to the unfettered aggregation of private consumer data; if the FTC lacks the spine, then Congress should put into place definitive regulations that protect a citizen’s online privacy. At a minimum, users should be actively informed of all monitoring activities and given the opportunity to definitively and persistently opt-out, on a per-company basis as well as globally, and a user must be allowed to actively opt-in to any change to a site’s privacy terms that would otherwise open private data to the public or to third-party indexers, before this information is released.
Although this humble blogger is unabashedly pro-capitalist, I do accept that there must be certain limits placed on free enterprise in order to protect consumers from unfair or predatory business practices. No person should have his private activity collected and profiled without his active consent. Period.
It’s time for action, before it’s too late.