Proactive IT Security
 

Personalized web advertisements - good or bad?

2011-01-27 [Privacy issues, Protection projects, Social engineering, Trends & predictions]

Introduction

Advertisements (ads) on the web have become part of a multi-billion industry. These days it is almost impossible to read news on the web without being overwhelmed by a plethora of ads for everything from cars to diapers. However, it is presumably not optimal to display the car ads to children. Nor are most teenagers particularly interested in diapers. 

A better system for both the advertiser, and the persons who see the ad, would presumably be only to come upon information about products and services that are perceived as potentially interesting.

This is where third party cookies come handy. 

Cookies - a blessing or a curse

What is a cookie

Cookies are an important element in how these days' modern web sites function. They allow you to log into web sites and stay logged in as long as you are visiting that site, they allow you to purchase different items on a web site and subsequently put them in your shopping cart, and much more.

Simply put a cookie is just some data placed on your computer when you visit a web site.  These data are sent back to the same web site the next time you visit with the same browser. You normally never notice this, but the cookie technology has functionality that may turn your web surfing into a better experience.

However, a web page may include elements fetched from other web sites, typically images, movies and advertisements. These sites are of course also allowed to place cookies on your computer (since your browser also visits these in the case where the web page uses third-party elements). And this is how the system for customized advertisements functions.

To make it even clearer, let us use an example:

We assume that Norman's web displayed advertisements from the company with the Internet domain general-cool-ads.com. If you visit Norman's web, the domain norman.com is allowed to set cookies on your computer, and since (hypothetically) the Norman's web page you view also displayed an ad, the domain general-cool-ads.com is also allowed to set cookies.

This may be used in such a way that the next time you visit a Norman page, another advertisement from general-cool-ads.com is displayed (since that site now knows that you viewed the first one, based on the cookie on your computer).

This, however, becomes more interesting if you visit a completely different company's web site, like the fictitious site besttoys-always.com. That web site also displays advertisements from general-cool-ads.com. And the advertising web site is still able to see that its ads were displayed previously (when you visited Norman's web) and may act accordingly when selecting which ads to displayed to you. An advertisement for a security product may then be displayed even if you are visiting a web site, which sells toys.

Cookies can also be used to monitor how users navigate through a web site - tracking cookies - and potentially also on different web sites by utilizing the third party cookie technology mentioned above. This can be used to further customize advertisements based on surfing behavior.

Good or bad?

The use of personalized advertisements is not necessarily perceived as bad by those who are exposed to the system.

Many (most?) may prefer to avoid advertisements altogether. However, when advertisements are shown, it may be better to be exposed to ads that are relevant to you than completely random ads, where the majority probably is totally beyond your interests.

The problem has to do with privacy issues. Since cookies to some extent are able to track surfing behavior, this may represent a violation of your wish/need to be completely anonymous. It should be mentioned that the cooking technology is not able to track you as a person, but more precisely the person surfing with a particular browser on your computer, which in many cases may be you and you only.

Does this matter? Most of us would argue that our surfing habits are not that interesting, and this point of view is probably usually correct.

On the other hand it may be argued that customized advertisements may not be used for goods and services. Ads may of course be used for almost anything, including political propaganda, which may be more disturbing. Being presented for political statements and views based on surfing behavior may leave many with a bad feeling.

Opt-out from tracking

The United States Federal Trade Commission (FTC) Staff issued a preliminary report late last year with several suggestions facilitating consumers to be able to make their own choice regarding private data and other privacy issues.

The report states:

Companies engaged in behavioral advertising may be invisible to most consumers. The FTC repeatedly has called on stakeholders to create better tools to allow consumers to control the collection and use of their online browsing data. In response, several companies have developed new tools that allow consumers to control their receipt of targeted advertisements and to see and manipulate the information companies collect about them for targeting advertising.

(...)

Commission staff supports a more uniform and comprehensive consumer choice mechanism for online behavioral advertising, sometimes referred to as “Do Not Track.” Such a universal mechanism could be accomplished by legislation or potentially through robust, enforceable self-regulation. The most practical method of providing uniform choice for online behavioral advertising would likely involve placing a setting similar to a persistent cookie on a consumer’s browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements. To be effective, there must be an enforceable requirement that sites honor those choices.

Proposals from browser vendors

The three largest browser vendors have all come up with approaches to this issue. These suggestions are completely different, and it remains to see if one particular (if any) will receive most acceptance throughout the industry.

We shall look briefly at these three alternatives:

Microsoft's (Internet Explorer) suggestion

Just a few days after the FTC report was published Microsoft announced some plans for privacy features in the upcoming Internet Explorer 9. In Microsoft Advertising Blog Microsoft's Rik van der Kooi, Corporate Vice President, Advertiser and Publisher Solutions Group wrote:

IE9’s privacy settings, like those contained in IE8, will not be on by default, but they will allow users to create lists of sites they wish to share information with, as well as sites they do not wish to share information with. The settings do not take a position on managing information; instead, they provide an improved platform for consumers to exercise choice.

The new options available in IE9 represent another step in the journey to optimize the balance between privacy issues and targeted advertising. They should serve as a catalyst for continued thoughtful discussion and debate about how best to achieve that balance and in so doing, send a message that we are far better off developing solutions and choices as an industry than if we allow the government to do it for us.

This led analysts to believe that Microsoft's solution was a kind of browser blacklisting system, where the surfer optionally may decide the web sites with which he wishes to share information.

Microsoft calls the new functionality Tracking protection - see this blog item, which also discusses the new IE9 functionality.

Mozilla's (Firefox/SeaMonkey) proposal

Mozilla has proposed a different alternative to Microsoft's, as Mozilla focuses on implementing a Do Not Track feature into the header request sent from the browser to the web sites:

As the first of many steps, we are proposing a feature that allows users to set a browser preference that will broadcast their desire to opt-out of third party, advertising-based tracking by transmitting a Do Not Track HTTP header with every click or page view in Firefox. When the feature is enabled and users turn it on, web sites will be told by Firefox that a user would like to opt-out of OBA [online behavioral advertising]. We believe the header-based approach has the potential to be better for the web in the long run because it is a clearer and more universal opt-out mechanism than cookies or blacklists.

This approach however, also has its limitations, at least in the short term. Mozilla states this in the following manner:

The challenge with adding this to the header is that it requires both browsers and sites to implement it to be fully effective. Mozilla recognizes the chicken and egg problem and we are taking the step of proposing that this feature be considered for upcoming releases of Firefox.

Google's (Chrome) extension

Just a few days before this security article is written, Google came up with a released solution for its browser, Chrome. Google's answer to the issue is an extension to Chrome - Keep My Opt-Outs, described by the vendor like this:'

Keep My Opt-Outs is an extension for users who aren’t comfortable with personalization of the ads they see on the web. It’s a one-step, persistent opt-out of personalized advertising and related data tracking performed by companies adopting the industry privacy standards for online advertising.

One of the disadvantages of this solution is that it only functions for ads from companies that adhere with the Self-Regulatory Program for Online Behavioral Advertising. It is therefore easy to circumvent for advertisers who for some reason do not want to comply, and it is focused on cookies from U.S.-based online ad companies.

Google has published its program source for the extension as an open source, probably hoping that other browser vendors (and independent programmers?) will make it available also for competing browsers. 

The future

A solution to the challenges discussed in this article is overdue, and it looks like some implementations will appear in the near future (one is already here). Hopefully the organizations, which are able to define the outcome, are able to agree on one solution.

Several different permanent solutions to the same problem will not be beneficial for any of the involved parties (consumers, businesses, browser vendors, consumer rights organizations, marketing corporations, legislators etc.).

As soon as this year we may see the direction this discussion takes.

References