Slashdot Log In
Cookies, Ad Banners, and Privacy
from the C-is-for-global-clicktrails dept.
When Netscape embraced-and-extended the HTTP spec in 1995, it was really just trying to digitize the shopping cart. Allowing a server to store just a few bits on the client added almost no overhead and it made many applications, such as shopping carts, very convenient.
Maybe it was deliberate; maybe nobody really cared; or maybe it was an engineer's simple distaste for tweaking a spec too much: but they allowed cookies to hang off GIFs as well as HTML, and that changed everything. There were probably ten people in the: world at that point who could have foreseen the explosion in banner ad traffic, yielding a multi-billion-dollar industry in less than five years.
Yes, billion -- the large banner-ad company DoubleClick merged with database firm Abacus Direct last year in a billion-dollar stock swap. How much is a billion dollars worth of advertising revenue on the net? At DoubleClick's current rate, it's about 750 billion banner ads. Think of it as four petabytes of GIFs.
And the vast majority of those GIFs just get ignored. When's the last time you clicked a banner? There aren't any precise figures, but the consensus is that the average click-through rate is dropping. Three percent click-through used to be good. Now a well-targeted ad will be happy to get one or two percent. It's hard work to make money from banners, and getting harder every day.
That's why DoubleClick, and firms like it, need to maximize their efficiency. Their income ends up depending on that click-through rate. The higher they can raise that number, the more they can justify charging their clients. Sending targeted ads becomes critical. And the only way to target you is to learn more about you.
The GIF cookie loophole makes this pretty easy. The first banner ad that your browser requested from a banner-ad company got a user ID cookie sent back with it. And - here's the key - since so many banner GIFs all come from the same company's domain name, your browser sends back the same user ID no matter which website you're viewing the banner on. Your user ID is being tracked all over the web.
In the case of DoubleClick, that's a fair number of sites. They won't talk to you unless you serve a million impressions a month - and their network includes 651 publishers which translates to who-knows how many websites. All told, they deliver a billion ads every two days.
Though the Internet Movie Database can't tell where else you've been on the web today, the company delivering its banners knows. That same company knows if you read National Review, TeenMag, or Dilbert. It knows if you're into professional wrestling or what cruises you were looking at on Travelocity. It even has some of your click history through WebMD.com.
The comforting thing has always been that, while the corporation may be able to follow your footprints around the web, at least they haven't known it's you who's making them. The disconcerting thing is, that's about to change.
Remember that billion-dollar merger between DoubleClick and the database company? This database company doesn't sell software. Abacus Direct uses databases to store names, addresses, and other information about people. In offices across the country, their computers have information on two billion purchases made from 1,100 separate consumer catalogs over the years, "representing virtually all U.S. consumer catalog buying households." Their CEO brags,
"Through the sophisticated use of state-of-the-art technologies and modeling techniques, Abacus' outstanding ability to synthesize vast amounts of data into valuable insights about individual consumer buying behaviors has proven itself to be an important marketing tool for our age."
That's why it's very interesting that DoubleClick's privacy policy changed earlier this month. Its text used to read:
"DoubleClick does not know the name, email address, phone number, or home address of anybody who visits a site in the DoubleClick Network. All users who receive an ad targeted by DoubleClick's technology remain completely anonymous."
That promise is gone without a trace from the new policy. The new policy reads:
"In the course of delivering an ad to you, DoubleClick does not collect any personally-identifiable information about you, such as your name, address, phone number or email address."
Of course not. In delivering the ad, DoubleClick just collects your user ID. It probably already has your name, address, phone number and email address, somewhere in the Abacus database.
A little further down is the portent of things to come. There is "one particular Web publisher" in their network which collects a "log-in name and demographic data about users." Which publisher is that? They don't say.
Whoever it is, you may already have given it your name and address, perhaps to register for a contest, or maybe in exchange for reading its free content. Everyone does it; it's a small price to pay. DoubleClick is already combining their demographic data (your name and address) with its own database (your viewing and clicking habits) in order to deliver more-targeted ads on this one website.
And if their programmers do their jobs right, it'll end up being a simple SQL query to join up your user ID, the name you gave the mysterious web publisher, your Abacus demographic data and catalog purchases, and the footprints you've left all over the net for the past two years, into a single big lump of your online/offline data.
To be fair, their privacy policy promises they won't start doing this without, er, changing their privacy policy:
"...should DoubleClick ever match the non-personally-identifiable information collected by DoubleClick with Abacus database information, DoubleClick will revise this Privacy Statement to accurately reflect its modified data collection and data use policies and ensure that you have adequate notice of any changes and a choice to participate."
Aren't you glad that, when DoubleClick revised its privacy statement on October13,1999, you were given adequate notice of how you were being tracked across the internet? (They've sent out 46 press releases so far this year. Informing you about weakening your privacy wasn't one of them.)
Things aren't as bad as they could be. One fortunate thing is that the banner-ad market isn't a monopoly yet. Not even close. Adbility lists over fifty ad networks, of which DoubleClick is just one of the larger ones (probably the largest).
But, when any rapidly expanding market starts to level off, the smaller and less-efficient companies get eaten. Nobody knows when the internet's growth curve will hit that point, but exponential expansion can't continue forever. At some point, the companies that can't send banner ads targeted to your community will get left behind. We'll end up with two, maybe three, meganetworks that deliver a large majority of the world's banner ads.
What can you do about it? To protect your own personal privacy, opt out of DoubleClick's cookies. Of course, this doesn't affect other banner-ad companies, who may or may not even offer this solution once they get as big as DoubleClick. It also doesn't help novice websurfers like your grandmother, who doesn't understand why she should refuse free cookies. More importantly, it can't ever be a real answer - if more than a tiny percentage of their audience ever opted out, DoubleClick would see the competitive advantage of their billion-dollar merger start to erode, and that'd be the end of that option.
What makes more sense is to close the cookie loophole. DoubleClick isn't the real problem; the HTTP spec is the problem. The browsers should change their implementation of cookies so that, by default, foreign sites can't send me cookies along with their GIFs. Why should cookies be allowed onto my hard drive if they aren't attached to the page I'm viewing?
Since DoubleClick's privacy policy claims that cookies "are not essential for us to continue our leadership," they should have no problem supporting this as the default behavior of every major web browser.
Advertising in general (Score:4)
I don't want a Ford Escort, no matter how often you tell me it's stylish, I don't believe that Lotus makes "super.human.software" no matter how often I'm told. A deceit is a deceit however often it's repeated.
Banner adverts and targetted marketing are perfect examples of this. The reason I don't click through SlashDot's banner adverts for CodeWarrior is that I don't want the blasted thing. It doesn't matter how often you deliver the image to me, I still don't want the thing.
How long is it going to take before people stop making things people don't want and trying to convince them that they do ever more streneously...
Will we still have a culture left by then? Or will we end up, tired of advertising, and left wondering what we had to fill the world before it?
Or are we already there?
When was the last time salesman spoke truth to customer? Does anyone remember?
I am a person. I will decide if I want your product. The frequency of you telling me about it is not a factor. Learn.
[sillywiz]
IMG SRC cookies needed (Score:5)
Paranoid direct-marketing reasons shouldn't be used as a reason to break perfectly acceptable behaviour in a browser (especially a behaviour that has generated a multi-billion dollar industry!)... yes, there are people collecting information about you in order to more efficiently sell you things. There's people collecting information about your power consumption, long distance usage and a host of other things too, not to mention the government going through your spending habits for whatever purposes they have (probably tax related ;).
Having done my time in surveillance/counter-surveillance circles, I can honestly say that what most people consider as privacy is the most widely-hyped and catered-to fictional ideal of all time. Anyone can find out anything about anyone else, so long as they have the time, money and talent to do it. What most people consider as privacy would best be described as obscurity... lost in a sea of other dull, obscure people leading a life too dull to be of any concern to anyone (except perhaps ad banner people and spammers ;).
--
rickf@transpect.SPAM-B-GONE.net (remove the SPAM-B-GONE bit)
It's not the advertisers that matter ... (Score:5)
Example: you visit an AIDS awareness web site, then hop over to Amazon.com and buy a book about living with HIV. You do this because your kid sister has a friend who is HIV positive and wants to know more about it and asked you to do her a favour.
Years later, you put in an application for life assurance to cover your endowment mortgage ... and the life assurance company turns you down. Seems their data mining brought up a warning flag: "buys material about living with AIDS, visits AIDS awareness websites". Ergo, their expert system deduces that you may have HIV (a very bad life insurance risk!).
Admittedly, this sort of abuse shouldn't be possible if proper privacy laws are in place. But in the USA, there are no effective consumer privacy laws (hence the current fracas with the EU, which is bringing in reasonable ones). Nothing stops your insurance company from buying the DoubleClick net's database to check against health risks; it's not information subject to medical confidentiality, is it?
This is a relatively mild example of how data mining can go wrong. Much, much worse things can happen to you -- comp.risks [comp.risks] is full of examples of people being arrested and dragged off to prison because they share the same name and birthday as a wanted felon, or similar cases of public officials putting their trust blindly in a database that has had information indiscriminately shovelled into it.
If we bring political or governmental issues into it, it gets even worse -- imagine, for example, if your local police force starts looking for people who have looked at web sites with details of how to pick locks and who are not registered locksmiths. Sound outrageous? Of course it is -- until it happens.
Privacy is a fundamental human right; and one that is barely protected by law here in the EU, and utterly inadequately protected in the US.
Glad I live in the UK (Score:3)
Privacy has been dead for centuries (Score:3)
discard all your ISP accounts
shred your credit cards
always pay cash (not even cheques)
avoid a drivers license
avoid owning a home or conventional renting
don't register to vote
don't file taxes
Even surfing anonymously on slashdot is betting your privacy on the scruples of Rob and co. Check out the article (just over a month ago) [slashdot.org] about maybe being able to telnet into a Dreamcast. sTp81 [slashdot.org] runs nmap on systems that use his Dreamcast coverage site. That to me is a pretty blatant invasion of privacy.
Every time you use credit some information is being collected about you, not as a class of users but individually, its called your credit report.
Just about everything you do can be used to track you or track down information about you (do you rent in an upscale community or do you have the upper unit in somebodies home?) and this has been true for a long time. Privacy has been dead about as long as commerce has existed.
New technologies may mean new ways to track (such as banner adds) but the concept isn't new. It's also the price each of us has to pay due to our expectaction on getting most services, such as slashdot, for free. Somebody has to foot the bill and unless CmdrTaco, Hemos and Nate have a rich uncle its going to be us through banner ads.
www.junkbuster.com (Score:3)
Chris Wareham
Re:Does it make much difference?? (Score:3)
It's not the ads, it's the information you can gather. Let me give an example of the kind of thing you can find with an sql join.
Once upon a time, my employer did library systems and drugstore systems. In the drugstore system, customer adresses & phone numbers were protected, but they weren't protected in the library system
So a user selected for people who had a perscription for birth-control pills in the drugstore database, and joined for matching names in the library database. This gave him names and adresses, which he filtered to get ones nearby.
Anyone want to guess what he was planning to "sell" the selected customers?
---daveMozilla lets us do what we want (Score:3)
A simpler solution is to disable cookies in the browser. Netscape at least has a setting for that
With Mozilla we can do what we want. Need to change the way cookies are handled? Go ahead - you've got the source. Want to build Junkbuster right in? Suit yourself. How about a random cookie feature - where you accept the cookie, but you return some fictional person's data... hey, if you implement that, I for one will use your patch.
just use per session cookies (Score:3)
How do you do that? I run a Perl script nightly on Windows and UNIX that removes all cookies that I don't want. An even simpler approach is to make your cookies file read-only (edit it beforehand and leave in it only the cookies you like) or replace it with an empty directory (no persistent cookies at all).
Why should you be concerned about long-term tracking? I think it will only be a matter of time until life insurance, credit card companies, employers, and health insurance companies use your purchasing and browsing data to assign you to risk groups. And all of that will happen with automated data mining techniques, so there will be little cause to claim discrimination if the neural network classifier doesn't like you. It's not that I'm a particularly high risk to insurers, I just don't want to feel that my health insurance company is looking over my shoulder every time I order a pizza with extra cheese.
With per-session cookies, advertisers get some data, but they can't correlate it easily with personal information. That seems like a good compromise to me.
Junkbuster is the way to go (Score:3)
A simpler solution is to disable cookies in the browser. Netscape at least has a setting for that.
Re:Junkbuster is the way to go (Score:5)
The original: http://www.junkbuster.com/ [junkbuster.com]
The version I use: http://www.waldherr.org/junkbuster/ [waldherr.org]
I prefer the latter because, well, look at the site and you'll see. Regardless, I urge you to install and use it.
Does it make much difference?? (Score:3)
Y'see I don't particularly mind seeing banner ads. Hell, I even click through occasionally. I completely sympathise with those who hate banner ads however, especially on the grounds of bandwidth.
However opting out of DoubleClick's system isn't going to stop you from receiving banner ads. It just means that they won't be able to serve you the banner ads that their system thinks you will be most interested in.
At the same time, there are commercial organisations collecting and storing information about my habits every day - supermarket club-cards, Visa spending patterns, online book purchases etc. I truly hope that for the most part they are doing so, in order to learn more about my habits as one of their many customers. To be honest, unless they start sending me unsolicited spam, I don't find it too much of a hassle.
I also sometimes think it must be quite amusing, as I live a fairly unconventional lifestyle.
I spent a few years hiding from all the lists I could. I was avoiding the "poll tax" in England. Every 6 months I moved house, I worked so I wouldn't be on the unemployment register, I never filled in official forms.
The tactic worked, but it was hard work. It also meant no credit, difficulty getting banking facilities, difficulty getting utilities connected when I moved house - everything was a lot of hassle. In the end the Poll Tax went away and I was able to come back into normal life and start building up a credit rating etc. Much easier to manage life.
In short - I understand people's privacy concerns, but how serious is it really, to have targeted advertising pointed in your direction??
Community maintained blocklist (Score:3)
There is also a nice URL [junkbuster.com] to verify that you are runing the proxy correctly, and displays the loaded blocklist and configuration. It works great as a home page.
I've been using this setup for quite a long time and I am very happy with the results. The browsing time is greatly increased and without the clutter.
Edit your cookies.txt regularly (Score:3)
Cleaning out this file does a couple of things for my peace of mind. 1) It screws with the statistics of all those places that use cookies for tracking me. 2) It clears out potentially percievably incriminating data if my employer were to decide to hire web-Nazi's to see what people are doing on company computers even in their off hours. If I ever want somebody to know what I've seen on the net I'll tell them myself.
--
A correction and my experience (Score:3)
This isn't true if you leave Netscape's cookie settings at the default of "Accept All Cookies". You need to change it to "Accept only cookies which get sent back to the originating server" to prevent sites from "stealing" cookies of other sites with malicious javascript. I'm not sure how it works on IE but I'm sure it's just as easy with ActiveX giving out access to your entire hard drive to whomever wants it.
Now, as for tracking, cookies, and ads
And yes, I run ads and cookies on my site out of necessity, not marketing or demographic reasons.
Re:Discard images from different site than page? (Score:3)
In either \windows\hosts or
Essentially, the image will be broken. Some browsers handle this more gracefully than others.
------
Don't like it? Opt out. (Score:5)
------
Take control for yourself! (Score:3)
Why bother with letter DoubleClick decide to remove their cookies? Do it yourself! In WebTechniques [webtechniques.com], Randal Schwartz [stonehenge.com] wrote an Anonymizing Proxy server in Perl that can run as a console app in the background that you can use to strip out all your cookies (as he wrote it), or, with a slight modification, you can have it strip out only DoubleClicks's cookies.
The original column is at http://www.stonehenge.com /merlyn/WebTechniques/col11.html [stonehenge.com] (code here [stonehenge.com]), and he updated it (a "Preforking, compressing proxy" [stonehenge.com] (code [stonehenge.com])) last February. He also wrote a "Cookie Jar" [stonehenge.com] (code here [stonehenge.com]) application that can be used for the same purpose.
They all run on *nix, of course, but I have gotten the original proxy server running on a Win95 box and on WinNT boxes using ActivePerl.
Check it out. Take control for yourself--don't rely on their ridiculous "opt-out" option. Fight back.
darren
Imagine what we can do with the mozilla source... (Score:3)
Think what we will be able to do with the final mozilla code though:
Oh, for more coding time and less projects to work on!
Busting Doubleclick cookies crumbles others, tho.. (Score:3)
From the WWWAC List, as posted by a user there:
"I was having trouble putting items in my buy.com shopping cart. It kept
telling me I should check my cookies to make sure I had them enabled.
I do have them enabled.
However, in my hosts file I have the hostname ad.doubleclick.net pointing
to 127.0.0.1. (I seem to get about 30% fewer ads from this as I surf.)
Problem is, buy.com is broken when you point ad.doubleclick.net to nothingness.
I removed my block on Doubleclick and buy.com worked fine"
I must say the all-or-nothing implications of this is making me spew my coffee.
Comments? Technical solutions to this?
Re:cookies? (Score:3)
Ignorance, fear and unjustified paranoia mainly.
Time was when cookies just applied to a single site. What this fine article points out is that this is no longer true. The vendors of banner ads can now not only tell that I read Slashdot, but also that I read other sites AND they'll know that it's the same user agent who reads both Slashdot and UFO review, or who regularly reads content from 15 different sites about PalmPilots. This is much more commercially valuable information than simple being a Slashdot reader.
Weblog and magazine sites aren't the best place to sell banner ads. Lovely sites, but their catchment is just too broad. A real killer for banner ads would be technology that hits me with cigar ads on the prestigious Salon site, because it also knows that my browser visits regularly visits humidor.com.
Assuming that they'll do the things most profitable to them, chances are that the banner ad companies will use this information to send more specifically targetted banners. This isn't a bad thing overall. It probably means that when I read Slashdot in a year's time, I'll see the Linux banners replaced by golf club banners, because I'm not a Linux person but I do play an awful lot of golf. Is decoupling the banner ad from its host site context such a bad thing ? I think not.
Expect also to see cheap banner ad rates for small specialist sites like golf and cigars. They're not feeding the banners to make revenue, they're doing it to catch demographics. We're already seeing many kid's sites with on-line games, that are just there to catch information on who has kids and who is worth targetting with toy adverts. Imagine that being used to sell you kid's toys when you're browsing Slash, because months back it found you had a couple of pokemon-crazed offspring.
OTOH - If you're feeling paranoid, consider what a malicious ad server company could do with a cross reference of those browsers that regularly access both Church News and World Of Pron, or Accountancy Online and the Lose-Your-Shirt Casino. Remember too that "media" companies often extend from gutter tabloids to market research and new media companies. Now that makes me uneasy.
Re:No; monsters here. (Score:3)
Welcome to the well-tracked world of the URL. It takes a great deal of time and effort to avoid tracking. If you want to avoid being tracked, you always have to examine the URL carefully BEFORE you click it.
If the medium is the message, why does the Direct Marketing Association require the target to send a request by US mail, in order to be put on the Telephone Preference Service? It's called cost-shifting by privacy advocates, and good business by the DMA.
Re:It's not the advertisers that matter ... (Score:4)
"You have no privacy, get over it."
The problem is that most CEOs do not have much in the way of privacy, what with journalists and photographers following them around with tape recorders and cameras, and security personell protecting them from unwanted attentions.
This lack of corporate director privacy encourages them to ignore the feelings of those who do have a small amount of privacy already, and make it truly difficult to remain unknown and still get the services provided by the corporation.
Slashdot itself is somewhat guilty of this. Everybody knows that Rob has an email address. Most who read Slashdot know how to find it, and probably send him enough email that he's swamped. At least occasionally, he's followed by reporters.
So, we end up with a login system that's not only extraordinarily complex and customizable, but also cookie powered and easily trackable. If Rob wants to find out what I read today, he probably can do so fairly easily. He can tell me that he's not, and won't, and that the software system that Slashdot uses is designed to prevent tracking (No, he hasn't told me this.) There's no proof one way or the other, unless there's tracking in the current Slash release.
Oh, and targetted ads... To DoubleClick, the-dma.org, et al, go away. I'm not a target, I'm a human being, and I despise being treated as another datapoint to be aimed at. Sure, I am a statistic. That doesn't mean I like it, or that I want to be treated as one by a bunch of corporations.
A low amount of privacy is no excuse for reducing privacy further.
The real privacy zealots will not be posting to Slashdot, or anywhere else on the net.
Why opt out? Do it hacker-style... (Score:5)