Tough cookies for Web surfers seeking privacy
For consumers trying to protect their privacy on the Internet, it’s a Catch-22.0.
Advertisers often track Web surfers’ activities so they can deliver targeted ads. One of the best ways to avoid this is to install a tiny piece of software that lets computer users opt out of the practice.
But the trouble is that the digital stop sign is often wiped out by other programs designed to protect people’s privacy and security.
This little-known flaw in the system highlights the increasing complexity of safeguarding personal data as companies collect more and more information about people’s digital footprints: Even the solutions have problems.
“It’s certainly an issue that we need to grapple with,” said Pamela Jones Harbour, a member of the Federal Trade Commission, which monitors privacy issues.
The Internet has no real memory, so websites often deposit a piece of software, known as a cookie, on a Web surfer’s browser to remember that person in future visits.
Companies that deliver online advertising also use cookies to track surfers. By knowing consumer habits, marketers say they can avoid bombarding people with the same ads, track the effectiveness of ads and show more relevant messages. For example, people who visit finance-related websites might see an American Express ad when they visit a more general-interest website.
But that creeps out some people who see it as an invasion of their privacy.
One solution in place since 2001 is a consumer opt-out feature offered by the Network Advertising Initiative, a coalition of major online ad companies, including Yahoo Inc., Microsoft Corp.’s Atlas and Google Inc.’s DoubleClick.
The opt-out mechanism involves installing a cookie that instructs advertisers not to deliver behaviorally targeted ads.
But people who worry about their privacy often set their browser settings to automatically block and delete all cookies. They’re also likely to use anti-spyware programs that seek and destroy cookies.
Therein lies the cookie conundrum.
“The two controls you have in place conflict with each other,” said Kim Howell, a senior privacy strategist for Microsoft, at an online advertising conference Friday sponsored by the Berkeley Center for Law & Technology.
Peter Swire, an Ohio State University law professor who served as privacy czar in the Clinton administration, and Annie Anton, an associate professor of software engineering at North Carolina State University, highlighted the issue last week in a filing to the FTC. They encouraged the agency to create a public “white list” of allowable opt-out cookies, maintained by the government or a private-sector organization.
“The FTC can shine a spotlight on this problem,” Swire said in an interview.
The Network Advertising Initiative’s website tells people they must set their Internet browser to accept cookies to use the opt-out feature. But many people don’t want to do that because of privacy worries. The website doesn’t say anything about anti-spyware software.
“It’s certainly an issue that concerns us,” J. Trevor Hughes, executive director of the advertising coalition, said of the deletion of opt-out cookies. “We will be reaching out to the major anti-spyware vendors to encourage them to engage with us to figure out a way to protect opt-out cookies.”
But some experts say that redesigning browser privacy controls and anti-spyware software to allow opt-out cookies carries risks: Unscrupulous marketers could bypass computer security safeguards by creating cookies that impersonate the opt-out versions.
“It creates probably more problems than it solves,” said Michael Hintze, Microsoft’s associate general counsel. The Redmond, Wash.-based company plans to start using behavioral targeting soon and will give people an opportunity to opt out from those, he said. It also plans to allow users of its Windows Live online network to retain the opt-out cookie as a preference. But Microsoft has not yet developed a solution for its Internet Explorer browser.
Ari Schwartz, who leads the Anti-Spyware Coalition, a group of technology companies, privacy advocates and public interest organizations, said a list of allowable cookies might work in the short term. But his group wants the government to establish a nationwide “do not track” list that consumers could sign up for, similar to the Do Not Call list that prohibits telemarketing.
In the meantime, Schwartz suggested that people solve the cookie conundrum by simply ignoring the advertising coalition’s opt-out feature.
“The easier message to give to consumers today is to delete their cookies,” he said.
--
