Beginning next week, the FTC will hold a series of public roundtables covering the growing number of challenges to consumer privacy on the Internet. Dubbed "Exploring Privacy," the daylong discussions will focus on "the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses." Hold that yawn. Behavioral tracking and ad targeting have everything to do with the pesky "Warning!" pop-up blinking behind your browser window right now. The one that could shatter your online privacy.
In advance of the roundtables, Fast Company spoke with online privacy advocates Jules Polonetsky, co-chair and director of the Future of Privacy Forum, and Ari Schwartz, vice president and chief operating officer of the Center for Democracy and Technology. Below, Polonetsky and Schwartz highlight five of the most nefarious techniques used to trick and track you.
1. "Malvertising Gangs"
"One of the biggest challenges in the ad ecosystem right now is that it's really easy for anyone to place an ad," says Polonetsky, one of the attendees of next week's roundtables. "Including actual criminals who would like to mug you."
Such is the case with malvertising gangs, groups of scammers who pose as legitimate advertisers in order to infiltrate the complex system of nearly 100 ad networks—like Google's AdSense—that distribute ads to Web sites all across the Internet. Shortly after a fake ad has been introduced into the system, it morphs into "scareware," advising any and all who visit the page that a virus has infected their computer.
"They make your machine look infected and then sell you a fake antivirus software," says Schwartz. "You actually download the problem." While the fraud often ends with the consumer forking over $40 or $50, some scams go further, racking up additional charges on consumers' credit cards and hijacking victims' computers to churn out spam.
Difficult to detect and increasingly sophisticated, malvertising gangs have launched a series of high-profile attacks in recent months. In early September, a group planted ads that wound up on the Web site of The New York Times. Days later, malvertisers struck The Drudge Report. That same month, Microsoft filed five lawsuits against malvertising groups with seemingly benign names such as "Soft Solutions" and "Direct Ad."
Beyond the consumers directly impacted by malware, Polonetsky notes that malvertising gangs undermine the integrity of the legitimate ad networks and reputable Web sites they strike. "If the idea that just viewing an ad—not even clicking it—is bad," he says, "it poses a huge threat to the online advertising industry."
What you can do: Check with and check out any company before downloading their antivirus software. You can even try calling them, an effort that pales in comparison to the hassle of a virtual infection.
2. Flash Cookies
By now, most Web users are familiar with cookies, the packets of code that store user data, remembering our preferences and automatically filling out the contact forms in our online shopping carts. Cookies can be blocked entirely, removed frequently or allowed to pile up (often slowing the browser to a crawl)—point is the user has the final word. Not so with flash cookies.
"Cookies aren't as easy as should be, but they're controllable," says Polonetsky. "But flash cookies aren't. Flash cookies can stick around and reinstall the cookie after you delete it."
As with many tricks of the behavioral-tracking trade, flash cookies were intended as a helpful technology. Created as a means of storing flash preferences that would otherwise be deleted by antivirus software, flash cookies are filed away in Adobe Macromedia, so they don't show up in your browser. Because of this loophole, third-party advertisers can store consumer profiles on flash cookies and track their online behavior long after they thought they'd deleted their cookies.
A recent report by researchers at UC Berkeley found that 54 of the top 100 Web sites use flash cookies, noting that "even the 'Private Browsing' mode recently added to most browsers such as Internet Explorer 8 and Firefox 3 still allows flash cookies to operate fully and track the user."
What you can do: Firefox users can download a free add-on, called Better Privacy, that can be set to automatically eliminate flash cookies. Others can read more about their Adobe privacy settings here.
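To check your own machine for the kind of stored profile described above, the following added example (not part of the original article) lists Flash cookie (`.sol`) files by the site that set them and flags any that contain a copy of a browser cookie value, which is what lets a deleted cookie be reinstalled. The function names are illustrative, the storage paths are Flash Player's usual per-user defaults, and the sample files and cookie value are constructed.

```python
import tempfile
from pathlib import Path

def default_roots(home=None):
    """Default per-user Flash Player storage roots (assumes storage was not relocated)."""
    home = Path(home) if home else Path.home()
    return [
        home / ".macromedia/Flash_Player/#SharedObjects",                     # Linux
        home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
        home / "AppData/Roaming/Macromedia/Flash Player/#SharedObjects",      # Windows
    ]

def scan_lsos(root, cookie_values=()):
    """Map each origin domain to [(file name, size, mirrored cookie values)]."""
    root = Path(root)
    report = {}
    for sol in sorted(root.rglob("*.sol")):
        parts = sol.relative_to(root).parts
        # Layout: <random profile dir>/<domain>/[path/]<name>.sol
        domain = parts[1] if len(parts) >= 3 else "(unknown)"
        data = sol.read_bytes()
        # String values are stored as plain UTF-8 inside the file, so a byte search
        # finds a mirrored ID. Short values are skipped to avoid chance matches.
        mirrored = [v for v in cookie_values if len(v) >= 8 and v.encode() in data]
        report.setdefault(domain, []).append((sol.name, len(data), mirrored))
    return report

def respawn_candidates(report):
    """Domains whose Flash storage holds a copy of a browser cookie value."""
    return sorted(d for d, files in report.items() if any(m for _, _, m in files))

def build_sample(root):
    """Constructed sample tree; file contents only imitate a .sol header."""
    tracker = Path(root) / "AB12CD34" / "tracker.example" / "uid.sol"
    prefs = Path(root) / "AB12CD34" / "video.example" / "player" / "settings.sol"
    for path, body in ((tracker, b"uid\x02\x00\x10a1b2c3d4e5f60718"),
                       (prefs, b"volume\x00\x40\x49\x00\x00")):
        path.parent.mkdir(parents=True)
        path.write_bytes(b"\x00\xbf\x00\x00\x00\x20TCSO" + body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed browser cookie value; in practice, export these from the browser.
        report = scan_lsos(build_sample(tmp), ["a1b2c3d4e5f60718"])
        for domain, files in report.items():
            print(domain, files)
        print("mirrored browser IDs:", respawn_candidates(report))
```

To scan a real profile, call `scan_lsos` on whichever path from `default_roots()` exists, passing the cookie values exported from your browser.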
3. "Cookie appends"
Beyond clogging up your browser with bits of data, cookies can track your online behavior. Schwartz says cookie tracking, or cookie appends, are the next evolution of reverse email appends—whereby advertisers access all sorts of personal information via your email address. Sign up for an online newsletter recently? By crosschecking your email address, the publisher may have access to everything from your name and address to your ethnicity, personal interests, and credit score. A cookie append works in the same way.
"Say you buy something from GAP," says Schwartz. "Working with Experian, GAP can get all your personal information and build a personal profile. Then they tie a cookie to you that watches everything you do," further adding to your profile.
Companies like Acxiom (profiled here by The Wall Street Journal) and use tracking cookies to collect and analyze consumer data, and categorize consumers into "clusters" like "Apple Pie Families," "Young Workboots," and "Mixed Singles-Urban Scramble." The data is then sold to online retailers and used to serve up targeted ads.
4. Personal Health Data
In the past, advertisers tended to steer clear of tailoring ads to consumers' health interests. All those Google searches about that uncomfortable rash? That was your business. But times have changed, according to Polonetsky.
"A few years ago ad networks started offering very detailed health profiles," he says. "It's been hard for the industry to draw a bright line. Pharma companies are looking for this info, and it's hard to imagine a small ad network turning down the money."
Ad networks still largely avoid targeting sensitive health issues, like cancer, and government regulations like HIPAA bar advertisers from accessing your personal health records. Just don't be surprised if you start seeing ads for adult diapers after reading a news story on incontinence.
What you can do: As with cookie tracking, check with a preference manager to see what kind of personal data advertisers are storing about you.
5. ISP Tracking
If you thought the specter of ISP tracking, or deep-packet inspection (DPI), vanished with NebuAd, the multimillion-dollar ad targeting company that collapsed this past May under a class action lawsuit and congressional inquiry, you were sadly mistaken. The practice—which involves logging individuals' surfing habits, including the terms they search and the sites they visit, and using them to serve up ads—is alive and well at companies like Phorm and Front Porch.
While much maligned by privacy advocates, DPI appears to be gathering momentum; on November 26, various news outlets reported that Virgin Media is planning to use the technique to monitor its network for illegal filesharing, covertly examining peer-to-peer packets for copyright infringement.
"It comes down to understanding that the ISP is passing on information," says Schwartz. "They get everything you do online."
What to do: Stay tuned. Schwartz says the U.S. House Energy and Commerce Committee has advised ISPs that the practice is illegal, and further legal action is pending.