Beginning next week, the FTC will hold a series of
public roundtables covering the growing number of challenges to consumer
privacy on the Internet. Dubbed “Exploring Privacy,” the daylong discussions
will focus on “the collection and use of information by retailers, data
brokers, third-party applications, and other diverse businesses.” Hold that yawn. Behavioral tracking and ad targeting have everything to do with the pesky “Warning!” pop-up blinking behind your browser window right now. The one that could shatter your online privacy.
In advance of the roundtables, Fast Company spoke with
online privacy advocates Jules Polonetsky, co-chair and director of the Future
of Privacy Forum, and Ari Schwartz, vice president and chief operating officer
of the Center for Democracy and Technology. Below, Polonetsky and Schwartz
highlight five of the most nefarious techniques used to trick and track you.
1. “Malvertising Gangs”
“One of the biggest challenges in the ad ecosystem
right now is that it’s really easy for anyone to place an ad,” says Polonetsky, one of
the attendees of next week’s roundtables. “Including actual criminals who would
like to mug you.”
Such is the case with malvertising gangs, groups of scammers
who pose as legitimate advertisers in order to infiltrate the complex system of
nearly 100 ad networks–like Google’s AdSense–that distribute ads to Web sites
all across the Internet. Shortly after a fake ad has been introduced into the
system, it morphs into “scareware,” advising any and all who visit the page
that a virus has infected their computer.
“They make your machine look infected and then sell you a
fake antivirus software,” says Schwartz. “You actually download the problem.”
While the fraud often ends with the consumer forking over $40 or $50, some
scams go further, racking up additional charges on consumers’ credit cards and
hijacking victims’ computers to churn out spam.
Difficult to detect and increasingly sophisticated,
malvertising gangs have launched a series of high-profile attacks in recent
months. In early September, a group planted ads that wound up on the Web site of
The New York Times. Days later, malvertisers struck The Drudge Report. That
same month, Microsoft filed five lawsuits against malvertising groups with seemingly benign names such as “Soft
Solutions” and “Direct Ad.”
Beyond the consumers directly impacted by malware,
Polonetsky notes that malvertising gangs undermine the integrity of the
legitimate ad networks and reputable Web sites they strike. “If the idea that
just viewing an ad–not even clicking it–is bad,” he says, “it poses a huge
threat to the online advertising industry.”
What you can do: Check with and check out any company before
downloading their antivirus software. You can even try calling them, an effort that pales in comparison to the hassle of a virtual infection.
2. Flash Cookies
By now, most Web users are familiar with cookies, the
packets of code that store user data, remembering our preferences and automatically filling out
the contact forms in our online shopping carts. Cookies can be blocked entirely, removed frequently or allowed to pile up (often
slowing the browser to a crawl)–point is the user has the final word. Not so
with flash cookies.
“Cookies aren’t as easy as should be, but they’re
controllable,” says Polonetsky. “But flash cookies aren’t. Flash cookies can
stick around and reinstall the cookie after you delete it.”
As with many tricks of the behavioral-tracking trade, flash
cookies were intended as a helpful technology. Created as a means of storing
flash preferences that would otherwise be deleted by antivirus software, flash
cookies are filed away in Adobe Macromedia, so they don’t show up in your
browser. Because of this loophole, third-party advertisers can store consumer
profiles on flash cookies and track their online behavior long after they thought they’d deleted their cookies.
A recent report by researchers at UC Berkeley found that 54
of the top 100 Web sites use flash cookies, noting that “even the ‘Private
Browsing’ mode recently added to most browsers such as Internet Explorer 8 and
Firefox 3 still allows flash cookies to operate fully and track the user.”
What you can do: Firefox users can download a free add-on,
called Better Privacy, that can be set to automatically eliminate flash
cookies. Others can read more about their Adobe privacy settings here.
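To check whether a machine is exposed to the respawning described above, the following added example (not from the article or from Adobe) scans Flash Player's local shared object (`.sol`) files for identifiers that also appear as browser cookie values. The storage paths in the comments, the 8-character threshold and the sample data are assumptions of this example.

```python
import os
import tempfile
from collections import defaultdict

# Usual Flash Player storage roots (assumption: default install, not from the article):
#   Linux:   ~/.macromedia/Flash_Player/#SharedObjects
#   macOS:   ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects
#   Windows: %APPDATA%\Macromedia\Flash Player\#SharedObjects
MIN_ID_LEN = 8  # assumption: shorter values are too common to be tracking IDs


def find_lsos(root):
    """Yield (domain, path) for each .sol file under root.

    Flash Player stores files as <root>/<random dir>/<domain>/.../<name>.sol.
    """
    for dirpath, _dirs, files in os.walk(root):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        domain = parts[1] if len(parts) > 1 else "(unknown)"
        for name in files:
            if name.lower().endswith(".sol"):
                yield domain, os.path.join(dirpath, name)


def shared_identifiers(root, cookies):
    """Return {domain: {cookie names}} whose values also sit in a Flash LSO.

    cookies is an iterable of (name, value) pairs exported from the browser.
    A hit means the Flash store holds a copy of the ID, so deleting only the
    browser cookie leaves enough behind to recreate it.
    """
    candidates = [(n, v.encode()) for n, v in cookies if len(v) >= MIN_ID_LEN]
    hits = defaultdict(set)
    for domain, path in find_lsos(root):
        with open(path, "rb") as fh:
            blob = fh.read()  # string values are stored as raw UTF-8 bytes
        for name, value in candidates:
            if value in blob:
                hits[domain].add(name)
    return dict(hits)


if __name__ == "__main__":
    # Constructed sample: one LSO holding the same ID as the "uid" cookie.
    root = tempfile.mkdtemp()
    site = os.path.join(root, "AB12CD34", "tracker.example")
    os.makedirs(site)
    with open(os.path.join(site, "prefs.sol"), "wb") as fh:
        fh.write(b"\x00\xbfTCSO\x00uid\x02\x00\x10a1b2c3d4e5f60718\x00")
    print(shared_identifiers(root, [("uid", "a1b2c3d4e5f60718"), ("lang", "en")]))
```

Any domain this reports should have its Flash storage cleared together with its browser cookies, since clearing one without the other leaves the identifier recoverable.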
3. “Cookie appends”
Beyond clogging up your browser with bits of data, cookies
can track your online behavior. Schwartz says cookie tracking, or cookie
appends, are the next evolution of reverse email appends–whereby advertisers
access all sorts of personal information via your email address. Sign up for an
online newsletter recently? By crosschecking your email address, the publisher
may have access to everything from your name and address to your ethnicity,
personal interests, and credit score. A cookie append works in the same way.
“Say you buy something from GAP,” says Schwartz. “Working
with Experian, GAP can get all your personal information and build a personal
profile. Then they tie a cookie to you that watches everything you do,” further
adding to your profile.
Companies like Acxiom (profiled here by The Wall Street
Journal) and use tracking cookies to collect and analyze consumer data, categorize
consumers into “clusters” like “Apple Pie Families,” “Young Workboots,” and “Mixed Singles-Urban Scramble.” The data is then sold to online retailers and
used to serve up targeted ads.
4. Personal Health Data
In the past, advertisers tended to steer clear of tailoring
ads to consumers’ health interests. All those Google searches about that uncomfortable
rash? That was your business. But times have changed, according to Polonetsky.
“A few years ago ad networks started offering very detailed
health profiles,” he says. “It’s been hard for the industry to draw a bright
line. Pharma companies are looking for this info, and it’s hard to imagine a
small ad network turning down the money.”
Ad networks still largely avoid targeting sensitive health
issues, like cancer, and government regulations like HIPAA bar advertisers from
accessing your personal health records. Just don’t be surprised if you start
seeing ads for adult diapers after reading a news story on incontinence.
What you can do: As with cookie tracking, check with a
preference manager to see what kind of personal data advertisers are storing
5. ISP Tracking
If you thought the specter of ISP tracking, or deep-packet
inspection (DPI), vanished with NebuAd, the multimillion-dollar ad targeting
company that collapsed this past May under a class action lawsuit and
congressional inquiry, you were sadly mistaken. The practice–which involves
logging individuals’ surfing habits, including the terms they search and the
sites they visit, and using them to serve up ads–is alive and well at companies
like Phorm and Front Porch.
While much maligned by privacy advocates, DPI appears to be
gathering momentum; on November 26, various news outlets reported that Virgin
Media is planning to use the technique to monitor its network for illegal
filesharing, covertly examining peer-to-peer packets for copyright infringement.
“It comes down to understanding that the ISP is passing on
information,” says Schwartz. “They get everything you do online.”
What to do: Stay tuned. Schwartz says the U.S. House Energy
and Commerce Committee has advised ISPs that the practice is illegal, and
further legal action is pending.