Who's Tracking Your Web Movements?

Dec. 4, 2007 — -- There is a fundamental disconnect between Internet consumers and their online privacy. Every survey suggests that consumers are worried about their online privacy. But when it comes to understanding how to protect their personal information, the gap looms large.

A recent report from the Annenberg School at the University of Pennsylvania and the Samuelson Clinic at the University of California-Berkeley Boalt School of Law offers this troubling assessment: "When consumers see the term 'privacy policy,' they assume the Web site cannot engage in many practices that, in reality, are common in e-commerce."

For example, most online consumers believe that the mere presence of the phrase "privacy policy" means that the Web site will not share any of their personal information with other Web sites or companies, according to the report.

Yet in practice, the phrase means nothing of the sort and instead provides consumers with the details on just how their information is stored, what information is being collected, and with whom that information can be shared (although there is also much debate about whether consumers who do read privacy policies can even understand their legalese).

A significant minority falsely believes that privacy policies bar a Web site from developing a profile of a person's online activities, a practice increasingly embraced by online marketers.

Consumers need to realize that with every click of the mouse they are leaving electronic footprints that can be tracked, collected, stored, collated, aggregated and massaged to create a stunningly accurate personal profile of their online activities, preferences and behaviors. There is a name for this practice: behavioral tracking.

Behavioral tracking is most often accomplished through the use of cookies, tiny data files that live on consumers' computers, placed there by Web sites and advertisers on those sites.

Cookies are nothing new, and they often serve to make the online experience easier, for example by remembering passwords, personalizing news preferences or remembering the items left in a site's online shopping cart from a previous visit.

All Internet browsers have tools that allow consumers to corral their cookies in numerous ways, including blocking all third-party cookies that permit advertising networks to track consumer behavior across sites. Having to fiddle with Web browser settings and preferences can be intimidating, and separating helpful cookies from tracking cookies can be a formidable task.

But vigilant cookie management alone can't defeat more sophisticated ways of tracking you online. Certain cookies seem impervious to efforts to wipe them out. Some new business models bypass cookies altogether, collecting click stream data directly from Internet service providers. Although an entire industry has grown up to specifically track online behavior and develop rich profiles for advertising purposes, the current structure for protecting consumer privacy interests is woefully inadequate. Consumers deserve meaningful choices and controls over their personal information, and there needs to be a way to enforce their privacy rights.

In November the U.S. Federal Trade Commission held a two-day meeting to discuss the issue of online behavioral tracking. Industry representatives, hoping to forestall any kind of government intervention, offered their own proposals, promising an increased level of vigilance in their efforts to educate customers about information gathering and tracking practices, and tools to make it easier for customers to essentially "Just Say No" to such practices.

Critics of behavioral tracking, including our organization, told the FTC that current industry guidelines aimed at protecting online consumer privacy aren't working and that change was needed to rein in and give consumers more control. To that end, the FTC was presented with a set of proposals, including the creation of a "Do Not Track" list. Such a list would function much like the current "Do Not Call" list but the list would not include consumer names and information.

Instead the plan calls for the FTC to compile and manage a list of servers and devices used to place tracking identifiers (including those contained in cookies) on consumers' computers. With such a list freely available to the public through the FTC, the community of browser and other software developers could create tools that would easily allow consumers to use the list to block the placement of those tracking identifiers, and thereby prevent advertisers and Web sites from tracking their activities on the Web.

"The Do Not Track" list would not prevent advertisers from serving ads, nor would it interfere with the use of helpful cookies that support users' online preferences. But it would put control back where it belongs -- with users -- and it would lay the foundation for consumers to be able to make informed choices about their privacy online.

Leslie Harris is president and CEO of the Center for Democracy & Technology.