Not long ago, if you were looking for a new car and suddenly started seeing auto ads everywhere, you might have thought this was a coincidence, or maybe the product of your own increased attention.
But, in the online realm, ad placement is based on pretty much everything except coincidence. Cookies and a variety of other tracking mechanisms allow advertisers, merchants, news services and non-profits to follow individuals’ activities so they can deliver specifically targeted content.
We often know about these mechanisms and appreciate the convenience they provide. Few people are likely to be surprised that Netflix keeps track of what movies they watch (if they watch them through Netflix, that is). Netflix also knows, if I fill out the ratings form, which movies I like best. It uses the information to suggest other titles I might enjoy. I benefit from that service.
Frequently, however, Internet users have no idea that they are being tracked. We browse in ignorant bliss while third parties take note of our viewing proclivities and buying habits, which can then be put to use to sell us sports memorabilia, hype a new restaurant or solicit our donations.
If you are unnerved by this, fear not: The government is preparing to step in. Last month the House Subcommittee on Commerce, Trade and Consumer Protection met to discuss the idea of a data privacy law, a concept championed by the committee’s former chairman, Rep. Bobby Rush, D.-Ill. At around the same time, the Department of Commerce and the Federal Trade Commission both released reports examining ways to regulate data collection on the Web. Both reports discuss the possibility of a “do not track” mechanism, which would allow Internet users to indicate to websites they visit that they want their information to remain private.
Most browsers are already equipped with a privacy mode that temporarily stops them from accepting cookies, caching web pages, or recording the user’s history. But browser-based privacy screens can interfere with websites that need to keep track of users’ activities in order to function fully. Many of the conveniences we take for granted, like forms that fill themselves in, disappear once the privacy shield goes up.
This is why most users enter privacy mode only when they’re doing something, well, private. It’s not altogether surprising that privacy mode is also commonly called “porn mode.” A “do not track” mode could selectively allow information to be tracked to improve the functionality of websites, without allowing that information to be entered into marketing databases — assuming website operators here and abroad respect regulators’ rules.
Privacy modes also fail when it comes to defending against new methods of data mining, including “fingerprinting.” Fingerprinting, a technique being developed by BlueCava Inc., is poised to emerge as a new industry standard. When computers interact with one another — for example, when one computer accesses a website hosted on another — they broadcast a wide array of information about their configurations, including what fonts are installed and what time zones their clocks are set to. This is necessary to ensure that websites display correctly. In fingerprinting, digital surveillance companies use all of this identifying information to distinguish individual computers and other devices as they roam the Web. The surveillance companies can then create profiles of these devices and, by extension, their users. BlueCava has even figured out how to use fingerprinting to link separate devices owned by the same person.
Since fingerprinting doesn’t rely on cookies, existing browser privacy modes don’t work. A “do not track” setting, on the other hand, could potentially be used to indicate to surveillance companies that certain computers’ “fingerprints” should not be kept on file. In fact, BlueCava has said that it intends to build in such an opt-out mechanism. However, despite this stated intention, it has not yet offered an opt-out to the owners of the 200 million devices whose fingerprints it says it has collected so far. There lies the problem with the “do not track” concept: It only works if the companies doing the tracking are willing to cooperate.
Rep. Rush, who introduced a data privacy bill last July and plans to do so again this year, said he is considering including a mandatory “do not track” mechanism. "Through such a mechanism, consumers could advise would-be trackers unambiguously and persistently that they do not wish to be followed by digital snoopers and spies across websites and their various fixed and mobile computing devices," he said.
Regulation may be neither the only answer, nor the best one. Outlawing certain methods of data collection may simply inspire other, more covert means of surveillance, or drive the surveillance companies offshore and out of the reach of American enforcement. Mozilla Corp., the maker of the popular Firefox browser, recently decided against including a new anti-tracking device with its next version of the browser precisely because it realized the device would prompt data miners to turn to more sophisticated, and potentially more deceptive, means.
Mozilla and other software companies are fairly agile, and able to make changes to their products as needed to anticipate and respond to advances in technology. The government is a bit slower on its feet.
As with many technological problems, the best solution may be technical rather than legal. One possibility might be for some company that is widely trusted by the public to act as an intermediary between users and the sites they visit, preventing users’ “fingerprints” from being lifted. Already, many web-surfers in China and Iran use proxy servers to disguise their online activities and gain access to blocked sites. Similar techniques could be developed to combat marketers’ snooping.
In the meantime, we will have to remember that the only guaranteed way to turn on “privacy mode” is to turn off the computer.