Tag You're It - Business Risks When Customers Find Out You are Tracking Them
Cathy Dwyer, PhD., Seidenberg School of Computer Science & Information Systems, Pace University


(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010


Outline
What is online behavioral advertising?
Who are the major behavioral targeting companies?
Brief overview of targeted advertising technology
Tools that reveal tracking of consumers
Examples of sites that use targeting
What are the risks from using these services?
Some recommendations


What is online advertising?

“Online Behavioral Advertising means the collection of data from a particular computer or device regarding Web viewing behaviors over time and across non-affiliate Web sites for the purpose of using such data to predict user preferences or interests to deliver advertising to that computer or device based on the preferences or interests inferred from such Web viewing behaviors.” – Source: IAB Self-Regulatory Principles

Requires a tagging mechanism (such as a cookie) and a tracking mechanism (collection of clickstream actions over time, creating a “digital profile”)


Who are the dominant behavioral targeting (BT) companies?

Source: knowprivacy.org


How widespread is BT?

Source: knowprivacy.org


Who represents BT industry interests?


Who represents consumer interests?
Federal Trade Commission (FTC)
Federal Communications Commission (FCC)
Center for Digital Democracy
Center for Democracy and Technology
Electronic Privacy Information Center
The Future of Privacy Forum*

Overview of BT Technology

BT is a generic name for a set of technologies that collects click stream data, develops data warehousing structures, applies data mining algorithms to uncover consumer browsing patterns, and serves targeted ads matched to an individual

BT customizes messages to individuals based on shopping interests, as well as gender, age, and ethnicity

BT terminology

Advertising network – establishes relationships with partner Web sites, collects visitor browsing data, and serves ads matched by algorithm to information known about the online visitor

Tagging – BT embeds digital tags to identify and track consumers. Tags can be placed within any persistent browser state, the most common means being cookies, Web beacons, and Flash cookies

BT terminology cont.

Web beacon – 1x1 pixel gif file loaded by your browser as an image -- but it is an image in name only
◦ Web beacons are invisible
◦ Their purpose is tracking, exploiting the cache as a place to store tags
◦ Browser will block cookies, but not Web beacons

Flash cookies – Adobe Flash uses a local data store that it refers to as shared data objects (Adobe provides an online tutorial describing how to use Flash for tracking)


To manage Flash cookies

Required to visit this web site:

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html


Analysis of Omniture Web bug

This web bug passes back to the advertising network Omniture my Google search term (“moms”) and the page I viewed (nycmomslikeme.com), and plants a unique ETag value in my browser cache.

ETag value: “4B8ADDFE-3B65-691578AA” (tag values can be used to connect non-contiguous browser sessions)


What is the appeal of behavioral targeting?
Every business needs to grow with new customers
How can you reach only those customers interested in your products and services?
Answer – target them
Here is an actual “sales pitch” from a behavioral targeting company (made to Pace U!):

“The retargeting strategy is totally invisible to the public … Students, faculty, administration, alumni and the public will not be impacted by retargeting strategies…. it is completely unobtrusive, behind-the-scenes, and relevant to the interests of your community.”

Translation: no one will know


Another sales pitch: We can track anyone

Lin Maio, CEO of Tatto Media:

“We are interested in methods that slow the ability of consumers to delete cookies from their computers. Flash cookies are no different than regular cookies in terms of privacy, but on average remain on a person’s computer for more than three months.” – Source: MediaPost

Translation: even if you try to block tracking, we will figure out another way to do it


My 2009 study found Levis.com planted tracking files from nine different companies to site visitors, but only identified one advertising partner in its privacy policy, Microsoft-owned Avenue A.

When asked by BusinessWeek to explain, Levis said:

“Microsoft lines up these other partners and changes them frequently, therefore it didn't seem necessary to list these other companies in the privacy policy.”


Day of reckoning is coming

Speaking at the NY OMMA Behavioral conference, Adam Kasper, director of digital media at Media Contacts, warned that a "watershed moment" is coming for behavioral targeting when consumers gain greater awareness of the extent to which their online activity can be tracked and targeted, triggering a backlash.

“It's the elephant in the room, and there's going to be a point where consumers get it and there's going to be a big public outcry”

– Source: MediaPost


FTC refers to tracking “ecosystem”
Browser plug-ins are available that identify who is tracking you while you browse (Ghostery and Privacy Choice)
Tracking “radar detectors” uncover the extent of tracking, and are real game changers
Reveal how tracking is carried out
Tracking is no longer hidden; we must assume all tracking is (or will soon be) visible to customers


Who is tracking entertainment/celebrity fans?


Who is tracking Moms?


Analysis of tracking on this page provided by Ghostery

Who is tracking ‘green’ consumers?


Who is tracking bible readers?


Who is tracking queries for medical information?


How should you think about using BT for your company?

Pay attention to your customers and what they expect from you

Commercial relationships – between buyer and seller – are carried out under a “social contract” of the market

Social expectations of seller – buyer will value their services and not try to defraud them

Social expectations of buyer – seller will respect their autonomy and not take advantage of opportunistic differences in information access


Unfortunate cycle of privacy management

“drift -- threat -- react”

Your customers have social expectations of how they will be treated when they visit your web site

If those expectations don’t match how their data is handled, then customers will blame you (not some unknown third party)

You may lose legitimacy and damage your reputation


Risks to companies who use targeted advertising
Who exactly are you doing business with?
Who are you trusting with your most valuable asset – your relationship with your customers?


IAB explains online advertising


173 tracking companies identified by Privacy Choice


Courtesy of Jim Brock, Founder of PrivacyChoice


Recommendations

Privacy governance structure

Create a culture of privacy that begins at the top of the organization

Create an accountable governance process for privacy

Use “personal insights” in evaluating the impact of privacy practices

From Culnan, Williams, MISQ Dec 2009


AICPA/CICA Generally Accepted Privacy Principles

Recently (2006) the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants released Generally Accepted Privacy Principles (GAPP)

Provides framework for governance structure for internal corporate privacy management of customer data


Use personal insight for guidance

Consider whether you would be comfortable if your data was handled the same way

Consider how your web site treats customers:

◦ If your web site were replaced by an ideal human sales person [albeit constrained to act through this interface], how would that sales person behave?

◦ If a human sales person were to act this way, how would he or she be perceived by your customers?


Questions?
Thank you!
Contact me for copy of slides: [email protected]
Follow me on Twitter: ProfCDwyer


Advertising Attribution Model: What if a consumer sees 10 ads? How will we know which one was the most effective? Brian Lesser’s answer: “we need tracking, we must have tracking” at OMNA Adnets, 11/3/09

Brian Lesser, General Manager, Media Innovation Group (a WPP company)


IAB Consumer choice principle

Consumer choice principle – “users of Web sites at which data is collected for online behavioral advertising [may] choose whether data is collected …. The choice will be provided by the third party entities collecting and using data for online behavioral advertising and the mechanism will found either at the [third party] Web or industry-developed Web sites.”

Translations – customers may be tracked on your site, and may blame you for it, but we will manage how and whether consumers can opt-out


I do want to suggest there needs to be an internal conversation at Levis about the specific risks that behavioral targeting brings to your company. Whatever industry practices may be, the fact is your brand is particularly vulnerable to any practices that involve deception. If your company has not done so already, I would recommend conducting focus groups where the behavioral targeting methods you are using are demonstrated in detail, and then consumers are asked for their feedback and reactions. This may be a better guide as to how you handle this technology in the future.

One concern I have about the NAI guidelines is that the behavioral targeting companies insist that only they can provide any opt out mechanisms or privacy controls. This means a web site like yours is completely dependent on the targeting company to handle the privacy options correctly. But your customers have a relationship with you, not with some hidden technology company, and they want to know that Levis is managing their privacy, not kicking the can down the road. If it doesn't work or the targeting being conducted on your site becomes apparent and visible, then your customers will blame you.

One thing that hasn't really happened with this issue is that companies like yours have not been vocal in this debate. I think that should change. You have an interest to protect that is different from consumers, and also different from the targeting companies. I don't think it is good policy to defer to targeting companies when there is the potential to damage your public reputation.


The Internet “needs” targeted advertising

All the wonderful services of the Internet, Facebook, YouTube, Twitter, and other social media are available to consumers who have come to expect no cost for them

The only way we can provide these services for no cost is through targeted advertising


Data transmitted via Web bug
Screen size (&s=1280x1024)
Referring site (&r=http://www.google.com/url), query (&q=moms)
List of installed software: &p=Move Media Player; Mozilla Default Plug-in; Turner Media Plugin 1.0.0.10; QuickTime Plug-in 7.3; Windows Genuine Advantage; Microsoft Office 2003; 2007 Microsoft Office system; Adobe Acrobat; Shockwave Flash; iTunes Application Detector; Google Earth Plugin; Picasa; Silverlight Plug-In; Windows Presentation Foundation; Google Updater; Google Update; Java™ Platform SE 6 U4; Microsoft® DRM;
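
An added example, not part of the original slides: a Python script a site owner could run over the requests recorded during one page load to list third-party, beacon-sized images, decode the &s, &r, &q and &p fields named on this slide, and note any ETag of the kind described in the Omniture web bug analysis. The hosts, request records, 100-byte size threshold and function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Parameter names as listed on the "Data transmitted via Web bug" slide.
BEACON_FIELDS = {"s": "screen size", "r": "referring site",
                 "q": "search query", "p": "installed software"}

# Constructed sample: requests seen while loading one page of the
# hypothetical site shop.example (hosts, paths, sizes, tags are made up).
CAPTURED = [
    {"url": "http://shop.example/index.html",
     "type": "text/html", "bytes": 18432, "etag": None},
    {"url": "http://img.shop.example/logo.gif",
     "type": "image/gif", "bytes": 5120, "etag": '"a1"'},
    {"url": "http://metrics.tracker.example/b/1.gif?s=1280x1024"
            "&r=http%3A%2F%2Fwww.google.com%2Furl&q=moms"
            "&p=QuickTime%20Plug-in%207.3%3BShockwave%20Flash",
     "type": "image/gif", "bytes": 43, "etag": '"CONSTRUCTED-TAG-01"'},
    {"url": "http://cdn.other.example/banner.gif",
     "type": "image/gif", "bytes": 20480, "etag": None},
]

def site_of(host):
    """Assumption: the site is the last two host labels (no suffix list)."""
    return ".".join(host.split(".")[-2:])

def audit(first_party, requests, max_beacon_bytes=100):
    """Return one finding per third-party, beacon-sized image request."""
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        if site_of(parts.hostname) == site_of(first_party):
            continue  # served by the site itself
        if not (req["type"].startswith("image/")
                and req["bytes"] <= max_beacon_bytes):
            continue  # third party, but a visible-sized resource
        params = parse_qs(parts.query)
        leaked = {BEACON_FIELDS[k]: v[0]
                  for k, v in params.items() if k in BEACON_FIELDS}
        # An ETag on a beacon is cached by the browser and sent back on
        # later visits, so it can serve as a tag even with cookies blocked.
        findings.append({"host": parts.hostname, "leaked": leaked,
                         "cache_tag": req["etag"]})
    return findings

if __name__ == "__main__":
    for f in audit("shop.example", CAPTURED):
        print(f["host"], "cache tag:", f["cache_tag"])
        for label, value in f["leaked"].items():
            print(f"  {label}: {value}")
```
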


Picture of a cookie

Cookie name _csuid

Tag value 4b76c7261b8ff9eb


Flash cookie from Clearspring

BT Terminology cont.

Browsing data collected is divided into Personally identifiable information (PII) and non-PII. Categories of PII include name, email address, SSN. Non-PII is everything else

Platform for Privacy Preferences (P3P) – mechanism for communicating machine readable privacy preferences developed by World Wide Web Consortium (W3C)


Culnan MISQ, Dec. 2009

“Because consumers are vulnerable in their dealings with businesses due to a lack of information about and an inability to control the subsequent use of their personal information, we argue that organizations have a moral responsibility to [consumers] to avoid causing harm and take reasonable precautions toward that end.”