UPDATE: A study by Stanford University Law School’s Center for Internet and Society has found that many online advertising networks are not adhering to their own privacy policies and continue to rely on and push out Web tracking cookies even after users have indicated that they do not wish to be tracked.
Half of 64 online advertising firms did not remove their tracking cookies from consumers’ computers after they have opted out of behavioral ad targeting. Twelve percent of those firms failed to remove tracking cookies, or continued to place them on consumers’ systems even after those consumers opted out of tracking. The study, which was carried out over several months by researchers at the Stanford Security Lab, suggest that voluntary, industry led efforts to reign in unwanted user tracking online may be falling short.
However, at least one of the companies named in the report says that the researchers reached false conclusions about tracking based on external observations, and didn’t verify their findings with the companies in question.
Results of the study were published on the Web site of Standford Law School. Researchers looked at the actions of 64 out of 75 members of the Network Advertising Initiative (NAI), a voluntary Internet advertising industry group formed to address concerns about online privacy violations. Researchers tested to see if behavioral tracking cookies were placed both before and after users opted out of tracking and enabled the Do Not Track options offered by the advertising networks. The Stanford Researchers manually identified tracking cookies and observe how they were altered throughout each test.
Results were discouraging. All but one of the 64 companies whose cookies were observed left existing tracking cookies in place after users elected the Do Not Track option. Half of the 64 left the cookies in place after users opted out of tracking all together. The survey, when taken together with a similar study done by Carnegie Mellon University in February, identified eight current NAI members that appear to continue tracking users even after they opt out of tracking – often in violation of promises made in their own privacy agreements. Among those are: 24/7 Real Media, Adconion, AudienceScience, Netmining, Undertone, Vibrant Media and Wall Street on Demand.
The Carnegie Mellon Study, released in March, also found low levels of compliance with the requirements set forth by the Network Advertising Initiative and the Digital Advertising Alliance (DAA). Both groups were established as efforts by the industry to self regulate in the face of scrutiny from the U.S. Federal Trade COmmission (FTC). Both groups require members to provide features, like the Ad Option feature, that make it easy for consumers to opt out of online advertising and tracking.
Together, the Stanford study and the study by Carnegie Mellon suggest that industry oversight of the effectiveness of these features and advertisers adherence to the terms of their own privacy policies is lacking. For example, Stanford researchers found that NAI member Adconion’s privacy policy states that a user is “free to opt out of the Adconion Cookie.” But that opting out deleted only one of three tracking cookies placed by the company, and left the other two in place. Ad firm AudienceScience tells users in its privacy policy that it will “delete all previously collected information from the cookies, and put new information in the cookie which tells us to stop collecting information from that device.”Researchers found that opting out of AudienceScience removes its unique tracking cookie but not a “highly unique cookie that represents the user’s interests.” Furthermore, subsequent reloads of the content updated the interest cookie.
AudienceScience now removes both the unique and the interest cookie from the customer’s machine, but was always in compliance with the NAI guidelines, CTO Basem Nayfeh told Threatpost.
Previously, when users chose the opt-out option, AudienceScience stripped personal information from the cookie and overwrote a unique customer ID with an opt-out ID. However, the company left the cookie itself and would update a time stamp setting within the cookie – in essence: indicating when the last time the cookie was seen by AudienceScience’s systems, Nayfeh said.
Stanford researchers couldn’t analyze the content of the cookie itself (it was encrypted) and failed to contact AudienceScience to clarify how the cookie was being altered after the opt-out option was selected, he said. Because the time stamp field was updated, reserachers observing the cookie would note that its size and encrypted value change, suggesting that the company was continuing to update the cookie with the consumer’s information.
Nayfeh said the company now removes the cookie entirely.
“In retrospect, I think confusion caused by the decision to not remove the cookie, as should have been done in the first place,” he said.
In a blog post, NAI Executive Director Charles Curran said that the researchers at Stanford confused “do not target” choices offered by online advertisers and “do not track” features that are built into many new browsers.
The group’s code commits members to providing an opt-out of the use of online data for behavioral advertising that will “make their ads more relevant,” but also recognizes that “companies sometimes need to continue to collect data for operational reasons that are separate from ad targeting based on a users online behavior.”
In the end, NAI it has what might be considered a ‘failure to communicate’ (our term not theirs) with the Stanford and CMU researchers. That is: the researchers expect that advertisers are looking for the kind of public interest ban on collecting “any data” from consumers, whereas the NAI and its members just feel a need to adhere to what NAI describes as “self regulatory commitments to limit ad targeting based on user interests.”
Nayfeh of AudienceScience thinks the industry led efforts are working.
“I think people in the industry take (the NAI guidelines) more seriously than people think we do,” he said.
It remains to be seen whether the FTC will step in with blanked protections for online privacy. The FTC has voiced concerns over Web tracking in the past, but so far hasn’t issued hard and fast rules limiting it. In December, 2010, for example, the Commission introduced preliminary report on protecting consumer privacy that called for a framework to address privacy issues raised by consumers and called for the creation of a Do Not Track mechanism. FTC Chairman Jon Leibowitz declared that consumers “deserve far better from the corporations we trust our data with.” Browser manufacturers have responded with extensions and built in features for their Web browsers that allows users to opt-out of ad tracking cookies.