[LINK] SMH: 'Inside the cookie monster ...'
Roger Clarke
Roger.Clarke at xamax.com.au
Tue Oct 5 08:29:58 AEDT 2010
[A lead-article on abuse of online consumer data.
[If anyone picks up material errors, it would be handy to know, thanks.
Inside the cookie monster - trading your online data for profits
Date: October 05 2010
The Sydney Morning Herald
p. 1 pointer to p. 4
Nicky Phillips
http://www.smh.com.au/technology/technology-news/inside-the-cookie-monster--trading-your-online-data-for-profits-20101004-164ee.html?skin=text-only
Sandwiched between a bakery and a health food supermarket in the
heart of Cupertino, California, is the headquarters of a new kind of
stock exchange - one that trades data, your data.
It is operated by a US company called BlueKai and at any moment on a
typical day the interests and preferences of more than 200 million
web users are for sale to the highest bidder. [*Any* bidder?]
The data is divided into categories - everything from wedding dresses
and mountain bike helmets to coffee makers and luggage - with users
identified by the ''unique identifier'' of their web browser, the
software that finds, retrieves and presents information online. In
the right hands, the data is marketing gold dust because it allows
advertisers to target consumers showing a clear interest in a product
or category. Someone who goes online to research internet security
software, for example, might receive advertisements from a software
company within hours, perhaps minutes of their first mouse click. The
potency of such advertising has turned online data trading into a
burgeoning industry. (There already at least seven US data exchanges
similar to BlueKai.)
Many users are oblivious to its existence but this
multimillion-dollar enterprise is founded on the covert business of
spying on web surfers.
The industry's primary tools are tracking devices deployed on
thousands of websites, surreptitiously gathering information about
visitors. Australian users are far from immune.
A Herald review of the top 10 most-viewed Australian-owned websites -
or those with an Australian subsidiary - revealed a startling picture
of this extensive, and increasingly intrusive, practice.
Ninemsn.com.au installed the most tracking devices - 109. Bigpond.com
had 93 and smh.com.au 86. Google tracks users on the more than 1
million websites that display its advertisements.
The information these devices gather is considered anonymous because
it identifies web browsers, not individuals. But the aggregation of
data from multiple sources means companies can quickly build a
detailed profile of a user - so detailed that some people outside the
industry fear privacy is at risk.
Privacy laws in Australia cover only the use of personal information
such as names and addresses. But because your online activity is
linked only to a browser ID, it is not considered personal
information and as a result the industry is almost entirely
self-regulated.
[It's not as clear-cut as Nicky suggests.
[The data is arguably subject to Australian privacy aw:
http://www.austlii.edu.au/au/legis/cth/consol%5fact/pa1988108/s6.html
"Personal information means information ... about an individual whose
identity ... can reasonably be ascertained, from the information or
opinion".
[But even is the actions are in breach of Australian law, the law is
subject to no sanctions, some of the companies are out of
jurisdictional reach, and the previous PC'er was hostile to consumers
and very friendly to business and government. (What the new regime
will be like is yet to be seen).]
Website privacy policies are often vague and unclear, leading to
suggestions that web users are being manipulated by advertisers who
are not open about what they are doing. There are also genuine fears
that all this data could end up in the wrong hands. Tracking devices
come in a variety of forms, including cookies, web beacons and flash
cookies. Cookies are placed by the owner of the website and record
basic information such as passwords and preferences. They have a
reputation for being innocuous.
Online tracking is done almost entirely by cookies and beacons -
invisible images embedded in a web page - which belong to companies
other than the original website. The combination of the beacon and
the cookie allows this third-party company to see automatically what
elements of a page the user has clicked on, potentially identifying
information held in the URL of the page the computer is visiting,
such as an email address.
What happens with that data is now out of the user's hands.
Most of these third-party companies, usually advertisers and data
collectors, have relationships with hundreds, sometimes thousands, of
websites, making it possible for them to follow a user's progress
across the web. Over time, this covert surveillance allows them to
build detailed profiles of the user's interests and activities.
Ed Harrison, the commercial director of media for Fairfax Digital -
which is part of Fairfax Media, the publisher of the Herald - said it
used cookies to track users' behaviour, create a better user
experience and optimise the effectiveness of advertising.
"The benefit is that we are providing more relevant advertising to
consumers," he said.
The ABC website has 42 tracking devices. Carolyn MacDonald, the head
of marketing at ABC Innovation, said they were used to monitor
audience engagement with an external advertising campaign and to
measure website traffic.
But the privacy policies of smh.com.au, news.com.au and the ABC do
not mention their use of third-party cookies or beacons. Bigpond.com
and ninemsn do disclose their use of third-party tracking devices and
who installed them. But none of the websites declared how long data
would be retained.
[It needs analysing whether the ABC is in breach. APF Board members
met with Mark Scott some months ago. But we were discussing whether
the ABC would adopt the lead-role in establishing a code for
reporters, not whether the ABC's web-sites breach the public's
expectations, let alone breach privacy law!]
"Privacy policies are often intentionally really vague and you can't
tell what they do," wrote a privacy researcher, Ashkan Soltani, in a
recent study.
Most of the websites the Herald analysed said they shared information
on web customers only within their network or with business partners.
But Mr Soltani said that as some companies had up to 2000 affiliates,
that was hardly an exclusive group.
The websites said the information collected was anonymous because
users were identified by a unique code in a cookie assigned to their
computer and their data was often aggregated with information from
other users. Users were also free to delete their cookies, or opt out
of being tracked. "We are not tracking an individual, but a browser,"
Mr Harrison said.
In Australia and many other countries, data collecting is not a crime
because the information is not considered personal.
But the Greens senator Scott Ludlam said Australia's privacy laws
needed to be reviewed to keep up with the changing online environment.
The acting Privacy Commissioner, John McMillan, admitted data
aggregation was a privacy issue but would not say the practice could
be breaking the law.
The extent and sophistication of consumer profiling has sparked fears
among technologists, privacy advocates and even regulators that web
users' anonymity is under threat.
''If you start collecting these bits of data from all over the place
you can develop quite a detailed profile of [a] person,'' said a
computer engineer, Carlos Jensen, of Oregon State University.
A computer researcher, Catherine Dwyer, at Pace University in New
York, said: ''The clear intent of data collection is to track
consumers over time and build up digital dossiers of their interests
and shopping activities.''
For more than a year, Telstra has been combining demographic
information about its phone customers with data culled from their
online browsing habits. When customers access their online account to
pay a bill, MediaSmart - which Telstra owns - places a unique ID in a
cookie on the user's computer. Telstra then builds a detailed profile
that includes the user's age and gender as well as search categories
used on Telstra's other websites such as the Yellow and White Pages,
Where Is and Big Pond shopping and movies. The more Telstra knows
about a web user, the more targeted its ads can be.
For example, if a user searches the Yellow Pages for paint, they
might receive paint advertisements on the Bigpond home page the next
day.
The general manager of MediaSmart, Mark Shaw, said this approach
allowed ''advertisers to influence people at a critical moment in
their purchasing decision-making.''
Bigpond said users could opt out of targeted advertising.
Telstra is not the only company to gather web users' online interests
and behaviour. Fairfax Digital and Yahoo7 also do it.
While all these companies insist the information is not shared
outside their network, there are concerns that businesses will
eventually sell their data. "If there is money to be made, you'd be
amazed what companies will do," said Mr Soltani.
eBay.com.au already allows information on its web browsers to be
collected and auctioned on data exchanges such as BlueKai.
BlueKai said it did not allow sensitive information such as mental
health, sexual orientation or religious beliefs to be auctioned on
the exchange.
But the greatest fear of many watching the rapid expansion of online
tracking and data collecting is whose hands the information may
ultimately fall into. With the industry almost entirely
self-regulated, there appear to be almost no practical legal limits
on how the data can be used.
''Imagine an insurance company wanting to know what kind of risk they
are assuming with this person. Here is a person who is researching a
lot of medical information. That might be a red flag,'' said a cyber
law researcher, David Vaile.
Insurance companies could be on the phone to BlueKai right now.
WHAT WE DID
The Herald analysed the tracking devices installed on a Fairfax Media
laptop by the top 10 most-viewed Australian-owned websites (including
websites with Australian subsidiaries) as identified by analytics
company Nielsen. Each site was reviewed using software programs
called Tamper Data, Ghostery and Add and Edit Cookie.
Each website was visited multiple times and all data was removed from
the computer before the next website was assessed. The Herald
considers tracking devices to be any cookies, beacons or flash
cookies placed by companies other than the original website visited.
HOW TO STOP THE TRACKERS
Cookies are managed by the user's web browser. You can set your web
browser to not accept third-party cookies or automatically delete
cookies when the browser is closed. Beacons cannot be deleted and are
not stored on your computer. They run as part of the normal function
of many websites. However, you can opt out of being tracked by
publishers, advertisers or data collectors and exchanges by visiting
the National Advertising Initiative's opt-out page or the websites of
various companies such as BlueKai and Yahoo. To remove Flash cookies,
web users must visit Adobe's website.
GLOSSARY
COOKIES: small text files loaded onto a user's computer. Many
cookies recognise a browser when it returns to the site, remembering
user preferences and passwords.Tracking users across the internet is
mainly done by ''third-party'' cookies, installed by companies other
than the website.
BEACONS: tiny invisible graphics similar to cookies, which are also
used to track the movements of users. Web beacons are embedded on web
pages and users cannot remove them.
FLASH COOKIES: Any website that uses Adobe Flash videos may use these
cookies. Some websites allow third-party Flash cookies. Can be
deleted by visiting the Adobe website.
Profiling children proves kids' stuff for advertisers
Nicky Phillips
October 5, 2010
The Sydney Morning Herald
http://www.smh.com.au/technology/technology-news/profiling-children-proves-kids-stuff-for-advertisers-20101004-164er.html
Vivien Suttner knows her two young boys will be bombarded with
advertisements whenever they venture online.
''I don't like that children have become such a target of
advertising, but I know it is unavoidable,'' she said.
What she finds disconcerting is the online games her children, aged
eight and 10, play may be tracking their movements across the
internet and sharing such information with advertisers, who build a
profile of their behaviour to better target them.
Online surveillance has become a fast-growing practice with the
explicit aim of surreptitiously gathering as much data on web users'
behaviour and activities as possible.
Children's gaming websites are part of this data collection industry,
and install large numbers of covert devices.
Of the four children's gaming websites the Herald visited, three used
tracking devices, such as cookies, web beacons and flash cookies [see
glossary].
A cyber law researcher, David Vaile, said advertisers and data
collectors were developing extremely sophisticated tools for
tracking. "With some of these technologies, unless you've got a
detector or know what you're looking for, you won't know they are
there," said Mr Vaile, of the University of NSW's cyberspace law and
policy centre.
The tracking is almost always carried out by third party companies,
not the original website. "You can discover a dozen or more different
companies' tracking tools on the one page," he said.
The devices don't ask the user's permission to collect data, identify
themselves or explain the data will be stored offshore. "These
invisible bugs don't play nicely."
One of the most pervasive and covert tracking devices being deployed
by websites are Flash cookies, which are stored on an external server.
Chris Harris, from the gaming website Ninjakiwi.com, said they used
flash cookies to store information such as scores and game levels.
"It is important to [use flash cookies] with flash games so players
don't have to re-do everything if they leave the site.
But flash cookies can be used by data collector as tracking devices
and have the potential to reinstall deleted regular cookies.
In the US, individual web users have sued several large advertising
and data collection companies for using a sophisticated tracking
device called flash cookies which have the potential to re-spawn
deleted cookies.
Mrs Suttner, an educational psychologist, said if companies were
building profiles on children there should be some form of regulation.
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University
More information about the Link
mailing list