[LINK] SMH: 'Inside the cookie monster ...'

Roger Clarke Roger.Clarke at xamax.com.au
Tue Oct 5 08:29:58 AEDT 2010


[A lead-article on abuse of online consumer data.
[If anyone picks up material errors, it would be handy to know, thanks.

Inside the cookie monster - trading your online data for profits
Date: October 05 2010
The Sydney Morning Herald
p. 1 pointer to p. 4
Nicky Phillips
http://www.smh.com.au/technology/technology-news/inside-the-cookie-monster--trading-your-online-data-for-profits-20101004-164ee.html?skin=text-only

Sandwiched between a bakery and a health food supermarket in the 
heart of Cupertino, California, is the headquarters of a new kind of 
stock exchange - one that trades data, your data.

It is operated by a US company called BlueKai and at any moment on a 
typical day the interests and preferences of more than 200 million 
web users are for sale to the highest bidder.  [*Any* bidder?]

The data is divided into categories - everything from wedding dresses 
and mountain bike helmets to coffee makers and luggage - with users 
identified by the ''unique identifier'' of their web browser, the 
software that finds, retrieves and presents information online. In 
the right hands, the data is marketing gold dust because it allows 
advertisers to target consumers showing a clear interest in a product 
or category. Someone who goes online to research internet security 
software, for example, might receive advertisements from a software 
company within hours, perhaps minutes of their first mouse click. The 
potency of such advertising has turned online data trading into a 
burgeoning industry. (There already at least seven US data exchanges 
similar to BlueKai.)

Many users are oblivious to its existence but this 
multimillion-dollar enterprise is founded on the covert business of 
spying on web surfers.

The industry's primary tools are tracking devices deployed on 
thousands of websites, surreptitiously gathering information about 
visitors. Australian users are far from immune.

A Herald review of the top 10 most-viewed Australian-owned websites - 
or those with an Australian subsidiary - revealed a startling picture 
of this extensive, and increasingly intrusive, practice.

Ninemsn.com.au installed the most tracking devices - 109. Bigpond.com 
had 93 and smh.com.au 86. Google tracks users on the more than 1 
million websites that display its advertisements.

The information these devices gather is considered anonymous because 
it identifies web browsers, not individuals. But the aggregation of 
data from multiple sources means companies can quickly build a 
detailed profile of a user - so detailed that some people outside the 
industry fear privacy is at risk.

Privacy laws in Australia cover only the use of personal information 
such as names and addresses. But because your online activity is 
linked only to a browser ID, it is not considered personal 
information and as a result the industry is almost entirely 
self-regulated.

[It's not as clear-cut as Nicky suggests.
[The data is arguably subject to Australian privacy aw:
http://www.austlii.edu.au/au/legis/cth/consol%5fact/pa1988108/s6.html
"Personal information means information ... about an individual whose 
identity ... can reasonably be ascertained, from the information or 
opinion".
[But even is the actions are in breach of Australian law, the law is 
subject to no sanctions, some of the companies are out of 
jurisdictional reach, and the previous PC'er was hostile to consumers 
and very friendly to business and government.  (What the new regime 
will be like is yet to be seen).]

Website privacy policies are often vague and unclear, leading to 
suggestions that web users are being manipulated by advertisers who 
are not open about what they are doing. There are also genuine fears 
that all this data could end up in the wrong hands. Tracking devices 
come in a variety of forms, including cookies, web beacons and flash 
cookies. Cookies are placed by the owner of the website and record 
basic information such as passwords and preferences. They have a 
reputation for being innocuous.

Online tracking is done almost entirely by cookies and beacons - 
invisible images embedded in a web page - which belong to companies 
other than the original website. The combination of the beacon and 
the cookie allows this third-party company to see automatically what 
elements of a page the user has clicked on, potentially identifying 
information held in the URL of the page the computer is visiting, 
such as an email address.

What happens with that data is now out of the user's hands.

Most of these third-party companies, usually advertisers and data 
collectors, have relationships with hundreds, sometimes thousands, of 
websites, making it possible for them to follow a user's progress 
across the web. Over time, this covert surveillance allows them to 
build detailed profiles of the user's interests and activities.

Ed Harrison, the commercial director of media for Fairfax Digital - 
which is part of Fairfax Media, the publisher of the Herald - said it 
used cookies to track users' behaviour, create a better user 
experience and optimise the effectiveness of advertising.

"The benefit is that we are providing more relevant advertising to 
consumers," he said.

The ABC website has 42 tracking devices. Carolyn MacDonald, the head 
of marketing at ABC Innovation, said they were used to monitor 
audience engagement with an external advertising campaign and to 
measure website traffic.

But the privacy policies of smh.com.au, news.com.au and the ABC do 
not mention their use of third-party cookies or beacons. Bigpond.com 
and ninemsn do disclose their use of third-party tracking devices and 
who installed them. But none of the websites declared how long data 
would be retained.

[It needs analysing whether the ABC is in breach.  APF Board members 
met with Mark Scott some months ago.  But we were discussing whether 
the ABC would adopt the lead-role in establishing a code for 
reporters, not whether the ABC's web-sites breach the public's 
expectations, let alone breach privacy law!]

"Privacy policies are often intentionally really vague and you can't 
tell what they do," wrote a privacy researcher, Ashkan Soltani, in a 
recent study.

Most of the websites the Herald analysed said they shared information 
on web customers only within their network or with business partners.

But Mr Soltani said that as some companies had up to 2000 affiliates, 
that was hardly an exclusive group.

The websites said the information collected was anonymous because 
users were identified by a unique code in a cookie assigned to their 
computer and their data was often aggregated with information from 
other users. Users were also free to delete their cookies, or opt out 
of being tracked. "We are not tracking an individual, but a browser," 
Mr Harrison said.

In Australia and many other countries, data collecting is not a crime 
because the information is not considered personal.

But the Greens senator Scott Ludlam said Australia's privacy laws 
needed to be reviewed to keep up with the changing online environment.

The acting Privacy Commissioner, John McMillan, admitted data 
aggregation was a privacy issue but would not say the practice could 
be breaking the law.

The extent and sophistication of consumer profiling has sparked fears 
among technologists, privacy advocates and even regulators that web 
users' anonymity is under threat.

''If you start collecting these bits of data from all over the place 
you can develop quite a detailed profile of [a] person,'' said a 
computer engineer, Carlos Jensen, of Oregon State University.

A computer researcher, Catherine Dwyer, at Pace University in New 
York, said: ''The clear intent of data collection is to track 
consumers over time and build up digital dossiers of their interests 
and shopping activities.''

For more than a year, Telstra has been combining demographic 
information about its phone customers with data culled from their 
online browsing habits. When customers access their online account to 
pay a bill, MediaSmart - which Telstra owns - places a unique ID in a 
cookie on the user's computer. Telstra then builds a detailed profile 
that includes the user's age and gender as well as search categories 
used on Telstra's other websites such as the Yellow and White Pages, 
Where Is and Big Pond shopping and movies. The more Telstra knows 
about a web user, the more targeted its ads can be.

For example, if a user searches the Yellow Pages for paint, they 
might receive paint advertisements on the Bigpond home page the next 
day.

The general manager of MediaSmart, Mark Shaw, said this approach 
allowed ''advertisers to influence people at a critical moment in 
their purchasing decision-making.''

Bigpond said users could opt out of targeted advertising.

Telstra is not the only company to gather web users' online interests 
and behaviour. Fairfax Digital and Yahoo7 also do it.

While all these companies insist the information is not shared 
outside their network, there are concerns that businesses will 
eventually sell their data. "If there is money to be made, you'd be 
amazed what companies will do," said Mr Soltani.

eBay.com.au already allows information on its web browsers to be 
collected and auctioned on data exchanges such as BlueKai.

BlueKai said it did not allow sensitive information such as mental 
health, sexual orientation or religious beliefs to be auctioned on 
the exchange.

But the greatest fear of many watching the rapid expansion of online 
tracking and data collecting is whose hands the information may 
ultimately fall into. With the industry almost entirely 
self-regulated, there appear to be almost no practical legal limits 
on how the data can be used.

''Imagine an insurance company wanting to know what kind of risk they 
are assuming with this person. Here is a person who is researching a 
lot of medical information. That might be a red flag,'' said a cyber 
law researcher, David Vaile.

Insurance companies could be on the phone to BlueKai right now.


WHAT WE DID

The Herald analysed the tracking devices installed on a Fairfax Media 
laptop by the top 10 most-viewed Australian-owned websites (including 
websites with Australian subsidiaries) as identified by analytics 
company Nielsen. Each site was reviewed using software programs 
called Tamper Data, Ghostery and Add and Edit Cookie.

Each website was visited multiple times and all data was removed from 
the computer before the next website was assessed. The Herald 
considers tracking devices to be any cookies, beacons or flash 
cookies placed by companies other than the original website visited.

HOW TO STOP THE TRACKERS

Cookies are managed by the user's web browser. You can set your web 
browser to not accept third-party cookies or automatically delete 
cookies when the browser is closed. Beacons cannot be deleted and are 
not stored on your computer. They run as part of the normal function 
of many websites. However, you can opt out of being tracked by 
publishers, advertisers or data collectors and exchanges by visiting 
the National Advertising Initiative's opt-out page or the websites of 
various companies such as BlueKai and Yahoo. To remove Flash cookies, 
web users must visit Adobe's website.

GLOSSARY

COOKIES: small text files loaded onto a user's computer.  Many 
cookies recognise a browser when it returns to the site, remembering 
user preferences and passwords.Tracking users across the internet is 
mainly done by ''third-party'' cookies, installed by companies other 
than the website.

BEACONS: tiny invisible graphics similar to cookies, which are also 
used to track the movements of users. Web beacons are embedded on web 
pages and users cannot remove them.

FLASH COOKIES: Any website that uses Adobe Flash videos may use these 
cookies.  Some websites allow third-party Flash cookies. Can be 
deleted by visiting the Adobe website.


Profiling children proves kids' stuff for advertisers
Nicky Phillips
October 5, 2010
The Sydney Morning Herald
http://www.smh.com.au/technology/technology-news/profiling-children-proves-kids-stuff-for-advertisers-20101004-164er.html

Vivien Suttner knows her two young boys will be bombarded with 
advertisements whenever they venture online.

''I don't like that children have become such a target of 
advertising, but I know it is unavoidable,'' she said.

What she finds disconcerting is the online games her children, aged 
eight and 10, play may be tracking their movements across the 
internet and sharing such information with advertisers, who build a 
profile of their behaviour to better target them.

Online surveillance has become a fast-growing practice with the 
explicit aim of surreptitiously gathering as much data on web users' 
behaviour and activities as possible.

Children's gaming websites are part of this data collection industry, 
and install large numbers of covert devices.

Of the four children's gaming websites the Herald visited, three used 
tracking devices, such as cookies, web beacons and flash cookies [see 
glossary].

A cyber law researcher, David Vaile, said advertisers and data 
collectors were developing extremely sophisticated tools for 
tracking. "With some of these technologies, unless you've got a 
detector or know what you're looking for, you won't know they are 
there," said Mr Vaile, of the University of NSW's cyberspace law and 
policy centre.

The tracking is almost always carried out by third party companies, 
not the original website. "You can discover a dozen or more different 
companies' tracking tools on the one page," he said.

The devices don't ask the user's permission to collect data, identify 
themselves or explain the data will be stored offshore. "These 
invisible bugs don't play nicely."

One of the most pervasive and covert tracking devices being deployed 
by websites are Flash cookies, which are stored on an external server.

Chris Harris, from the gaming website Ninjakiwi.com, said they used 
flash cookies to store information such as scores and game levels.

"It is important to [use flash cookies] with flash games so players 
don't have to re-do everything if they leave the site.

But flash cookies can be used by data collector as tracking devices 
and have the potential to reinstall deleted regular cookies.

In the US, individual web users have sued several large advertising 
and data collection companies for using a sophisticated tracking 
device called flash cookies which have the potential to re-spawn 
deleted cookies.

Mrs Suttner, an educational psychologist, said if companies were 
building profiles on children there should be some form of regulation.


-- 
Roger Clarke                                 http://www.rogerclarke.com/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University



More information about the Link mailing list