Online Ads, Privacy Remain In FTC Crosshairs

AC95 writes "The FTC wants to give users a browser-based tool for opting out of online behavioral tracking, a proposal that has privacy advocates cheering and online advertisers up in arms. A key issue, says FTC attorney Loretta Garrison, is that while most consumers know they're tracked online, they don't fully appreciate how much information is collected. Tim O'Reilly, founder and CEO of O'Reilly Media, worries about knee-jerk legislation criminalizing mistakes that are an inherent part of applying any new technology."

Re:blast

[DJRumpy]

Google is a data miner. Although I know they collect information, I also use their services for free. I understand it's a trade of services for something of value, so I'm not totally opposed to it, although it does give me pause when I use google to search and I have a google account. Although it's easy to claim they don't tie my account info to my searches, It would be a goldmine (literally) if they did so. I find it hard to believe they aren't collecting more than I'm aware of. I applaud this intent by the FTC. After all, Google will still have billions who never install such a plugin, or turn such a feature to exclude them from data mining on in their browser.

I don't want no stinking toolbar to help me out... F those data miners!

An orgy of data

[Itninja]

If you can't fight it, exploit it. I have actually gotten some pretty cool (free) stuff by misrepresenting myself to various sites online (up to the legal limit, of course).Everything from free Amazon gift cards, to free electronics. I even got a free mobile phone (with service paid for 6 months) once because I claimed I had a business with over 100 employees and that I made over $100K yearly (that was back in 1998 when phones were pricier and I only made about 1/3 of that). Free magazine subscriptions, free enterprise web hosting, free lawnmowers, it's all there for the taking for those willing to game the game.

Re:blast

[hedwards]

Indeed, it really depends on how it's being done. It's one thing to restrict such monitoring to the time that you're on their site, and possibly where you go via links and how you get there, but going any further than that is dubious at best. As far as I'm concerned it's fair game for them to mine their own site, provided of course that there's adequate warning and an option to opt out, presumably leaving the site.

Re:blast

[vux984]

Google is a data miner. Although I know they collect information, I also use their services for free.

Their search service and their map service are the only services I use. I am presented their sponsored links in exchange for both. They don't require more than that.

Although it's easy to claim they don't tie my account info to my searches,

Where did they ever claim that? I fully expect they can and do tie your account to your web searches to whatever browsing information their ad tracking cookies report back to your usage of google maps to whatever the umpteen million 3rd party sites using google analytics on the backend give them.

And that's before talking about their image face tagging, youtube efforts, or harvesting your social network through your email contacts and their attempts to expand on that via google talk, and voice... and wave... not to mention the google toolbars...

Hell, even if you don't have a gmail account, they can construct a pretty good social network on an awful LOT of people just based on the gmail users who have you in their contact lists...

Re:With the right addon...

[similar_name]

What about tracking the IP? I use Linux and my roommate uses Windows. I have had to search for drivers and technical information many many times for Linux. One weekend I reinstalled Windows for my roommate. On a fresh install under Windows I began to search for drivers. Google's results kept taking me to sites for Linux drivers.

Don't accept cookies?

[ynohoo]

I only accept cookies from sites I trust. Yes this sometimes causes problems on untrusted sites - which gives me further reason to not trust them! If a web designer does not anticipate "no cookie" users, their intention is to give your privacy a good shafting.

Stop Following Me Around, Club Med

[speedlaw]

I got a taste of this when I went looking online for vacations. I saw "club med" ads on every page I went to for a good two weeks. It got really creepy after a while. I went away but NOT to Club Med.

Re:Very Muddy Waters

[Kirijini]

I would guess we all probably fall into two camps- either dramatically underestimating or dramatically overestimating the level of information stored in the profile. Without better specifics in the hands of the populace about the level of personal details, it doesn't seem to me that a fair level of regulation can possibly be drafted by public officials.

Yes.

An easy regulation that doesn't require google or other online businesses to change their business model (much) would be to simply require them to release all collected data on a user to that user on request (while also making sure that the information is provided securely and confidentially). Attach some kind of civil (rather than criminal, which would probably go to far) penalty, and allow users to sue, either as a class action, or individually. This scheme wouldn't prevent Google from collecting data, but would allow users to understand what data they're giving over, and what kind of uses it can be put to. Google already has the privacy dashboard, but I'm thinking much more granular stuff, including, as others have pointed out, what data about you is collected from your email contacts, etc.

Then, users have the real potential to understand whether or not they want to use the service. It also encourages businesses not to abuse their gathered data. Thus, the market could possibly self-regulate to meet the that magical equilibrium where all parties are as close as possible to maximizing utility. Either no further regulation would be necessary, or the regulation would at least be better informed and more likely to be efficient

Re:blast

[DJRumpy]

That is my point. If Google ties my searches to targeted advertising, then it's a form of data mining being sold for-profit to advertisers interested in what I'm interested in. I actually don't mind targeted ads as I simply block all of them anyway, but I do have privacy concerns that at some point they may tie my search to the 'ME' identity of my iGoogle account.

Wrong! You are confusing just plain advertising with "behavior tracking".

How would a Do-Not-Track system work?

[scdeimos]

I'm all for the FTC/government cracking down on behavioural tracking, but how would such a system work and how could it even be policed?

In the case of the Do-Not-Call system:

• Individuals must register their telephone number with the government (in Australia, at least, you have to repeat this registration every 12 months)
• The government then exports the list to the advertisers/marketers on a regular basis.
• Advertisers/marketers are expected to integrate the list with their systems and honour its content.
• If advertisers/marketers call a number on the Do-Not-Call list it's still up to the individual to complain to the government about it, and the government is expected to pounce on the advertiser/marketer if the number was registered more than 30 days ago.

How would such a system translate to the web? (And I say the web as opposed to the internet as a whole, since the web seems to be where the battlefront is at the moment.)

Possiblities:

• Individuals have to register their IP addresses: fails because of dynamic IP address assignment at most ISP's.
• Individuals have to create a special Cookie: fails because Cookies are only sent to their origin domain - you can't set one for *.com, *.edu, etc.
• Special "X-Do-Not-Track: Yes" HTTP header: this could work but may be stripped by certain proxy servers enroute, rendering it useless. All browsers would have to be updated to include a UI preference that turns this on and off as well.

What about enforcement? How can you tell if someone is tracking you? How can you provably report it to the government so that they can do something about it?

Unfortunately it sounds like a bit of a pipe dream to me.

Re:Am I alone when I say I don't mind it?

[jpapon]

I agree completely. Besides, it's just a good practice to assume that anything you do involving the interwebz is tracked and stored. If I'm up to shenanigans, or I need my activities to be secure, I make sure they're anonymous/secure to the best of my abilities. The Internet is a public arena, I find the claim that you should be anonymous all the time dubious at best. Besides, from my experience, anonymity tends to bring out the worst in people.

Re:How would a Do-Not-Track system work?

[Anonymous Coward]

It's so simple: no cross-site anything, period, all content displayed must be local to that site only.

That means no cross-site CSS, no clear gifs/beacons from any other site, scripts cannot pull any content from other sites, if a domain owner has ownership over more than one domain then their site on one domain cannot pull content from another of their domains. Whatever else, if it comes from another site it must be clearly linked to that site, but that content cannot be pulled, included, or otherwise force-downloaded to the user without their specific action to access that other site content.

But, but... what if an ad provider wants to serve an ad? Instead of site A pulling from ad-server B, the ad provider provides the full copy of the ad to be hosted on site A only. If and only if the ad is clicked on from within site A, and then only after a clear warning that clicking on the ad will go to another site B has been confirmed, only then can the advertiser do all their click-through and tracking stuff since the intent was clear to navigate away from site A to site B.

Same goes for the widgets, instead of pulling from the widget provider's site, the widget provider will have to provide a way for those widgets to be hosted local to the site that is using those widgets.

I am surprised something like this is not already a law, and yet it is not, how stupid is that?