Cookies, Banner ads, and Privacy

This article first appeared at http://slashdot.org/yro/99/10/22/0249212.shtml

Posted by jamie on Tue Oct 26, '99 06:00 AM
from the C-is-for-global-clicktrails dept.

Because you're reading Slashdot, you probably know that client-side cookies are perfectly safe. They don't contain any code that gets executed by your computer, and there are limits to keep them from filling up your hard drive. Just as importantly, no server can read another server's data, each site reads only its own cookies, and you don't have to worry about privacy. If you don't want a site to know anything about you, you don't tell that site anything. Simple. Or is it?

When Netscape embraced-and-extended the HTTP spec in 1995, it was really just trying to digitize the shopping cart. Allowing a server to store just a few bits on the client added almost no overhead and it made many applications, such as shopping carts, very convenient.

Maybe it was deliberate; maybe nobody really cared; or maybe it was an engineer's simple distaste for tweaking a spec too much: but they allowed cookies to hang off GIFs as well as HTML, and that changed everything. There were probably ten people in the: world at that point who could have foreseen the explosion in banner ad traffic, yielding a multi-billion-dollar industry in less than five years.

Yes, billion -- the large banner-ad company DoubleClick merged with database firm Abacus Direct last year in a billion-dollar stock swap. How much is a billion dollars worth of advertising revenue on the net? At DoubleClick's current rate, it's about 750 billion banner ads. Think of it as four petabytes of GIFs.

And the vast majority of those GIFs just get ignored. When's the last time you clicked a banner? There aren't any precise figures, but the consensus is that the average click-through rate is dropping. Three percent click-through used to be good. Now a well-targeted ad will be happy to get one or two percent. It's hard work to make money from banners, and getting harder every day.

That's why DoubleClick, and firms like it, need to maximize their efficiency. Their income ends up depending on that click-through rate. The higher they can raise that number, the more they can justify charging their clients. Sending targeted ads becomes critical. And the only way to target you is to learn more about you.

The GIF cookie loophole makes this pretty easy. The first banner ad that your browser requested from a banner-ad company got a user ID cookie sent back with it. And - here's the key - since so many banner GIFs all come from the same company's domain name, your browser sends back the same user ID no matter which website you're viewing the banner on. Your user ID is being tracked all over the web.

In the case of DoubleClick, that's a fair number of sites. They won't talk to you unless you serve a million impressions a month - and their network includes 651 publishers which translates to who-knows how many websites. All told, they deliver a billion ads every two days.

Though the Internet Movie Database can't tell where else you've been on the web today, the company delivering its banners knows. That same company knows if you read National Review, TeenMag, or Dilbert. It knows if you're into professional wrestling or what cruises you were looking at on Travelocity. It even has some of your click history through WebMD.com.

The comforting thing has always been that, while the corporation may be able to follow your footprints around the web, at least they haven't known it's you who's making them. The disconcerting thing is, that's about to change.

Remember that billion-dollar merger between DoubleClick and the database company? This database company doesn't sell software. Abacus Direct uses databases to store names, addresses, and other information about people. In offices across the country, their computers have information on two billion purchases made from 1,100 separate consumer catalogs over the years, "representing virtually all U.S. consumer catalog buying households." Their CEO brags,

"Through the sophisticated use of state-of-the-art technologies and modeling techniques, Abacus' outstanding ability to synthesize vast amounts of data into valuable insights about individual consumer buying behaviors has proven itself to be an important marketing tool for our age."

That's why it's very interesting that DoubleClick's privacy policy changed earlier this month. Its text used to read:

"DoubleClick does not know the name, email address, phone number, or home address of anybody who visits a site in the DoubleClick Network. All users who receive an ad targeted by DoubleClick's technology remain completely anonymous."

That promise is gone without a trace from the new policy. The new policy reads:

"In the course of delivering an ad to you, DoubleClick does not collect any personally-identifiable information about you, such as your name, address, phone number or email address."

Of course not. In delivering the ad, DoubleClick just collects your user ID. It probably already has your name, address, phone number and email address, somewhere in the Abacus database.

A little further down is the portent of things to come. There is "one particular Web publisher" in their network which collects a "log-in name and demographic data about users." Which publisher is that? They don't say.

Whoever it is, you may already have given it your name and address, perhaps to register for a contest, or maybe in exchange for reading its free content. Everyone does it; it's a small price to pay. DoubleClick is already combining their demographic data (your name and address) with its own database (your viewing and clicking habits) in order to deliver more-targeted ads on this one website.

And if their programmers do their jobs right, it'll end up being a simple SQL query to join up your user ID, the name you gave the mysterious web publisher, your Abacus demographic data and catalog purchases, and the footprints you've left all over the net for the past two years, into a single big lump of your online/offline data.

To be fair, their privacy policy promises they won't start doing this without, er, changing their privacy policy:

"...should DoubleClick ever match the non-personally-identifiable information collected by DoubleClick with Abacus database information, DoubleClick will revise this Privacy Statement to accurately reflect its modified data collection and data use policies and ensure that you have adequate notice of any changes and a choice to participate."

Aren't you glad that, when DoubleClick revised its privacy statement on October13,1999, you were given adequate notice of how you were being tracked across the internet? (They've sent out 46 press releases so far this year. Informing you about weakening your privacy wasn't one of them.)

Things aren't as bad as they could be. One fortunate thing is that the banner-ad market isn't a monopoly yet. Not even close. Adbility lists over fifty ad networks, of which DoubleClick is just one of the larger ones (probably the largest).

But, when any rapidly expanding market starts to level off, the smaller and less-efficient companies get eaten. Nobody knows when the internet's growth curve will hit that point, but exponential expansion can't continue forever. At some point, the companies that can't send banner ads targeted to your community will get left behind. We'll end up with two, maybe three, meganetworks that deliver a large majority of the world's banner ads.

What can you do about it? To protect your own personal privacy, opt out of DoubleClick's cookies. Of course, this doesn't affect other banner-ad companies, who may or may not even offer this solution once they get as big as DoubleClick. It also doesn't help novice websurfers like your grandmother, who doesn't understand why she should refuse free cookies. More importantly, it can't ever be a real answer - if more than a tiny percentage of their audience ever opted out, DoubleClick would see the competitive advantage of their billion-dollar merger start to erode, and that'd be the end of that option.

What makes more sense is to close the cookie loophole. DoubleClick isn't the real problem; the HTTP spec is the problem. The browsers should change their implementation of cookies so that, by default, foreign sites can't send me cookies along with their GIFs. Why should cookies be allowed onto my hard drive if they aren't attached to the page I'm viewing?

Since DoubleClick's privacy policy claims that cookies "are not essential for us to continue our leadership," they should have no problem supporting this as the default behavior of every major web browser.