Last week I was helping my mother move into a new apartment and needed a wireless phone jack to hook up her fax machine. Of course I used my Acer Iconia Tab W500 to research the available options and find a local store to pick one up. But imagine my surprise when the next day, right there in the middle of a political article in Slate magazine was an ad for an RCA Wireless Phone Jack. Coincidence? Excuse my French, but NFW! Wireless Phone Jacks are a rarely used, highly flawed, and rapidly disappearing technology. The only way an ad for one would ever be displayed is that my behavior the previous day had been tracked, allowing Slate’s ad vendor to display this highly targeted ad.
Now let me compare my emotional response to this tracking to the one I had a couple of weeks earlier when my bank told me they thought someone had cloned my credit card. Stolen credit card: one heartbeat skipped, and then I got on with the process of verifying there were no other signs of identity theft. Stolen privacy: My heart stopped, my head spun for a moment, and then I got REALLY angry. A better comparison to discovering I’d been tracked might be to the time we discovered a cleaning person was stealing from us. The theft was very comparable. In one case physical property, in the other my privacy.
Now I know that my experience last week was fairly minor in terms of actual loss, but substitute health related searching and browsing. Or sex related searches and browsing. Or even something as simple as shopping for Christmas presents. Does a woman really want colleagues, friends, and family to discover she’s pregnant because every time they walk by her computer there are ads up for birthing centers, OB/GYNs, prenatal vitamin supplements, and baby-related paraphernalia? Or do you really want people discovering you have a chronic illness based on the ads displayed on your computer. Or how about your wife figuring out what you are getting her for Christmas based on ads being displayed? And that’s just the risks of the legitimate use cases!
Credit card information is stolen from websites all the time. Passwords are stolen all the time. Employee data is stolen all the time. Other personal information is being compromised all the time. And now there are databases of your most intimate details, as captured from your use of the Internet, stored where someone can and will eventually steal them. Fixing a stolen credit card is easy, if sometimes painful. Fixing a broader identity theft is difficult and can result in issues that linger for years. Fixing harm from the loss of personal information in tracking databases may be impossible.
Understand that I’m not completely against the gathering of information for personalization and targeting purposes. I (mostly) love how Amazon uses on-site tracking to personalize its site. They pioneered this concept and it was largely responsible for their original success selling books. There is still risk to my privacy because Amazon knows an awful lot about me, but as long as they aren’t sharing this information I’m content with the tradeoff. And I have no problem with advertisers putting me in a broad demographic bucket. I’d much rather see adds for new cars than for feminine hygiene products. Really. But they need to accomplish this without tracking and retaining every search I’ve done, every web page I’ve viewed, every link I’ve followed, every product I’ve purchased, etc. To me that’s what Do Not Track (DNT) is about.
I’d like Do Not Track to have a definition that prohibits the collection of detailed information about me but doesn’t prohibit them from making a demographic bucket guess. Advertisers seem to want it to mean nothing, while privacy advocates want it to mean you can’t collect any information about me. For now the advertising community is winning because they simply ignore the Do Not Track indicator. That’s why, despite my browser having sent DNT I was still tracked.
Now before anyone points out I could block tracking with Internet Explorer’s Tracking Protection List (TPL) feature, or add-ins such as Adblock for Firefox, I need to say that I usually do have a TPL set up. It turned out that when I loaded the Windows 8 RTM on my W500 I forgot to turn on a TPL. Now that I’ve done that I know that I’m safe from most tracking. Unfortunately only a very small percentage of users will realize they need to enable technology to block tracking, which is itself the reason that Microsoft made turning Do Not Track on part of its express setup for Internet Explorer 10.
The war between advertisers and privacy advocates is just starting to heat up. But I have some advice for the advertisers. You’ve crossed the line. If someone like me, who recognizes and generally supports the benefits of personalization, is moving towards the position of the most virulent of privacy advocates then you are in trouble. If someone who thinks that government regulation is always worse than letting the private sector sort things out is actually considering that government may need to step in (given that one of government’s few, in my view, legitimate roles is to protect people from theft), then you are in big trouble. It’s time for you to come up with a proposal that truly protects user privacy while giving you decent demographic information. Absent that you are likely to find yourself limited by government regulation to a “Nielsen Family” type approach.
Finally, I wanted to comment on advertiser push-back to Microsoft making Do Not Track part of the Express Settings for Internet Explorer. This was a great pro-privacy move by Microsoft, yet it was also the most advertiser friendly move they could have made! Microsoft has had the option for a few versions of Internet Explorer to turn on a feature to automatically block potential tracking sites. And in IE9 it added the ability to use third-party Tracking Protection Lists, such as one from people responsible for Firefox’s Adblock. Microsoft could have turned on TPLs by default and taken any tracking ability out of the hands of the advertising community. If advertisers continue to fight Microsoft’s choice of Do Not Track as a default setting for IE, or a privacy-protecting definition for Do Not Track, then Microsoft still could make use of a TPL the default. And I hope they do.
Hal's (Im)Perfect Vision 
The was an article in the NYT a while back about how Kmart knows how females are pregnant before their families do and were sending out special advertising flyers to the females for maternity, baby, and other items through the USPS.
The father of one teenage girl who received such advertising called the local Kmart manager and raised a stink wanting to know why Kmart seemed to be encouraging his teenaged daughter to have sex and get pregnant. The manager apologized profusely and told the father that his daughter would not be receiving any such advertising in the future. A month later the manager received a letter from the father apologizing saying that his daughter had just informed him and his wife that she was x-months pregnant.
Apparently, Kmart received such negative feedback about such advertising that they decided to discontinue it. The article indicated that it wasn’t obvious purchases, such as maternity clothes, that triggered such mailings, but rather Kmart had analyzed the purchasing behavior of females who bought obvious post-delivery items such as diapers, bottles, nursing bras, etc. and were able to determine what items these women were buying early in their pregnancy that non-pregnant women were not, and were able to predict with extreme accuracy which females were pregnant very early in their pregnancy. Apparently the teenager was using a Kmart loyalty/reward card that allowed them to track her purchases and determine she was pregnant.
This makes me wonder just how much tracking is too much.
Target, not Kmart. As one might expect, given their comparative market caps, technical savvy, etc.
Personally, I *hate* tracking. I don’t mind if TPLs become default. I don’t mind if the government puts draconian privacy protections in place. I envy the privacy protections available in Europe.
And that goes beyond tracking. Companies should not keep a history of all your transactions — they should automatically delete them after X years. Just like the IRS won’t audit you after X years, just like the credit bureaus “age out” your cancelled credit cards after 10 years, so too should all companies give you a fresh start with the data they’ve gathered on you.
How much tracking is too much? *Any* tracking is too much, so long as it does not allow you to clear your history and “start over,” as though you’d been reborn. When you start getting creeped out by the ads, you should get the option to delete all the stored data and start with a clean slate.
I’m afraid I don’t know whether it was Kmart or Target. I remembered the article and did a search that returned a link to a page that had Kmart in the title and Target in the body. It had a link to the NYT article, but it’s now hidden behind a pay wall.
Please MS, enable TPLs by default!