Last week I was helping my mother move into a new apartment and needed a wireless phone jack to hook up her fax machine. Of course I used my Acer Iconia Tab W500 to research the available options and find a local store to pick one up. But imagine my surprise when the next day, right there in the middle of a political article in Slate magazine was an ad for an RCA Wireless Phone Jack. Coincidence? Excuse my French, but NFW! Wireless Phone Jacks are a rarely used, highly flawed, and rapidly disappearing technology. The only way an ad for one would ever be displayed is that my behavior the previous day had been tracked, allowing Slate’s ad vendor to display this highly targeted ad.
Now let me compare my emotional response to this tracking to the one I had a couple of weeks earlier when my bank told me they thought someone had cloned my credit card. Stolen credit card: one heartbeat skipped, and then I got on with the process of verifying there were no other signs of identity theft. Stolen privacy: My heart stopped, my head spun for a moment, and then I got REALLY angry. A better comparison to discovering I’d been tracked might be to the time we discovered a cleaning person was stealing from us. The theft was very comparable. In one case physical property, in the other my privacy.
Now I know that my experience last week was fairly minor in terms of actual loss, but substitute health related searching and browsing. Or sex related searches and browsing. Or even something as simple as shopping for Christmas presents. Does a woman really want colleagues, friends, and family to discover she’s pregnant because every time they walk by her computer there are ads up for birthing centers, OB/GYNs, prenatal vitamin supplements, and baby-related paraphernalia? Or do you really want people discovering you have a chronic illness based on the ads displayed on your computer. Or how about your wife figuring out what you are getting her for Christmas based on ads being displayed? And that’s just the risks of the legitimate use cases!
Credit card information is stolen from websites all the time. Passwords are stolen all the time. Employee data is stolen all the time. Other personal information is being compromised all the time. And now there are databases of your most intimate details, as captured from your use of the Internet, stored where someone can and will eventually steal them. Fixing a stolen credit card is easy, if sometimes painful. Fixing a broader identity theft is difficult and can result in issues that linger for years. Fixing harm from the loss of personal information in tracking databases may be impossible.
Understand that I’m not completely against the gathering of information for personalization and targeting purposes. I (mostly) love how Amazon uses on-site tracking to personalize its site. They pioneered this concept and it was largely responsible for their original success selling books. There is still risk to my privacy because Amazon knows an awful lot about me, but as long as they aren’t sharing this information I’m content with the tradeoff. And I have no problem with advertisers putting me in a broad demographic bucket. I’d much rather see adds for new cars than for feminine hygiene products. Really. But they need to accomplish this without tracking and retaining every search I’ve done, every web page I’ve viewed, every link I’ve followed, every product I’ve purchased, etc. To me that’s what Do Not Track (DNT) is about.
I’d like Do Not Track to have a definition that prohibits the collection of detailed information about me but doesn’t prohibit them from making a demographic bucket guess. Advertisers seem to want it to mean nothing, while privacy advocates want it to mean you can’t collect any information about me. For now the advertising community is winning because they simply ignore the Do Not Track indicator. That’s why, despite my browser having sent DNT I was still tracked.
Now before anyone points out I could block tracking with Internet Explorer’s Tracking Protection List (TPL) feature, or add-ins such as Adblock for Firefox, I need to say that I usually do have a TPL set up. It turned out that when I loaded the Windows 8 RTM on my W500 I forgot to turn on a TPL. Now that I’ve done that I know that I’m safe from most tracking. Unfortunately only a very small percentage of users will realize they need to enable technology to block tracking, which is itself the reason that Microsoft made turning Do Not Track on part of its express setup for Internet Explorer 10.
The war between advertisers and privacy advocates is just starting to heat up. But I have some advice for the advertisers. You’ve crossed the line. If someone like me, who recognizes and generally supports the benefits of personalization, is moving towards the position of the most virulent of privacy advocates then you are in trouble. If someone who thinks that government regulation is always worse than letting the private sector sort things out is actually considering that government may need to step in (given that one of government’s few, in my view, legitimate roles is to protect people from theft), then you are in big trouble. It’s time for you to come up with a proposal that truly protects user privacy while giving you decent demographic information. Absent that you are likely to find yourself limited by government regulation to a “Nielsen Family” type approach.
Finally, I wanted to comment on advertiser push-back to Microsoft making Do Not Track part of the Express Settings for Internet Explorer. This was a great pro-privacy move by Microsoft, yet it was also the most advertiser friendly move they could have made! Microsoft has had the option for a few versions of Internet Explorer to turn on a feature to automatically block potential tracking sites. And in IE9 it added the ability to use third-party Tracking Protection Lists, such as one from people responsible for Firefox’s Adblock. Microsoft could have turned on TPLs by default and taken any tracking ability out of the hands of the advertising community. If advertisers continue to fight Microsoft’s choice of Do Not Track as a default setting for IE, or a privacy-protecting definition for Do Not Track, then Microsoft still could make use of a TPL the default. And I hope they do.