The Wall Street Journal kicked off a series on online privacy this weekend with outstanding coverage of how the ad industry tracks your activity online.
It tested the top 50 websites to see how much they track you. Read it and weep—or shiver, anyway:
As a group, the top 50 sites placed 3,180 tracking files in total on the Journal’s test computer. Nearly a third of these were innocuous, deployed to remember the password to a favorite site or tally most-popular articles.
But over two-thirds—2,224—were installed by 131 companies, many of which are in the business of tracking Web users to create rich databases of consumer profiles that can be sold.
The top venue for such technology, the Journal found, was IAC/InterActive Corp.’s Dictionary.com. A visit to the online dictionary site resulted in 234 files or programs being downloaded onto the Journal’s test computer, 223 of which were from companies that track Web users.
Two hundred and twenty-three! (The WSJ, by the way, is admirably forthright about its own website’s habits, disclosing it in the sixth paragraph smack dab on the front page).
Cookies, of course, have been around nearly since the dawn of the Web. They help sites remember you so you don’t have to log in every time you visit. But how many people not in the biz really understand the extent to which things have spiraled out of control like this? Very, very few.
What do they know about you? Well, thanks to the WSJ for linking out to a site called BlueKai, which I’d never heard of, but which sure has heard of me, we can take a look.
It’s creepy, indeed. Like a benign stalker. BlueKai even knows where I’ve been offline in the last several months, thanks to its airline trackers. It knows I’ve flown to and from Seattle, Tulsa, Washington D.C. on a Thursday, a Friday, and a Saturday. It knows that I booked at least one of those flights less than seven days in advance. It knows by my IP address that I’ve been in Oklahoma City and Texas, though it’s wrong that I’ve been in Austin-Round Rock (at least not since 2003!). It knows I’m 33 years old. And it says my “bizographics” are C-Suite, executives, and high net worth. Wrong on all three! Somewhat amusingly, Lotame, a company profiled in the Journal piece, segments me as an “Armchair Diplomat,” whatever that is.
Click here to see what BlueKai knows about you.
It’s also very interesting where some ad networks draw the line on what they’ll track and target. Here’s the Journal again:
Healthline says it doesn’t let advertisers track users around the Internet who have viewed sensitive topics such as HIV/AIDS, sexually transmitted diseases, eating disorders and impotence. The company does let advertisers track people with bipolar disorder, overactive bladder and anxiety, according to its marketing materials.
And here’s what else they’re putting on your machine:
Beacons, also known as “Web bugs” and “pixels,” are small pieces of software that run on a Web page. They can track what a user is doing on the page, including what is being typed or where the mouse is moving.
Which allows stuff like Google targeting ads based on where you put your mouse. Okay. But where does all this stuff stop?
The story, by Julia Angwin, caused Jeff Jarvis to fry his motherboard this weekend. Contrary to what Jarvis says, this is indeed excellent journalism. It brings an issue that some us have just a vague awareness of (and many don’t know about at all) and forces it into the public eye—in terms that everyone can understand. Here’s Jarvis:
There is absolutely nothing new — thus nothing newsworthy — in what the Journal promises threatens to be a series.
That’s reminiscent of nothing more than the dismissive response to the Wikileaks Agfhanistan story and to the Washington Post’s recent Top Secret America series.
- 1
- 2
Years ago Oracle’s Larry Ellison, one of the multi-billionaire luminaries of the IT business, threw down the gauntlet to the lesser minions of his world—professional and amateur alike—with his curt, summary pronouncement that there was no such thing as privacy on the Internet and that the best that could be done by the rest of the world was to “forget about it.”
The players in this drama were not the typical Internet user—although by purchasing a ticket to the show that user has unwittingly become its victim—but rather the many IT professionals and legions of capable amateurs who were delighted by the challenge. With relish, they took up the glove against the Ellisons and Scott McNealys, another IT power who echoes Ellison's position on Internet privacy.
For years it has been a game of catch-up left to the geeky types with at least a passing knowledge of Javascript, Perl and the coding necessary to author a Web page in HTML, XHTML, PHP, etc.; those who know that a Domain Object Model (DOM) is not a scantily-clad woman posing for a photographer.
The state of the resulting race—a matter of playing leapfrog, really—is presently closer than most would imagine, and it is probably safe to say that there will never be a winner in the race, but save your headstones for Internet privacy because it is far from dead. In fact, many of the refinements developed in the effort to maintain some measure of privacy have made their way to mainstream browsers like Netscape’s Firefox, Apple’s Safari and Opera. Defeating the Javascript that powers most efforts at Internet tracking has become almost trivial with, for example, the highly popular NoScript add-on for Firefox, a measure, among many others, that is not beyond the non-technical Internet user.
I haven't read the WSJ article but the “pixel” that Ryan refers to is rather the smallest unit of display that can appear on your terminal. I suspect this means the “pixel bug,” another of the synonyms for the Web bug or what is more properly called a transparent GIF, a very small image that is ordinarily not visible to the user. Web bugs cannot record your key strokes or mouse movement, such functions are rather enabled by Javascript, and key strokes cannot be recorded outside of any form that you fill in on a Web page. Nevertheless, such functions are strong arguments for disabling Javascript, at least selectively, on a Web page. Almost always the offending script originates in an externally sourced script from, say, Omniture, or Google's infamous DoubleClick or their google-analytics as used right here on CJR's home page. Yes, dear reader, Big Brother Google is looking over your shoulder right now.
Among the more viable threats, attention is presently shifting to what is called “cross-site scripting” and the furtive alteration of a tab open in the browser that does not have the “focus” of the user (it is open but not being viewed). Most Internet users are not aware that a Flash file called an LSO (Linked Shared Object) is retained by the browser—theoretically forever—that often contains tracking elements. It, too, “phones home” whenever you are on the Web.
We will never be bulletproof; that isn't the nature of the game, unfortunately. But there is a great deal we can do, depending on our concerns for privacy, that will greatly reduce the threat.
There is, of course, a simple and very effective way to eliminate virtually all of these threats to privacy; the text-only browser. Browsers like Lynx and W3M ignore all Javascript and do not load images. You would be surprised at how fast a page loads without all of the fireworks and dancing bears that most of commerce sees fit to shove in your face. When I come here to CJR, I am interested in text and text alone. My browsing history and cache are not available to any Web site. Unfortunately, I believe such browsers are available only to UNIX and
#1 Posted by Joel Stookey, CJR on Tue 3 Aug 2010 at 12:27 AM
"Years ago Oracle’s Larry Ellison..."
Actually, the privacy quote is from Scott McNealy, former CEO of Sun Microsystems, who famously said, "You have zero privacy anyway. Get over it."
http://www.wired.com/politics/law/news/1999/01/17538
#2 Posted by Towse, CJR on Tue 3 Aug 2010 at 06:00 PM