How Companies Analyze Your Spending And Habits

Two really good news article explain how companies analyze consumers spending and social networking activity. I highly recommend that you read both articles.

The Forbes magazine article, "How Target Figured Out a Teen Girl Was Pregnant Before Her Father Did," summarized very well the problematic behavior of many corporations and retailers. To get a jump on its competitors, Target extensively analyzed -- perhaps better than most retailers -- its customers' purchases and attached undisclosed demographic data to each customer's identification number to mathematically predict what customers might by.

The prediction formulas were so good, Target was able to mathematically deduce from past purchases that this teen girl was pregnant and send coupons to her home -- all before the teen told her parent of the pregnancy:

"What Target discovered fairly quickly is that it creeped people out that the company knew about their pregnancies in advance... So Target got sneakier about sending the coupons. The company can create personalized booklets..."

These personalized coupon books were an attempt to hide the fact that Target knew so much, and disguise that knowledge by presenting both coupons not related to pregnancy with coupons that were related:

"... we learned that some women react badly... Then we started mixing in all these ads for things we knew pregnant women would never buy, so the baby ads looked random... we found out that as long as a pregnant woman thinks she hasn’t been spied on, she’ll use the coupons. She just assumes that everyone else on her block got the same mailer..."

One of my friends called Target's behavior "untethered stupidity" to market pregancy products to a teenager. Yes, that was incredibly stupid, and was likely enabled by its rush to make money. Some of my friends were surprised at the content of the above Forbes article. I wasn't surprised because of the amount of personal information shared:

• Consumers share on social networking websites the items (e.g., products, services, television/cable shows, music) products we like or prefer,
• Banks regularly collect and resell both debit-card and credit-card purchases,
• Consumers share on social networking websites a wide variety of sensitive personal data (e.g., birth date, children's names and ages, list of relatives). The full birth date makes it easy for data brokers and advertisers to distinguish several people with the same name,
• Consumers share product preferences and travel vacation habits through loyalty program memberships,
• State motor vehicle registries regularly sell drivers' data to companies and data brokers. That includes the car, from which marketers can deduce your wealth, favorite color, and when to pitch extended auto warranty service plans,
• Data brokers like Spokeo and Acxiom compile consumers' demographic data from public records and social networking websites, which retailers can purchase,
• Leaky entertainment, quiz, and gaming apps on social networking websites regularly collect consumers sensitive personal data,
• Leaky smartphone apps regularly collect consumers' sensitive personal data, they often shouldn't. The lack of privacy policies with these apps mean the app developers are free to sell the personal data collected.

What might that undisclosed demographic data be? It's pretty easy to deduce or infer:

• Name, address, age from the store loyalty program registration
• Income from any store credit cards, loyalty program registrations, surveys, or average purchase history over time (e.g., wealthy people spend more, less wealthy purchase more with coupons)
• Favorite colors from the colors of clothes purchased
• Left-handed preference from types of products purchased
• Personal preferences from any product comments at the retailer's web site or products "liked" at social networking websites (purchased from data brokers)
• Type of vision from purchases (e.g., non-prescription sunglasses indicate good vision)
• Health issues (e.g., eczema, dry skin, dandruff) from the types of lotions and shampoos purchased
• Health issues (e.g., over-weight) by the size of clothes purchased or from retailers offering pharmacies and in-store clinics
• Durable goods (e.g., dishwasher, washing machine, gas or electric oven) used at home from purchases
• Auto and electronics owned from purchases, either the item or related accessories purchased
• Approximate ages of children by types of toys purchased or from photographs at social networking websites
• Where else you shop, based on GPS coordinates collected from any apps installed on your smartphone, or data purchased from mobile service providers
• Retail stores that use facial recognition cameras can track your shopping patterns (e.g., when where, duration), even when you pay with cash and left your GPS-enabled cell phone at home, and supplement this with demographic data from photos you are tagged in at social networking websites
• Any gaps in the above demographic data can easily be filled by data purchased from data brokers like Acxiom and/or ads run on social networking websites

The New York Times article, "How Companies Learn Your Secrets," includes a more detailed analysis, with how marketers look for "chunks" in consumers' behaviors to predict future purchases:

"This process, in which the brain converts a sequence of actions into an automatic routine, is called “chunking.” There are dozens, if not hundreds, of behavioral chunks we rely on every day. Some are simple: you automatically put toothpaste on your toothbrush before sticking it in your mouth..."

Some chunks are more complex; consider the series of behaviors women will perform to prepare for a pregnancy: purchase different clothes, lotions, and/or personal hygiene items. Now, think more broadly, because everyone's behaviors can be chunked. Not just women. The researchers found:

"... when some customers were going through a major life event, like graduating from college or getting a new job or moving to a new town, their shopping habits became flexible in ways that were both predictable and potential gold mines for retailers. The study found that when someone marries, he or she is more likely to start buying a new type of coffee. When a couple move into a new house, they’re more apt to purchase a different kind of cereal. When they divorce, there’s an increased chance they’ll start buying different brands of beer. Consumers going through major life events often don’t notice, or care, that their shopping habits have shifted, but retailers notice..."

And a baby definitely qualifies as a major life event.

Now, consider your past purchases. Advertisers value that so they can serve up different products at these major life events. Coombine this with your GPS location in the physical world, and it is a marketers dream: to know you shop every Saturday morning and then serve up ads on your smartphone before you arrive at the supermarket; or to serve up childrens toy and food ads before you shop for their birthday parties.

Maybe all of this doesn't bother you, or maybe it does. The bottom line: where you go in the world, what you purchase, and how much you consume are all pretty personal facts. Consumers should have control over when and with whom this personal data gets shared. If you choose to share everything, fine. Some of us feel and act differently.

ScanScout Settles With FTC About Flash Cookies Used For Tracking Consumers

ScanScout has agreed to settle with the U.S. Federal Trade Commission (FTC) about charges the company used deceptive marketing with a website privacy policy that claimed consumers could opt-out of online tracking, when they couldn't opt-out because the company's website used the Flash cookie technology to collect data which browser settings couldn't block. An FTC press release summarized the terms of the proposed settlement:

"... bars misrepresentations about the company’s data-collection practices and consumers’ ability to control collection of their data. It also requires that ScanScout take steps to improve disclosure of their data collection practices and to provide a user-friendly mechanism that allows consumers to opt out of being tracked."

During the lawsuit and before the settlement agreement, ScanScout merged with Tremor Video. The consent order (PDF), which applies to the merged company and its subsidiaries, stated:

"... officers, agents, representatives, and employees and all other persons in active concert or participation with any of them, who receive actual notice of this Order by personal service or otherwise, whether acting directly or through any entity, in connection with the online advertising, marketing, promotion, offering for sale, sale, or dissemination of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication: (A) the extent to which data from or about a particular user or the user’s online activities is collected, used, disclosed, or shared; or (B) the extent to which users may exercise control over the collection, use, disclosure, or sharing of data collected from or about them, their computers or devices, or their online activities."

The consent order also stated that within 30 days of the approved consent order, the company:

"... place a clear and prominent notice, including a hyperlink, on the homepage(s) of its website(s), which states, “We collect information about your activities on certain websites to send you targeted ads. To opt out of our targeted advertisements click here.” When selected, the hyperlink shall take consumers directly to the mechanism... that enables users to prevent respondent: from collecting data that can be associated with a particular user, or that contains any unique identifier, including user ID or Internet Protocol (IP) address; from redirecting users’ browsers to third parties that collect data, absent a click or other affirmative action by such user; and from associating any previously collected data with the user..."

For five years after the approved consent order, the companies must save and forward to the FTC both complaints from consumers and all company documentation proving compliance with the consent order.

During the summer of 2011, a class-action lawsuit was filed against AOL, Brightcove, and ScanScout about the use of the Flash cookies technology to secretly track consumers' online usage.

The proposed settlement agreement is open for comment by the public until December 8, 2011, after which the FTC will decide whether to make it final. To submit comments, follow the online comment instructions at this website. Comments submitted via postal mail should be sent to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.

To learn more about the various tracking technologies, browse posts in this blog about browser cookies, "zombie cookies," Flash cookies, "super cookies," and etags. The FTC OnGuard Online website also contains a section about the various online cookies technologies.

Lawsuit Alleges Hulu.com and KISSmetrics Used "Zombie E-Tags" To Track Consumers Without Notice And Consent

Last month, a lawsuit was filed in Central California District Court against Space Pencil and Hulu.com, alleging that the companies tracked consumers online usage without notice or consent using "Zombie Etags," a newer Internet technology. According to the complaint, consumers:

"... that accessed Hulu's website had HTTP cookies respawn via Flash shared objects, HTML 5 Local Storage, and/or cache/ETags after they had been deleted."

"Zombie ETags" refers to the latest combination of Internet technologies used to track online usage: HTML 5 local storage, and/or cached Etags. The Zombie Etags allegedly regenerate any HTML cookies the user has deleted, removing control from the user and preventing privacy. Entity Tags, also known as "Etags," are a mechanism to verify that the page components a web browser displays match the components on the web server hosting the URL or original web page.

According to the complaint (PDF - 6.3 MBytes), Space Pencil is the company doing business as KISSmetrics. Hulu.com is a popular website that streams video of television shows from ABC, CBS, Fox, NBC, and other networks and studios. This is at least the second class-action lawsuit filed against both companies.

This class-action lawsuit (Couch et al versus Space Pencil et al) was filed, in part, because the consumers:

"... accessed the Hulu website, relying on the Hulu's Terms of Service and Privacy Policy which provided assurances against unauthorized tracking..."

What makes this lawsuit a little different from prior lawsuits (e.g., "zombie cookies), is the technology and hacking allegations:

"... Internet users who accessed Hulu's website, and knowingly, without the user's knowledge or consent, "Hacked" the Plaintiffs' and Class Member's Computing Devices in order to conduct covert surveillance of Plaintiffs and Class Members online activities, using web analytics to collect and de-anonymize Plaintiffs' and Class members' online data, providing the mechanism for Hulu to conduct perpetual online tracking of its users and a method to use cross domain tracking..."

This alleged tracking technology allowed Hulu and KISSmetrics to track Hulu.com users' online usage across the Internet and beyond the Hulu.com website. The complaint referenced several working papers about tracking technologies:

• "Flash Cookies And Privacy" by Ashkan Soltani et. al, 2009
• "Respawn Redux" by Ashkan Soltani, 2011

The 2009 working paper documented the extent of company websites using Flash cookies to regenerate HTTP cookies. The 2011 working paper documented the regenerated HTTP cookies practice:

"In our follow-up study, we found that Hulu was still respawning deleted user cookies using homegrown Flash and Javascript code present on the Hulu.com site. Additionally, Hulu, Spotify, and many others were also respawning using code provided by analytics firm KISSmetrics. Hitten Shah, the founder of KISSmetrics, initially confirmed that the research surrounding respawning was correct in an interview with Ryan Singel although he later criticized the findings after a lawsuit was filed."

Both companies supposedly stopped their Zombie Etag tracking on July 29, 2011. KISSmetrics published this response to the July 2011 lawsuit. The class-action plaintiffs want the tracking software and data files removed from their computers. The sensitive personal information:

"... compiled and misappropriated included sensitive information, such as users' video viewing choices revealing personal interests, his/her sexual preference, political views, and even more specific information like health conditions, such as DEPRESSION..."

The attorneys representing the plaintiffs in this class-action lawsuit include Strange & Carpenter, and a name I recognize: the law office of Joseph Malley.

If you want to learn more, I recommend reading this Wired story.

Several Internet Service Providers Hijack And Replace Consumers' Search Results

When you use a search engine like Google, Yahoo, or Bing you expect it to reliably deliver the search results the search engine was built to deliver, and not a replacement set of links from an intermediary -- without notice and without your consent. New Scientist reported that several internet service providers (ISPs) have modified and redirected these search results:

"The hijacking seems to target searches for certain well-known brand names only. Users entering the term "apple" into their browser's search bar, for example, would normally get a page of results from their search engine of choice. The ISPs involved in the scheme intercept such requests before they reach a search engine, however. They pass the search to an online marketing company, which directs the user straight to Apple's online retail website."

Last week, the New York-based law firm of Reese Richman filed a class-action lawsuit against one of the ISPs, its marketing firms, and Paxfire, the technology company which reportedly provides the equipment used to redirect and replace searches. Experts believe that the redirect process violates several statutes, including wiretapping laws. One of the marketing firms identified with the alleged serch redirection is Commission Junction. The ISP identified in the lawsuit is RCN.

Researchers at the International Computer Science Institute in Berkeley, California discovered the redirection and have monitored it for several months. Reportedly, a total of ten (10) ISPs were found to perform search results hijacking and replacement.

"The redirection can also produce unwanted results. A user wanting to read an article in The Wall Street Journal, for instance, might search for "wsj"; the redirection system would take them to a page offering subscription deals for the paper..."

If you want to learn more, there is a good article at the Electronic Frontier Foundation website:

"Major users of the Paxfire system include Cavalier, Cogent, Frontier, Fuse, DirecPC, RCN, and Wide Open West. Charter also used Paxfire in the past, but appears to have discontinued this practice."

It would seem that once again greed trumps common sense. The search results hijacking and replacement alters a basic function of how the Internet operates. You could say that users were "mugged" for their searches.

About three years ago, in an attempt to increase their revenues several ISPs installed deep-packet inspection software on their servers to server display targeted ads while tracking without notice and consent all of their subscribers Internet activity (e.g., e-mail, text, searches, web browsing). Consumers and privacy advocates protested strongly; both in both the United States and Europe.

Several ISPs testified in hearings before the U.S. Congress, and at least one ISP admitted to the secret spying on its subscribers. In their rush to make money, ISPs abused their subscribers' privacy and trust.  Several technology companies, like Adzilla and Phorm, were sued and either settled class-action suits against them or went out of business.

It would seem that we are about to repeat another round of privacy abuses by ISPs with their technology and marketing partners. Executives at these companies are either ignorant of or ope that consumers have forgotten the lessons of three years ago. Well, we have not forgetten. Privacy, disclosure, and consent still matter.

I predict several more class-action lawsuits will emerge, plus an updated list of ISPs to avoid doing business with because of privacy abuses. Not matter how they might spin it, it is not right to replace the standard search results from search engines with garbage for an ISP to build its revenues. Consumers' needs matter.

Study: 'Do Not Track" Opt-out Compliance Varies Among Advertisers

Several news sources recently reported the results of a study by researchers at the Stanford Security Lab. The researchers developed a method to monitor whether or not advertisers complied with the consumer opt-out selection from targeted advertising.

Consumers can opt out of targeted advertising at the Network Advertising Iniative website, or use this beta version Firefox Add-on. You can read the research study methodology here, with updates from several advertisers.

AdWeek reported the researchers' findings:

"Nearly half of the companies participating in the self-regulatory Network Advertising Initiative do not remove tracking cookies after users opt out of online behavioral ad targeting, according to Jonathan Mayer, a graduate student and research fellow at the Stanford Center for Internet and Society. At least eight of the companies explicitly say they’ll stop tracking after users opt out but continue to leave tracking cookies in place, said Mayer."

Those eight companies included: 24/7 Real Media, Adconion, AudienceScience, Netmining, Undertone, Vibrant Media, Wall Street on Demand, and TARGUSinfo AdAdvisor.

If a company says it won't track you, then remove the tracking mechanism from that consumers browser/computer. And there is confusion:

"... on some industry sites that specifically mention data collection, the language is written in such a way that people might think they’re opting out of collection altogether, but they’re actually only opting out of information gathering for the specific use of ad targeting."

So, a comprehensive solution would seem to have to include at least three factors:

1. Clear, consistent language about what the consumer is opting out of (e.g., target ads, tracking, data collection, all of the above)
2. Clear, consistent compliance and removal of the tracking mechanisms
3. Independent auditing of advertiser opt-out compliance, since most consumers do not have the time, skills, nor experience to perform this technical audit. Ideally, the audit would also publish the names of offending companies

The research study results suggest to me that self-regulation probably is not working. What do you think?

FTC Testifies before Congress About Mobile Privacy

With several mobile device tracking, data collection, and app abuse issues emerging recently, it is important to know the position of one of the chief regulatory agencies in the United States. On May 10, Jessica Rich, Deputy Director of the Bureau of Consumer Protection at the U.S. Federal Trade Commission (FTC), testified before the Senate Judiciary Committee Subcommittee for Privacy, Technology and the Law about mobile device privacy.

Rich first cited some CTIA statistics: wireless penetration of 96% in the United States with 27% having smart phones. During 2010, about 62% of marketers used some form of mobile marketing for their brands.

Rich emphasized that the FTC has explored mobile and wireless issues since 2000, and hosted mobile wireless and consumer privacy workshops that explored some of the issues. As additional proof of the FTC's commitment to mobile privacy for consumers, Rich cited FTC actions against:

• Google for allegedly deceiving consumers by using information collected from Gmail users to generate and populate a new social network, Google Buzz, without users’ consent,
• Twitter for serious lapses in the company’s data security that allegedly allowed hackers to hijack accounts and to obtain access to private “tweets” and non- public data,
• Reverb Communications for alleged deceptive mobile gaming endorsements in the iTunes store,
• Philip Flora for using 32 pre-paid cell phones to over 5 million unsolicited text messages to the mobile phones of U.S. consumers.

Based upon several privacy roundtable discussions, the FTC drafted a preliminary report with privacy recommendations:

"First, staff recommends that companies should adopt a "privacy by design" approach by building privacy protections into their everyday business practices... Second, staff recommends that companies should provide simpler and more streamlined privacy choices to consumers. This means that all companies involved in data collection and sharing through mobile devices -- carriers, handset manufacturers, operating system providers, app developers, and advertisers -- should work together to provide these choices and to ensure that they are understandable and accessible on the small screen... Third, the staff proposed a number of measures that companies should take to make their data practices more transparent to consumers, including improving disclosures to consumers..."

All of this was nice a start, but the FTC's position is still weak and is heavily tilted for corporations at consumers' expense. More balance is needed.

As I read the FTC' Richs testimony (PDF), the recommendations are not mandatory but voluntary. And she skipped an important issue: that most or all tracking programs are opt-out based (e.g., where consumers are automatically included), instead of opt-in based (e.g., where consumers are in control and must opt-in or register first before companies can track them).

What do you think?

Facebook And Google Claim The "Do Not Track" Bill Is Bad For The Economy

In a letter to the California legislature (PDF), several companies including Facebook and Google claim that the proposed "Do Not Track" law is bad for the California economy:

"California Senate Bill 761 would create an unnecessary, unenforceable and unconstitutional regulatory burden on Internet commerce. The bill covers an overly broad range of information, and would regulate indirectly virtually all businesses who collect, use or store information from a website. The measure would negatively affect consumers who have come to expect rich content and free services..."

The companies that signed this letter included Acxiom, Allstate, American Express, Experian, Facebook, Google, Acxiom, Reed Elsevier, Specific Media, Time Warner Cable, Yahoo, and others. The companies claim that SB 761 is unnecessary because:

"... consumers can easily opt out of the collection of data through browser tools. The four leading Internet browsers - Internet Explorer, Safari, Firefox, and Google Chrome - all provide user-friendly filtering options that block the ability of companies to collect data or track Internet use."

This is not entirely correct, as websites and companies are not required to honor the do-not-track request from the web browser. According to these companies, this is how California's economy could be harmed:

"SB 761 would create a second, conflicting set of standards to which companies would have to conform or else face class action lawsuits. This would, in turn, create significant confusion and uncertainty for investors, businesses and consumers. Online commerce would simply be unworkable if websites were forced to comply with a patchwork of privacy and notice laws. This would impose an unprecedented and arduous regulatory burden on Internet commerce. Further, a do not track requirement on the use of this data would stifle innovation..."

A patchwork quilt of laws? That is what we have today with breach notification and data security across states. If these companies can exist with a patchwork quilt of breach notification laws in one area, they can live with a patchwork quilt of laws in another area.

The bigger issue is that these companies have taken a strong stand for extensive tracking. How? These companies are content with opt-out as the program standard: consumers are always automatically included and the burden is on consumers to consistently opt-out. I have long argued in this blog for the program standard to be opt-in: consumers aren't included until the consumers chooses to register or opt-in.

Plus, I Facebook's objections to any limitations on consumer tracking is not a surprise to me, given Facebook's ties to Rapleaf, and how Facebook uses its social plugins to both deliver content and to track consumers across the Internet. When you visit a website with a facebook social plugin, Facebook captures the date and time of your visit, the web page visited, your IP address, your computer's operating system, and (if you are signed into Facebook) your Facebook user ID number. This data collection rivals what Google collects.

The letter has a "sky is falling" aspect to it. These companies operated well when the Internet had little or no tracking. They will survive regardless of the claims.

Update: Pandora Subpoena

When I wrote this earlier post, I'd checked the Pandora website for any news releases or comments from the company. There weren't any comments then.

The Rolling Stone reported that Pandora is removing third-party advertising platforms (e.g., Google, AdMeld and Medialets), and is revising its smart phone apps:

"... certain third-party advertising software development kits (SDKs) from Medialets, AdMeld and Google have been the subject of scrutiny and speculation in the media. While we have no reason to believe that any of these mobile advertising companies acted outside the scope of our privacy policy, we have decided to remove the advertising SDKs entirely to ensure that our listeners have complete confidence in our commitment to their privacy."

Smartphone Apps That Listen: A Crime Or A Feature?

ComputerWorld reported about three iPhone and Droid apps that use the microphone on consumers' smartphone to listen to whatever you are doing:

"The apps use ambient sounds to figure out what you're paying attention to... The apps are Color, Shopkick and IntoNow, all of which activate the microphones in users' iPhone or Android devices in order to gather contextual information that provides some benefit to the user."

The Color app reportedly uses both the smartphone microphone and camera to:

"... detect when people are in the same room. The data on ambient noise is combined with color and lighting information from the camera to figure out who's inside, who's outside, who's in one room, and who's in another..."

The app makers promote these listening apps as a feature. to me, it's a crime.

Do consumers really need a smartphone app that listens to what you are doing, or watching on television, to serve up the appropriate social networking website? This seems like a bridge too far. Way too far.

Now, some apps, like Shazam on the iPhone, are appropriate. When engaged, this app identifies a song a consumer can't readily identify. Then, the consumer can presumably go buy the song.

And, I do like the voice-activated Bing search on my Windows smartphone. When I engage it, the app makes searching easier and faster -- provided I am in a fairly quiet location.

Me? I want more privacy, not less. Listening apps should work only in the foreground when activated, not sneakily and constantly in the background. And, when I visit somebody, I shouldn't have to worry about whether their smartphone is listening in or not. Notice and opt-out both seem impossible in these situations.

New AOL Privacy And Terms Policies Go Live March 31

There are plenty of changes underway at AOL. Earlier this month, AOL announced plans to purchase the Huffington Post website and news ooperation. Then, AOL announced to its members that it will revise, consolidate, and simplify its online privacy and terms-of-use policies:

From: AOLLegal
Date: February 20, 2011 4:54:10 AM EST
Subject: Updated Terms of Service and Privacy Policy for AOL Users

Dear AOL Users,
AOL is working hard to change and improve the way we serve you across all aspects of our services. We have recently relaunched and improved many of our consumer experiences, including AOL.com and MapQuest.com. As we continue to improve AOL for you, some of the improvements are updating the ways that we interact with you and your information. As a result, we want to update you on our Terms of Service (TOS), which contains the agreements between you and AOL.

In addition, we are also updating our Privacy Policy. Privacy is incredibly important to all of us and we want to present the updates to our privacy policy in a simplified format designed to help clarify what information we collect, how we use it, and the marketing preferences and online advertising choices available to you. Both the updated TOS and Privacy Policy are available online now and will take effect on March 31, 2011.

You can find the old Terms of Service here. What I like about this announcement: it is a step in the right direction to provide consumers with full disclosure. Consolidating and simplifing documents that are usually difficult to read is a huge benefit. I also like that the targeted advertising opt-out link is front-and-center on the AOL Privacy main page. I like that the new policy discusses mobile devices. With the rapid pace of technology advances, website policies should change frequently.

I have not performed a line-by-line comparison of the old and new policies. I am not an AOL user, so I am sure that some AOL users will perform this analysis. There may be policy changes embedded that users object to.

Previously, AT&T made policy changes regarding online targeted advertising. These are always helpful for consumers.

What do you think? Will AOL users find the new policy easier to read? Will AOL continue to revise its policies as its busienss changes? Share your opinions below.

Advertiser Networks Threaten Consumers Privacy Online

If you have been following online developments and technologies, then you've probably realized that advertiser networks try (or attempt) to collect an increasing amount of personal information about consumers.

For many years, that collection was limited to the use of web browser cookies, or when you signed into a website with an ID/password. Then "pop-up" and pop-under" ads appeared in an attempt to force the display of advertisements for users who regularly deleted their web browser cookie files. The collection then spread to "zombie" and Flash cookies, to apps at social networking websites, to "web bugs" and "web beacons," and lately to popular mobile devices. You can see some of the results of that data mining at websites like Spokeo and Pipl.

It was good to read this Philadelphia Inquirer article:

"Internet ad networks are likely tracking nearly everything you do - not just you, but also your teenage kids. The networks, along with data miners and brokers, are creating "online profiles" that become more and more valuable the deeper they get."

As you read this, many of you are thinking that there is no problem. Data collection provides the convenience of targeted or relevant advertisements for a better online experience, right? Yes, for those of use that value targeted advertisements online.

There have been some under-publicized advertising opt-out failures. Plus, those consumers who don't want the tracking are confronted with a growing list of opt-out links and do-not-track software, because the default so far has been everyone is included (whether you want to be included or not). That places the burden on consumers to continually opt-out of ad networks, who can easily configure their systems to auto-re-include consumers when things change. How fair is that?

There is also the issue of disclosure and notice in website privacy and terms-of-use policies. Those policies should be complete and accurate.

Maybe you don't care where your personal data goes and who it is shared with or sold to. I care about where my data is bought, sold, and shared. And you may care because it affects your children. The Center For Digital Democracy:

"... joined more than a dozen others Friday to urge the FTC to pay special attention to the vulnerability of teenage Internet users - those 13 and older, who are too young for the safeguards of the Children's Online Privacy Protection Act. One ironic result of that good law, they say, is that teenagers are essentially treated like adults online. Social-networking sites such as Facebook put adolescents at extra risk, not because the sites themselves are so insidious, but because they are places where young people share so much personal information - or perhaps over-share..."

That sounds like a good start to more sensible laws that balance the needs of consumers (and children) versus the needs of corporations.

I haven't covered childrens issues much in this blog, except in posts about the Ringleader class-action, and money management education for high school students. I expect to cover childrens issue more often during 2011.

Quantcast Settles 'Zombie Cookie' Tracking Lawsuit

I reported in July about a class action lawsuit filed in U.S. District Court in Central California against online measurement firm Quantcast Corporation and several of its affiliates for using "zombie cookies" to track consumers' online activity and for violating several computer and consumer privacy laws. The other companies named in that lawsuit were Myspace Inc., American Broadcasting Companies Inc. ESPN Inc., Hulu LLc., JibJab Media, MTV Networks, NBC Universal Inc. and Scribd Inc..

Earlier this week, Wired magazine reported that:

"... Quantcast has agreed to pay $2.4 million to settle a class action lawsuit alleging it secretly used Adobe’s ubiquitous Flash plug-in to re-create tracking cookies after users deleted them... More than $1 million of the settlement will go to fund privacy groups chosen by the plaintiffs, and 25% will go to the lawyers who filed the suit. It’s unlikely that any money will go to the class, since it essentially includes every internet user in the U.S."

In a press release, Quantcast said this about the settlement:

"We chose to settle the litigation to bring clarity and certainty to our customers and to avoid the burden and cost of further litigation."

When you've been caught -- literally and figuratively -- with your hand in the cookie jar, I guess that there's not much to say after settling a lawsuit. Congratulations to those attorneys -- Joe Malley and others -- in this suit, as the tracking likely would have continued otherwise. Thanks for advocating for consumers' online privacy.

Ringleader Digital And Others Sued For Using 'Zombie Databases" on Consumers' Mobile Devices

Advertisers and tracking companies have gone to great lengths to track consumers' Internet usage on laptop and desktop computers. 28% of mobile subscribers have smart phones. As consumers have shifted their usage to mobile devices (e.g., smart phones, PDAs), online tracking has followed.

I read the Aughenbaugh et al v. Ringleader Digital Inc et al complaint (PDF format; 1.3 MBytes) filed in California District Court. The class-action lawsuit alleged that Ringleader Digital and the other companies intentionally exploited software on mobile devices to track consumers' Internet usage, since many consumers now use mobile devices to surf the Internet instead of their laptop or desktop computer.

A prior blog post discussed how companies use "zombie cookies" to track consumers Internet usage by regenerating browser cookies that consumers deleted from the web browsers on their laptop or desktop. Because browser cookies are not as useful for tracking Internet usage on mobile devices, the companies in this lawsuit used a new tracking scheme:

"Defendants found the solution to their problem with HTML 5. A large number of hand held mobile devices, such as the iPhone, use HTML 5 software to operate the mobile browsers on these devices. The HTML 5 software contains local storage databases that allow websites to store information on these devices..."

You could call this database of consumer information a "zombie database" since consumers cannot delete the tracking database on their mobile devices, and when deleted the database recreates itself immediately. Is that what you want on your mobile device? I doubt it. Me neither.

The companies named in the lawsuit are CNN, Surfline/Wavetrack, Whitepages, Travel Channel, Accuweather, Go2 Media, Merriam-Webster, and Medialets. All of these companies operate mobile website versions of their traditional websites. All of these companies allegedly use Ringleader Digital's Time Stamp technology. With its Media Stamp (TM) product, Ringleader Digital alleged collected sensitive personal information about millions of smart phone users in this way:

"When a mobile website that uses media Stamp is accessed, Ringleader's own databases collect information from the mobile device and the Media Stamp technology assigns Plaintiff's mobile device a "unique" identifying number. Ringleader stores this number on its database and uses the HTML 5 storage databases on the users' hand held mobile devices to store the assigned "unique" identifying number."

Were you aware that your Internet usage with your smart phone was being tracked this way? Did you authorize any companies to do this tracking and/or save information to your smart phone? I'll be you didn't. This is huge also because:

"The HTML 5 database is titled RLGUID, which stands for Ringleader Global Unique ID. With a unique identifying number that is assigned to a specific mobile device, Media Stamp allows Ringleader Digital, advertisers, ad agencies and website publishers to track a user's web browsing movements across the entire Internet and not just one particular website."

Think about that and when you used your smart phone to do online banking, accessed your health records, and/or researched medical conditions online. Do you want all of this tracked? I doubt it.

If you read the online terms and conditions policies at the websites for the companies listed above, you still wouldn't know about the mobile tracking:

"CNN, Surfline, Accuweather, Go2.com, Whitepages, Merriam-Webster's and Travel Channel's privacy policies inadequately inform Plaintiffs of the extent in which they are being tracked by an unidentified third party... most of the Defendants' sites fail to address or identify Ringleader and media Stamp at all. Accuweather, Surfline, Go2,.com and CNNmoney.mobile do not even have a privacy policy on their mobile webpage."

Ringleader Digital launched in October 2010 a certification program for its Time Stamp clients. What? They weren't doing this alreadY? This new certification program sounds like too little way to late, since Ringleader started in 2005.

Plus, the certification program requires Stamp clients to provide consumers with both a mobile tracking opt-out mechanism at their website, and a link to the mobile tracking opt-out mechamism at Ringleader's website. Opt out? We've heard this sad song before.

Ringleader's approach is to automatically include all mobile users in tracking, and place the burden on consumers to opt out of the mobile tracking. We've seen this approach before in various behavioral advertising programs, and it is too easy to override consumers' opt-out choices as new Time Stamp clients join, or as mobile privacy policies change.

If Ringleader Digital and its Time Stamp clients are as customer focused as they claim, then the tracking program default should be all mobile users excluded with an opt-in mechanism. If Ringleader's program is as good as the company claims, then consumers will opt-in. Let the marketplace decide.

Back to the class-action complaint. The sensitiver personal consumer data collected:

"... Ringleader Digital, at a minimum, collected browser identifiers, session information, device type, carrier provider, IP addresses, unique device ID, carrier user ID, and web sites visited... it is unclear if they collect telephone numbers and specific names..."

According to Courthouse News Service, a second class-action lawsuit filed last week in New York State (Hillman et al v. Ringleader Digital) alleged the data collected also included:

"... gender, age, race, number of children, education level, geographic location, and household income... what the web user looked at [online] and what he/she bought, the materials he/she read, details about his/her financial situation, his/her sexual preference, his/her name, home address, e-mail address and telephone number, and even more specific information like health conditions..."

In this second class-action lawsuit, one of the affected consumers is 12 years old. So the mobile tracking of a minor allegedly broke the Children's Online Privacy Protection Act, in addition to other laws. Yes, minors use mobile devices, too.

When I read about situations like this, I wonder what illgotten consumer information collected by Ringleader Digital is also shared with mobile device apps. We've seen this abuse happen on social media sites.

When I read about situations like this, it is sad and depressing. First, there is the mobile tracking without disclosures and without obtaining consumers' consent. Second, today's mobile devices are more like personal computers than the simpler cellular phones of eight years ago. Yet, mobile devices are still marketed with the walled garden approach of celular phones from 10 years ago.

Most mobile devices are still restricted to a single telecomunications network, and to a single online store for apps. Do you shop in the physical world at a single store? I don't. Plus, the list of apps are prescreened and censored. Many mobile devices restrict which apps you can disable or uninstall.

I don't have these restrictions with my laptop/desktop, and I don't want them with my mobile device. (Many social networking websites, like Facebook, are walled gardens too, but that is another discussion.) The freedom of choice is how we consumers exercise power in the marketplace.

No matter how cool the interface is on an Apple iPhone or iPad is, giving up the power of choice in the marketplace for convenience is giving up too much.

I want the freedom to install any software I want on my mobile device; especially to manage any tracking mechanisms. That includes software like MAXA Research, which I use on my laptop to manage and delete (LSO) tracking files.

What do you think of the mobile tracking? Of the related issues? Are you happy with today's mobile devices and the restrictions?

[Correction: this blog post has been updated to list the Hillman et al v. Ringleader et al class-action lawsuit filed in New York Southern District court. The post originally mentioned a class action filed in Texas.]

Quantcast And Several Major Online Sites Sued For Alleged Use of 'Zombie' Cookies To Track Consumers Online

last week, a class-action lawsuit was filed in U.S. District Court in Central California against Quantcast Corporation and several of its affiliates for using "zombie" cookies to track consumers' online activity and for violating several computer and consumer privacy laws.

The affiliates include several major online companies and their websites you have probably used: Myspace Inc., American Broadcasting Companies Inc. ESPN Inc., Hulu LLc., JibJab Media, MTV Networks, NBC Universal Inc. and Scribd Inc.. The complaint alleges that the companies violated one or several laws:

• Computer Fraud and Abuse Act, 18 U.S.C. § 1030
• Electronic Communications Privacy Act, 18 U.S.C. § 2510
• Video Privacy Protection Act, 18 U.S.C. § 2710
• California’s Computer Crime Law, Penal Code § 502
• California's Invasion of Privacy Act, Penal Code § 630
• UCL, Business and Professional Code § 17200
• Consumer Legal Remedies Act

I've Been Mugged reviewed the complaint (PDF, 690k bytes), which alleged that several consumers:

"... were victims of unfair, deceptive, and unlawful business practices; wherein their privacy, financial interests, and computer security rights, were violated by Quantcast Corporation, and websites affiliated individually with Quantcast... by setting flash cookies on their user’s computers to use as local storage within the flash media player to back up browser cookies for the purposes of restoring them later."

The suit also alleged that the defendant companies:

"... knowingly authorized, directed, ratified, approved, acquiesced, or participated in the unfair and deceptive business practices made the basis of this class action, which included, but was not limited to, setting of an online tracking device which would allow access to, and disclosure of, personal information (“PI”), personal identifying information (“PII”), and/or sensitive indentifying information (“SII”). This information was derived from the Internet user’s online activities, including visits to non-Quantcast Flash Cookie Affiliates’ websites, accomplished covertly, without actual notice, awareness, consent or choice of the user."

This is important: the suit alleges that the companies used the Flash cookies technology to secretly track consumers' online habits and usage, to regenerate traditional web browser cookies, and to collect consumers' sensitive personal information. The companies allegedly profited from this practice and never provided the consumers with notice (in website privacy and terms policies) or opt-out mechanisms.

These "zombie" cookies are the regenerated traditional web browser cookies you usually delete. Like the zombie monsters you have seen in movies, they never seem to completely disappear; and they keep returning despite your best efforts to kill them.

The complaint also cited the problematic, vague, and misleading portions of each defendant company's website privacy or terms policy. The suit does not include all Quantcast affiliates; only those there were involved in the covert tracking and use of "zombie cookies." The suit described in detail how the covert tracking and sensitive personal information collection worked:

"... information obtained by the placement of flash cookies on the users’ computer hard drive and the use of user’s local storage within their flash media player to back up browser cookies for the purpose of restoring them later without actual notice/awareness and consent/choice of the user.."

This is important. Since the firms knew that consumers regularly deleted their browser cookies (to avoid tracking and to maintain their privacy online), the companies intentionally used the Flash cookies technology to regenerate deleted web browser cookies on consumers' personal computers without the consumers' knowledge or consent.

In this class action suit, one of the lawyers representing the consumers in the complaint is a Privacy Crusader I've written about previously: Joe Malley. Malley has much plenty of experience with online privacy, targeted ad tracking, and data collection issues as he has been involved with class actions against Facebook and its Beacon affiliates, NebuAd, and Adzilla. Earlier this year, Facebook settled the suit for $9.5 million. So, I am happy that Malley is involved with this latest suit.

In researching this latest suit, the attorneys found that:

• The leading websites regularly use Flash cookies for a variety of reasons,
• Many of of these leading websites also use Flash cookies" to regenerate web browser cookies that consumers have regularly deleted,
• To justify tracking via tailored online ads, advertisers regularly claim that consumers want online ads tailored to their interests while studies have documented otherwise

When I first wrote about the privacy and tracking issues with Flash cookies, I also spoke with with several web developers I have worked with in prior jobs. Some knew about Flash cookies but most had no idea about the extent of online tracking and data collection via the technology. If these professionals with deep Internet experience have no idea, then the average consumer or online user definitely has no idea of the technology, the privacy abuse problems, or what, if anything, to do about it.

Since I learned about the "zombie" cookie problem, I now use two software products to monitor and delete all cookie files on my home computer:

1. MAXA Cookie Manager software
2. BetterPrivacy add-on for the Firefox browser

Depending upon which web browser used, consumers may decide to download one or both of the above software products. I like the MAXA Research software since it monitors all Local Shared Objects (LSOs) on your computer: web browser cookies, Flash cookies, and DOM user data. Most web browsers have menu options to delete standard web browser cookies, but are unable to delete Flash cookies and other LSOs. The I've Been Mugged blog features a June 2010 interview with the Chief Technology Officer at MAXA Research.

Moreover, this class action suit highlights the fact that companies' website policies are often vague and lack sufficient detail for consumers to make informed decisions. Granted, many consumers don't read the privacy and terms of use policies at websites, but that is no excuse for companies to publish insufficient policies. Plus, Federal and state laws lag far behind online technologies. This makes online privacy difficult for consumers and many companies seem to take advantage of this situation.

Last, this class action suit should be a wake-up call to consumers across the Internet. Now is the time for consumers to demand accountability from websites and advertisers. If they refuse to provide accurate disclosures in their website policies, shop elsewhere. If they refuse to provide easy-to-find opt-out mechanisms for their advertising and marketing programs, shop elsewhere. If you find websites offering advertising and marketing programs with opt-in mechanisms, shop there instead.

If this "zombie" cookie situation bothers your (and I sincerely hope that it does), I encourage you to write to your elected officials and demand stronger laws requiring companies to fully disclose in their websites the tracking and technologies used by their websites, partners, and affiliates.

Holy Terminator, Batman -- Google is Skynet!

[Editor's Note: I am pleased to feature another post by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. She has studied what makes some individuals embrace or avoid information technology. (She’s definitely one of the former.) Michelle helps others improve their use of technology in their personal or professional life. Today, Michelle tackles Google and privacy.]

By R. Michelle Green

Have you ever had the experience of wiping up a spill and then realizing the clean spot makes the rest of the table look bad, so now you have to wash the whole table? That’s the way I feel about my recent blog posts. I’ve been looking at more and more things that infringe on our privacy, and now I just have to keep pulling at that thread, even if it unravels my whole sweater... Wow, a Cusinart of metaphor. Anyhow.

I was patting myself on the back for being Facebook security savvy when a Chicago friend tells me he won’t trust Google with his web and search history. He also opted out of search personalization, where Google puts sites you already like to visit higher in your search query results. The hell you say! Don’t trust Google!? Google is wonderful, Google is my friend! The company’s motto is “Don’t Be Evil,” right?

Google’s gotten a lot of slack from people like me, who love the effectiveness, creativity and style in the tools available online and through text, for personal and professional needs. The search engine is a thing of beauty, no question. But we’ve come a long way (especially in internet years, my friend) from Google’s early statement, underscored on the Corporate Philosophy page last updated September 2009, that all they wanted to do was be the very best search engine they could be.

Let’s examine the evidence. Google CEO Eric Schmidt in a 2007 Wired interview said that Google is no longer first a search company, but an advertising company. In a 2008 CNBC interview with Maria Bartiromo he returned search to primacy, saying it was “even more important…than advertising,” and citing it as critical to end-user happiness. But when CNBC can say that 95% of your profit comes from selling AdWords, make no mistake about it, it’s the company’s priority.

The Business Insider chart below shows advertising’s role as a function of Google revenue over time:

This gives more credence to Schmidt’s 2007 statement to Wired: Google is advertising (Doubleclick), a social phenomenon (YouTube, Google Chat and Google Groups), an end-user system (Google Apps, Android) and a giant supercomputer. For a company that puts transparency high in its ideals, there is little or no clarity about who owns the your web and search history. (Since possession is nine-tenths of the law, I think Google owns it, even if my name’s on it.)

Is that in and of itself evil? It might be nice to have Google organize everything you do online, help you find that hysterical sleeping ancient Pomeranian dog you saw three years ago. So what if they keep it on their own servers? The big sin here isn’t that they do it – others can and do also.

If you are a Comcast 'net user (or Yahoo, or AOL or portals) and stay signed in while you surf, they can associate your actions uniquely with the profile information you offered at sign up, just as Google does with its Gmail users. You might even say they’ve been a little more straightforward about it, offering greater user control with it than the aforementioned web portals. There’s a dash of hubris and a fair share of hypocrisy, however, in Google’s assertions that they’ll never do anything evil with the data they amass. Data lives to become knowledge, knowledge is power, and we know what power does. Absolutely.

So what information does Google have about you? Inquiring minds and all that. Check for yourself by going to your Google search page and clicking on the web history link in the upper right hand corner. Then for funsies, follow the link that says, “is that everything?” where Google also talks about its cookies and server logs.

If you already have a Google account, you can get more precise information at Google Dashboard. My Dashboards for different Gmail names are different, but they show they’re related because I have their calendars connected. The Search history is far spottier than I expected, however, in part because I’m scrupulous about logging in and out of Gmail on a per task basis. And while at first blush it may look sparse, note they are offering you samples of your search in various categories, you must click on the category for more detail.

Don’t get me wrong, I remain a Google fan. I think it’s incredibly cool that Washington D.C. firefighters are using Google Apps, for example. It lets them call up schematics of abandoned buildings, the locations of fire hydrants, whether the hydrants are working or non-working (!), and the locations of their trucks. The District showed a first-year taxpayer savings of $3 million using the tool. I love “20 percent time,” where Google encourages use of work time on personal projects as a path to greater innovation. I like how they’re standing up to China. However, I believe the CEO’s statement to CNBC, “If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place,” is problematic, (and from him, maybe a tad hypocritical).

Even if you trust Google today, what if pieces of the company get sold off to less beneficent people? Could the management mantra change one day from “don’t be evil”? With so very much information in one place, how vulnerable are they (er, are WE?) to the loss of their password program Gaia? And, has their very success blinded them to recognizing the cumulative steps toward monopoly, no matter how benevolent or effective? I am very impressed with the commentary, “Google’s Microsoft Moment” likening their current position to Microsoft in the 1990s – that they are in danger of becoming what Google’s founders once found anathema.

Think back to the description of Google as supercomputer for a minute. They’ve got the images (Street Views, Google Goggles, Picasa, YouTube, etc.). They’ve got the words (every search query ever, Google Books, Google Scholar). They’ve got the commerce (AdWords, Google Shopper, Google Checkout, Doubleclick). They’ve got the tools (Google Apps, Android, Google Docs). No doubt about it – it’s Skynet, goin’ somewhere to happen...

Readers going for extra credit should check out CNBC’s excellent special Inside the Mind of Google, available in its entirety online, and running on CNBC again on June 21st.

---

© 2010 R. Michelle Green. Reprinted with permission.

Tracking Your Online Habits and Privacy: Huge Problems Persist

While much attention during the last few weeks has focused on Facebook and privacy, there is a far bigger privacy issue facing consumers online. It involves a technology that many websites use and few consumers are aware of.

Many websites try to present relevant advertisements based on pages you have viewed in that site, or your past purchases. Perhaps you have noticed this. My wife said she noticed more ads for flowers online after she has just bought some flowers online. She knows intuitively that something is going on behind the scenes; that her information is being shared somehow. The specific technology is a mystery to her and to many consumers.

Maybe you like relevant ads; maybe you don't. How do websites present relevant ads? One method is your sign-in credentials. When you visit a site and enter your ID and password to sign in, the website knows it's you and can track your movements within its site. That's fine and dandy. If you don't want to be tracked, don't sign in to that site.

Some websites serve up relevant ads without requiring you to sign in. How do they do this? One method is a technology called web browser cookie files or "HTTP cookies." An HTTP cookie file is a small amount of text saved in a file located on the hard drive in your computer; in a folder with your web browser software (e.g., Firefox, Safari, Internet Explorer, etc.). Many websites use HTTP cookies because it's a way to identify you; to save in an HTTP cookie file an identifier so the website can tell if you are a new or returning visitor; and to track your online movements within their website to present relevant ads based on the pages you viewed within their site.

So if you visit a clothing site online and shop for shoes, it may save a code to the HTTP cookies file indicating when you first visited the website and the shoes site section viewed, so the website can present to you more shoe ads while you view other site sections with pants, coats, boots, or whatever. Some consumers like for the websites they visit to present relevant ads. Some consumers don't.

I have worked in the website design industry since 1997 primarily as a user experience and information architecture professional. I've built, as part of a design team, both large and small websites. Whenever we were building a website that included personalization, the topic of HTTP cookies versus sign-in credentials always came up. The method we used -- sign-in credentials, HTTP cookies, or something else (hint: keep reading and you'll learn what that is) was always a balance between the website design goals, users' needs, the client's budget, the preferences of the web developers, and the technological capabilities of the client's Information Technology' department.

In 2007, a study found that about 30% of consumers regularly delete the HTTP cookies on their computers. These consumers value their privacy and prefer to retain as much control as possible of their personal information. Why consumers take the time and effort to delete HTTP cookie files:

• Some websites use "session-based" HTTP cookies: information about you is stored in the HTTP cookie only for the time period while you visit the website. When you leave that website, the information stored in the HTTP cookies is deleted.
• Some sites uses "persistent" HTTP cookies: the site edits the HTTP cookie so it retains information for later use tomorrow, next week, next month, next year or whenever you return to that site.
• Some companies buy and sell the information saved in HTTP cookies at "behavioral exchanges."

You can use your web browser software to delete HTTP cookies manually or set it to automatically delete HTTP cookies at a predetermined schedule. For example, in the Internet Explorer menu bar select:  Tools --> Internet Options --> Browsing History Delete to view the automatic and manual options.

In May 2009, I performed an informal analysis of the HTTP cookies files used by Experian and Equifax: two of the three major credit reporting agencies. In that analysis both credit reporting agencies and their advertisers saved information to HTTP cookies on my computer as soon as I visited each web site's home page. Why? To track my online movements within each site, to determine if I was a first-time or returning user, and which ads I had viewed. Based on that knowledge, they could charge their ad clients based on a more accurate measurement of online usage by me and all other consumers visiting each site.

What I found disturbing from that analysis was that both credit reporting sites started tracking my online usage before I had a chance to read each website's Terms of Conditions and Privacy policies to learn how each web site and its advertisers track my online movements. So consumers should know that tracking via HTTP cookies starts immediately when you go online.

The recent concerns about privacy at Facebook is that Facebook wants to, a) make public personal information many consumers want to keep private, and b) track your online movements and serve up relevant ads when you visit other websites; not only at the Facebook site. This is part of a trend online today.

Since that study showed that a significant number of consumers delete the HTTP cookies on their computer monthly, advertisers have sought a more reliable tracking method that wasn't vulnerable to deletion by consumers. It seems that they have found a solution with the Adobe Flash Player software which creates its own cookie files, commonly referred to as "Flash cookies" or "Local Shared Objects" (LSO).

Adobe Flash is the technology many websites use to deliver an interactive, animated website experience, content and ads. Adobe Flash Player is the free software installed with your web browser software so you can view content at websites that use Adobe Flash. Perhaps you have seen the Adobe Flash player image on the right. Adobe is the company that owns the technology and distributes the Flash player software.

You don't have to install Adobe Flash Player on your computer, but most people do because it provides a better online experience at websites that present content with Adobe Flash -- a popular technology among website designers. The Adobe Flash player software stores a "Flash cookie" file on your computer in a different file folder location which web browser and online-ad-blocking software don't access and delete.

One benefit to advertisers is that they can set Flash cookies to never expire. Another appeal is that they can store a lot more information. An HTTP cookie stores a maximum of about 1,024 bytes of information; compared to about 5 megabytes maximum for a Flash cookie. You don't need to be a rocket scientist to see which is better at collecting massive amounts of consumers' personal data and Internet habits.

Like any other technology, some websites use Flash cookies responsibly, while other sites abuse consumers' privacy with it. The problem is:

1. Few consumers know about Adobe Flash,
2. Even fewer consumers know about Flash cookies,
3. Few to no websites inform users that their websites use Adobe Flash cookies,
4. It's the wild west on the Internet and their are no rules or regulations about this, and
5. Some websites use Flash cookies to permanently store information about consumers to avoid HTTP cookie deletion by consumers.

The problem is not new. In July 2009, I first wrote about privacy concerns with Flash cookies. To control the information Flash cookies store about you and your online habits, at that time I advised consumers to use the "Flash Privacy and Settings Control Panel" tool available at the Adobe website. I have since learned that advice is only a partial solution.

In a study last year, researchers at the University of California Berkeley analyzed the use of Flash cookies at the top 100 web sites. The researchers found:

• 98 % of the websites analyzed use HTTP cookies; 54 % use Flash cookies
• Of the websites using HTTP cookies, each site uses on average 36 different HTTP cookies
• Of the websites using Flash cookies, each site uses on average 5 individual Flash cookies
• The websites using Flash cookies included the private sector and government
• A significant percentage of sites used Flash cookies to store the same information as HTTP cookies
• The content in Flash cookies is stored by both the organization that operates the website and third-party organizations (e.g., advertisers, website measurement firms)
• Some websites use Flash cookies to programatically recreate HTTP cookies that the consumer has previously deleted
• Many websites that use Adobe Flash are TRUSTe certified
• The "Private Browsing" mode in Internet Explorer version 8 and Firefox version 3 doesn't delete Flash cookies
• The researchers called Flash cookies a "Persistent Identification Element" (PIE)
• Consumers with a computer running the Windows operating system can view Flash cookie files in this folder: \Documents and Settings\[username]\Application Data\Macromedia\Flash Player
• Consumers with a computer running the Apple operating system can view Flash cookie files in this folder: /users/[username]/Library/Preferences/macromedia/Flash Player/
• The "Clear Private Data" option in the Firefox web browser will not delete Flash cookies
• Some sites use Flash cookies that actively counter the opt-out mechanism from the Network Advertising Iniative (NAI), which enables consumers to opt out of behavioral advertising programs

I am concerned about consumer privacy issues with Flash cookies given the above findings, plus:

The use of Flash cookies is one technology among several used by websites to perform "behavioral advertising" (or "targeted advertising" or "behavioral targeting"). Several Internet Service Providers (ISPs) engaged in behavioral advertising, collected information about their subscribers, and didn't obtain their subscribers consent first. Advertisers and companies in a variety of Industries seem to be rushing headfirst down a similar path with Flash cookies.

When a company collects consumers' data and share it with other companies, the responsible thing to do is to inform its customers (and prospective customers) and then gain their express consent. Today, almost no companies (and government agencies) are disclosing their Flash cookies policies or activities.

Will this situation with Flash cookies improve? I believe that it will take some legal action for change to occur. Awareness among consumers is too low and the pursuit of profits by companies and advertisers is great.

Meanwhile, what can consumers do to protect themselves? Assuming you want to surf the web with as much privacy as possible:

1. Set your web browser to automatically delete HTTP cookies,
2. Firefox web browser users should install the BetterPrivacy add-on to review and delete Flash cookies,
3. Maxa Research offers a software product to help consumers review and delete both HTTP cookies and Flash cookies,
4. Visit the "Flash Privacy and Settings Control Panel" tool at the Adobe website to control what information Flash cookies saves about you, or
5. Surf the web with an iPad or device that doesn't use Adobe Flash.

If you discover any more tools to manage Flash cookies information, please share them in the comments section below.

Adzilla Quietly Settles Class-Action Lawsuit

About a year ago, I wrote about the class-action lawsuit involving Adzilla. Last week, Media Post reported:

"A privacy lawsuit against behavioral targeting company Adzilla and its partners was quietly settled late last month, according to court records. Adzilla, which stopped operating in the U.S. in 2008, did not acknowledge any wrongdoing as part of the settlement... Adzilla agreed that it will "require opt-in consent of consumers or any consent that may be required to avoid violation of the Electronic Communications Privacy Act" should it resume ISP-based targeting in the U.S."

Readers of this blog know that I am a proponent of opt-in systems; to require behavioral advertising companies to clearly notify and inform consumers first and to only collect data about consumers after gaining explicit, prior consent via a conspicuous online opt-in mechanism. Several Internet service providers abused consumers' rights by collecting data without notice and without gaining prior consent.

Unfortunately:

"The settlement leaves unresolved whether it's legal to target Web users based on data purchased from Internet service providers."

Center For Digital Democracy Asks The FDA To Investigate Use of Behavioral Targeting By Drug Companies

As a user experience professional who worked on pharmaceutical sites like CiprXR and Avelox, this news item caught my attention. The Center For Digital Democracy (CDD) has asked the U.S Food and Drug Administration to investigate the use of behavioral targeting by drug manufacturers:

"On pharmaceutical websites, as well as on so-called “unbranded” sites, popular social networks, and interactive video channels, a digital marketing system designed to more effectively tap into the concerns—and anxieties—of those seeking health information has emerged. Few U.S. health consumers are aware that they are being identified, labeled, profiled, and tracked on the Internet while they search or access information on specific conditions or concerns."

Along with its request, the CDD has asked the FDA to work with the U.S. Federal Trade Commission, which has experience investigating behavioral targeting issues and developing behavioral targeting rules.

“The health and safety of U.S. consumers must be protected from inappropriate and potentially harmful use of digital marketing applications that have been embraced by pharmaceutical and health marketers,” explained CDD’s Executive Director Jeff Chester. “It is essential that the FDA craft regulatory safeguards for Internet-related promotion, especially since interactive communications will become the dominant form for the delivery of health information and advertising to both consumers and health professionals.”

According to the MediaPost site:

"The CDD's filing listed several publisher sites that focus on health, including HealthCentral, which says that marketers can advertise on 35 condition-specific categories... the company runs contextually targeted ads on HealthCentral sites -- that is, ads that relate to the content on its pages -- but doesn't directly offer behaviorally targeted ads on its own sites. HealthCentral also runs some Google AdSense ads, which can be targeted based on behavior; users can opt out of that cookie-based behavioral targeting by Google... HealthCentral has a deal with Microsoft allowing the company to serve behaviorally targeted ads to some users who go to its sites after previously visiting HealthCentral."

I have written extensively in this blog about issues related to behavioral targeting (also known as "behavioral advertising) and abuses by various companies (e.g., Sears, NebuAd, Adzilla, ISPs) that failed to inform consumers and offer appropriate opt-in mechanisms. Kudos to the CDD for taking action.

Behavioral Exchanges: Where Your Web Browser Cookies Are Bought And Sold

Who knew that when you opted into getting online ads from an advertising network that you were also agreeing to allow firms to sell the contents of your browser cookie file. From the New York Times:

"BlueKai and eXelate work in similar ways. They both track who is interested in what through a cookie, an invisible bit of code on a Web page. When someone does a search, for example, on Kayak.com for first-class flights to Paris in September, that information can be captured by a cookie, and Kayak.com can sell that cookie using eXelate or BlueKai."

How it works:

"Once the [corporate advertising] buyers log in to the exchange, they select the criteria they want, and the exchange tells them how many cookies are for sale. BlueKai has about three million cookies for in-market sedan buyers, for instance, and nine million for cellphones and P.D.A.’s. The advertisers specify how recent they want the cookie to be — they may want only people who have looked for their product in the last day — and bid on a price. The challenge for eXelate and BlueKai is to get publishers and commerce sites interested in selling information about their visitors."

It's unclear if this applies to Adobe Flash cookies, which also collect and share data about consumers.

Consumer notification, control, and opt-in (not opt-out) mechanisms need to be really clear about this. And, I believe behavioral exchanges should exclude medical information. It'd be great if the FTC actually did its job and set some guidelines for behavioral exchanges.

Targeted Advertising Programs Integrate Your Offline And Online Habits

Things are moving quickly in the behavioral advertising industry, and we consumers had better pay attention. In her Behavioral Insider blog, Laurie Sullivan summarized some important developments from the OMMA Behavioral conference in San Francisco:

"... the trend became apparent from the start of the show when Exelate provided a pre-conference presentation focusing on integrating shopping data. Later in the day, MediaPost Senior Writer Wendy Davis led a panel where Fran Maier, CEO at Truste, confirmed that all the information gathered from online and POS transactions can be aggregated to create a "very detailed profile." She said consumers do know they are being tracked online, but they are not given enough information about the information collected. Execs from the analytics firm Webtrends provided some further insight. Webtrends is working with Dotomi, which retargets ads to consumers, to integrate Analytics 9..."

How it works:

"Webtrends built a data collection applications programming interface that will allow marketers to integrate data into Webtrends's analysis engine. Marketers can feed the POS data from in-store cash registers into a central repository database. Marketers can extract part, or all, of the data and feed it into the analytic engine and correlate the data to transactions on the Web site. Analytics treats it as a conversion event -- just as if the customer bought the products or services online."

Want to learn more? Follow any of the above links, or read the Behavioral Advertising section of this blog.