Exploring The Online Tracking Of Consumers: A Look At Equifax And Experian

Yesterday's post discussed research about how retailers extensively track consumers online. Today, I wanted to explore this further.

So, I secured my Microsoft Internet Explorer browser and its Privacy settings to prompt me every time a Web site or page attempted to place or edit a Web cookie on my computer. This prompt would allow me to note the site requesting the cookie, and either accept or reject that cookie request.

I am not a computer expert, and this is not a formal, academic test. And it doesn't cover Web Beacons. This informal test is limited in that it won't indicate the contents of each Web cookie request; only that a cookie request occurred. I am sure that there are plenty of computer experts that can design a sufficiently rigorous test. Regardless, I felt the need to start somewhere.

For test web sites, I chose two of the credit reporting agencies' sites (Equifax.com and Experian.com) since I use these sites, have discussed them previously, and since these sites contain sensitive personal data about consumers.

It didn't take long for the results to show. When trying to access the Equifax.com home page, I noticed that the site placed a multitude of Web cookies on my computer. The list of companies writing to my Web browser cookie file went far beyond just Equifax:

If you are counting, that was about 22 cookie requests before the home page fully loaded. To me, that seemed like a lot of Web cookie requests. And, who are these companies? Some of the names (e.g., HitBox, Doubleclick) I recognize since I work in the Internet industry. I know some of these are tracking services for advertisements.

I couldn't help but wonder what most consumers, who don't have the benefit of working in the Internet industry, would think of this -- if they took the time and knew how to configure their Web browser. This would probably make any consumer pause, and wonder what exactly is going on.

Now, I don't mean to imply that all Web cookies are bad. Some are good and useful. I use a few Web cookies to manage this blog. My first point is this: all of the above cookie requests happened before the Equifax.com home page loaded in my browser. So, consumers don't really have a choice because all of this tracking and data collection happens before consumers can read the home page, and read the Equifax Privacy Policy to make an informed decision about their online privacy.

Sure, we all want to be informed consumers, but things seem stacked against consumers. The online tracking at Web sites starts sooner than many consumers probably would expect.

Next, I read the Equifax.com Privacy Policy to see what it says about Web cookies and the company names I encountered:

"We use session and persistent cookie technology for several purposes. For example, cookies: Allow you to order more than once during a visit without your having to re-enter your information each time you place an order for a Personal Solutions product; Allow us to gather aggregated statistical data about the use of our website for research purposes; Help us improve your navigation of our web site(s); Enable us to store your preferences for certain kinds of information and marketing offers; Help us to provide features such as personalized greetings; If you're a Member of Personal Solutions, allow us to store your user name and encrypted customer identification number so that we recognize you when you return to our web site; Help us combat identity theft and fraud with more reliable identity verification and authentication data."

All of that sounds good, but it'd be more reliable if Equifax.com didn't perform this extensive tracking and data collection before the home page fully loaded and before consumers had a chance to read the Equifax.com Privacy Policy. There is more:

"Cookies set by us or our agents are not interpreted or shared with any other third party. We may combine cookie data with personally identifiable information or business organization identifiable information you provide to us... We may sometimes use outside technology companies to set cookies on our web site and collect cookie information for us. We use the cookie information collected by these companies in the same manner as stated above in this section. Those companies may not use these cookies for their own internal purposes or share the information collected with any party other than Equifax."

"Sometimes use outside technology companies?" 22+ cookie requests at the home page seems far beyond "sometimes use."

And, who are Equifax's "agents" and "outside technology companies?" Who are these "third parties" that are not agents? Are they the list of companies I encountered or some other companies?

The Privacy Policy clearly indicates that Equifax works with other companies, but the policy does not disclose the companies by name. Why the secrecy? If all of this cookie usage by Equifax is so good for consumers, why not disclose it?

This secrecy leaves consumers to guess about what is going on. If everything Equifax is doing is really that good, then it shouldn't be an issue to list the technology companies, agents, and third parties.

For transparency and full disclosure, the Equifax Privacy Policy should list these companies, but it doesn't. It would help so consumers could make an informed choice.

Given this, what choice do consumers really have? I say, not much of a choice really. If you decide to secure your Web browser and reject every cookie request, then the Equifax.com site seems to quickly become unusable. The Privacy Policy should but doesn't state exactly which site features or mechanisms become unusable when Web cookies are rejected.

The situation was little better at the Experian.com home page. I experienced fewer Web cookie requests from fewer companies:

  • 11 cookie requests by Experian.com
  • statse.webtrendslive.com (2 cookie requests)
  • wa.marketingsolutions.yahoo.com
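
A scripted version of this kind of tally, as an added example that is not part of the original post: it counts `Set-Cookie` headers per responding host, labels each as first- or third-party, and also reports session versus persistent lifetime, which the browser prompt did not show. The host names and per-host counts are the ones listed above; the cookie names, values and attributes are constructed placeholders, and `site_of` is a simplifying assumption.

```python
from collections import Counter
from http.cookies import SimpleCookie

# Constructed capture: (responding host, raw Set-Cookie header value).
# Hosts and per-host counts follow the post's Experian list; cookie names,
# values and attributes are invented placeholders, not observed data.
PAGE_HOST = "experian.com"
CAPTURE = (
    [("experian.com", f"pref{i}=x; Path=/") for i in range(10)]
    + [("experian.com", "visitor=abc; Path=/; Max-Age=31536000"),
       ("statse.webtrendslive.com", "wt_a=1; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
       ("statse.webtrendslive.com", "wt_b=2; Path=/"),
       ("wa.marketingsolutions.yahoo.com", "ym=3; Max-Age=86400")]
)

def site_of(host):
    """Last two labels as the 'site' (assumption: breaks on suffixes like .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit(page_host, capture):
    """Count cookies per (host, party, lifetime)."""
    first_party = site_of(page_host)
    rows = Counter()
    for host, header in capture:
        jar = SimpleCookie()
        jar.load(header)  # parses one Set-Cookie value into morsels
        party = "first" if site_of(host) == first_party else "third"
        for morsel in jar.values():
            # Expires or Max-Age means the cookie outlives the browser session.
            persistent = morsel["expires"] or morsel["max-age"]
            rows[(host, party, "persistent" if persistent else "session")] += 1
    return rows

def third_party_sites(rows):
    """Distinct outside sites that set at least one cookie."""
    return sorted({site_of(h) for (h, party, _) in rows if party == "third"})

if __name__ == "__main__":
    rows = audit(PAGE_HOST, CAPTURE)
    for (host, party, lifetime), n in sorted(rows.items()):
        print(f"{n:3d}  {party:5s}  {lifetime:10s}  {host}")
    print("third-party sites:", third_party_sites(rows))
```

To run it against a real page load, replace `CAPTURE` with the host and `Set-Cookie` pairs exported from the browser's network log.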

If this lack of transparency bothers you (and I sincerely hope that it does), learn more about targeted advertising (a/k/a behavioral targeting). Then, write to your favorite retailers and demand more disclosure in their Web site Terms of Service and Privacy policies. If that doesn't work, write to your elected officials in Congress and demand legislation for more disclosure.
