Two reports show how Web companies track online user behavior.
When you order a book on Amazon, catch up on the day’s news at NYTimes.com, or watch a few videos on YouTube, you leave a digital trail on the Web, and chances are you’re being tracked. According to two Berkeley studies, dozens of Web companies—including some of the most popular ones—track online consumer behavior, often contravening websites’ privacy policies.
In one study, School of Information graduate students Joshua Gomez, M.I.M.S. ‘09, Travis Pinnick, M.I.M.S. ‘09, and Ashkan Soltani, M.I.M.S. ‘09, found that 117 different “Web bugs” track user behavior on the nearly 400,000 websites monitored in the project. A Web bug, or Web beacon, is an invisible graphic embedded in a webpage, allowing company affiliates or third parties to follow users’ activity. Blogspot.com (a subsidiary of Google) was found to be the most bugged site, with as many as 100 different bugs cluttering its code. Google is the most prevalent spy, with Web bugs planted on 92 of the 100 most popular sites. These findings, along with the rest of the study, can be viewed at the researchers’ website, knowprivacy.org.
“The goal is to better target you,” says Soltani, who worked on both reports. “The Internet model evolved to where it’s so purely ad-based that everyone’s trying to extract all the value from the ad model, and to do that they need to do it better and better and better, and they’re trying everything they can. That may not be the best thing for consumers.”
Here’s how it works: When you visit a website, it automatically collects a code called an IP address that identifies your computer and location. A third party, such as an advertiser, can access that information by embedding a bug on the page. The bug then reports back a user profile for each IP address, including what sites were visited. By spreading bugs over the most popular websites, the advertiser is able to build an accurate picture of consumer behavior over time. That advertiser can then target specific users for tailored ads based on what sites were visited.
Although there is nothing inherently nefarious about collecting this information, Soltani is concerned that the companies are doing so surreptitiously. The researchers examined consumer complaints made to the Federal Trade Commission (FTC), the California Office of Privacy Protection, and other privacy watchdogs, comparing those complaints to Web companies’ privacy policies and information-sharing practices. The verdict: A gap exists between what companies say and what they do.
Often, companies craft policies that suggest users control their information, says Chris Hoofnagle, Director of Information Privacy Programs at the Berkeley Center for Law & Technology, “but they’re using technologies that make choice very difficult to effectuate.” One such technology is the “persistent cookie” that monitors user behavior. In tech-speak, a cookie is a file sent from a website to a visitor’s browser, allowing the site to identify the visitor by assigning a unique identification code. Visitors can delete cookies from their browsers and so appear as new users each time they visit that site.
But according to the second study, jointly conducted by the I School and Berkeley (Boalt) School of Law and led by Hoofnagle, companies have figured out a way to use Adobe Flash, a multimedia platform commonly used to view video or listen to audio content online, to “respawn” the original deleted information in a visitor’s browser. The visitor can then be tracked even after the original cookie has been deleted. The report found that 54 of the 100 popular websites surveyed use these Flash cookies, but only a fraction disclosed this practice in their privacy policies. “This kind of regeneration of cookies is actually subverting user control,” says Soltani, who participated in the study. “In the policy framework, that could be considered unfair or deceptive practice.”
So far, regulation on Web tracking has been slight, but new FTC rules may be on the horizon. “I think the regulators are sensitive to the idea that consumers perceive tracking as creepy,” says Hoofnagle. “If someone was in the grocery store following you around, even if they didn’t know your name, you’d still think that was creepy. Something similar is happening here. I think there’s a fear that if there isn’t some meaningful redress for tracking, consumers will begin to have a negative attitude toward online commerce.”
