Google plan to link online behavior to offline shopping is creepy, even with privacy protections

Scroll down for FTC tracking guidelines

This post first appeared in the San Jose Mercury News

On Tuesday, KCBS co-anchors Jeff Bell and Patti Reising and I talked about Google’s new plan to track brick-and-mortar transactions with online behavior during my daily live radio segment. But before I started explaining the plan, Patti began by saying, “Larry this sounds creepy to me.” And even after I explained Google’s claim that the data is purely aggregate and not associated with any individuals, she still found it creepy. And she was right. Regardless of how well Google encrypts and anonymizes data, any linkages between consumers’ online and offline behaviors will creep people out.

Lots of people are already creeped out when they see ads on third-party sites associated with a previous search either on a seemingly random webpage or an e-commerce site such as Amazon. We’ve all seen these ads pop up on Facebook, in Google searches or other sites we visit, and you may have been creeped out by the fact that they are displaying ads for the very products we searched for on Google, Amazon or other sites. It’s especially creepy when the ad appears on a site that doesn’t appear to be affiliated with the site that actually gathered your information.

How you are tracked

There are several ways that advertisers can track you online. One, of course, is if you’re logged in. So if you’re shopping on Amazon, the company knows who you are. Google also encourages users to log in, which allows it to know where you’ve been on Google sites. And Facebook always knows who you are when you’re logged in to its site or using its app. But even if you’re not logged in, there are tracking cookies – little files that are placed on your device’s storage to track where you have been. In addition to first-party cookies that store information, like user names and passwords, there are third-party cookies that can be placed by someone other than the site you are on, such as advertising networks or analytics companies that have partnered with the site you’re visiting. There are also Flash cookies that work with Adobe Flash player for tracking and advertising. Another trick is “device fingerprinting,” which can identify your device or browser without the use of cookies, regardless of whether you’re on a PC, a phone or another device. Another tool is the HTTP referrer, where the website you’re on passes your information to the next site you visit. To learn more, scroll down to the section on FTC Tracking Tips.

It may actually get worse because Congress recently voted to allow internet service providers to sell your data, which means any site you visit is fair game since ISPs can know everything you do and everywhere you go when you’re on their network. Most internet service providers have privacy policies that limit how they use personal data, but any legal obstacles to disclosing it are diminishing.

Regardless of whether the information being collected or even displayed can be tracked back to an individual, it can still be creepy. For example, a few years ago, a friend told me she saw an ad on Facebook directed specifically to “50-year-old women in Palo Alto” and wondered how the advertiser knew her age and location. It didn’t, but Facebook does. Facebook didn’t sell this woman’s information to the advertiser. Instead, it did something that’s a lot more profitable in the long run. It kept that information to itself but sold the demographic by displaying that ad on the Facebook page of anyone who met whatever criteria the advertiser specified. Aside from not violating Facebook’s privacy policy, it also gives Facebook a big financial advantage because it means that the advertiser will have to pay Facebook each time it wants to reach those users.

When I explained this to my friend, she was relieved to know that her information wasn’t sold, but she still found it creepy to log on to Facebook and find an ad that mentioned her age, gender and location.

How Google’s offline tracking works

Google’s new online and offline matching service for advertisers helps brick-and-mortar businesses know whether people who click on their online ads are actually shopping at their stores by matching credit and debit card transactions with online behavior. Google says that the data is encrypted and anonymized and that even Google can’t see any personally identifiable data or payment information. Google says that the data is presented in aggregate form so that both Google and the advertiser could, for example, know how many people who clicked on their ad wound up buying something from the store.

“While we developed the concept for this product years ago, it required years of effort to develop a solution that could meet our stringent user privacy requirements,” a Google spokesperson said. “To accomplish this, we developed a new, custom encryption technology that ensures users’ data remains private, secure and anonymous.”

The spokesperson also said that “Google only learns of the aggregate value over multiple purchases, not individual transactions or individual products or who the individual person is. Also, we only measure for users who have consented for Web and App History. They have the option to make changes to this setting using the My Accounts page.”

For advertisers, Google’s plan means better insight into the effectiveness of their online campaigns. For Google, it’s a great marketing tool because it can point to its successes when selling ads. For the rest of us, as my colleague Patti said, it’s just plain creepy.

The fuel that monetizes free stuff

Targeted advertising isn’t going away. It’s the fuel that monetizes all of the free online services we’ve come to rely on, and without targeted ads many of these services would lose money or at least operate at a smaller profit. Personally, I prefer the old advertising model used in print, TV and radio where the advertiser knows something about the type of person who reads or tunes in but nothing about that person’s habits. But that type of advertising doesn’t bring in as much money as ads that are targeted, and even ads don’t necessarily generate as much money as data about the individuals visiting sites and using apps.

So having to deal with sharing our data may be the price we must pay for all the free services we get online, but I sure hope we find ways to make it more transparent, more controllable and a lot less creepy.

Larry Magid is CEO of ConnectSafely.org, a nonprofit internet safety organization that receives support from Google and other companies.

 ————————————————————————————-

FTC Tracking Tips

This article is reposted from the FTC website. Because it’s from a federal agency, it’s non-copyrighted public domain information.

What is a cookie?

A cookie is information saved by your web browser, the software program you use to visit the web. When you visit a website, the site might store a cookie so it can recognize your device in the future. Later if you return to that site, it can read that cookie to remember you from your last visit. By keeping track of you over time, cookies can be used to customize your browsing experience, or to deliver ads targeted to you.

Who places cookies on the web?

First-party cookies are placed by the site that you visit. They can make your experience on the web more efficient. For example, they help sites remember:

  • items in your shopping cart
  • your log-in name
  • your preferences, like always showing the weather in your home town
  • your high game scores.

Third-party cookies are placed by someone other than the site you are on. For example, the website may partner with an advertising network to deliver some of the ads you see. Or they may partner with an analytics company to help understand how people use their site. These “third party” companies also may place cookies in your browser to monitor your behavior over time.

Over time, these companies may develop a detailed history of the types of sites you frequent, and they may use this information to deliver ads tailored to your interests. For example, if an advertising company notices that you read a lot of articles about running, it may show you ads about running shoes – even on an unrelated site you’re visiting for the first time.
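The cross-site linkage described above can be checked from the browser's side. This added example (not part of the FTC text) takes a constructed list of HTTP exchanges and reports any third-party cookie value seen on more than one site; the host names, cookie values and the two-label definition of a "site" are assumptions.

```javascript
// Added example: spot the third-party cookie that links visits across sites.
// Assumption: a "site" is the last two host labels; real tools use the
// Public Suffix List. All hosts and cookie values below are constructed.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// One record per HTTP exchange seen while a page loaded. `setCookie` is a
// response header (cookie being stored), `cookie` a request header (cookie
// being sent back).
const observed = [
  { page: 'https://www.shop.example/shoes', request: 'https://www.shop.example/shoes', setCookie: 'cart=c1; Path=/; HttpOnly' },
  { page: 'https://www.shop.example/shoes', request: 'https://px.adnet.test/p.gif', setCookie: 'uid=7f3a; Domain=adnet.test; Path=/' },
  { page: 'https://news.example/story', request: 'https://px.adnet.test/p.gif', cookie: 'uid=7f3a' },
  { page: 'https://news.example/story', request: 'https://cdn.fonts.test/a.woff' },
  { page: 'https://blog.example/post', request: 'https://stats.metrics.test/c.js', setCookie: 'v=1; Path=/' },
];

// Set-Cookie carries one name=value pair followed by attributes; Cookie
// carries one or more pairs separated by ';'.
function cookiePairs(r) {
  if (r.setCookie) return [r.setCookie.split(';')[0].trim()];
  if (r.cookie) return r.cookie.split(';').map((s) => s.trim());
  return [];
}

function classify(records) {
  return records.flatMap((r) => cookiePairs(r).map((pair) => ({
    pageSite: siteOf(r.page),
    cookieSite: siteOf(r.request),
    pair,
    party: siteOf(r.page) === siteOf(r.request) ? 'first' : 'third',
  })));
}

// A third-party identifier seen on pages from more than one site is what
// lets its owner join those visits into one browsing history.
function linkedVisits(records) {
  const seen = new Map();
  for (const c of classify(records).filter((x) => x.party === 'third')) {
    const key = `${c.cookieSite} ${c.pair}`;
    if (!seen.has(key)) seen.set(key, { tracker: c.cookieSite, id: c.pair, sites: new Set() });
    seen.get(key).sites.add(c.pageSite);
  }
  return [...seen.values()].filter((v) => v.sites.size > 1)
    .map((v) => ({ ...v, sites: [...v.sites].sort() }));
}

console.log(JSON.stringify(linkedVisits(observed)));
```

The analytics cookie on the blog is also third-party, but it is not reported because it appears on only one site in this sample.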

Understanding Other Online Tracking

What are Flash cookies?

A Flash cookie is a small file stored on your computer by a website that uses Adobe’s Flash player technology. Flash cookies use Adobe’s Flash player to store information about your online browsing activities. Flash cookies can be used to replace cookies used for tracking and advertising, because they also can store your settings and preferences. Similarly, companies can place unique HTML5 cookies within a browser’s local storage to identify a user over time. When you delete or clear cookies from your browser, you will not necessarily delete the Flash cookies stored on your computer.

What is device fingerprinting?

Device fingerprinting can track devices over time, based on your browser’s configurations and settings. Because each browser is unique, device fingerprinting can identify your device, without using cookies. Since device fingerprinting uses the characteristics of your browser configuration to track you, deleting cookies won’t help.

Device fingerprinting technologies are evolving and can be used to track you on all kinds of internet-connected devices that have browsers, such as smart phones, tablets, laptop and desktop computers.
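To make the uniqueness claim concrete, this added example (not from the FTC text) counts how many browsers in a small constructed population share a configuration as attributes are combined. The attribute names and values are illustrative assumptions.

```javascript
// Added example: how much does each extra browser attribute narrow down one
// device? The population and attribute names are constructed for illustration.
const population = [
  { ua: 'Chrome', tz: 'UTC-8', screen: '1920x1080', fonts: 'A' }, // the device we follow
  { ua: 'Chrome', tz: 'UTC-8', screen: '1920x1080', fonts: 'B' },
  { ua: 'Chrome', tz: 'UTC-8', screen: '1366x768', fonts: 'A' },
  { ua: 'Chrome', tz: 'UTC-5', screen: '1920x1080', fonts: 'A' },
  { ua: 'Firefox', tz: 'UTC-8', screen: '1920x1080', fonts: 'A' },
  { ua: 'Firefox', tz: 'UTC-5', screen: '1366x768', fonts: 'A' },
  { ua: 'Safari', tz: 'UTC-8', screen: '1440x900', fonts: 'C' },
  { ua: 'Safari', tz: 'UTC-5', screen: '1440x900', fonts: 'C' },
];

// The fingerprint is just the chosen attribute values taken together.
function fingerprint(cfg, attrs) {
  return JSON.stringify(attrs.map((a) => cfg[a]));
}

// Anonymity set: how many browsers in the population share this fingerprint.
function anonymitySet(pop, cfg, attrs) {
  const fp = fingerprint(cfg, attrs);
  return pop.filter((p) => fingerprint(p, attrs) === fp).length;
}

// Identifying information in bits: log2(population / anonymity set).
function identifyingBits(pop, cfg, attrs) {
  return Math.log2(pop.length / anonymitySet(pop, cfg, attrs));
}

// Set size as attributes are added one at a time.
function narrowing(pop, cfg, attrs) {
  return attrs.map((_, i) => anonymitySet(pop, cfg, attrs.slice(0, i + 1)));
}

// Clearing cookies changes none of these inputs, so the result is the same
// before and after; only changing the configuration itself alters it.
const attrs = ['ua', 'tz', 'screen', 'fonts'];
console.log(narrowing(population, population[0], attrs));
```

Each attribute alone is shared by several browsers; it is the combination that leaves the device alone in its set.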

How does tracking in mobile apps occur?

When you access mobile applications, companies don’t have access to traditional browser cookies to track you over time. Instead, third party advertising and analytics companies use device identifiers — such as Apple iOS’s Identifiers for Advertisers (“IDFA”) and Google Android’s Advertising ID — to monitor the different applications used on a particular device.

Does tracking of other “smart devices” occur?

Yes. More and more, consumer devices, in addition to phones, are capable of being connected online. For example, smart entertainment systems often provide new ways for you to watch TV shows and movies, and also may use technology to monitor what you watch. Look to the settings on your devices to investigate whether you can reset identifiers on the devices or use web interfaces on another device to limit ad tracking.

Controlling Online Tracking

How can I control cookies?

Various browsers have different ways to let you delete cookies or limit the kinds of cookies that can be placed on your computer. When you choose a browser, consider which suits your privacy preferences best.

To check out the settings in a browser, use the ‘Help’ tab or look under ‘Tools’ for settings like ‘Options’ or ‘Privacy.’ From there, you may be able to delete cookies, or control when they can be placed. Some browsers allow add-on software tools to block, delete, or control cookies. And security software often includes options to make cookie control easier. If you delete cookies, companies may not be able to associate you with your past browsing activity. However, they may be able to track you in the future with a new cookie.

If you block cookies entirely, you may limit your browsing experience. For example, you may need to enter information repeatedly, or you might not get personalized content that is meaningful to you. Most browsers’ settings will allow you to block third-party cookies without also disabling first-party cookies.

How can I control Flash cookies and device fingerprinting?

The latest versions of Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer let you control or delete Flash cookies through the browser’s settings. If you use an older version of one of these browsers, upgrade to the most recent version, and set it to update automatically.

If you use a browser that doesn’t let you delete Flash cookies, look at Adobe’s Website Storage Settings panel. There, you can view and delete Flash cookies, and control whether you’ll allow them on your computer.

Like regular cookies, deleting Flash cookies gets rid of the ones on your computer at that moment. Flash cookies can be placed on your computer the next time you visit a website or view an ad unless you block Flash cookies altogether.

How can I control tracking in or across mobile apps?

You can reset the identifiers on your device in the device settings. iOS users can do this by following Settings > Privacy > Advertising > Reset Advertising Identifier. For Android, the path is Google settings > Ads > Reset advertising ID. This control works much like deleting cookies in a browser — the device is harder to associate with past activity, but tracking can start anew using the new advertising identifier.

You also can limit the use of identifiers for ad targeting on your devices. If you turn on this setting, apps are not permitted to use the advertising identifier to serve consumers targeted ads. For iOS, the controls are available through Settings > Privacy > Advertising > Limit Ad Tracking. For Android, Google Settings > Ads > Opt Out of Interest-Based Ads. Although this tool will limit the use of tracking data for targeting ads, companies may still be able to monitor your app usage for other purposes, such as research, measurement, and fraud prevention.

Mobile browsers work much like traditional web browsers, and the tracking technologies and user controls are much the same as for ordinary web browsers, described above.

Mobile applications also may collect your geolocation to share with advertising companies. The latest versions of iOS and Android allow you to limit which particular applications can access your location information.

What is “private browsing”?

Many browsers offer private browsing settings that are meant to let you keep your web activities hidden from other people who use the same computer. With private browsing turned on, your browser won’t retain cookies, your browsing history, search records, or the files you downloaded. Privacy modes aren’t uniform, though; it’s a good idea to check your browser to see what types of data it stores.

But note that cookies used during the private browsing session still can communicate information about your browsing behavior to third parties. So, private browsing may not be effective in stopping third parties from using techniques such as fingerprinting to track your web activity.

What are “opt-out” cookies?

Some websites and advertising networks allow you to set cookies that tell them not to use information about what sites you visit to target ads to you. For example, the Network Advertising Initiative (NAI) and the Digital Advertising Alliance (DAA) offer tools for opting out of targeted advertising — often by placing opt-out cookies. If you delete all cookies, you’ll also delete the cookies that indicate your preference to opt out of targeted ads.

Cookies are used for many purposes — for example, to limit the number of times you’re shown a particular ad. So even if you opt out of targeted advertising, a company may still use cookies for other purposes.

What is “Do Not Track”?

Do Not Track is a setting in most internet browsers that allows you to express your preference not to be tracked across the web. Turning on Do Not Track through your web browser sends a signal to every website you visit that you don’t want to be tracked from site to site. Companies then know your preference. If they have committed to respect your Do Not Track preference, they are legally required to do so. However, most tracking companies today have not committed to honoring users’ Do Not Track preferences.

Can I block online tracking?

Consumers can learn about tracker-blocking browser plugins which block the flow of information from a computer to tracking companies and allow consumers to block ads. They prevent companies from using cookies or fingerprinting to track your internet behavior.

To find tracker-blocking plugins, type “tracker blocker” in your search engine. Then, compare features to decide which tracker blocker is best for you. For example, some of them block tracking by default, while others require you to customize when you’ll block tracking.

Remember that websites that rely on third party tracking companies for measurement or advertising revenue may prevent you from using their site if you have blocking software installed. However, you can still open those sites in a separate browser that doesn’t have blocking enabled, or you can disable blocking on those sites.