Commentary

Report Details How Trackers Can Learn Users' Names

Earlier this month, the Stanford Center for Internet & Society's Jonathan Mayer reported that ad networks violate their privacy policies by continuing to track people after they have opted out of behavioral targeting.

While self-regulatory standards only require companies to stop serving targeted ads to people who opt out, some of the ad networks named by Mayer had promised to go farther and stop tracking users who opted out. After his research came out, several of those companies changed their privacy policies to reflect that they continue to collect some data about people even after they opt out.

Last week, Mayer again caused a stir by reporting that one member of the Network Advertising Initiative, Epic Media Group, is using controversial "history-sniffing" techniques to see where Web users previously visited.

Today, Stanford post-doctoral fellow Arvind Narayanan posted an item that's likely to also spark debate in the online ad world. In the piece "There is no such thing as anonymous online tracking," Narayanan argues that information about people's Web activity can frequently be tied to their names.

"In the language of computer science, clickstreams -- browsing histories that companies collect -- are not anonymous at all; rather, they are pseudonymous," Narayanan writes.

Narayanan -- who previously published research showing that some Netflix users who posted reviews could be identified -- presents several scenarios showing how marketers and others can associate people's browsing behavior with their names. For instance, publishers can leak users' names via referrer headers; Facebook can track people's browsing activity when they visit sites with a "like" button.

Online marketers frequently say they have no interest in de-anonymizing clickstream data because advertisers generally don't want to market to just one specific person but rather to a particular segment of the population. But Narayanan raises the possibility that some companies deliberately convince people to reveal their identities in order to combine that information with clickstream data about their browsing behavior.

"Ever seen one of those 'Win a free iPod!' surveys?" he asks. "The business model for many of these outfits, going by the euphemism 'lead-generation sites,' is to collect and sell your personal information."

He asserts that these companies are increasingly tying people's personal information to their browsing history. One way this can happen is if the survey site already has third-party cookies on other sites, and can therefore tie the information users give it to clickstream data that has already been compiled.

He's not overtly calling for an end to online behavioral targeting, but says that companies should acknowledge that tracking isn't necessarily anonymous. "As a computer scientist, I find it unfortunate that the misconception is being peddled around in policy circles that non-collection of 'PII' [personally identifiable information] renders clickstreams safe to collect and store," he writes. "It's time we stopped accepting this excuse and started a more honest discussion of the privacy implications of online tracking."
