Commentary

Exposing The Beacons In Our Midst

by Steve Smith , Staff Writer, May 22, 2009

Surveys often suggest that users are not as exorcised over online behavioral tracking as are privacy watchdogs, academics, and the press. But according to Cathy Dwyer, Pace University Associate Professor in the Seidenberg School of Computer Science and Information Systems, this complacency turns quickly to shock when you sit someone down at their PC and show them explicitly all the ways in which a single site may drop cookies and beacons for others to follow. "I do this with 18-, 19- and 20-year-olds, and once they find out this is going on they go ballistic. A few of them in one of my classes canceled their Facebook accounts," she says.

Dwyer explains Web privacy issues for the rest of us in a paper she will be delivering at the 15th American Conference on Information Systems. "Behavioral Targeting: a Case Study of Consumer Tracking on Levis.com" applies browser scanning tools to determine just how much tracking goes on by third parties after a user encounters just a single retailer site.

Using Levis.com, Dwyer discovered, for instance, that a JavaScript downloaded to the browser came from Atlas and contained seven one by one image files from a range of behavioral networks. In all, Dwyer detected nine Web beacons dropped on the client machine, and one Omniture cookie that passed back a list of installed software on the machine.

While few digital marketing professionals will be surprised by these scanning results, they are the underlying reality of online advertising that can shock common users when they see it surfaced. For Dwyer, the real problem in Levis.com's background ad-serving activity is that it is all essentially clandestine. "None of the companies linked to these nine Web beacons are mentioned in Levi's privacy policy," she says in the paper. "The only third party mentioned is the digital advertising provider Avenue A, but none of these Web beacons link to Avenue A." She goes on to argue that "this study shows the amount of data collected and shared with third parties is much higher than what is described in the Levi's privacy policy. Levi's customers are not asked to consent to these practices, and the partners that Levi's shares information with are not identified."

But if that behavioral information is anonymous, as Dwyer agrees it is, then what harm is done to the user? Dwyer makes a case that is becoming increasingly popular in the field, that anonymity does not equal privacy. Privacy is not just a matter of controlling what information about oneself is disclosed to or by a third party.

Dwyer and others contend that undisclosed behavioral tracking compromises our autonomy in the market. "Privacy is valued because it protects the autonomy of the individual and preserves independence and free choice in the decision process," she says in her study.

When I spoke with Dwyer recently, she elaborated on the point. "Imagine you are going into a store or in a negotiating situation. You have a strategy in mind and you don't think there are cameras to see what your cards are. You think that your state of mind is a part of the negotiating process. But if they are inside your head and figuring out what kinds of buttons to press, then they can read you in that way."

Dwyer argues that this kind of knowledge of a consumer, whether it is personally identifiable or not, still can undermine the autonomy of that person's decision-making in a way that is different from the demographic or psychographic profiling that advertisers also use. The person may be anonymous to the advertiser, but the one-sided power that tracking confers to the vendor is exerted onto a real consumer, anonymous or not. "If you do a little surfing online, you don't think that every keystroke is revealing what your strategy is for getting something," she says.

Dwyer further argues that retailers like Levi's, whose brand was built on associations with American independence of mind, risk their reputation by letting third parties drop such tracking tools into their customers' browsers without full transparency. "Not asking for explicit consent, and using anonymity to sanitize the tagging of individuals, are components of behavioral targeting that can destroy trust in e-commerce," she says.

Dwyer insists that she is not at all opposed to advertising, but she does think that the element of trust in the marketplace is undermined by behavioral tracking without consent. If there is a clear benefit to consumers, all the better to be transparent. "There is no reason for it to be secret. If it is so valuable, people will say 'yes.'"

behavioral targeting

4 comments about "Exposing The Beacons In Our Midst".

Check to receive email when comments are posted.

Ann Betts from FetchBack, May 22, 2009 at 4:20 p.m.
"There is no reason for it to be secret. If it is so valuable, people will say 'yes.'"
What a great statement!
Even more importantly is that if an advertiser isn't doing anything malicious or unethical with consumer's data, why shouldn't they be as transparent as possible? A simple statement on a website or in a privacy policy (at least for now) stating what type of information is used for what type of advertising can go far for consumers.
Reply

Bruce May from Bizperity, May 23, 2009 at 12:18 p.m.

Cathy Dwyer's work reveals the way the government is going to look at what's really going on with behavioral tracking. An underlying theme addresses what it really means to be anonymous. If a system is tracking data and responding directly to an individual based on that data, what's anonymous about that? There may not be a human being looking at the data but as long as the system is using that data to respond directly to a user then the user is not anonymous to the system. Dwyer makes a strong case for why this becomes intrusive and potentially abusive. You may not like the argument but if you are responsible for designing such a system you should be ready to address this issue because the government is about to come calling.

Catherine Dwyer from Pace University, May 25, 2009 at 7:33 p.m.

Bruce makes a good point about what path the government will take to examine behavioral targeting. Any action by the FTC consists of determining whether a company complies with their own privacy policy. The results of my study show that most of the tracking going on is not acknowledged by Levis in their privacy policy.
What is another enormous issue is that companies have no "back end" systems (i.e., auditing, or control and compliance for privacy) in place to determine whether they are actually in compliance with their own privacy policies, let alone new legislation. Any privacy issue or breach that comes up has to be audited "by hand." If you think of all the terrabytes of consumer data floating around out there, this is a really scary thought.

Jason Smith, August 2, 2010 at 8:03 p.m.

Professor Dwyer is nothing more than another academic hoping to score headlines on a hot button issue with little league research.

The work conducted by Dwyer is amateuristic at best and doesn't address the behavioral targeting marketplace. She didn't even understand that the tags applied on the website aren't used for behavioral targeting, they are for marketing tracking and site re-targeting. Both activities which Congress and the FTC has stated are not a privacy concern.

For those that want to see the entire research, you can find it here:

http://csis.pace.edu/~dwyer/research/BT%20paper%20Dwyer%20Draft.pdf

None of pixels she notes collect personal data or create profiles for behavioral targeting. The pixels are placed on the site to register a count of a click, an order conversion or to log that a visit to the site happened. No information about the customer is stored and all pixels are for first-party use only by Levis.com.

Professor Dwyer is part of the problem we face as an industry. Her research is not even focused on what Congress is concerned with, but her PR campaign is confusing the issue for whatever agenda is underlying.