It’s not your data!

(Originally published under the title “Our industry’s Unethical, Indefensible behavior”, in iMediaConnection, April 2011) by Eric Picard

I’ve been writing a lot lately on the topic of online privacy at the intersection of advertising, and particularly the way the third-party tracking ecosystem has been evolving for the past few years. There is an ongoing onslaught of discussion about legislation and how we’re probably going to get regulated. Some of my closest friends in the industry are at odds with my position, and many people are finding themselves diametrically opposed to people they respect over this issue. People are claiming that if we stop the targeting, all the value in this industry will bottom out — that another bubble will burst, and advertising Armageddon will follow. I disagree. I believe a huge amount of value can be generated without marginally ethical behavior.

To me, it’s a very clear issue — one based on ethics and logic. If companies are tracking people across multiple websites without their consent, and without providing any recognizable value, and those people want the tracking stopped — then it should probably stop. There is real money on the table for the companies that do this data collection, and changing the opt-out model to an opt-in model would decimate their financial outlooks. But this ultimately doesn’t matter. As an industry, we are doing something that most people simply don’t want us to do.

When a publisher tracks what its visitors do on that one publisher’s site, tracking is a defensible practice. The online users who visit a publisher’s site are electing to visit that publisher, and as long as the publisher is collecting data to be used only on its own website, then this falls into the standard quid pro quo relationship that already exists.

People get free or reduced-cost content that they desire to consume from a publisher. The publisher shows them ads, and frequently requires that the consumer register or subscribe (regardless of if this is a free or paid subscription) and hand over some data to be used to better sell ads to advertisers. While a person is visiting a publisher’s site, the publisher certainly has the right to track his or her behavior. There are lots of reasons justifying this right. And consumers can choose to simply avoid visiting that particular publisher if they disagree with the publisher’s privacy policy. And having a user specifically opt out of being tracked on that publisher’s site is a great option to provide.

However, my issue is with the practice that has exploded over the past few years, where third-party companies place tracking tags all over the internet — across multiple publishers — and create comprehensive profiles of consumer behavior. This without any discernable value given back to the consumer (I have lots more to say on this issue below) and without their direct knowledge or consent. This tracking is all enabled by third-party tracking using third-party cookies. This capability was not what the browser designers created cookies for, and it is a sort of hack of the way browsers operate. If “hack” is too strong a word, it’s at least an unintended loophole in browser design that has been used in ways that are hardly defensible.

While I am passionate on this topic, I actually think this argument is a moot point in many ways. I predict that the browsers are going to very elegantly enable consumers to block third-party cookies in the next few releases, and the whole house of cards built on top of this loophole in cookie security is going to fall to the ground.

The Internet Explorer team at Microsoft has already announced that IE 9 will make it extremely easy to block third-party cookies and content. And most technical people running the browser groups at Firefox (keep in mind, there really are no business people involved in this open-source browser) and Google (where technology drives most decisions) are all pretty smart; they understand the tracking behavior that they want to shield the public from. This is clearly an issue that technologists understand better than the general population, and most technical people I’ve talked to have arrived at the same conclusion: Blocking third-party tracking is in the best interest of consumers, it should be extremely easy to do, and the decision should be pre-populated as an opt-out.

Most of the discussions I’ve had on the opposite side of this issue have been with business people. They believe that there is no danger to consumers from what they perceive to be anonymous tracking of online behavior. And they continue to look at people who don’t agree with them as privacy fanatics who are irrationally trying to limit their businesses from succeeding. This isn’t the case, and I certainly am not fanatical about privacy. But I’ve learned a lot over the past 10 years about this topic, and on top of this, the market has radically shifted in the past three years. The amount of tracking going on has seen a huge increase, and the safeguards on the data being collected are quite squishy.

There is a real issue here that apparently hasn’t been understood by a lot of non-technical people. So-called anonymous tracking is fairly easily cracked open. And now that there are many mechanisms that have been created for matching cookies across domains and companies, there are numerous broadly correlated profiles of user behavior floating around. Many of the companies that have copies of these profiles are small startups, many without nearly the funding or maturity needed to build extremely secure environments. And even some of the biggest companies out there have had significant security breaches over the last few years — breaches that have leaked millions of people’s data into the public domain.

Many of the executives at the companies operating in this sphere are very reputable and honorable people who are certainly not being malicious or trying to hurt people. But what happens if their companies are purchased by less-reputable entities? Clearly those with scruples will simply quit and find other work. But now we’ve got a company run by unethical and dangerous individuals with access to a ton of data that can pretty quickly and easily be reverse-engineered to do diabolical things.

Or what if a startup isn’t successful and goes into bankruptcy — and the data assets get auctioned off to the highest bidder? Or what if there is a security breach and a hacker gets access to the company’s log files or plants spyware on its servers? There have been cases in this industry of crackers getting into server farms and hosting software there that gave them access to a lot of data. And of course, there is the other problem of companies that are just unethical to begin with.

Many proofs have been created that show how easy it is to reverse-engineer anonymous tracking. With a small amount of data to correlate with non-private activity, any decent engineer can take apart the anonymous shell around a person’s profile and merge it with personally identifiable information from other sources. And suddenly we’ve got non-anonymous profiles with all sorts of data in the hands of not-so-scrupulous people. Not a recipe for comfort.

At this point, the business people typically try to argue that without the work they do, consumers will have the horrible (never mind that it’s what already exists) experience of having to see advertising that is not relevant. The fallacy of this argument states that if we have better targeting, the ads that consumers see will be more relevant, and they will have a better experience visiting websites that are ad-funded.

There is no persuasive argument to be made that consumers benefit (really at all) from third-party tracking. The ads are not perceptibly more relevant (to the consumer), despite the advertiser’s ability to do deep statistical analysis and see a measurable lift in performance. The only groups really benefiting from the third-party tracking that’s going on are the companies that sell it, and to some degree the advertisers that are able to make use of it for a tiny percentage of their overall spend.

This argument is really hard to defend, and has been made by the ad industry for the past 15 years. I’ve made this argument myself a bunch of times. See this video for definitive proof. Please note that watching myself in this video drove two major shifts in my life: First, I saw that even I didn’t really believe this argument anymore, and I stopped championing this position. Second, I realized I needed to lose a ton of weight (which I’ve since done).

The argument of more relevant display ads is a fallacy. There is simply not enough ad inventory available to really improve relevance to a degree that it would meet the bar of a consumer. Getting a tiny percentage lift on CPAs that are already tiny doesn’t matter enough to justify the issues I’m complaining about from a consumer perspective.

Just because I looked at a pair of shoes online and then one out of 50,000 of the ads I see afterwards are for the same pair of shoes doesn’t mean that we’re making advertising more relevant. It means we’re making a few ads more relevant. A tiny handful. A handful that is so small that it won’t for a moment change the way that consumers feel about online ads. And in order to make ads more relevant, we’d need hundreds of thousands or even millions of ads from a similar number of companies in order to make advertising feel more relevant to consumers.

One argument I hear a lot is that consumers prefer the ad experience from paid search because they feel the ads are more relevant. But there is no real comparison to make here. There are something like 5,000 advertisers that make up more than 90 percent of the U.S. ad spend on display, across approximately 5 trillion monthly impressions across hundreds of millions of ad locations. Paid search has more than 400,000 active advertisers at any given time, with only about 250 million impressions per month and only something like 2-3 million commercially viable keywords. Paid search has more relevant ads than display because of this high concentration of advertisers across a small number of ads. We’d need a similar kind of ratio to really appear more relevant to consumers based on targeting in display ads — and we’re nowhere close to this. If someone ever figures out how to get local advertisers to buy display advertising, this could happen — but we’re a long way from this nirvana.

Another argument I hear is that we’re “not as bad as the offline direct marketers, who have been doing much more of this for years, and who have way more data than the online marketers.” And generally the argument is included that consumers clearly haven’t rebelled against direct mail, so they shouldn’t have a problem with what online marketing does.

This is simply silly from my point of view. First, the companies that lead the offline direct marketing industry are exactly the pivotal players that are enabling much of the third-party tracking going on in the online space. They’re the ones gluing together the cookies from multiple parties, so there is no “them vs. us.” We are the same exact industry, and the players are active across the board, across any perceived boundary.

Second, just because consumers have given in on the offline tracking that is going on and data sharing that happens regularly across the credit card and finance industry, this doesn’t imply their implicit acceptance of similar behavior in other venues. Like a frog dropped in warm water and slowly boiled, they didn’t understand what was happening in the offline world until it was too late. Now most consumers understand the issues, and they are not happy about this happening again in the online space where companies are more visibly collecting data about their behavior without permission. At least with the credit card companies, consumers get tangible benefit from the use of the credit card. In the online space, there is no perceptible value.

If you still believe that there is a credible argument to make to the average consumer on this topic, try explaining to an acquaintance who doesn’t work in the online advertising industry what tangible value they get from allowing a third party to track them. And be sure to explain what is really happening, including how many different sites they’re being tracked on without their consent. See if they call foul on you.

And frankly, you need to really question this issue yourself. Imagine your reaction if you found out that some company was hiring people to follow your wife, husband, mother, or children around and note what they do all day in order to build segmentation models for marketing. Imagine that when you confronted them, that their response was, “But we anonymize the data — trust us.” It just doesn’t cut the mustard from my point of view.

I have discussed this issue with lots of consumers, and not a single one — not one person — has ever said that he or she was satisfied with the ability to opt out. Every single one has complained about the fact that this was done without permission.

From a moral and ethical standpoint, I can’t any longer say that third-party tracking is OK with a straight face. I simply don’t believe it. There is no justification I can see from a consumer point of view that they should simply sit back and swallow all this tracking that doesn’t benefit them. Companies are making money off of their personal activity data. Every person I’ve talked to outside of our industry believes they have the right to expect that someone should need to ask permission before tracking.

I now believe that companies with no direct relationship with a consumer should not have the right to track that consumer’s behavior across multiple websites, make money off that consumer’s data, and potentially put that user’s privacy at risk without explicitly asking permission first. First-party tracking is acceptable and justifiable. If I visit a publisher’s website, there’s an understood quid pro quo that all consumers are fairly aware of at this point; they know they need to put up with advertising in order to get access to content and free or reduced-cost tools (e.g., email, IM, etc.).

On the advertiser side, consumers generally don’t have a problem if they are tracked when they visit the website of a company of which they are a customer. Amazon is often used as an example here. Just as there is a reasonable expectation that a shop owner would watch what you’re looking at and make suggestions to you inside their store, Amazon has legitimate reasons to track shopping behavior and provides customer value by doing it.

In the end, just because we can do something doesn’t mean we should do something.

Tagged , ,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: