Just how bad is online tracking?

February 16, 2012, 6:06 PM — You might say TY4NS has a one-track mind these days. Today’s topic: How bad is online tracking, really?

The harm from having your movements tracked across the Web depends in part on how anonymous this data really is. For example, the Ghostery folks put together a clever Periodic Table of the most common 100 Web trackers, using data from its GhostRank surveys.

Click on any of the “elements” and you get a snapshot of each tracking company, its industry affiliations, the kinds of data it gathers, how long it holds onto it, and links to its privacy policies. Like this one for Audience Science:

Like a lot of trackers, Audience Science gathers both anonymous data and pseudonymous data such as Internet Protocol addresses. An IP address isn’t a precise indicator of your identity because it is often shared (like via a WiFi connection), but it’s pretty good. At the very least it can indicate what city you live in and who your ISP is. Any Web site, including the one you’re now reading, can record your IP address. If the same IP address is logged doing things it shouldn’t – like downloading copyrighted material from Bit Torrent sites -- that’s certainly enough evidence to slap a subpoena on the ISP to get the name and address of the person who’s paying for it.

Stanford researcher Jonathan Mayer discovered that as trackers Hoover up our search histories they sometimes gather much more information, such as user names and email addresses, that gets sent as part of referral URLs. (The trackers generally deny doing anything useful with this data, which they say gets gathered unintentionally and is discarded.)

Still, IP address + user name and/or email = very good indicator of exactly who you are. So what could happen?

Worst case scenario: Web tracking companies gather up anonymous and pseudonymous data and merge them, so that your Web histories, search terms and clickstream get connected to your IP address and maybe your user name or email. Evil Government Entities (EGEs) and/or Aggressively Amoral Hackers (AAHs) gain access to this profile information, resulting in your imprisonment and/or embarrassment, depending on what you’ve been up to.

Far fetched? Yes. But not out of the realm of possibility. And as computing power grows and gets cheaper, increasingly more possible. Still, definitely on the tin-foil-hat side of the spectrum.

Here’s a more likely harm scenario, and it doesn’t require any use of pseudonymous or identifying data at all. 

You surf the net under the watchful gaze of Web tracking networks. They record the Web sites you visit and your clickstream. They compile that into an anonymous profile, which they then market to various interested parties. Some are advertisers who want to deliver targeted ads to you. Others are insurance companies, credit card processors, or background investigators who want to run business intelligence software on this data and score it, the same way they run BI software on your financial history to create your credit score.

They discover that people who visit the same kinds of sites you like to visit tend to be bad credit risks, file more health insurance claims, or are involved in more employee lawsuits than the average bear. So you are denied that new credit card, your health insurance premiums shoot through the roof, or that job you coveted goes to the second most qualified person who applied. You of course, will be aware of none of this, because it happens entirely in the background. And if you share your computer/browser with someone else, their anonymous data could get mixed in with yours. 

Behavioral targeting already happens in the real world, and now it’s moving to the virtual one. (This is also what Columbia law professor and privacy purist Eben Moglen says Facebook is doing with its data, though he offers no tangible proof.) The poster child for this is Kevin Johnson, whose American Express credit limit was slashed after he used his card at a nearby Wal-Mart, because his fellow Wal-Marters apparently don’t pay their bills.

Am I smoking crack? Nope. In fact, this is so much a part of the online tracking economy that the Digital Advertising Alliance, a consortium hell-bent on making self regulation work, issued new rules for how its members could use data gathered across multiple sites. Per Evidon’s blog, the rules…

…specifically prohibit the use of multi-site data for a range of itemized adverse decisions, including employment eligibility, credit eligibility, health care treatment/eligibility, and insurance eligibility.

So it’s against the rules now. Self regulation to the rescue, no problem. Right? That is the topic for the next, and hopefully last, post in this series.

Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynan_on_tech. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.