Privacy pirates: Self regulation is a sinking ship

Do we need a 'Do not track' law? Internet advertisers say no, but their actions says yes.

When it comes to the online ad industry, self regulation is a bit like the Pirate’s Code in all those Johnny Depp movies: They’re really more like guidelines that can be broken whenever the script calls for it.

Bob Garfield, a blogger for Ad Age, recently offered a similar viewpoint with an Onionesque headline: “Proponents of Online Self Regulation Disadvantaged by Inability to Regulate Themselves.”

His point, essentially: Internet advertisers’ claims that they can ensure user privacy without a Federal mandate aren’t worth the paper they’re not printed on.

I think he’s right. Here’s what happens when online ad companies “self regulate.” First they band together into a quasi-coalition with an official sounding name --  like, say, the Network Advertising Initiative.

Then they all agree on a series of best practices, which translate roughly into “1. We’ll continue to keep Hoovering up all the Web sites you’re visiting and combining that with other data we’ve collected about you until you tell us not to; 2. We’re going to make it difficult for you to tell us not to; and 3. If you do manage to figure that out, we’re probably going to ignore you.”

For example, you can visit the NAI site and click the big red “Consumer Opt Out” button on its home page; this installs a cookie that tells online ad networks to not drop additional tracking cookies on your computer. That’s simple enough, provided you know enough to go looking for the button, and you do it on every browser and every machine you use, including your phone.

There are a few problems with this, and not just the fact that you may have to do this six or twelve times. One is that this Opt Out only works with big advertisers, leaving bottom feeders and small fry to do as they wish. Another is that many of the big advertisers will ignore your wishes and continue to track you anyway.

According to a preliminary report by Stanford Law School’s Center for Internet and Society, half of the NAI members the Center tested don’t remove their old tracking cookies after you opt out. Eight (or roughly 12 percent) continue to track you, regardless of their claims to the contrary. They still collect data on which sites you visit, they just stop showing you targeted ads. In other words, they keep the harm (tracking your online movements) while removing the only benefit (“more interesting” ads).

The NAI responded to the Stanford study, claiming that it was “moving the goalposts” by focusing on data collection and not on whether the sites are delivering behaviorally targeted ads. To wit:

We’ve long recognized that consumers should be provided a choice about whether data about their likely interests can be used to make their ads more relevant. But the NAI code also recognizes that companies sometimes need to continue to collect data for operational reasons that are separate from ad targeting based on a user’s online behavior. For example, online advertising companies may need to gather data to prove to advertisers that an ad has been delivered and should be paid for; to limit the number of times a user sees the same ad; or to prevent fraud. Gathering this operational data may involve the use of cookies separate from those used to enable interest-based ad targeting, or to maintain a consumer’s opt out preference.

The NAI knows that data tracking, and not behavioral ads, is the point. They’re being disingenuous. Yet these are the same folks who go to Congress and say “See, we self regulated. It’s all in consumers’ hands now. No need for any of your yucky laws.”

I’m not a big fan of Congress, or of legislation as it relates to technology, mostly because such laws tend to get written by a) people with little or no understanding of tech, or b) lobbyists for megacorps who understand the technology all too well and write them to benefit their masters, not you or me.

But the most effective privacy mechanisms we have had over the last 30 years have all come from some form of legislation or regulation. To wit:

* The FTC’s Do Not Call List. Some 200 million phone numbers later, this 8-year-old list may be the single most popular Federal program ever created.

* Disclosure laws for privacy breaches. There is only one reason that data breaches make the news, and that is because of state regulations requiring companies to fess up in public.

* The Fair Credit and Reporting Act of 1970 (FAIR) and the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Want to know why you’ve been turned down for a loan, to correct errors on your credit report, or warn creditors that someone may have stolen your identity? These two pieces of legislation make that possible.

Self regulation isn’t working. It’s time for sterner measures, matey.

TY4NS blogger Dan Tynan never met an Internet ad he liked. (OK, maybe the Old Spice Guy ones). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynan_on_tech. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon