Saturday, March 21, 2009

The benefits of using opt-outs

This blog post provides a legal/policy argument in support of opt-out cookies. While the author knows a decent amount about Internet law, he is not a lawyer, and this is not legal advice.

While the response to my Targeted Advertising Cookie Opt-Out (TACO) Firefox add-on has been hugely positive, a number of users have questioned the utility of this tool, as compared to other pro-privacy and anti-advertising solutions.

As just one example of this line of mild criticism, Jim Harper over at the Tech Liberation Front, suggests that users can simply make use of the "block third party cookies" feature available in most Web browsers.

This is an approach that is similarly recommended by Google, which only provided an opt-out software extension to users of Internet Explorer and Firefox. Users of other browsers (such as Safari and Chrome) are advised to just block all advertising cookies.

The problem with blocking any form of unwanted behavior, is that it just leads to an arms race.

Arms races, and the lessons from the pop-up war

Consider, for example, the scourge that was pop-up advertisements. These were a huge problem on the web, and continue to be so for anyone unlucky enough to be using an ancient browser. Their over-use by Web sites can make browsing an unpleasant, and at times, unusable experience.

So how did we do away with them? First, a number of browser add-ons began to offer pop-up blocking functionality. However, these were only used by technically savvy users. It wasn't until similar functionality was included in Firefox and Safari, often by default, that the tables really turned.

Once anti pop-up technology came baked into the browser, the advertising industry effectively lost one of its most powerful tools.

These firms had a strong incentive to find a way around this blocking, and so, over the past few years, new, sneakier forms of advertising, some even using pop-up style effects, have become commonplace.

Advertisers didn't observe the blocking of their previous techniques, and think, 'Oh, I guess we should respect people's preference to not see annoying ads", but instead took it as an invitation to innovate, and create newer, more aggressive and unblockable forms of advertising.

That is, pop-up blocking technology, while providing users with some temporary relief, merely added fuel to the arms race.

Targeted advertisements use more than cookies

Over the past ten years, cookies have gotten a lot of criticism from privacy circles. Browsers have evolved to include sophisticated cookie handling tools, particularly in Safari and IE8. As a result, cookies have become far less useful as a way to track users. After all, every Safari user automatically rejects third party cookies by default.

Just as with the pop-up example mentioned above, this use of blocking technologies has merely encouraged an arms race, with advertisers turning to other methods for long term tracking. Technologies like Adobe's Flash, AIR, Microsoft's Silverlight, and the offline content in HTML5 can all be used to provide cookie-like tracking functionality.

Better yet for the advertisers, most users don't know that these technologies can be used to invade their privacy.

Ending the arms race

Should we follow the traditional approach, and just escalate the arms race? For example, the excellent BetterPrivacy Firefox add-on allows users to protect themselves against the tracking Flash cookies/LSO files used by YouTube, eBay and many other sites.

In my opinion, this cat and mouse game is a huge waste of energy. What we need is a way to remove ourselves from this cycle, and I think that opt-out cookies are a way to do this.

Unlike all of the previous anti-advertising technologies, the opt-out mechanism provides users with a way to positively affirm that they do not wish to be tracked and targeted. This opt-out cookie is something that advertisers cannot ignore.

Now, consider the following hypothetical situation: In a year or two Google/Doubleclick sees that 50% of Web users have opted out of their targeted advertising. In an attempt to innovate around this, the company switches to the use of Flash-based cookies to target and track users.

While the company's privacy policy specifically talks about the use of cookies, it would be tough to see how Google could argue that it had the right to use alternative tracking technologies to track users who had opted out of its older cookie-based system.

The Federal Trade Commission and Congress would likely take an interest, and any attempt by Google's lawyers to argue that opt-outs only applied to html cookies, even if their privacy policy stated as much, would draw laughter and ridicule.

Simply put, opt-out cookies are a game changer. Once consumers affirmatively state their desire to not be tracked, companies can not continue the cycle of innovating around blocking technologies. For the advertisers, the game is over.

Best practices, defense in depth

The funny thing is, you don't need to actually accept third party cookies to get the benefits of opt-out cookies.

On my own computer, I disable all third party cookies, I've set the browser to clear all cookies upon starting, I use the awesome AdBlock Plus and NoScript. However, I still use my own opt-out cookie add-on.

With the other technologies and policies that I've set, no advertising network can use the existing cookie based technologies in order to track and target me. Some might say that the opt-out cookies provide no added value.

However, I see them as a form of defense-in-depth. If these advertising firms find a way around AdBlock Plus, and innovate around the third party cookie block, my positive declaration of my desire to not be targeted might provide me with some more protection.

At the very least, if the advertisers are ever caught tracking opt-ed out users via some other technology, my own use of opt-outs will give me a far better position, should I wish to take legal action.

So -- what are you waiting for? Download the Targeted Advertising Cookie Opt-Out (TACO) add-on today.


Anonymous said...

Chris, I think your defense-in-depth strategy is the best one. I don't think even prevalent use of opt-out cookies will stop the arms race, there are just too many interested parties all with more power than individual consumer-citizens. Plus, the damage will already have been done if/when some of them do continue the arms race. It continues in any case today. The protections you lay out for the future are US only (the web is not) and there are no guarantees. I'll continue to use all means necessary to prevent opaque commercialization of my online behavior.

Anonymous said...

Thanks for your great work.
I haven't seen a email address to ask questions about your great Firefox extension. I have CS lite installed and I had to first enable cookies globally with it before your cookies would load. Also SwitchProxy Tool 1.4.1 will remove your cookies and I must then re-allow re enable... What I'm getting at is can you implement a keyboard shortcut or button to re-install/set the Good opt out cookies when I need to and perhaps an indicator to show when they've bees removed?

אברא כדברא