Behavioural advertising can be defined as a system that delivers adverts to users on the basis of their previous activity. Records of their activity could include purchases or items recently looked at. It is different to contextual advertising, which serves adverts based on the content being viewed. Behavioural advertising poses a number of privacy concerns, but some systems are significantly more problematic than others.
Types of behavioural advertising
Behavioural advertising in single services
Some services like Amazon or Facebook profile their users and serve adverts based on their knowledge of the customer. For some businesses, like Facebook, this type of advertising is arguably the main business model. Some argue that the 'free' services are paid for by this type of profiling, and it is simply the true cost of free web services. They also argue that they provide benefits for customers, such as more relevant advertising.
Others argue that imbalances in negotiating power make these business models unreasonably and unnecessarily intrusive, and that they go against the principle of data minimisation.
Privacy problems here include:
- Lack of consent. Although the user signs terms and conditions agreeing to being profiled and adverts being served, they may not:
  - understand, or even have read, the terms and conditions
  - negotiate: often it is impossible to disagree to elements of an agreement like profiling
  - be informed when T&Cs change: often T&Cs change without people being made aware, especially in advance
- Use of the profiling and access to the data:
  - It is not always clear who might gain access to the profiling data, either commercially, or perhaps for law enforcement purposes.
  - It is not always clear if the profiles can be deleted
  - It is not usually possible to gain access to the profiling information without paying significant fees
DPI-based behavioural advertising, such as Phorm
Phorm is a special case, basing its system on interception of web traffic within an ISP in order to profile users. It was widely believed to be illegal in the EU, and was eventually withdrawn. BT and government officials had initially seen a strong business case for the system, which had been viewed as a way to capture revenues from companies like Google. The case provoked complaints and threats of action from the European Commission.
Cookie-based behavioural advertising
Cookie-based advertising is currently the most controversial and legally uncertain type of behavioural advertising.
How it works
When you first visit a website that uses this type of advert, the page you visit asks to give you a cookie from a third party advertising network. Each time you visit a website that uses the same network, the cookie is requested from you, which identifies you to the advertising network as you visit different websites in its network. The result is that the ad network can produce a profile of your interests based on the websites you visit. This profile is then used to serve you adverts.
- This model of behavioural advertising does not require your active consent to profiling. Instead, you "opt out"
- The opt outs are based on placing an "opt out" cookie. This makes the user opt out every time they clear their cookies or change web browser
- It is not clear that users will not be profiled if they "opt out". It appears they are instead not served the profile-based adverts
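The cookie exchange and the opt-out behaviour described above can be modelled in a few lines. This is an added example, not code from any ad network: the `AdNetwork` and `Browser` classes, the cookie names `uid` and `optout`, and the `.example` sites are hypothetical, and the model assumes the case raised in the last point, where opting out changes the advert served but not the record kept.

```python
import uuid
from collections import defaultdict


class AdNetwork:
    """Toy model of a third-party ad network (hypothetical, for illustration)."""

    def __init__(self):
        self.profiles = defaultdict(list)    # cookie id -> sites seen

    def serve(self, cookies, embedding_site):
        """Handle one advert request made from a page on `embedding_site`.

        `cookies` is what the browser holds for the ad network's domain.
        Returns (kind_of_advert, cookies_to_set).
        """
        to_set = {}
        uid = cookies.get("uid")
        if uid is None:                      # first contact: issue an identifier
            uid = uuid.uuid4().hex
            to_set["uid"] = uid
        # Assumption of this model: the visit is recorded whether or not the
        # opt-out cookie is present; only the advert served changes.
        self.profiles[uid].append(embedding_site)
        kind = "generic" if cookies.get("optout") == "1" else "targeted"
        return kind, to_set


class Browser:
    def __init__(self):
        self.jar = {}                        # cookies held for the ad network

    def visit(self, network, site):
        kind, new_cookies = network.serve(dict(self.jar), site)
        self.jar.update(new_cookies)
        return kind

    def clear_cookies(self):
        self.jar.clear()


def demo():
    net, browser = AdNetwork(), Browser()
    first = [browser.visit(net, s) for s in ("news.example", "shoes.example")]
    browser.jar["optout"] = "1"              # the user opts out via a cookie
    opted = browser.visit(net, "travel.example")
    profile_len = len(net.profiles[browser.jar["uid"]])
    browser.clear_cookies()                  # the opt-out vanishes with the jar
    after_clear = browser.visit(net, "cars.example")
    return first, opted, profile_len, after_clear
```

In this model the profile holds three sites even though the third visit was made while opted out, and clearing cookies silently returns the browser to targeted adverts under a new identifier.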
Profiling and Data Protection
The industry and IAB have argued that they comply with the Data Protection Act because the information they collect is not identifiable with an individual. Therefore, they argue, the information is not "personal information" and thus they do not need to seek the individual's prior consent.
Under the Data Protection Directive they would be likely to be incorrect, since the information collected can be linked to an individual. The difference in standards of personal information between the UK Act and EU Directive is a well known problem with our data protection regime.
Advertisers also argue that the fact of allowing cookies (in an individual's "browser settings") is a form of implied consent. If there was no consent, they have argued, then cookies from locations other than the website the person is visiting would be blocked.
It is noted by Cory Doctorow and others that it is possible to break profiling cookies by preventing them being sent back to the advertising companies.
To do this, you would alter your /etc/hosts file to point the profiling domains to 127.0.0.1 - effectively instructing your browser to "send" the cookies to your computer rather than the ad networks - although you need a full list of the domains serving the cookies to ensure your privacy in this manner.
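One way to maintain such entries is to keep them in a marked block that can be regenerated whenever the domain list changes. This is an added example, not part of the original page: the marker comments and the `.example` domain names are placeholders, and the function returns the new file text rather than writing `/etc/hosts` itself.

```python
import re

BEGIN, END = "# BEGIN tracker-block", "# END tracker-block"
# Hostname check: dot-separated labels of letters, digits and hyphens.
# At least two labels are required, so a bare "localhost" is never accepted.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"^{_LABEL}(\.{_LABEL})+$")


def hosts_entries(domains):
    """Return sorted, de-duplicated '127.0.0.1 <name>' lines; reject bad names."""
    clean = set()
    for d in domains:
        d = d.strip().lower().rstrip(".")
        if not d or d.startswith("#"):
            continue                         # skip blanks and comments
        if len(d) > 253 or not _HOSTNAME.match(d):
            raise ValueError(f"not a valid hostname: {d!r}")
        clean.add(d)
    return [f"127.0.0.1 {d}" for d in sorted(clean)]


def merge_hosts(existing, domains):
    """Replace (or append) the marked block, leaving other entries untouched."""
    kept, inside = [], False
    for line in existing.splitlines():
        if line.strip() == BEGIN:
            inside = True
        elif line.strip() == END:
            inside = False
        elif not inside:
            kept.append(line)
    block = [BEGIN, *hosts_entries(domains), END]
    return "\n".join(kept + block) + "\n"


# Constructed sample: a minimal hosts file and placeholder tracker names.
SAMPLE_HOSTS = "127.0.0.1 localhost\n::1 localhost\n"
SAMPLE_DOMAINS = ["ads.tracker.example", "Pixel.Tracker.example",
                  "ads.tracker.example"]

if __name__ == "__main__":
    print(merge_hosts(SAMPLE_HOSTS, SAMPLE_DOMAINS), end="")
```

The hosts file has no wildcard syntax, so every subdomain a network uses must be listed by name, which is why a complete domain list matters.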
It is possible to detect and block cookies and other tracking mechanisms via browser plug-ins. These include:
Other profiling techniques
Online profiling is not limited to behavioural advertising, and traditional browser cookies are not the only means of tracking users. LSOs (flash cookies) and browser fingerprinting are two possible methods of tracking users that can be used in a similar way.
Responses to behavioural advertising
Legal changes in the EU
The so-called Cookie Directive, an amendment to the E-Privacy Directive, attempts to create a model of consent for the use of non-essential cookies. This has provoked worries from some web services, and from organisations such as the Internet Advertising Bureau who are opposed to any active opt-in measure. Different countries within the EU are now arguing about whether it is technically possible for users to consent without prior notification. Common sense would suggest that prior knowledge is required for consent, but, in a leap of startling legal and mental agility, industry representatives and the UK government disagree.
The industry has argued that consent may be based, for instance, on browser settings, such as allowing cookies. They also argue that their members now allow access to Cookie-based opt-outs, again providing an additional layer of consent.
Consultations in the UK and EU
Both the UK and EU have held workshops with industry and citizen groups to discuss how to implement the E-Privacy Directive. These have been attended by ORG, Privacy International and Which on behalf of users and citizens. The UK meetings have also included representatives from the Information Commissioner's Office and Internet Advertising Bureau.
While there remain some possible concerns about what constitutes a non-essential Cookie, the main concerns are in fact about consent to user profiling. There is considerable pressure to maintain a model which does not require the specific, prior consent of an end user.
Adverse reactions to the Cookie Directive
Based on the idea that the Cookie Directive would require prior consent, some people portrayed the Directive as being likely to create a flurry of consent pop-ups for advertising and other profiling cookies. A number of campaigns appeared taking this position.
However, in reality, websites would be very unlikely to operate in this way. Websites could simply choose a different type of advertising, such as contextual advertising, or networks could seek prior consent in different ways, for instance through membership of a specific website. It is possible to imagine many different ways that advertising could work, mixing profiled users and non-profiled users, just as they do today.
Looked at this way, the concerns seem to be more about advertisers not wishing to have to change or alter their business models.
The Netherlands are putting in place what is expected to be a strict implementation of the E-Privacy Directive's amendment. This has led to campaigning by the IAB, for instance at this Cookie Demo Site which makes the claim that insisting on consent for profiling and user data rights will mean the Internet becomes highly inconvenient.
Industry information and opt-outs
In response to the new regulations, the IAB has produced a website to explain cookie-based behavioural advertising, called Your Online Choices. The site is linked to by a small, nearly invisible link in the corner of behavioural adverts served by IAB members. This link and the site's information are supposed to provide sufficient grounds for believing that Internet users are consenting to being profiled and served adverts.
Their site also allows users to opt out or in to the services of its members. As explained, this does not mean profiling does not take place. There are also a number of unanswered questions not addressed in their information to users:
- If a user can gain access to their profile
- If a user can prevent themselves from being profiled at all
- If an opt-out cookie prevents profiling
- If user profiles can be removed or deleted
- If deleting an opt-in cookie results in deletion of the profiling information
- What websites participate in each network and what browsing information is being retained
- Whether the profiles are ever sold, used by third parties or relinked to other information sets relating to you
- In what circumstances the IAB believes data protection rights apply to these profiles, and their justification for their position
- How the IAB can realistically act as representative of their members, lobby and campaign group, and industry self-regulator
TPLs and Do Not Track
Do Not Track is a standard being developed by W3C, which allows a user to send an HTTP header requesting that the end website does not track them. The exact scope and meaning of Do Not Track is currently being debated. Meanwhile, very few companies have agreed to respect it.
Do Not Track is available and implemented in a number of web browsers, including current versions of Firefox, Internet Explorer and Safari. Currently, in each case, it has to be activated by the user, so it would not answer a requirement for prior consent, nor will setting it in one place set it across all applications on a device.
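What respecting the header could look like on the receiving side, as an added example that is not from the original page or from any real ad server. The browser sends `DNT: 1`, which a Python WSGI application sees as `HTTP_DNT`; the `uid` cookie, the `VISIT_LOG` store and the reading of "do not track" as "collect nothing" are assumptions, since the header's exact meaning is still under debate.

```python
import uuid
from http.cookies import SimpleCookie

VISIT_LOG = []   # stands in for the network's profile store (hypothetical)


def dnt_enabled(environ):
    """True when the request carries 'DNT: 1' (WSGI exposes it as HTTP_DNT)."""
    return environ.get("HTTP_DNT", "").strip() == "1"


def app(environ, start_response):
    # The response differs by DNT value, so caches must key on that header.
    headers = [("Content-Type", "text/plain"), ("Vary", "DNT")]
    if dnt_enabled(environ):
        # Assumed strict reading: no identifier is read, issued or logged.
        body = b"untracked\n"
    else:
        jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        uid = jar["uid"].value if "uid" in jar else uuid.uuid4().hex
        VISIT_LOG.append((uid, environ.get("HTTP_REFERER", "")))
        headers.append(("Set-Cookie", f"uid={uid}; Path=/; HttpOnly; Secure"))
        body = b"tracked\n"
    start_response("200 OK", headers)
    return [body]


def call(environ):
    """Invoke the app with a constructed environ; return (headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["headers"], body
```

A server that only switched the advert type while still appending to `VISIT_LOG` would send the same visible response to the user, which is why compliance is hard to verify from the browser side.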
Many websites include content from third party websites. This third party content is usually advertisements. Third party content does not only advertise on the first party’s website: the presence of the third party’s advert on the website the user is viewing means that the website will be sending information about the user back to that third party, enabling them to build up a profile for that user without the user's knowledge or permission.
Two technologies being developed to protect user privacy from behavioural tracking are Tracking Protection Lists, proposed by Microsoft, and Do Not Track, developed by Mozilla.
Tracking Protection Lists can be created by a user to accept or decline a third party’s ability to track or monitor a user’s browsing habits. There are a number of problems with TPLs. They cannot provide absolute protection or privacy and, although they can be suggested by the Internet provider, it would be the responsibility of the individual user to monitor and update their own TPL, which is not an easy task. The use of a tracking protection list presumes that the user has some prior knowledge of third party tracking, so that they can compile a list of what they would like to allow or block. The user must also trust the list providers, as it is not easy to verify whether third party sites are actually being blocked or not.
Do Not Track is a simpler way that users can opt out of being tracked by third parties. Many third parties do not currently offer this Do Not Track option. DNT does not have to be monitored and updated by the user like TPLs. It is a one-off opt-out option that will send this Do Not Track message to all third party websites.
Do Not Track and Tracking Protection Lists are not mutually exclusive. They can be used in conjunction with each other to provide a higher level of privacy. However, it is unclear whether TPLs and DNT actually prevent third parties from tracking the browsing behaviour of a user, or if opting in to DNT or creating a TPL merely prevents third parties using the gathered information to target advertisements at the user.