Date post: | 28-Dec-2015 |
Category: |
Documents |
Upload: | kathryn-bradley |
View: | 214 times |
Download: | 1 times |
Tag You're It - Business RisksWhen Customers Find Out You are Tracking Them
Cathy Dwyer, PhD.Seidenberg School of Computer Science & Information SystemsPace University
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
2
OutlineWhat is online behavioral advertising?Who are the major behavioral
targeting companies?Brief overview of targeted advertising
technologyTools that reveal tracking of consumersExamples of sites that use targetingWhat are the risks from using these
services?Some recommendations
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
3
What is online advertising?“Online Behavioral Advertising means the
collection of data from a particular computer or device regarding Web viewing behaviors over time and across non-affiliate Web sites for the purpose of using such data to predict user preferences or interests to deliver advertising to that computer or device based on the preferences or interests inferred from such Web viewing behaviors.”-source: IAB Self-Regulatory Principles
Requires a tagging mechanism (such as a cookie) and a tracking mechanism (collection of clickstream actions over time, creating a “digital profile”)
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
4
Who are the dominant behavioral targeting (BT) companies?
Source: knowprivacy.org
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
5
How widespread is BT?
Source: knowprivacy.org
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
7
Who represents consumer interests?Federal Trade Commission (FTC)Federal Communications
Commission – (FCC)Center for Digital DemocracyCenter for Democracy and Techn
ologyElectronic Privacy Information Ce
nterThe Future of Privacy Forum*
Overview of BT TechnologyBT is a generic name for a set of
technologies that collects click stream data, develops data warehousing structures, applies data mining algorithms to uncover consumer browsing patterns, and serves targeted ads matched to an individual
BT customizes messages to individuals based on shopping interests, as well as gender, age, and ethnicity
BT terminology
Advertising network –establishes relationships with partner Web sites, collects visitor browsing data, and serves ads matched by algorithm to information known about the online visitor
Tagging – BT embeds digital tags to identify and track consumers. Tags can be placed within any persistent browser state, the most common means being cookies, Web beacons, and Flash cookies
BT terminology cont.Web beacon – 1X1pixel gif file loaded by your
browser as an image -- but it is an image in name only◦ Web beacons are invisible◦ Their purpose is tracking, exploiting the cache as a
place to store tags◦ Browser will block cookies, but not Web beacons
Flash cookies – Adobe Flash uses a local data store that it refers to as shared data objects (Adobe provides an online tutorial describing how to use Flash for tracking)
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
11
To manage Flash cookies:Required to visit this web site:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
12
Analysis of Omniture Web bug
This web bug passes back to the advertising network Omniture my Google search term (“moms,” the page I viewed (nycmomslikeme.com), and plants a unique etag value in my browser cache.
ETAG VALUE “4B8ADDFE-3B65-691578AA”(tag values can be used to connect non-contiguous browser sessions)
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
13
What is the appeal of behavioral targeting?Every business needs to grow with new customersHow can your reach only those customers
interested in your products and services?Answer – target themHere is an actual “sales pitch” from a behavioral
targeting company (made to Pace U!):“The retargeting strategy is totally invisible to
the public …Students, faculty, administration, alumni and the public will not be impacted by retargetingstrategies….it is completely unobtrusive, behind-the-scenes, and relevant to the interests ofyour community.”
Translation: no one will know
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
14
Another sales pitch: We can track anyoneLin Maio, CEO of Tatto Media:
“We are interested in methods that slow the ability of consumers to delete cookies from their computers. Flash cookies are no different that regular cookies in terms of privacy, but on average remain on a person’s computer for more than three months.” – Source: MediaPost
Translation: even if you try to block tracking, we will figure out another way to do it
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
15
My 2009 study found Levis.com planted tracking files from nine different companies to site visitors, but only identified one advertising partner in its privacy policy, Microsoft-owned Avenue A.
When asked by BusinessWeek to explain, Levis said:
“Microsoft lines up these other partners and changes them frequently, therefore it didn't seem necessary to list these other companies in the privacy policy.”
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
16
Day of reckoning is coming
Speaking at the NY OMMA Behavioral conference, Adam Kasper, director of digital media at Media Contacts, warned that a "watershed moment" is coming for behavioral targeting when consumers gain greater awareness of the extent to which their online activity can be tracked and targeted, triggering a backlash.
“It's the elephant in the room, and there's going to be a point where consumers get it and there's going to be a big public outcry”
– Source: MediaPost
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
17
FTC Refers to tracking “ecosystem”Browser plug-ins are available that
identify who is tracking you while you browse (Ghostery and Privacy Choice)
Tracking “radar detectors” uncover the extent of tracking, and are real game changers
Reveal how tracking is carried outTracking is no longer hidden, we must
assume all tracking is (or will soon be) visible to customers
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
20
Analysis of tracking on this page provided by Ghostery
Who is tracking ‘green’ consumers?
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
22
Who is tracking queries for medical information?
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
23
How should you think about using BT for your company?
Pay attention to your customers and what they expect from you
Commercial relationships – between buyer and seller – are carried out under a “social contract” of the market
Social expectations of seller – buyer will value their services and not try to defraud them
Social expectations of buyer – seller will respect their autonomy and not take advantage of opportunistic differences in information access
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
24
Unfortunate cycle of privacy management“drift -- threat -- react”Your customers have social
expectations of how they will be treated when they visit your web site
If those expectations don’t match how their data is handled, then customers will blame you (not some unknown third party)
You may lose legitimacy and damage your reputation
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
25
Risks to companies who use targeted advertisingWho exactly are you doing
business with?Who are you trusting with your
most valuable asset – your relationship with your customers?
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
27
173 tracking companies identified by Privacy Choice
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
34
RecommendationsPrivacy governance structureCreate a culture of privacy that
begins at the top of the organization
Create an accountable governance process for privacy
Use “personal insights” in evaluating the impact of privacy practices
From Culnan, Williams, MISQ Dec 2009
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
35
AICPA/CICA Generally Accepted Privacy PrinciplesRecently (2006) The American
Institute of certified Public Accountants and the Canadian Institute of Chartered Accountants released Generally Accepted Privacy Principles (GAPP)
Provides framework for governance structure for internal corporate privacy management of customer data
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
36
Use personal insight for guidanceConsider whether you would be
comfortable if your data was handled the same way
Consider how your web site treats customers:◦ If your web site were replaced by an ideal
human sales person [albeit constrained to act through this interface], how would that sales person behave?
◦ If a human sales person were to act this way, how would he or she be perceived by your customers?
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
37
Questions?Thank you!Contact me for copy of slides:
[email protected] me on Twitter: ProfCDwyer
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
38
Advertising Attribution Model: What if a consumer sees 10 ads? How will we know which one was the most effective? Brian Lesser’s answer: “we need tracking, we must have tracking” at OMNA Adnets, 11/3/09
Brian LesserGeneral ManagerMedia Innovation
Group(a WPP
company)
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
39
IAB Consumer choice principle
Consumer choice principle – “users of Web sites at which data is collected for online behavioral advertising [may] choose whether data is collected …. The choice will be provided by the third party entities collecting and using data for online behavioral advertising and the mechanism will found either at the [third party] Web or industry-developed Web sites.”
Translations – customers may be tracked on your site, and may blame you for it, but we will manage how and whether consumers can opt-out
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
40
I do want to suggest there needs to be an internal conversation at Levis about the specific risks that behavioral targeting brings to your company. Whatever industry practices may be, the fact is your brand is particularly vulnerable to any practices that involve deception. If your company has not done so already, I would recommend conducting focus groups where the behavioral targeting methods you are using are demonstrated in detail, and then consumers are asked for their feedback and reactions. This may be a better guide as to how you handle this technology in the future.
One concern I have about the NAI guidelines is that the behavioral targeting companies insist that only they can provide any opt out mechanisms or privacy controls. This means a web site like yours are completely dependant on the targeting company to handle the privacy options correctly. But your customers have a relationship with you, not with some hidden technology company, and they want to know that Levis is managing their privacy, not kicking the can down the road. If it doesn't work or the targeting being conducted on your site becomes apparent and visible, then your customers will blame you.
One thing that hasn't really happened with this issue is that companies like yours have not been vocal in this debate. I think that should change. You have an interest to protect that is different from consumers, and also different from the targeting companies. I don't think it is good policy to defer to targeting companies when there is the potential to damage your public reputation.
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
41
The Internet “needs” targeted advertisingAll the wonderful services of the
Internet, Facebook, YouTube, Twitter, and other social media are available to consumers who have come to expect no cost for them
The only way we can provide these services for no cost is through targeted advertising
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
42
Data transmitted via Web bugScreen size (&s=1280x1024)Referring site (&r=http
://www.google.com/url), query (&q =moms)List of installed software: &p=Move Media
Player; Mozilla Default Plug-in; Turner Media Plugin 1.0.0.10; QuickTime Plug-in 7.3; Windows Genuine Advantage; Microsoft Office 2003; 2007 Microsoft Office system; Adobe Acrobat; Shockwave Flash; iTunes Application Detector; Google Earth Plugin; Picasa; Silverlight Plug-In; Windows Presentation Foundation; Google Updater; Google Update; Java™ Platform SE 6 U4; Microsoft® DRM;
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
43
Picture of a cookie
Cookie name _csuid
tag value4b76c7261b8ff9eb
BT Terminology cont.
Browsing data collected is divided into Personally identifiable information (PII) and non-PII. Categories of PII include name, email address, SSN. Non-PII is everything else
Platform for Privacy Preferences (P3P) – mechanism for communicating machine readable privacy preferences developed by World Wide Web Consortium (W3C)
(c) Catherine Dwyer, 2010 Tech Talk March 5, 2010
47
Culnan MISQ, Dec. 2009“Because consumers are vulnerable
in their dealings with businesses due to a lack of information about and an inability to control the subsequent use of their personal information, we argue that organizations have a moral responsibility to [consumers] to avoid causing harm and take reasonable precautions toward that end.”