Free Cookies: Strings attached to browsing raise costs for users

Guest post by Jon Fox
A version of this post first appeared on the California Public Interest Research Group site

The recent introduction of Do-Not-Track legislation is again bringing the issue of online privacy back to the forefront in the United States. Given its mixed history, lack of widespread agreement on how to treat Do-Not-Track requests, and what sort of behavior constitutes tracking, the effectiveness of existing Do-Not-Track systems are far from adequate.

Free services are a major driving force behind the world wide popularity of the internet. But the free does not come without cost. That’s because users are tracked online, data is collected and stored, and profiles are created for companies to target ads and better sell us products.

Though using a service may be free, we pay for targeted ads in various ways. Companies pay millions to collect user information and then buy targeted ads, an expense that is ultimately passed on to consumers in higher prices. Moreover, basic economic principles dictate that consumers pay more when companies know more about how much they are willing to spend, past shopping behavior, and personal circumstances.

That’s why for some time consumer and privacy advocates have sought to address online tracking through Do-Not-Track regulation, which would allow internet users to set their web browsers to tell websites, advertising networks, data brokers, and other online entities that they do not want to be tracked online for commercial data mining.  

More than a nuisance, losing control of your data online could affect your offline life. ‘Big data’ brokers combine bits of data to complete a picture of your life and — accurate or not — sell it, in ways that could lead to illegal, racial and class-based outcomes on loans and credit scores, hiring, search results and ads, and family privacy.  

A mixed history

Recently, Senator John D. Rockefeller (D-WV) introduced the Do-Not-Track Online Act of 2013, which, along with requiring the Federal Trade Commission (FTC) to set DNT standards, would also instruct the commission to draft rules to enforce users’ request to opt out of such tracking.

But Rockefeller’s proposal is just the latest in the long, mixed history of Do-Not-Track. In 2009, privacy expert Chris Soghoian and others proposed a technical solution — inserting “DNT” into the headers of messages web browsers send. Senator Rockefeller previously put forward a Do Not Track bill two years ago, yet did not pursue it after industry groups pledged to develop voluntarily mechanisms to honor user’s browser-based Do-Not-Track flags.

Since then, negotiations to set universal Do-Not-Track standards as part of the World Wide Web Consortium (W3C) standards have fallen through and little progress has been made towards effective self-regulation.

While some companies have decided to move ahead themselves, consensus and clarity around Do-Not-Track standards is still needed. Microsoft announced it would set Do-Not-Track as a default setting in its newest web browser IE10. Mozilla recently raised the bar when it announced that it would offer to block third-party tracking cookies on its new version of the Firefox browser.

Advertisers and other online data brokers have resisted such efforts to respect users privacy preferences vigorously. A leading industry lobbyist called Mozilla’s added Do-Not-Track feature on Firefox “a nuclear first strike” against the ad industry. Without such agreement or enforcement mechanisms, self-regulation is not enough to protect users.

The public wants to have more control over when and how their online activity is tracked: In response to the advertising industry’s outcry, Brendon Lynch, Microsoft’s chief privacy officer, cited a company study of computer users in the United States and Europe which found that 75 percent wanted Microsoft to turn on the Do-Not-Track system. Access noted the FTC is getting more serious about mobile privacy disclosures. Yet industry leaders have so far failed to reach agreement on establishing Do-Not-Track mechanisms. It is time for lawmakers to act and pass a Do-Not-Track bill to protect users.

How we got here: free cookies

From the beginning of their existence, Google, Facebook, and Twitter drew new customers in with their free offers, and users quickly signed up. Some internet services successfully transitioned to paid premium service packages, like the online television streaming service Hulu’s premium Hulu Plus subscription plan, once users familiarized themselves with the product.

However, for the most part, the core of the online experience is free. Or is it?

The answer to that question is in the details, or rather, in the data. Terms of service agreements make it seem like consumers willingly made a Faustian deal to enjoy all the internet has to offer for free in return for letting online companies monitor and track them. For the most part tracking is done through browser cookies sent while the user is on a website and stored on the computer.

But the deal between users and their trackers is not completely above-board. Cookies were originally designed to help websites “remember” us on our next visit, speeding up the browsing experience and making it more enjoyable. Since then tracking cookies, and especially third-party tracking cookies, have become more sophisticated and compile a record of individuals’ browsing histories, online interactions, movements, and interests. Although services like Ghostery and DoNotTrackPlus reveal the long lists of third parties tracking you, most users have little idea that this monitoring is taking place in the background, and have even less control over what data is collected or how it is used.

Unknown third-party companies collect user data from tracking cookies and then sell it to other online businesses. This data is often used to provide consumers with a “tailored” web experience matching their interests and past behavior online. While most internet users are not familiar with the technical details, by now most aren’t surprised to see ads for sunscreen in their Gmail after receiving a hotel confirmation for a beach vacation.

For most, a few “targeted” ads seem like a small price for all the awesomeness the internet has to offer. But the costs extend beyond what most users imagine.

The costs of a personalized web

Tracking cookies allow online marketers to create “buckets” for customers meeting various criteria, offering each a different price for the same products. The Wall Street Journal found that popular retailers, including Staples, Discover Financial Services, Rosetta Stone Inc. and Home Depot Inc., were consistently adjusting prices on product offers based on a range of characteristics that could be learned about the user. For example, if a man googles “last minute Valentines gift” and then reaches a florists’ website he may see different pricing than another who simply googled “florist delivery.” Online marketers can sniff out the desperation, and can adjust prices upwards for those rushing to save a relationship.

We are told that giving up a little bit of privacy is the only way users can continue to enjoy the level of internet services we are accustomed to. Yet, even glossing over the (valid and persuasive) argument that corporate tracking of our online activity is a violation of privacy, not to mention creepy, this claim doesn’t address the problem. Online tracking isn’t done to create a better user experience: it is done for commercial gain. The collection and sale of user data is a growing business, putting user privacy behind profits. Lawmakers need to step-up and pass Do-Not-Track legislation, which regulators need to enforce.

Jon Fox is a consumer advocate and social activist who has worked in the U.S., Southeast Asia, and the Middle East on issues of technology, privacy, and human rights.