The State of State Management

On Monday, the FTC holds a half day program to discuss Cross-Device tracking.  The Future of Privacy Forum has put together a report, explaining why companies track in the first place.  We explain how tracking based on cookies is crumbling, for a number of reasons:

1.Mobile apps don't support cookies,

2. The mobile Safari browser blocks third party cookies

3. Mobile Web and Mobile apps operate in different environments

4. Consumers split their web browsing time now on phones, tablets, laptops, desktop home computers, work computers, smart TVs and more.

As a result, companies have worked hard over the last several years to "fingerprint" devices, in order to link Mobile App activity to Mobile Web browsing.  They have found partners who have authenticated relationships with consumers and who set either a cookie or a mobile app ad identifier, in order to link cookie to mobile ad identifier.  Some companies, like Facebook, Google, ISPs and others have authenticated relationships with consumers and can recognize consumers across multiple channels.  Others leverage the fact that consumers have home IP addresses and home MAC routers that are linked to home locations, thereby enabling the appending home addresses and then other data.  

In our report, we provide a review of the various technologies used.  Over the years, we have been briefed by companies implementing everyone of these technologies and have suggested options to provide consumers with enhanced transparency and opt-out options.  Some have succeeded in doing so, others continue to struggle. 

It can be easy to get caught up in the technologies used and the different business models, but at the end of the day, every one of these companies is trying to understand the effectiveness of ads displayed to the consumers on one type of screen or another.  Some companies are also seeking to use data to customize the ads they display. Our advice is that the rules should be simple, no matter the technology - is there a clear and easily accessible explanation to the consumer about what is happening? And is the consumer provided with meaningful controls?

This last bit about meaningful controls is turning out to be an increasing challenge in today's complex ad ecosystem.  When I started out in ad tech in 2000, as the Chief Privacy Officer for ad network leader DoubleClick, consumer controls were straightforward.  When consumers blocked or cleared third party cookies, they prevented ad network tracking.  When they used the central industry opt-out, they might still be tracked, but ads would no longer be tailored based on web surfing data or appended data.

Today, meaningful control for consumers has become incredibly complex, with options that are likely only understood by a handful of experts who work at the intersection of ad tech and privacy.  Cookie controls are increasingly meaningless, because companies that fingerprint consumer devices track without cookies.  Central industry opt-outs are effective to decline ad targeted based on web surfing, but not based on appended data. Mobile ISP data provider opt-outs disable ISP tracking, but when you are on home WiFi they cant track you, so you then need to think about the companies that are targeting you based on your home WiFi IP address.  If you don't want your home WiFi IP address linked to your location, add to the name of your home router the letters "_NOMAP", for Google and Mozilla to opt you out.  But for Skyhook, Microsoft and most others, find your home router MAC address and submit it at each of the opt-out pages provided by those companies.  And the Do Not Track option offered by web browsers?  Only about a dozen or so companies respect that setting (see our list at www.allaboutdnt.org).  Many more companies do respect the "Limit Ad Tracking" settings that iOS and Android provide, but that is just for mobile app tracking, and not every ad network cooperates.  

Has your head exploded yet?  No? Then let's continue.  Today, most of this tracking activity is subject to FTC jurisdiction, so an unhappy consumer can complain to that agency, regardless of the technology involved.  But the FCC is considering extending its privacy rules to ISPs, which would mean that consumers would have to know to turn to that agency if an ad was targeted with tracking enabled by an ISP.  

Want more?  You just interrupted your reading of this column to download an ad blocker, hoping to be free of this muddle? You need to understand that the leading ad blocker blocks many ads, but does not block ads from a many of the largest ad companies who pay in order to get through the blocking and promise to only deliver non-intrusive ads.

At the FTC program, we expect the debate will focus on whether a cross device opt-out is effective only on the device the consumer is using at the time or across all the linked devices.  Is it an opt-out of all tracking or only for ad targeting?  There is certain to be criticism of the sneaky audio beacon cross device tracking, exposed last week by our colleagues at the Center for Democracy and technology.  But as participants at the program debate the issues, we hope industry leaders and policymakers will take a step back and look at the big picture.  How can we avoid adding even more complexity and more detail as we search for solutions?  How can we move past paying lip service to transparency and choice and consider ways to do so that are meaningful across all technologies and all business models?

Your ideas are welcome in the comments here - and the FTC will be taking formal comments following the program, so do consider filing a formal statement with them as well! 

Jules Polonetsky is Executive Director of the Future of Privacy Forum.  In earlier roles, he managed advertising tech privacy issues as the Chief Privacy Officer of AOL and as the Chief Privacy Officer of DoubleClick.  He was also the Consumer Affairs Commissioner of New York City, a legislative aide to then Congressman Charles Schumer, and an attorney.  He clicks on ads, so that reporters at online newspapers can get paid.  But he blocks ads at sites that trigger intrusive pop-ups.