Advertising and user privacy

With Clickmaniac 2012 well in progress, the students in our class have a chance to take the role of an advertiser. We try to construct ads that cater to specific demographics, and perform analysis to separate the strategies that produces the most clickthroughs from the ones that generates nothing. While this is a very fine (and fun) exercise, when do we stop to consider the people on the other side? How do consumers, data collection, and privacy fit into the equation?

Before going any further, let's review how advertisers collect user information for targeting. Traditionally (unlike Facebook, which simply enumerates your profile), advertising networks set what's known as a "cookie" in your browser to give you a unique identity. There exists two types of cookies--first party cookies and third party cookies. First party cookies are designed to store your browsing state, for instance, if you've logged in to a website or not. These cookies are almost always essential to the proper functionality of a website. Third party cookies, on the other hand, are set by websites from other domains that happen to present content on the current page. In the case of advertising networks, the third party cookies are used to track your web surfing habits. For example, if you visit 5 websites, all of which display ads from a single network (e.g. DoubleClick, owned by Google), that ad network is able to track the exact path through which you move from one site to another. Not all hope is lost for the consumers, however. Many modern browsers implement some sort of privacy controls that allow users to fine-tune their settings pertaining to cookies. Many browsers, like Safari, even have certain privacy protections enabled by default.

Early last week, the Wall Street Journal reported that Google had been bypassing the privacy provisions of the mobile version of Safari for iOS. While the default settings in Safari were to block third party cookies, Google was using a workaround to still set these cookies. The result (one may debate whether this was intentional or not) was that DoubleClick tracking cookies were set, despite the user's preferences. The story caused widespread outrage as to the privacy violations incurred by the internet company. It was later shown that Facebook was doing the exact same thing.

Around the same time last week, The New York Times Magazine ran another interesting story on how one retail chain, Target, was keeping track of customer shopping habits. In addition to assigning each customer a unique ID linked to their name and credit card for in store purchases, Target also obtained data of web surfing and shopping habits of their customers. In fact, the statisticians at Target had so much information from one particular customer's habits that they were able to tell she was pregnant even before her parents knew.

In light of these recent stories, we see that consumer privacy on the internet is still at its infancy. Just like car manufacturers had a responsibility of safety, which led to the seat belt, will internet companies develop responsibilities of their own in terms of protecting a user's personal information? As an advertiser, it's easy to get caught up in pushing the limits when it comes to reaching an audience, but when does it become too much?