Do You Trust Computer Cookies?

Monday, February 9, 2009

White House Cookies Stir Controversy

To bring more communication and transparency to the White House, a new Whitehouse.gov site was rolled out precisely at the stroke of noon on Inauguration Day. Within hours, there was already controversy.

The new White House Website makes use of cookies from WebTrends and from YouTube Inc. The concern centers on whether the cookies are capable of tracking an objectionable amount of private information about visitors to the site.

Much of this is not even news, as WebTrends had been in use on the White House Website for several years, though the YouTube cookies are new.

The information tracked by the cookies is as follows:

The White House, and WebTrends, the vendor, know the referring URLs that bring users to the WhiteHouse.gov site. They know the ID of any WebTrends cookie already installed on the visitor's system; the language the browser is set to; the time since the last visit; the current time; and whether Java, Flash, or Silverlight is installed.

YouTube, or, more broadly, Google (Nasdaq: GOOG), knows how many times YouTube videos are viewed by people via the White House Website. None of this data is tied to an individual. None of the data reveals that I visited Whitehouse.gov on Inauguration Day.
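As an added illustration (not code from Whitehouse.gov or WebTrends), the Python below parses a constructed tracking-image request and pulls out the items listed above, then repeats the exercise for a visitor who has cleared cookies. The host, the `visitor` cookie layout and the query parameter names are invented for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed request for a 1x1 tracking image. The host, path, cookie name
# ("visitor") and query parameter names are made up for this example.
SAMPLE_REQUEST = (
    "GET /pixel.gif?ref=http%3A%2F%2Frestaurant-x.example%2Fmenu"
    "&java=1&flash=1&silverlight=0 HTTP/1.1\r\n"
    "Host: stats.example.net\r\n"
    "Referer: http://www.example.gov/briefing-room/\r\n"
    "Accept-Language: en-US,en;q=0.8\r\n"
    "Cookie: theme=dark; visitor=id=7f3a9c21:lv=1233000000\r\n"
    "\r\n"
)

# The same request after the visitor has cleared cookies.
CLEARED_REQUEST = "\r\n".join(
    line for line in SAMPLE_REQUEST.split("\r\n")
    if not line.lower().startswith("cookie:")
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def parse_cookies(header_value):
    """Turn a Cookie header value into a {name: value} dict."""
    cookies = {}
    for part in header_value.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def beacon_view(raw, now):
    """Return what the analytics server learns from one image request.

    `now` is the server's clock as a Unix timestamp.
    """
    _method, target, headers = parse_request(raw)
    query = parse_qs(urlsplit(target).query)
    cookies = parse_cookies(headers.get("cookie", ""))
    # Assumed cookie layout: visitor=id=<random id>:lv=<last visit, Unix time>
    visitor = dict(
        field.split("=", 1)
        for field in cookies.get("visitor", "").split(":")
        if "=" in field
    )
    last_visit = visitor.get("lv", "")
    language = headers.get("accept-language", "").split(",")[0].split(";")[0].strip()
    return {
        # The Referer header names the page that embedded the image.
        "page": headers.get("referer"),
        # The page that led the visitor to the site is passed by the page's script.
        "referring_url": query.get("ref", [None])[0],
        "visitor_id": visitor.get("id"),
        "language": language or None,
        "seconds_since_last_visit": now - int(last_visit) if last_visit.isdigit() else None,
        "received_at": now,
        "plugins": sorted(p for p in ("java", "flash", "silverlight") if query.get(p) == ["1"]),
    }


if __name__ == "__main__":
    for label, request in (("with cookie", SAMPLE_REQUEST), ("cookies cleared", CLEARED_REQUEST)):
        print(label, beacon_view(request, now=1233086400))
```

Clearing cookies removes the visitor ID and the time since the last visit; the embedding page, referring URL, language and plugin flags still arrive with every request.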

I think the challenge comes down to what is public and what is private. Let’s take an example: Say I am a rabid supporter of U.S. statehood for Quebec.

If I make a phone call from my house or cellphone to the offices of "Quebec the 51st State," that is clearly private information. The police, or any other government agency, would need a court order to learn that I made the call -- or that I called the offices of Internet Evolution just before phoning the Quebec campaign.

If I participate in a rally supporting Quebec statehood that is held on the streets of D.C., then my participation can be freely observed. It can be recorded, it can be taped -- there is nothing private about my actions. It may be seen via any number of cameras that now watch the streets in most major cities that I left Restaurant X and walked to the Quebec statehood rally.

The most private item that WebTrends could report to the White House is the summary data of how many people visited a site, say the Website for Restaurant X, immediately before visiting Whitehouse.gov. Is that data even private? Is that data like my sample phone call?

I, for one, am pleased to see the government using WebTrends (again, a decision that predates the current administration). It means they are buying an affordable software solution instead of spending my taxpayer dollars building unnecessary software. Plus, it means they are looking to track the success or value of their work.

If they build a new section on the Website that they think will provide a public service, they can then use the analytics from WebTrends to discover if many people or few people visit. If few people visit, then they can spend their limited dollars and staff time on other projects. These metrics help provide accountability!

I am quite biased when it comes to Web analytics. I implemented a Web analytics tool (a WebTrends competitor) back in 1999, and today that site represents the longest continually running implementation of Web analytics on the Internet. I have seen the value it brings.

Eating too many Girl Scout cookies is bad. But there is a time and a place to have a few. Likewise, computer cookies can be bad -- but at the same time, there are many times when using them provides great value.

Friday, February 6, 2009

Komando's Q & A: Don't worry about cookies

Question: I was recently alerted to a feature of Yahoo Groups. The site uses Web beacons to track users. So, how do I defeat the Web beacons? I clear the cookies from my browser, but is this enough?

Answer: All Yahoo sites use Web beacons. These are small image files, undetectable to the eye. They let Yahoo servers access your browser's cookies. I think you're worrying too much about the Web beacons. Information obtained through Web beacons won't be shared. You could clear the cookies from your browser, but this is a pain. Plus, I think people worry too much about cookies. They aren't dangerous, but many people still dislike them. If you're still bothered, I can help. You'll find some helpful tips at www.komando.com/news.

Q: I teach eighth grade and I'm worried about my students. Most use MySpace and many are posting inappropriate information. They don't seem to understand the risks the site poses. Can you help me persuade them to be safer on MySpace?

A: There is a lot of inappropriate content on MySpace. Some teens post sexual and drug-related messages. Others post sensitive information that predators could use. Your students may understand potential risks associated with MySpace. However, teenagers tend to think that they are invincible. So, present them with news stories about the dangers of misusing MySpace. You'll find many of these stories at www.komando.com/news. You'll also find my MySpace quiz. Here, students will have to find what's wrong with a typical MySpace profile.

Q: I heard about some changes in the iTunes music store. ITunes will be offering high-quality downloads. I'm really excited about this, but do I need a special iPod to play them?

Cookies - delicious or malicious?

It's a fact of modern life that we have to learn new skills if we are to keep up with the younger generation.


I don't mean we have to wear pants that could sleep a family of six, baseball caps with the beak sticking out to one side and adopt hand movements as if we are "scratching" on twin "decks" while "kicking rhymes".

What I mean is that as we get older and everything gets more complicated, we need to adapt to the technology of the day.

Our grandparents had radio and television to contend with, while our parents broke in video-recorders, CD audio technology and alarm clocks. While many are still 12:00 flashers (they never remember how to set the clock, hence the display shows a perennially-flashing 12:00), they did their best in an ever-changing technological landscape.

Fast-forward a decade and computers are our toy of choice. Many lament that computers are hugely complicated contraptions that we love to hate and the first time they break down we find we can't do without them.

The kicker is we need to learn all that computer lingo - words and terms we must know if we are to ever be the master of our machines.

Take cars, for example. We have to know at least some related jargon so we can explain what is wrong to our mechanic.

A typical exchange goes like this: "The engine makes a funny noise and won't start."

This, of course, isn't much help and the mechanic has to practically start from scratch to assess the problem.

On the other hand, if we rocked up and said "the cam-belt perambulator has failed, forcing a piston and valve contraction in the number three pot which caused the big-end to choke the gudgeon pin journal and now we're pretty certain the head will need to be planed", our mechanic would probably give us one of those looks that they reserve for "special" customers.

It may surprise you to learn that the computer universe is very close to this example.

It seems everyone knows someone who "knows about computers" and often those in the computer repair business only see machines after they have passed through several pairs of "helping" hands, which, it turns out, often make things worse.

My point is, there is all this computer-related jargon we have to learn, just to give the impression we know what we are doing.

Even something as simple as surfing the internet involves seemingly mission-critical messages telling us to make sure "cookies are enabled", or "Javascript is turned on" and other equally mysterious dialogues.

What does it all mean? What happens if we click Yes and navigate away from a secure site without it being encrypted? Will we be robbed? And aren't cookies dangerous?

Didn't we hear that allowing scripts to run spreads viruses? Our anti-malware software keeps finding "tracking cookies" and makes it sound like we should be scared.

Should we be? Well, yes and no.

Like everything with computers, the issue isn't so cut and dried.

To help websites be more clever, developers use snippets of code to make everything work properly. Cookies are just small scripts that are temporarily stored on our machines while we surf the web and are used for a wide variety of tasks like security, tracking our movements within the site, helping with logins, forms and shopping-cart systems, or simply to help sites provide the best content for our particular web browser.

Other scripts and Browser Helper Objects are there to make certain everything works as it should. This is a widely acceptable use of web technology.

The problem is that anything used for good can also be used by bad people to do bad things.

For example, very few cookies are malicious, but most anti-virus (AV) software treats them as a potential threat because one might be nasty.

Besides, AV software likes to be seen to be doing something to justify the price tag or, if it is free, validating your decision to use it.

Shopping sites like Amazon require you to have cookies enabled because, besides other uses, the shopping-cart system uses cookies to keep track of your products and purchases.

While it is unlikely you will ever see a truly malicious cookie, they are a reality, which is why opening your browser settings and enabling "delete cookies on exit" is a good idea.

Likewise, JavaScript and other scripting can be malicious but the majority of it is harmless. My advice is surf with JavaScript and cookies disabled and simply turn them on if required.

Learning any new language is hard but you only need to know a few choice words to be computer literate. I'll leave it up to you to decide which ones.

Porn mode - no longer a dirty little secret

People like porn, but some web browsers have been slow to acknowledge this naked 800-pound gorilla sitting in the corner.

Whenever you surf the web, you leave behind all kinds of clues on your computer as to what you've been doing, such as cookies, images in the cache and addresses in the browser history. Anyone who knows even the slightest bit about computers can easily tell what you've been up to unless you cover your tracks. Thus the popularity of "porn mode" in web browsers.

Of course they don't call it porn mode, it's more likely to be labelled "private browsing mode" or "stealth mode". There are lots of legitimate reasons why you might want to engage such a mode, but surely the number one reason for most people is so they can look at porn without leaving behind incriminating evidence that their loved ones might stumble across.

There are porn mode plugins for some browsers, but it seems Safari on Mac OS was the first to get a built-in porn mode back in April 2005. Google's Chrome browser launched with "Incognito mode" in 2008. Surprisingly the two browsers with the biggest market share have been very slow off the mark. Mozilla Firefox still doesn't have a built-in porn mode, although it's expected to be included in the upcoming 3.1 update. Likewise Internet Explorer doesn't let you peruse unsavory sites with impunity, but an "InPrivate mode" is coming in IE8.

The usual suspects will naturally come out of the woodwork to declare porn mode yet another sign of the coming apocalypse, but if you don't give the people what they want they'll go elsewhere. I doubt IE and Firefox consider Safari much of a threat, but once Google Chrome launched on Windows with porn mode last year, the pressure was on IE and Firefox to follow suit. I'd say it's the kind of feature that would encourage people to switch browsers, or at least to install a second browser for their clandestine browsing sessions. If people install Chrome just for looking at porn, they might decide they like it better than IE or Firefox and make the switch completely.

If you've got a dirty little secret, and you'd like to keep it that way, porn mode is coming to a browser near you.

Friday, December 19, 2008

Yahoo Slashes Data Retention to Three Months

In a move to one-up its search-engine rivals, Yahoo on Wednesday announced a new global data-retention policy that far surpasses what Google and Microsoft have proposed.

Indeed, Yahoo is setting the industry standard for data retention with its promise to anonymize user log data within 90 days -- with limited exceptions for fraud, security and legal obligations. Yahoo is also expanding its policy to apply not only to search-log data but also page views, page clicks, ad views, and ad clicks.

"In our world of customized online services, responsible use of data is critical to establishing and maintaining user trust," said Anne Toth, Yahoo's vice president of policy. "We know that our users expect relevant and compelling content and advertising when they visit Yahoo, but they also want assurances that we are focused on protecting their privacy."

Yahoo Gets Aggressive

Privacy advocates, including European Union regulators, have put pressure on search engines to slash data-storage times. The current industry standard is 18 months. Microsoft last week told European regulators it's ready to cut the time it holds users' search data from 18 months to six months -- if other search-engine companies do the same.

"What we've done since April is evaluate the multiple uses of search data to ascertain if we can, in time, move to a six-month time frame," said Peter Cullen, Microsoft's chief privacy strategist. "Our answer is yes, we can, but we don't believe it makes sense for us to make this change until our competitors also commit to meeting this higher standard with respect to both the method and time frame for anonymization."

Yahoo isn't waiting for other search engines to cooperate. Instead, the heads of the business and engineering units at Yahoo worked with the privacy and data-governance teams to review data needs. Their goal was to ensure that Yahoo retains data only long enough to serve its business and user-experience needs while maintaining the ability to fight fraud, secure systems, and meet legal obligations.

"This policy represents Yahoo's assessment of the minimum amount of time we need to retain data in order to respond to the needs of our business while deepening our trusted relationship with users," Toth said. "We're proud this new policy sets a new benchmark for the industry."

What Will Google Do?

Yahoo said users won't see a difference in their experience with Yahoo products or services, and advertisers will continue to leverage its interest-based advertising systems to deliver the most relevant ads. That revelation begs the question: Do users really care how long search engines retain their search data?

"I question to what extent consumers have any awareness of data-retention issues," said Greg Sterling, principal analyst at Sterling Market Intelligence. "They do have awareness that their behavior is tracked online, and there is considerable discomfort with that, but in terms of specific issues as to how long data is kept, I think there is total ignorance on the part of regular consumers."

Yahoo's move also begs questions about what Microsoft, Google and others will do in response to this aggressive policy. Sterling said it puts pressure on the search-engine industry to at least shave time off their data-retention policies. The European Union has pushed for a six-month limit.

"We might see Microsoft quickly come out and say it will cut its policy to six months, or maybe match Yahoo," Sterling said. "If that happens, certainly Google will have to follow suit. Google may not come down to three months, but they may come down to six months. If Google were to be isolated in this, it would not only incur the wrath of the EU regulators but it would also suffer in the press as the other two key players stepped up to the requested standard."

Wednesday, December 17, 2008

Privacy Proponents Prompt President-Elect To Police

Privacy advocates met Tuesday with members of President-elect Barack Obama's Federal Trade Commission transition team to urge that the government more aggressively regulate the online advertising industry.

"The overall message was that the Bush FTC gets an 'F' on privacy," said Jeff Chester, executive director of the Center for Digital Democracy. "We're expecting the Obama team to take a better approach."

Chester, who two years ago filed a complaint with the FTC about online behavioral targeting, is pressing for new laws that would require marketers to seek Web users' permission before tracking them for ad purposes.

Other groups at the one-hour meeting Tuesday with FTC transition team heads Susan Ness and Phil Weiser included the ACLU, Consumer Federation of America, Electronic Frontier Foundation, and World Privacy Forum.

Online ad executives and the Interactive Advertising Bureau have argued that the FTC should not restrict behavioral targeting because the practice does not harm consumers. Ad companies also say that behavioral targeting is often anonymous because they don't collect names, addresses or other so-called personally identifiable information. Instead, companies track users anonymously via cookies as they go from site to site, compile profiles, and then serve ads to users based on their presumed interests.

But privacy advocates have questioned just how anonymous this type of targeting really is. They say that in some circumstances, it might be possible to identify specific individuals from detailed profile information.

In addition, some consumer advocates say behavioral targeting is inherently problematic.

"Behavioral tracking and targeting is actually deceptive on its face because consumers' information is being collected by entities with whom they have no relationship, to whom they didn't give their information, and for purposes of which they're unaware," said Susan Grant, director of consumer protection at the Consumer Federation of America.

Grant added that her organization was concerned that some consumers could face tangible consequences due to behavioral targeting. For instance, she said, companies could potentially use information gleaned from tracking people online to make different offers to different people.

Some of the advocates also criticized the Network Advertising Initiative's new privacy guidelines to the transition team. Pam Dixon, executive director of the World Privacy Forum, said those standards don't adequately protect the privacy of people's medical information.

"To say they're non-starters is an understatement," Dixon said.

The new NAI guidelines call for ad companies to refrain from collecting data about sensitive medical information or serving ads related to such information, unless consumers expressly consent. The prior guidelines said marketers should never collect such data if it was personally identifiable, but allowed them to do so if the information was anonymous and people could opt out.

Google Wants Its Own Fast Track on the Web

The celebrated openness of the Internet -- network providers are not supposed to give preferential treatment to any traffic -- is quietly losing powerful defenders.

Google Inc. has approached major cable and phone companies that carry Internet traffic with a proposal to create a fast lane for its own content, according to documents reviewed by The Wall Street Journal. Google has traditionally been one of the loudest advocates of equal network access for all content providers.

At risk is a principle known as network neutrality: Cable and phone companies that operate the data pipelines are supposed to treat all traffic the same -- nobody is supposed to jump the line.

But phone and cable companies argue that Internet content providers should share in their network costs, particularly with Internet traffic growing by more than 50% annually, according to estimates. Carriers say that to keep up with surging traffic, driven mainly by the proliferation of online video, they need to boost revenue to upgrade their networks. Charging companies for fast lanes is one option.

One major cable operator in talks with Google says it has been reluctant so far to strike a deal because of concern it might violate Federal Communications Commission guidelines on network neutrality.

"If we did this, Washington would be on fire," says one executive at the cable company who is familiar with the talks, referring to the likely reaction of regulators and lawmakers.

Separately, Microsoft Corp. and Yahoo Inc. have withdrawn quietly from a coalition formed two years ago to protect network neutrality. Each company has forged partnerships with the phone and cable companies. In addition, prominent Internet scholars, some of whom have advised President-elect Barack Obama on technology issues, have softened their views on the subject.

The contentious issue has wide ramifications for the Internet as a platform for new businesses. If companies like Google succeed in negotiating preferential treatment, the Internet could become a place where wealthy companies get faster and easier access to the Web than less affluent ones, according to advocates of network neutrality. That could choke off competition, they say.

For computer users, it could mean that Web sites by companies not able to strike fast-lane deals will respond more slowly than those by companies able to pay. In the worst-case scenario, the Internet could become a medium where large companies, such as Comcast Corp. in cable television, would control both distribution and content -- and much of what users can access, according to neutrality advocates.

The developments could test Mr. Obama's professed commitment to network neutrality. "The Internet is perhaps the most open network in history, and we have to keep it that way," he told Google employees a year ago at the company's Mountain View, Calif., campus. "I will take a back seat to no one in my commitment to network neutrality."

But Lawrence Lessig, an Internet law professor at Stanford University and an influential proponent of network neutrality, recently shifted gears by saying at a conference that content providers should be able to pay for faster service. Mr. Lessig, who has known President-elect Barack Obama since their days teaching law at the University of Chicago, has been mentioned as a candidate to head the Federal Communications Commission, which regulates the telecommunications industry.

The shifting positions concern some purists. "What they're talking about is selling you the right to skip ahead in the line," says Ben Scott, policy director of Free Press, a Washington-based advocacy group. "It would mean the first part of your business plan would be a deal with AT&T to get into their super-tier -- that is anathema to a culture of innovation."

Advocates of network neutrality believe it has helped the Internet drive the technology revolution of the past two decades, creating hundreds of thousands of jobs.

The concept of network neutrality originated with the phone business. The nation's longtime telephone monopoly, nicknamed Ma Bell, and its regional successors were prohibited from giving any public phone call preference in how quickly it was connected. When the Internet first boomed in the 1990s, content largely traveled via telephone line, and the rule survived by default.

'Dumbpipes'

The carriers picked up the unflattering nickname "dumbpipes," underscoring their strict noninterference in the Internet traffic surging over their networks. The name heightened resentment among the carriers toward the soaring wealth of the content providers, such as Amazon.com Inc., that couldn't exist without the networks of the telecom and cable companies.

In August 2005, amid a deregulatory environment, the FCC weakened network neutrality to a set of four "guiding principles." The step had the effect of making the FCC's power to enforce network neutrality subject to interpretation, emboldening those looking for ways around it.

Stirring the waters further, major phone companies including AT&T and Verizon announced they intended to create new fast lanes on the Internet -- and would charge content companies a toll to use it. They claimed Internet companies had been getting a free ride.

That unleashed a firestorm of criticism. A diverse group including Internet companies Google, Microsoft and Amazon joined the likes of the Christian Coalition, the National Rifle Association and the pop singer Moby in what they characterized as a fight to "save the Internet." The coalition claimed such steps could endanger freedom of speech.

Advocates of network neutrality also claimed that dismantling the rule would be the first step toward distributors gaining control over content, since they could dictate traffic according to fees charged to content providers. The fortunes of a certain Web site, in other words, might depend on how much it could pay network providers, rather than on its popularity.

That concern would grow if the carriers themselves offer content, which some have tried, with mixed success. AT&T, the country's largest broadband provider, recently launched its own online video service, called VideoCrawler, to compete with YouTube and others.

"One way AT&T can win that competition is to give their own video service preferential treatment on their network," says Robert Topolski, a networking engineer based in Portland, Ore. An AT&T spokesman says the company has no plans to give VideoCrawler preferential treatment on its network.

Mr. Topolski discovered that Comcast was slowing a video file-sharing service called BitTorrent. That discovery eventually led to sanctions against Comcast by the FCC. Comcast has appealed the decision, arguing the FCC did not have the authority to make such a ruling.

In 2006, Microsoft felt strongly enough about the issue that it wrote Congress to declare that saving network neutrality "could dictate whether the U.S. will continue to lead the world in Internet-related technologies."

The debate eventually reached a stalemate. Legislation to codify network neutrality failed to pass, and carriers backed off their plans for a tiered Internet.

During his presidential campaign, Mr. Obama spoke frequently about the Internet, which was a critical tool in his grass-roots effort to reach new voters, and the importance of network neutrality. "Once providers start to give privilege to some Web sites and applications over others, then the smaller voices get squeezed out," he told Google employees a year ago when he campaigned at the company. "And then we all lose."

Obama Advisers

But some of those who advise the new president on technology have changed their view on network neutrality. Stanford's Mr. Lessig, for one, has softened his opposition to variable service tiers. At a conference, he argued that carriers won't become kingmakers so long as the faster service at a higher price is available to anyone willing to pay it.

"There are good reasons to be able to prioritize traffic," Mr. Lessig said later in an interview. "If everyone had to pay the same rates for postal service, then you wouldn't be able to differentiate between sending a greeting card to your grandma versus sending an overnight letter to your lawyer."

Some telecom experts say that broadband is the most profitable service offered by phone and cable companies, and they are simply trying to offset declining revenue from their traditional phone business.

In the two years since Google, Microsoft, Amazon and other Internet companies lined up in favor of network neutrality, the landscape has changed. The Internet companies have formed partnerships with phone and cable companies, making them more dependent on one another.

Microsoft, which appealed to Congress to save network neutrality just two years ago, has changed its position completely. "Network neutrality is a policy avenue the company is no longer pursuing," Microsoft said in a statement. The Redmond, Wash., software giant now favors legislation to allow network operators to offer different tiers of service to content companies.

Microsoft has a deal to provide software for AT&T's Internet television service. A Microsoft spokesman declined to comment whether this arrangement affected the company's position on network neutrality.

Amazon's popular digital-reading device, called the Kindle, offers a dedicated, faster download service, an arrangement Amazon has with Sprint. That has prompted questions in the blogosphere about whether the service violates network neutrality.

"Amazon continues to support adoption of net neutrality rules to protect the longstanding, fundamental openness of the Internet," Amazon said in a statement. It declined to elaborate on its Kindle arrangement.

Amazon had withdrawn from the coalition of companies supporting net neutrality, but it recently was listed once again on the group's Web site. It declined to comment on whether carriers should be allowed to prioritize traffic.

Yahoo now has a digital subscriber-line partnership with AT&T. Some have speculated that the deal has caused Yahoo to go silent on the network-neutrality issue.

An AT&T spokesman said the company should be able to strike any deal it sees fit with content companies. Yahoo said in a statement that carriers and content companies "should find a consensus on how best to ensure that Americans have access to a world-class Internet."

Google Connections

Google, with its dominant market position and its perceived ties to the Obama team, may hold the most sway. One of President-elect Obama's most visible supporters during the campaign was Eric Schmidt, Google's chief executive officer. Mr. Schmidt remains an adviser during the transition.


Google's proposed arrangement with network providers, internally called OpenEdge, would place Google servers directly within the network of the service providers, according to documents reviewed by the Journal. The setup would accelerate Google's service for users. Google has asked the providers it has approached not to talk about the idea, according to people familiar with the plans.

Asked about OpenEdge, Google said only that other companies such as Yahoo and Microsoft could strike similar deals if they desired. But Google's move, if successful, would give it an advantage available to very few.

The matter could come to a head quickly. In approving AT&T's 2006 acquisition of Bell South, the FCC made AT&T agree to shelve plans for a fast lane for 30 months. That moratorium expires in the middle of next year. A Democratic lawmaker has already promised new network-neutrality legislation early in 2009. And a new chairman of the FCC could take a stricter position on forcing companies to comply with network neutrality.

Richard Whitt, Google's head of public affairs, denies the company's proposal would violate network neutrality. Nevertheless, he says he's unsure how committed President-elect Obama will remain to the principle.

"If you look at his plans," says Mr. Whitt, "they are much less specific than they were before."

Thursday, December 11, 2008

Center For Democracy Calls For New Privacy Laws

The Center for Democracy & Technology has issued its wish list for the Obama administration and, high on the agenda, is a call for new privacy laws.

"President Obama should work with Congress to enact a comprehensive, technology-neutral consumer privacy law establishing meaningful safeguards for the personal information that companies collect from consumers," the document states. "Such a law should be broad enough to protect American consumers both online and in the 'brick and mortar' world."

The Center for Democracy & Technology's document is quite broad -- deliberately so, to leave room for interested parties to weigh in on the specifics.

Even so, the organization begs the critical question of what, exactly, constitutes "personal information." For years, many online ad executives involved in behavioral targeting or analytics have said they don't deal in "personally identifiable information" because they aren't collecting users' names, addresses, email addresses or telephone numbers. Therefore, Web execs argue, behavioral targeting and/or analytics companies don't need to obtain people's explicit consent before collecting data.

But the reality is that people can be identified even without so-called "personally identifiable information." For instance, it's possible to deduce a computer user's identity by looking at all of the searches originating at that computer -- as the world learned when AOL released search queries of 650,000 "anonymous" users. Within days of the data breach, The New York Times identified one AOL user based on her search history and ran a front-page story about her.

If there's going to be new legislation addressing privacy, one of the first orders of business should be shedding old definitions of "personally identifiable information" and coming up with new standards setting out what types of personal information will be protected.

Tuesday, December 2, 2008

Delete Cookies, Says New Privacy Forum

The AT&T-backed think tank Future of Privacy Forum has launched its first initiative: a campaign warning consumers how search engines store their queries and marketers use online cookies.

"You may not be aware that when you visit a site you're actually a part of a complex advertising and marketing mechanism," the group cautions. "Very few things on the Internet are completely anonymous."

The group goes on to instruct people about options to enhance privacy. The advice includes directives to delete cookies and use Microsoft's Internet Explorer 8 browser -- which includes a feature that can block the cookies that track users across sites for ad-serving purposes. The organization also suggests that searchers use IAC's Ask Eraser, which deletes some log files tying search queries to IP addresses.

With these recommendations, the group appears to be setting itself up as close to the polar opposite of industry organizations like Safecount or the Network Advertising Initiative. Safecount, founded in 2005 in response to reports that users routinely deleted cookies, touted their benefits. "Cookies help advertisers understand if their ads are working, and they help researchers make accurate counts through the surveys they invite you and other consumers to participate in. ... In most cases, it's this advertising that enables us all to visit and access our favorite websites for free," Safecount says on its site.

Additionally, AT&T has gone on record as favoring an opt-in model to behavioral advertising, or serving ads to people based on their Web-surfing activity. The company not only says it intends to require opt-in consent for behavioral targeting, but also believes all companies should obtain users' explicit consent before tracking them online. This stance is at odds with groups like the Network Advertising Initiative or Interactive Advertising Bureau, which typically call on companies to notify users about tracking and allow them to opt out.

Separately, while the Future of Privacy Forum hasn't mentioned Google by name, it's becoming increasingly clear that the think tank is no fan of the world's largest search engine. This stance isn't a huge surprise when you consider the group is backed by AT&T -- which, like other ISPs, has been at odds with Google about both net neutrality and privacy.

In general, network operators say they should be able to decide how to manage traffic, while Google is one of the biggest advocates of net neutrality, or the principle that ISPs should treat all traffic equally. Some ISPs, like Verizon, have made it clear they specifically resent Google profiting off of Web visits they enable.

Privacy advocates in general have criticized Google for its decision to store IP logs tying search queries to specific IP addresses. Among other reasons, there's a concern that Google would combine records about search activity with information gleaned from other sources about which Web sites people visit to create profiles that would be used for marketing purposes.

The Future of Privacy Forum's suggestion that searchers use Ask.com's Ask Eraser indicates that it, too, isn't happy about the sheer quantity of data that Google has on hand about Web users. If nothing else, the recommendation seems designed to intensify scrutiny of the company and its data collection practices.

Tuesday, November 11, 2008

NebuAd Faces Suit Alleging Privacy Violations

A group of 15 Web users filed a lawsuit Monday against behavioral targeting company NebuAd and six Internet service providers that tested the company's platform.


The lawsuit, brought in federal district court in San Jose, Calif., alleges that NebuAd's platform violated Web users' privacy. NebuAd purchased information about subscribers' Web activity from Internet service providers and used that data to send people targeted ads.

"The collection of data by the NebuAd device was wholesale and all-encompassing," the lawsuit alleges. "Like a vacuum cleaner, everything passing through the pipe of the consumer's internet connection was sucked up, copied, and forwarded to the California processing center. Regardless of any representations to the contrary--all data--whether sensitive, financial, personal, private, complete with all identifying information, and all personally identifying information, was recorded and transmitted to the California NebuAd facility."

Several months ago, the Redwood City, Calif.-based company said it was going to retreat from behavioral targeting based on data provided by Internet service providers. But before making that decision, the company tested its platform with at least six broadband service providers--Bresnan Communications, Cable One, CenturyTel, Embarq, Knology and WOW, all of which were named as defendants in the lawsuit.

NebuAd said that all data collected was anonymous, in that the company did not know users' names or phone numbers and did not retain copies of the IP addresses associated with users. NebuAd also said that it did not collect sensitive data, and that users would be able to opt out of the platform.

But privacy advocates and other critics were skeptical. Among other concerns, advocates said it might be possible to figure out people's identities from the massive clickstream information that NebuAd was collecting.

Consumer advocates also were alarmed by the sheer scope of information available to NebuAd. Unlike older behavioral targeting companies that only collected data from a network of publishers, Internet service providers have access to everything--including activity at search engines and at non-commercial sites, such as sites operated by religious groups.

Congress held hearings this summer after learning of NebuAd's platform. As part of its investigation, the House Energy and Commerce Committee sent letters to 29 Internet service providers, asking if they had worked with the company.

The six Internet service providers named in the lawsuit all answered that they had tested NebuAd's platform. One of the companies, the Washington Post Company's Cable One, acknowledged that it did not notify customers about the NebuAd test or allow them to opt out.

The plaintiffs, who are seeking class-action status, allege that NebuAd violated a federal wiretap law, California privacy law and computer fraud law, among others. They are asking for damages as well as an injunction ordering the company to delete any data about them.

The lawyers who brought the case--Alan Himmelfarb and Scott Kamber of the firm Kamber Edelson, based in Vernon, Calif. and New York, and Joseph Malley of Dallas--recently sued Facebook for violating members' privacy with the Beacon ad program. That program, launched last November, initially informed users about their friends' purchases, unless they opted out. Facebook later made the program opt-in only.

Friday, November 7, 2008

Ringleader's Privacy Problem: No Opt-Out Of Tracking

NebuAd might think it had problems with privacy advocates, but that's nothing compared to what's in store for nascent mobile ad networks.

One such network, Ringleader Digital, has unveiled its new "media stamp" -- a cookie-like item that creates and stores profiles about cell users based on the mobile sites they visit. Unlike online advertising cookies, however, the media stamps are stored on Ringleader Digital's servers and not browsers, which means users can't delete them.

Ringleader Digital collects information based on characteristics of the device, but says it can gather enough data this way to create unique, "anonymous" stamps for every mobile phone user.

"We track devices, not individuals," the company said in a privacy statement issued today. Ringleader Digital adds that it doesn't collect mobile phone numbers, names, addresses or other so-called "personally identifiable information."

But the notion that anything other than name, address or phone number is "anonymous" has been discredited for a long time now. Consider: nearly every privacy organization, not to mention U.S. courts and lawmakers, holds that people have a privacy interest in their IP addresses -- even though they weren't traditionally considered personally identifiable. One reason is that examining enough activity associated with the same IP address can reveal that user's identity -- as famously happened when AOL released search histories for 650,000 "anonymized" IP addresses.

Thelma Arnold, formerly known as AOL User 4417749, was identified by The New York Times within days of the breach.
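The re-identification argument above can be checked on a data set before it is released. The sketch below is an added example, not part of the original post: the log, pseudonyms and attribute names are constructed, and the "anonymity set" is approximated by the other pseudonyms in the same release. It compares how large a crowd a user hides in when each query is seen alone with the crowd left once all queries are linked under one persistent ID.

```python
"""Anonymity-set check for a pseudonymized activity log.

All data below is constructed for illustration: the pseudonyms, towns,
surnames and topics are made up, and no names or phone numbers appear.
"""
from collections import Counter, defaultdict

# Constructed log rows: (pseudonym, attribute revealed by one query or visit).
LOG = [
    ("u1", "town:Ashford"), ("u1", "surname:Marlow"), ("u1", "topic:dog-arthritis"),
    ("u2", "town:Ashford"), ("u2", "topic:dog-arthritis"),
    ("u3", "town:Ashford"), ("u3", "surname:Marlow"),
    ("u4", "surname:Marlow"), ("u4", "topic:dog-arthritis"),
    ("u5", "town:Ashford"), ("u5", "topic:rare-coin-1893"),
]


def build_profiles(log):
    """Link every attribute seen under one pseudonym into a single profile."""
    profiles = defaultdict(set)
    for pseudonym, attribute in log:
        profiles[pseudonym].add(attribute)
    return {p: frozenset(attrs) for p, attrs in profiles.items()}


def anonymity_set(attributes, profiles):
    """Pseudonyms whose profile is consistent with the given attributes."""
    return sorted(p for p, prof in profiles.items() if attributes <= prof)


def risk_report(log, k_min=2):
    """Per pseudonym: crowd size for its rarest single attribute (k_single)
    versus crowd size for its whole linked profile (k_linked)."""
    profiles = build_profiles(log)
    report = {}
    for pseudonym, prof in profiles.items():
        k_single = min(len(anonymity_set(frozenset([a]), profiles)) for a in prof)
        k_linked = len(anonymity_set(prof, profiles))
        report[pseudonym] = {
            "k_single": k_single,
            "k_linked": k_linked,
            "flagged": k_linked < k_min,
        }
    return report


def flagged_ids(log, k_min=2):
    """Pseudonyms whose linked profile is shared by fewer than k_min users."""
    return sorted(p for p, r in risk_report(log, k_min).items() if r["flagged"])


def suppress_rare(log, k_min=2):
    """Common first fix: drop attributes held by fewer than k_min pseudonyms."""
    holders = Counter(attr for _, attr in set(log))
    return [(p, attr) for p, attr in log if holders[attr] >= k_min]


if __name__ == "__main__":
    for pseudonym, row in sorted(risk_report(LOG).items()):
        print(pseudonym, row)
    print("flagged before suppression:", flagged_ids(LOG))
    print("flagged after suppression: ", flagged_ids(suppress_rare(LOG)))
```

On the constructed log, u1 stays flagged even after rare values are suppressed: each of its attributes is shared by three or four users, but the linked combination is unique.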

Cell phones are even more likely to be tied to a specific individual than an IP address. After all, one person sometimes connects to the Web from different IP addresses (at home and at work, for instance), just as family members might share the same IP address. But many users just have one cell phone, and they keep it with them all the time.

Unlike the doomed ISP-based behavioral targeting company NebuAd, the media stamp only collects information about users when they visit sites of participating publishers. That makes the company seem more similar to a Web-based behavioral targeting company like Tacoda or Revenue Science, and possibly more palatable to privacy advocates.

But, unlike the case with Tacoda, Revenue Science or other behavioral targeting companies, there is no way for consumers to avoid being tracked by Ringleader Digital. The company says people will be able to opt out of receiving targeted ads, but not out of the profile creation and storage. There's little chance that this kind of opt-out will satisfy privacy advocates.

For now, Ringleader Digital has signed up four publishers, including local search company go2 Media and mobile entertainment company Thumbplay. The mobile ad network plans to test the platform early next year.

Tuesday, October 28, 2008

The PPC Buying Cycle: Buyer Beware!

How often have you heard that keyword level performance data can be misleading? That PPC managers need to consider the phases of the buying cycle when evaluating terms? That specific keywords tend to steal conversions from the more general keywords that started the customer's consideration, and that you should keep spending money on the general terms even though the efficiency looks awful?

It's pretty obvious why the engines might want to trumpet this story: it makes them money. By convincing advertisers that they should spend money on general search terms regardless of the observed efficiency, the engines encourage advertisers to spend without the moorings associated with ROI goals.

Real data about the buying cycle

Google and Compete Inc. presented a study of the buying cycle that managed to answer none of the salient questions.

We presented a study almost three years ago at SES that challenged the notion of the buying cycle, but decided it was time to revisit the topic.

First, we grabbed data from a number of retail clients representing different verticals and different business models (such as pure plays, catalogers, brick and mortar retail). We then sought to answer the questions:

1. How often do potential customers see multiple ads before placing an order?

2. Does the interaction happen the way search engines say it does?

3. Did we find that the first ad, the last ad, or a combination of ads a potential customer saw led to a purchase?

4. Do the different types of retail businesses witness different behaviors?

Impact of cookie window length

First, let's talk about cookie windows. Longer windows show greater impact by multiple ads. But for a retailer, unless your Average Order Value (AOV) is huge, you need to place some "make sense" limits on how long to give credit to an ad. Most of our clients have windows of 14 to 30 days with some shorter and some longer depending on what the data suggests. Out of respect for the argument that there is this long consideration cycle, I went ahead and looked at a 45 day window for these clients.

Impact of non-branded searches

We looked at the complete list of searches that someone did before purchasing, and for the purposes of the study, only looked at data for buyers who did at least two non-branded searches. We define "brand" as the retailer's trademark and variants exclusively, hence "Sony Cybershot" is a non-brand phrase for Best Buy, but a brand phrase for Sony.com. For well-known retailers there is a 4% - 8% impact of non-brand clicks being followed by brand clicks as customers remember that they found the perfect ring at Zales. We count these as non-brand orders, and did not use them for our study unless there was more than one non-brand keyword involved. With those parameters understood, we found that interesting cases of multiple non-brand keyword touches occurred in between 10% and 15% of the orders for the vast majority of retailers. A few were higher, a few lower. That's not zero, but it's not earth-shattering either.

More interesting: when we spent some time studying the impacted orders, we found that in only about 35% of the cases did the story play out as advertised, with general searches being followed by more specific searches; in about 15% of the cases the other keywords were simply slight variations on the initial search (e.g., "VCR sales" and "Buy VCR", or "Nikon lens" and "Nikon lenses"); and in 50% of the cases the initial keyword had no relationship whatsoever to the last keyword prior to the order (e.g., "loveseat slipcovers" and "gold earrings").

The more we extend the cookie window, the greater the propensity for the keywords to be unrelated, indicating that these were in fact separate shopping events, and that the person looking for loveseat slipcovers bought from someone else :-( Our research on what the person actually purchased was anecdotal: we just tested 15 or 20 samples and found that in each case the order related to the last keyword, not the first.

Those sites that appeal to hobby enthusiasts see more customer interactions from views of multiple ads than general retailers. Indeed, the impacts of AOV, business type and vertical were all quite interesting.

What this means about the buying cycle

To our thinking this confirms several tenets of search marketing strategy:

  • The engines are not evil, but neither should they be expected to look out for your interests.
  • Cookie windows matter and should be carefully considered. I'll publish our methodology for helping retailers determine their window over on the RKG Blog in the next week or so.
  • Within paid search, "last click" credit allocation schemes seem to be a better proxy for the truth than either "first click" or "shared credit".
  • If keyword-level performance data suggests a keyword is underperforming, it probably is.

Researching your own search data is a valuable exercise. It may help you determine whether the Buying Cycle should impact your keyword efficiency targets, or whether, for you, it's much ado about nothing.

Monday, October 27, 2008

Report: Big Three Agree To Code Of Conduct For Repressive Regimes

In 2004, Chinese journalist Shi Tao used what he believed was an anonymous account from Yahoo to tell an overseas organization that the Chinese government had warned his newspaper against covering the 15th anniversary of the Tiananmen Square crackdown. Another Chinese dissident, Wang Xiaoning, had posted a message calling for political reform to a Yahoo Group.

Both were arrested and sentenced to 10 years in prison after Yahoo revealed their names to the Chinese authorities. Since then, the company has taken a lot of flak for that decision, including a public condemnation by Congress. The families of the dissidents also filed a lawsuit, which Yahoo settled last year.

Additionally, shareholder Andrew Knopf sued the company this summer for breaching its fiduciary duty by cooperating with the Chinese authorities -- a move that he said harmed the company's "goodwill and reputation."

Now, Yahoo, along with frenemies Microsoft and Google, has agreed to a voluntary code of conduct for dealing with repressive regimes, according to the San Francisco Chronicle. That paper reports that the guidelines call on companies like Yahoo to push back, somewhat, by interpreting governmental requests for information narrowly.

But these types of voluntary agreements only go so far.

Yahoo -- which sold its China division to Alibaba Group and became a minority stakeholder in 2005 -- has always said it had no realistic choice other than to honor the Chinese government's request for information.

U.S. companies like Yahoo tend to argue that they must follow the laws in other countries where they do business -- even if that means disclosing names of users whose only crime was to criticize their leaders.

But if Yahoo and other U.S. businesses want to protect their users, they're going to have to consider flat-out defying foreign governments. Yes, it's possible that this course of action could result in companies shuttering abroad. Even so, there's a long-term benefit to standing up for human rights.

Friday, October 17, 2008

Video: What are computer cookies?

Wednesday, October 15, 2008

Verizon: Trust Us, We Won't Sell Data!

Verizon recently told lawmakers that it had no plans to provide data about subscribers' Web activity to behavioral targeting companies like Phorm or NebuAd unless consumers specifically consented.

Verizon, along with Time Warner and AT&T, also indicated they believe that all behavioral targeting companies should only track Web users that had affirmatively opted in. While none of the companies went on record as supporting new laws requiring opt-in consent, the remarks certainly suggested that they might favor new regulations.

"The largely invisible practices of ad networks and search engines raise at least the same privacy concerns as do the online behavioral advertising techniques that ISPs could employ," Dorothy Attwood, chief privacy officer at AT&T, testified. "A policy regime that applies only to one set of actors will arbitrarily favor one business model or technology over another."

Now, however, Verizon appears to oppose new privacy laws. A recent post on the company's policy blog (first reported by GigaOm) concludes that self-regulation will suffice to protect people's privacy, because companies know they will face bad publicity if they violate users' trust.

To some limited extent, that might be true. No ISPs are currently testing NebuAd's platform, and that's probably at least in part because they weren't prepared for the bad PR. But it also seems likely that Congressional pressure, including the threat of new regulation, made them back down.

With or without Verizon's support, new legislation might be coming. House member Ed Markey, a Democrat from Massachusetts, has said ISPs should not sell information about subscribers' Web histories unless users have given opt-in consent, and some observers think he might introduce legislation to that effect next year.

Meanwhile, NebuAd rival Phorm is still facing pressure abroad. While U.K. authorities cleared the company recently, E.U. officials aren't happy about the secret tests that were conducted two years ago. Last week, a regulator sent a second letter to the U.K. government, demanding to know how the country intended to enforce European privacy laws that restrict companies' ability to collect personal data about individuals.