Browser optimize

Behavioral marketing: Why Johnny can't opt-out

Behavioral advertising can be intimidating if privacy is one of your concerns. Thankfully, we're able to opt-out of being tracked. Or are we? Michael Kassner investigates opt-out tools.

Whether we like it or not, behavioral marketing is here to stay. For those who disapprove, I offer solace. We at least have the option to opt out. Or so I thought.

"The current approach for advertising industry self-regulation through opt-out mechanisms is fundamentally flawed."

That quote is from, "Why Johnny Can't Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising," and the conclusion reached by the research team of Pedro G. Leon, Blase Ur, Rebecca Balebako, Lorrie Faith Cranor, Richard Shay, and Yang Wang, all from Carnegie Mellon University.

Here's more good news:

"Users' expectations and abilities are not supported by existing approaches that limit online behavioral advertising by selecting particular companies or specifying tracking mechanisms to block.

Users have great difficulty distinguishing between tracking companies. They also lack sufficient knowledge about tracking technology or privacy tools to use existing privacy tools effectively."

Wonder how the research team came to those conclusions? Here's how. They first segregated the privacy tools into three groups: opt-out applications, settings built into web browsers, and cookie-blocking software. Armed with this information, the team then created a survey, specifically designed to determine how well volunteers understood each of the methods meant to inhibit tracking.

We seem to have a problem

The problem appears to be real. But, it's unclear to me whether it's user-related or software-related. And, I owe it to you, the reader, to find out which.

Thankfully, I recognized the lead author, Dr. Lorrie Faith Cranor. When I interviewed Dr. Aleecia McDonald for an earlier article, she brought up Dr. Cranor's work several times. So, I contacted Dr. Cranor, mentioning my dilemma. She was happy to clear up any confusion I had. I also had some questions on how the survey was conducted. That's where I started.

Kassner: I would think participant selection is important in a survey like this. How did you go about selecting people? Cranor: We sought nontechnical participants who were not knowledgeable about privacy enhancing tools, but interested in trying them. Since we were using IE9 on Windows 7 and Firefox 5 on Windows 7 and Mac OS X as our testing platforms, we recruited participants who had experience using one of these operating systems and browser combinations.

We recruited participants from the Pittsburgh region using Craigslist, flyers, and a university electronic message board. Recruitment material directed prospective participants to a screening survey. From those who completed the survey and met our screening criteria, we recruited five participants for each of the nine tools we tested, for a total of 45 participants.

Kassner: You tested nine tools that fit in the following categories:

How were the tests carried out?

Cranor: Each of the 45 sessions was moderated by one of two researchers. Participants were randomly assigned to the tools considering their browser and OS preferences.

We began each session with an interview to gather the participant's perceptions, knowledge, and attitude about online advertising. We then showed the participant an informational Wall Street Journal video about online behavioral advertising.

Next, we asked participants to perform three types of tasks using a computer in our laboratory configured with their assigned Internet browser and operating system.

Installation and Initial Configuration: We provided a simulated email from a friend suggesting they try the assigned tool. After installing, the participant answered questions designed to measure his or her perception and understanding of the tool. Configuration of Specified Settings: To evaluate participants' ability to use the tool, we asked each participant to configure their assigned tool to a set of specifications (fairly protective settings) we provided. The participants then answered questions related to configuration. Fine Tuning Settings to Resolve Problems: We then asked the participant to perform five browsing tasks with the tool installed and active. We advised the participant to change the tool's settings if need be. After which, participants answered questions about their experiences. Kassner: Now I'd like to look at the survey findings -- particularly the following synopsis:

"Users tend to be unfamiliar with most advertising companies, and therefore are unable to make meaningful choices. Users liked the fact that the browsers we tested had built-in Do Not Track features, but were wary of whether advertising companies would respect this preference.

Users struggled to install and configure blocking lists to make effective use of blocking tools. They often erroneously concluded the tool they were using was blocking online behavioral advertising when they had not properly configured it to do so."

The paper offered several examples in the appendix to back up their conclusions. The configuration window for TACO is one such example:

Here's a test. Do you understand Targeted Ad Networks, Web Trackers, and Cookies well enough to effectively configure the app? Most of the volunteers did not.

Professor Cranor, how would you fix these issues? Would you place more emphasis on user education? Do the tools need to be more intuitive?

Cranor: There are many things that can be done to clean up the user interfaces, including removing a lot of jargon, simplifying the interfaces, and making the workflow clearer to users.

Some of the tools have default settings that are not what users expect, so changing these settings would probably help. User education would likely help as well. I think if the ad industry is serious about their opt-out solutions, they need to run ads that explain how this works.

Internet Explorer needs a more holistic approach to privacy protection rather than providing several different privacy tools with different user interfaces that are nearly impossible for most users to figure out. Ultimately, we may need to rethink this approach to privacy protection. Where we ask users to distinguish between hundreds of trackers from companies they have never heard of.

Kassner: I'm betting most of the results were expected. Am I wrong; were there any surprises? Cranor: We expected to see many of these problems. Still, I was surprised by how frequently people were confused by these tools and had trouble using them. I was especially surprised to see so many people who mistakenly believed they had configured the tools in a highly protective way when, in fact, they had not. Kassner: One last question; it's from my writing mentor. He understands online behavioral advertising, having proofed several of my articles. In fact, on my insistence, he tried several of the opt-out tools. And, just like your survey participants, became frustrated.

With what you learned and what you know about online behavioral advertising, what would you suggest he do to avoid being tracked?

Cranor: I personally use Ghostery on a regular basis. I like the fact that it blocks trackers, but also has an easy way for me to monitor what it is blocking and to selectively unblock some trackers when they are needed to prevent the websites I am visiting from breaking.

But, to use Ghostery effectively, you have to make sure you explicitly tell it to block trackers. And, sometimes you have to do a bit of detective work to figure out what you need to unblock when things break.

Final thoughts

I'd like to thank the research team headed by Professor Cranor. They started the ball rolling. Now it's up to us. How should we proceed? Tell developers to make the tools more intuitive or help each other better understand how the tools work. Thoughts?

About

Information is my field...Writing is my passion...Coupling the two is my mission.

26 comments
Questor1
Questor1

You might be interested in the report by the Federal Trade Commission last year, it contains a call for "Do Not Track" technology. http://www.ftc.gov/os/2010/12/101201privacyreport.pdf Congress has picked up the idea and there are several bills pending to make it into law. However, the bills have not yet been full reviewed by HR Committees nor forwarded and discussed as legislation by the full House of Representatives membership. This is yet another sign of partisan politics that blocks legislation to protect citizen and consumer interests while allowing companies illegitimate profits from tracking consumers on the Internet. A final version of the report from the FTC should be issued within the next few months, but may be upstaged by the 2012 Presidential election.

Michael Kassner
Michael Kassner

It is appreciated. Your comments mirror my own findings.

Craig_B
Craig_B

I think we need improved security layers all the way around. Make the OS, browser, applications more secure to begin with. Make the security settings easy to use and understand. Educate the user. With layers or protection, we will all be more secure. Right now the blocker apps seem pretty bad. As someone in IT the TACO screen shot looks bad, let alone for someone who has little understanding of these things. I also went to the Ghostery web site and it has very little information. It shows Detect, Learn, Control and has a a download button but no information on how it works, how to configure it, what the next steps are etc. OK, I'm game, I click the download which just installs an IE plugin, no explanation. I poke around and didn't find any way to configure it, just that it's installed. I promptly uninstalled it. My issue is this is the app that was recommended and it tells you nothing. It seems like applications have a very long way to go before they are anywhere close to be ready for an end user.

HAL 9000
HAL 9000

Edumication of the End User is a [b]Lost Cause.[/b] Sure they may listen but most times there are thinking of something else or their eyes have glazed over and they are wondering just how long it will be before they have to paint the ceiling again. While they want the Security they expect it to be On By Default and they shouldn't have to configure anything. After all these things are provided by professionals so why do I have to do anything at all and put myself out. What the end user fails to grasp is that [b]Yes[/b] these things are provided by professionals but those professionals have the interests of those paying the bills uppermost in their minds not the End Users. ;) Col

bboyd
bboyd

Computers are becoming religion now so we priests of the way must dole out our sermons. Woe to the heathen who may ignore our heavenly guidance. I set up a computer to isolate my fathers financial transactions from normal activity. He listened to my desire to have a new machine never touched by random websurfing. Unplugged during downtime. set up with just the links he needs to logins that are clean of scripts and secondary non-ssl pages. then I check the logs... "Oh I was trying to get the other site set up and I had to get the link"... ignoring my request "NEVER" use it for any search of any kind. Use only known addresses, only SSL connections (Using SSL everywhere extensions). Use no script but the ones absolutely required by the operation. (No-Script) Make sure that the SSL connection is going to a valid certificate (Perspectives) This was all on the heals of a bad virus attack on his main machine. All I can do is sigh. Heck even basic security is ignored for momentary convenience why should I believe that users will get a hang of anything slightly counter intuitive for privacy control. /rant off :edited for my blatant failure of capitalizing i!

wizard57m-cnet
wizard57m-cnet

That is to make all this online tracking, profiling, trailing and trolling completely opt-in, no automatically adding you to the list, the user must specifically check the box to be included in the marketing BS!

Michael Kassner
Michael Kassner

New post Researchers have found that many users wanted to opt out of online tracking, but made mistakes in configuration. Share your thoughts in how this can be resolved.

Michael Kassner
Michael Kassner

I preach constantly about the fact that we all are forgetting who our customers are.

seanferd
seanferd

seem to have either low reading comprehension or the inability to look for information in the first place. There was an iPhone users with security concerns graphic somewhere on this site in the past week or so, which tells a story. But if the users bother to put their minds to it for a few seconds, they would figure it out. I'm not sure why, overall, these sorts of security apps/settings are so difficult to comprehend. I didn't spend endless hours of confusion learning to use NoScript or AdBlock Plus (and I never even bother with the pre-created lists). OTOH, the people who are afraid to even click on a Help icon or poke at something in the file menu bar in order to learn something or get something done are hopelessly doomed. My manager is somewhere far beyond even these sorts of people, though. (Yet somehow managed to pass courses in programming COBOL and stuff 20-odd years ago.)

AnsuGisalas
AnsuGisalas

And I'm only talking about myself, here... :D - maybe fumigation would work better :p

Michael Kassner
Michael Kassner

I'm thinking your vote is for fixing the app instead of user education.

Michael Kassner
Michael Kassner

But, I have extreme doubts that will ever come to pass. Money and advertising are ruling the roost. For example, pay attention to all the product placement the next time you go to a movie.

Michael Kassner
Michael Kassner

Your skill set is advanced beyond what many of us could hope to reach. So, that might be altering your perception. I know brilliant people, who can talk about "String Theory" all day long. Yet, have the simplest computer problems.

Michael Kassner
Michael Kassner

While doing research, I had to figure out what several of the terms meant. The complexity increases when different apps call the same thing by a different name.

HAL 9000
HAL 9000

I got feed up with all the [b]"Plastic Consultants"[/b] who where more concerned with making a Million $ this week at the expense of everything else. Nothing worse than Fools in Suits slapping each others backs boasting about how much money they have made, the car that they drive and so on while you just know that their customers are suffering at their hands. It's a perfect example where Edumication of the End Users fails completely. They have been Educated to accept incomplete packages that sort of work and not to worry why things are not better. ;) Col :D

AnsuGisalas
AnsuGisalas

to do on-the-fly cut-and-replace analysis of the pages displayed... cutting out the ad stuff, and replacing them so as to not leave blank spots

Michael Kassner
Michael Kassner

I may not call it education, but force-feeding. Something else I have wondered about: when did it become better business to cover losses rather than fix the problem.

Michael Kassner
Michael Kassner

Legacy software is always looming, but in the background.

Michael Kassner
Michael Kassner

I am starting to believe that there will have to be a different financial model. I see many similarities between online ads and "snail mail and advert flyers". Right now, in the US -- with a seven percent drop in first class mail -- junk mail is one of the few positive things in the USPS books. So, there is little incentive to get rid of it.

bboyd
bboyd

I suspect the real enemy is the wealth of pages made to comply with IE6.

bboyd
bboyd

not to block them... Myself if they hosted directly on TR I would not, but since they come in off site they get the boot. Some day I will pay for trusting too many CBS root site URL's with a nasty little infection.