There are over 30 Internet companies, including Yahoo and Microsoft, currently using behavioral targeting technology. That may seem significant. It’s not though, now that Google (arguably the most popular search engine) has committed to using behavioral targeting.

I’ve a vested affinity in the subject, having written several articles about Deep Packet Inspection (DPI) and Behavioral Targeting (BT) over the past six months. Not surprisingly, what interested me the most were the frank and enlightened responses from the members. When it comes to BT, it seems we’re hopeful, confused, and concerned all at the same time. I’d like address that, share my thoughts about what’s happening, and explain what options are available to us.

Google is about money

First and foremost, it’s paramount to understand that Google is a business and businesses are about making money. Eric Schmidt, CEO of Google in an interview with Charlie Rose alluded to a new revenue stream that would be a win-win situation for Google and those who use Google’s services. Although behavioral targeting wasn’t specifically mentioned, connecting the dots was simple.

Google’s version of BT

Google explains their version of BT in an article titled, “Advertising and Privacy.” Their methodology is divided into two separate programs, AdWords which gathers information from user search requests and AdSense which accumulates information on user activity on Web sites:

“For our AdWords program, we serve ads based on the subject matter of your search. For example, if you search for “golf” on our search engine, you’ll see golf-related ads. We also make ads geographically relevant, which we do with the help of IP addresses. If you’re in Boston searching for cab companies, you probably want ads for Boston-based, not London-based cabs.”

“For our AdSense program, we serve ads based on the content of the site you view. For example, if you visit a gardening site, ads on that site may be related to gardening. In addition, we may serve ads based on your interests. As you browse websites that have partnered with us or Google sites using the DoubleClick cookie, such as YouTube, Google may place the DoubleClick cookie in your browser to understand the types of pages visited or content that you viewed.”

What may not be as well known is that Google is also trying to present relevant ads in the Gmail application. This is done by scanning every Gmail message, finding key words in the message, and serving up ads based on keywords located in the message. Google further explains the process:

Google scans the text of Gmail messages in order to filter spam and detect viruses. The Gmail filtering system also scans for keywords in users’ emails which are then used to match and serve ads. When a user opens an email message, computers scan the text and then instantaneously display relevant information that is matched to the text of the message. Once the message is closed, ads are no longer displayed. The whole process is automated and involves no humans matching ads to Gmail content.”

Remember to be hopeful

On the surface this sounds great. For the most part none of us particularly like ads and it seems logical that irrelevant ads would be even worse. What are your feelings? Are viewing relevant ads a better experience for you? Other good news is that privacy advocates are heartened by Google’s approach to BT (using cookies). It appears to be less invasive than technologies like Phorm that are located at the ISP and use DPI.

Confused at the same time

It’s obvious why many people are confused about BT and the implications of its use. Quite simply, the responsible parties aren’t effectively communicating what BT is and why it’s being used. Sure the companies make mention on their Web sites, but that’s not enough. How many of us routinely go to Google’s Advertising and Privacy Web page to see if any policies have changed?

To prove my point, initial information I gleaned about companies using BT came through secondary sources. Google certainly didn’t shoot off any fireworks. The only indication from Google was a blog entry titled, “Making ads more interesting,” by VP of Product Management Susan Wojcicki (sister-in-law to Sergey Brin), which promised:

“At Google, we believe that ads are a valuable source of information, one that can connect people to the advertisers offering products, services and ideas that interest them. By making ads more relevant, and improving the connection between advertisers and our users, we can create more value for everyone. Users get more useful ads, and these more relevant ads generate higher returns for advertisers and publishers.”

My question is: if it’s such a great idea, why not really brag about it?

Is concern valid

At one point in his interview with Eric Schmidt, Charlie Rose took great pains to point out that Google has accumulated a tremendous amount of data on each and every one of us Internet users. Rose then asked Schmidt point blank about accountability. Schmidt, without hesitating told Rose that we all should just trust Google. Extrapolating that, I’d love to hear everyone’s conjecture on whether we should trust every business that uses BT, just Google, or none of them?

The FTC’s (governing body) response (somewhat aligned with Eric Schmidt’s) is to let the market regulate itself, but with new and stronger guide lines. I penned an article titled, “Behavioral targeting: FTC still prefers self-regulation” that explains the new guidelines.

Apparently, there are members of Congress who feel self-regulation is not sufficient when it comes to storing and using personal tracking data. Rep Rick Boucher, (D-Va.) is one such member of Congress. Rep Boucher wants government to exert more control over companies that use BT, (courtesy of the WSJ):

“What the FTC laid out is a good foundation. But the problem is that it is advisory and there is no certainty that all Web sites will meet those standards. At a minimum, it is important that consumers understand what information about them is collected by Web sites, to show how that information is used, and then to be able to let consumers make choices about whether or not that information is collected and whether or not it is use in a certain way.”

More importantly Rep. Boucher mentions that:

“Standards also should be set to regulate how data that is collected about consumers is safeguarded.”

Well, there’s never a dull moment when Google and privacy issues are used in the same sentence. I’m not sure how it all will end (more likely evolve), but now that we’re up to speed, I’d like to discuss possible options for dealing with the cookie version of BT.

Opt in

It ultimately depends on how each of us feel about companies tracking our Internet activities, retaining that information, and using BT technology to make assumptions about us. If that’s not a problem and interest-based advertisements seem like a great idea there’s nothing that needs to be done.

Opt out of Yahoo BT ads

Most companies using BT provide the opportunity to opt out of the process. For instance, the following slide shows Yahoo’s privacy page and the BT opt out option:

After reading the fine print on the Web page, the irony of having to allow cookie installation to set up an opt-out cookie is almost humorous. It also points to another way of preventing organizations from tracking your movements, but only if cookies are an integral part of the process. I’ll explain how that works later in the article.

Opt out of Microsoft BT ads

I was surprised to learn that Microsoft was using BT technology. Microsoft’s opt out option is found on their Web page, “Personalized Advertising from Microsoft.” All that’s required is to select the preferred method for not displaying personalized ads:

Is it just me or is this ironic as well? Microsoft on their opt out Web page, posts a reminder to not delete cookies especially the one pertaining to opting out of BT tracking. If the cookie is deleted, Microsoft will then be able to accumulate information on surfing habits.

Opt out of NAI member ads

The Network Advertising Initiative (NAI) is a consortium of approximately 30 companies that use BT technology. Fortunately for those who want to opt out, the group created an opt out page listing all the members includes Google and Yahoo, making it easy to create the necessary opt-out cookies.

Opt out of Google BT ads

Google has given considerable thought to their opt out policy, developing a user-friendly Ads Preferences Manager, which will allow each of us to:

“Edit your ads preferences by adding interest categories that are relevant to you. You can also remove any interest categories that don’t apply and Google will no longer use them for showing you interest-based ads.”

If controlling the cookie preferences isn’t feasable, as in large networks. Google offers two relatively simple choices for opting out:

“If you prefer not to receive interest-based advertising, you can always click on the “Opt out” button on the Ads Preferences Manager. Google also offers a number of options to permanently save your opt-out settings in your browser. After you opt out, Google will not collect interest category information and you will not receive interest-based ads.”

The two available options are:

  • Create an opt-out cookie similar to the other cookies.
  • Install a permanent Web browser plugin that eliminates having to worry about accidentally deleting the opt out cookie.

This should give everyone some idea as to what’s required to not have tracking cookies installed on the computer’s Web browser. One point to remember is that opt-out cookies must be installed on each browser individually.

Fresh start

Just today, some one asked me what to do about all of the tracking cookies that already reside on their Web browsers. That’s a great question and I’ll show you what to do using Internet Explorer and Firefox in order to start fresh.

Using Internet Explorer (IE), all that’s required is to start IE, go to Tools and click on Delete Browsing History. Next click on the Delete cookies button. It will delete the cookies in the Temporary Internet Files folder. The cookies in the C:\Documents and Settings\yourusername\Cookies folder will also be deleted, if Windows XP is the OS.

To start fresh using Firefox, open the browser, go to Tools and click on Options. Then click on the Settings button, a new window will open showing what options will be cleared when the browser closes or when the Clear Now button is clicked. Make sure the cookie option is selected and click on the Clear Now button.

Firefox is a little different from IE in that the browser can be configured to delete cookies every time the browser is closed. Make sure that the cookie option isn’t checked if opt-out cookies are installed.

The ultimate opt out

For power users and the extremely security conscious, using opt out cookies and plugins will not be a good solution. Michael Horowitz from Computerworld has written an article titled, “Defending IE7 from Google interest-based advertising cookies“. In the article, Horowitz explains why opt-out cookies aren’t a good answer:

“Setting more cookies means you have to trust how these cookies are used. This is a Defensive Computing blog and trust is not part of Defensive Computing. So, I offer another approach. An approach to prevent the creation of cookies from ad networks (such as Google’s Doubleclick) in the first place.”

The article goes on to explain that not allowing third-party cookies blocks most ads and if that doesn’t work it’s just a matter of blocking Web-site cookies on an individual basis. That approach may be somewhat cumbersome, so using one of the many TPV products that prevent cookies from installing will achieve the same results.

Final thoughts

Behavioral targeting techniques that install cookies are easier to swallow than BT technology using DPI located at each ISP. It’s still disconcerting that companies are making the default setting opt in. All security/privacy experts I’ve contacted want the default setting to be opt out and I completely agree. If it’s such a great idea, the companies promoting interest-based advertisement shouldn’t have anything to worry about. Everyone will want to opt in.

“Need to know” security news and advice delivered each Tuesday, TechRepublic’s IT Security newsletter gives you the hands-on advice you need for locking down your systems and making sure they stay that way. Automatically sign up today!