Back on July 31 I posted The Data Bubble in response to the first of The Wall Street Journal‘s landmark What They Know series of articles and Web postings on the topic of unwelcome (and, to their targets, mostly unknown) user tracking.
A couple days ago I began to get concerned about how much time had passed since the last posting, on August 12. So I tweeted, Hey @whattheyknow, is your Wall Street Journal series done? If not, when are we going to see more entries? Last I saw was >1 month ago.
Then yesterday @WhatTheyKnow tweeted back, @dsearls: Ask and ye shall receive: http://on.wsj.com/9DTpdP. Nice!
The piece is titled On the Web, Children Face Intensive Tracking, by Steve Stecklow, and it’s a good one indeed. To start,
The Journal examined 50 sites popular with U.S. teens and children to see what tracking tools they installed on a test computer. As a group, the sites placed 4,123 “cookies,” “beacons” and other pieces of tracking technology. That is 30% more than were found in an analysis of the 50 most popular U.S. sites overall, which are generally aimed at adults.
The most prolific site: Snazzyspace.com, which helps teens customize their social-networking pages, installed 248 tracking tools. Its operator described the site as a “hobby” and said the tracking tools come from advertisers.
Should we call cookies for kids “candy”? Hey, why not?
Once again we see the beginning of the end of fettered user tracking. Such as right here:
Many kids’ sites are heavily dependent on advertising, which likely explains the presence of so many tracking tools. Research has shown children influence hundreds of billions of dollars in annual family purchases.
Google Inc. placed the most tracking files overall on the 50 sites examined. A Google spokesman said “a small proportion” of the files may be used to determine computer users’ interests. He also said Google doesn’t include “topics solely of interest to children” in its profiles.
Still, Google’s Ads Preferences page displays what Google has determined about web users’ interests. There, Google accurately identified a dozen pastimes of 10-year-old Jenna Maas—including pets, photography, “virtual worlds” and “online goodies” such as little animated graphics to decorate a website.
“It is a real eye opener,” said Jenna’s mother, Kate Maas, a schoolteacher in Charleston, S.C., viewing that data.
Jenna, now in fifth grade, said: “I don’t like everyone knowing what I’m doing and stuff.”
A Google spokesman said its preference lists are “based on anonymous browser activity. We don’t know if it’s one user or four using a particular browser, or who those users are.” He said users can adjust the privacy settings on their browser or use the Ads Preferences page to limit data collection.
I went and checked my own Ads Preferences page (http://www.google.com/ads/preferences) and found that I had opted out of Google’s interest-based advertising sometime in the past. I barely remember doing that, but I’m not surprised I did. On the whole I think most people would opt to turn that kind of stuff off, just to get a small measure of shelter amidst the advertising blizzard that the commercial Web has become.
Finding Google’s opt-out control box without a flashlight, however, is a bit of a chore. Worse, Google is just one company. The average user has to deal with dozens or hundreds of other (forgive me) cookie monsters, each with its own opt-out/in control boxes (or lack of them). And I suspect that most of those others are far less disclosing about their practices (and respectful of users) than Google is.
(But I have no research to back that up—yet. If anybody does, please let me have it. There’s a whole chapter in a book I’m writing that’s all about this kind of stuff.)
Meanwhile, says the Journal,
Parents hoping to let their kids use the Internet, while protecting them from snooping, are in a bind. That’s because many sites put the onus on visitors to figure out how data companies use the information they collect.
Exactly. And what are we to do? Depend on the site owners and their partners? Not in the absence of help, that’s for sure. The Journal again:
An executive at a company that installed several of those 131 files, eXelate Media Ltd., said in an email that his firm wasn’t collecting or selling teen-related data. “We currently are not specifically capturing or promoting any ‘teen’ oriented segments for marketing purposes,” wrote Mark S. Zagorski, eXelate’s chief revenue officer.
But the Journal found that eXelate was offering data for sale on 5.9 million people it described as “Age: 13-17.” In a later interview, Mr. Zagorski confirmed eXelate was selling teen data. He said it was a small part of its business and didn’t include personal details such as names.
BlueKai Inc., which auctions data on Internet users, also said it wasn’t offering for sale data on minors. “We are not selling data on kids,” chief executive Omar Tawakol wrote in an email. “Let there be no doubt on what we do.”
However, another data-collecting company, Lotame Solutions Inc., told the Journal that it was selling what it labeled “teeny bopper” data on kids age 13 to 19 via BlueKai’s auctions. “If you log into BlueKai, you’ll see ‘teeny boppers’ available for sale,” said Eric L. Porres, Lotame’s chief marketing officer.
Mr. Tawakol of BlueKai later confirmed the “teeny bopper” data had been for sale on BlueKai’s exchange but no one had ever bought it. He said as a result of the Journal’s inquiries, BlueKai had removed it.
The FTC is reviewing the only federal law that limits data collection about kids, the Children’s Online Privacy Protection Act, or Coppa. That law requires sites aimed at children under 13 to obtain parental permission before collecting, using or disclosing a child’s “personal information” such as name, home or email address, and phone and Social Security number. The law also applies to general-audience sites that knowingly collect personal information from kids.
So we have pots and kettles calling each other black while copping out of responsibility in any case—and then, naturally, turning toward government for help.
My own advice: let’s not be so fast with that. Let’s continue to expose bad practices, but let’s also fix the problem on the users’ end. Because what we really need here are tools by which individuals (including parents) can issue their own global preferences, their own terms of engagement, their own controls, and their own ends of relationships with companies that serve them.
These tools need to be be based on open standards, code and protocols, and independent of any seller. Where they require trusted intermediaries, those parties should be substitutable, so individuals are not locked in again.
And guess what? We’re working on those. Here’s what I wrote last month in Cooperation vs. Coercion:
What we need now is for vendors to discover that free customers are more valuable than captive ones. For that we need to equip customers with better ways to enjoy and express their freedom, including ways of engaging that work consistently for many vendors, rather than in as many different ways ways as there are vendors — which is the “system” (that isn’t) we have now.
There are lots of VRM development efforts working on both the customer and vendor sides of this challenge. In this post I want to draw attention to the symbols that represent those two sides, which we call r-buttons, two of which appear [in the example below]. Yours is the left one. The vendor’s is the right one. They face each other like magnets, and are open on the facing ends.
These are designed to support what Steve Gillmor calls gestures, which he started talking about back in 2005 or so. I paid some respect to gestures (though I didn’t yet understand what he meant) in The Intention Economy, a piece I wrote for Linux Journal in 2006. (That same title is also the one for book I’m writing for Harvard Business Press. The subtitle is What happens when customers get real power.) On the sell side, in a browser environment, the vendor puts some RDFa in its HTML that says “We welcome free customers.” That can mean many things, but the most important is this: Free customers bring their own means of engagement. It also means they bring their own terms of engagement.
Being open to free customers doesn’t mean that a vendor has to accept the customer’s terms. It does mean that the vendor doesn’t believe it has to provide all those terms itself, through the currently defaulted contracts of adhesion that most of us click “accept” for, almost daily. We have those because from the dawn of e-commerce sellers have assumed that they alone have full responsibility for relationships with customers. Maybe now that dawn has passed, we can get some daylight on other ways of getting along in a free and open marketplace.
The gesture shown here —
— is the vendor (in this case the public radio station KQED, which I’m just using as an example here) expressing openness to the user, through that RDFa code in its HTML. Without that code, the right-side r-button would be gray. The red color on the left side shows that the user has his or her own code for engagement, ready to go. (I unpack some of this stuff here.)
Putting in that RDFa would be trivial for a CRM system. Or even for a CMS (content management system). Next step: (I have Craig Burton leading me on this… he’s on the phone with me right now…) RESTful APIs for customer data. Check slide 69 here. Also slides 98 and 99. And 122, 124, 133 and 153.
If I’m not mistaken, a little bit of RDFa can populate a pop-down menu on the site’s side that might look like this:
All the lower stuff is typical “here are our social links” jive. The important new one is that item at the top. It’s the new place for “legal” (the symbol is one side of a “scale of justice”) but it doesn’t say “these are our non-negotiable terms of service (or privacy policies, or other contracts of adhesion). Just by appearing there it says “We’re open to what you bring to the table. Click here to see how.” This in turn opens the door to a whole new way for buyers and sellers to relate: one that doesn’t need to start with the buyer (or the user) just “accepting” terms he or she doesn’t bother to read because they give all advantages to the seller and are not negotiable. Instead it is an open door like one in a store. Much can be implicit, casual and free of obligation. No new law is required here. Just new practice. This worked for Creative Commons (which neither offered nor required new copyright law), and it can work for r-commerce (a term I just made up). As with Creative Commons, what happens behind that symbol can be machine, lawyer or human-readable. You don’t have to click on it. If your policy as a buyer is that you don’t want to to be tracked by advertisers, you can specify that, and the site can hear and respond to it. The system is, as Renee Lloyd puts it, the difference between a handcuff and a handshake.
Giving customers means for showing up in the marketplace with their own terms of engagement is a core job right now for VRM. Being ready to deal with customers who bring their own terms is equally important for CRM. What I wrote here goes into some of the progress being made for both. Much more is going on as well. (I’m writing about this stuff because these are the development projects I’m involved with personally. There are many others.)
You can check out some of those others here.
Bonus link: Tracking the Companies that Track You Online. That’s a Fresh Air interview by Dave Davies of Julia Angwin, senior technology editor of The Wall Street Journal and the lead reporter on the What They Know series.