Rethinking Consumer Privacy

Ashkan Soltani, a well-respected expert on consumer privacy, recently commented that perhaps online do-not-track efforts should be replaced by the goal of do not surprise. Transparency is critical, but new tracking methods are rarely disclosed in privacy notices and consumers have limited ability to control or prevent their use.

As advertisers and publishers explore their best privacy options, there’s been a lot of buzz about ETags and Flash cookies. Yet as we examine these new tracking technologies, the issue that matters most is the impact on consumer trust.
Brand marketers increasingly want to know how their ads contribute to actual offline purchases, but any attribution model needs this kind of disclosure. Offline-to-online solutions are key to the advancement of online advertising, but they must avoid personally identifiable information and provide notice and choice about the use of cookies.
Why the concern for ETags, HTML5 local storage and other client-side persistence mechanisms when these new tools have tracking capabilities similar to those of cookies? Perhaps it’s because they are new and are, therefore, perceived as more sinister alternative cookies. Or maybe it’s because browser settings and tools often ignore the new technologies, making them more insidious.
The most important concern regarding these new technologies is that they aren’t subject to the most widely deployed and effective privacy-enhancing technology on the Internet: P3P (Platform for Privacy Preferences Project), or specifically P3P compact headers. P3P is a protocol allowing websites to declare their intended use of information they collect about browsing users. Designed to give users more control of their personal information when browsing, P3P was developed by the World Wide Web Consortium and first introduced in 2002.
One can argue that standard privacy policies and in-advertising notices give consumers ample disclosure of the use of cookies and a practical means of removing or blocking them. It’s remarkable that one third of consumers know about cookies, and many exercise their choice by clearing cookies, using blocking technologies, or opting out. Yet this remains a minority, so it is debatable whether this constitutes an adequate framework for protection.
However, HTTP cookies have one trick up their sleeve that the new technologies lack: the P3P compact header. The P3P protocol was developed to help websites inform users of how they collect and use browsing information. But P3P itself has become something of a joke, with the major Web browsers eschewing the technology and thereby failing to realize any compelling consumer benefits.
The original grand vision in the 1.0 specification process was an automated negotiated exchange of consumer information in return for content and services. That ideal was abandoned and replaced with the more practical machine-readable privacy policy. Even so, other than rudimentary acknowledgement by Internet Explorer and Mozilla, no widespread implementations of P3P occurred.
If browsers aren’t utilizing the technology, there’s little reason for websites to use it either. At this point, consumers would need to install third-party software to effectively use P3P. In truth, the industry could use something as simple as a warning dialogue on completion of a registration form saying: “This site shares your personal information with third parties that follow different privacy policies.”
The P3P compact header, a late addition to the standard driven by a small group who recognized that HTTP cookies had inherent privacy implications, goes a step further.
The technology automatically discloses a site’s policy and allows browsers to block cookies that lack an adequate privacy policy. Essentially, only the third-party sharing cookies that collect non-personally identifiable information are allowed.
Today, only one mainstream browser, Internet Explorer, supports P3P compact headers (Mozilla dropped its support with the introduction of Firefox). Yet as long as Internet Explorer retains a significant market share, every ad network, analytics firm, OBA data syndicator, or SSP/DSP/DMP/exchange must make a definitive statement, using P3P, that its third-party cookies only collect non-PII. This establishes an enforceable hard floor for privacy practices while ensuring fair and non-deceptive business practices.
None of the other client-side tracking mechanisms (ETags, Java, HTML5) have this protection. They offer no transparency, no notice and, hence, no legal safeguards for the consumer. Third-party HTTP cookies may have equally sinister potential, but they practically operate under a technical requirement for disclosure.
P3P compact headers are far from perfect. First and foremost, there is nothing to prevent “the bad guys” from labeling malware cookies as innocuous. P3P compact headers need some sort of authentication mechanism to close this loophole. In addition, their vocabulary for describing policies is limited and insufficient in the world of social network data sharing and unified logins.
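The compact-header disclosure described above, and the caveat that its labels are self-asserted, shown as an added example (not code from the article or from any browser): a parser for the `CP="..."` value of a P3P response header that checks each token against the P3P 1.0 compact vocabulary. The verdict names, the sample headers, and the choice of PHY/ONL/FIN/GOV as the "personally identifying" categories are assumptions for illustration, not Internet Explorer's actual rule.

```python
import re

# P3P 1.0 compact-policy tokens, grouped by the policy element they abbreviate.
VOCAB = {
    "access": {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes": {"DSP"},
    "remedies": {"COR", "MON", "LAW"},
    "non-identifiable": {"NID"},
    "purpose": {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
                "IVA", "IVD", "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "categories": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
                   "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "test": {"TST"},
}
# Assumption: categories treated here as personally identifying.
PII_CATEGORIES = {"PHY", "ONL", "FIN", "GOV"}

def parse_compact_policy(header_value):
    """Return (declared_by_group, unknown_tokens), or None if no CP field."""
    m = re.search(r'\bCP\s*=\s*"([^"]*)"', header_value, re.I)
    if not m:
        return None
    declared, unknown = {}, []
    for tok in m.group(1).split():
        base, suffix = tok[:3], tok[3:]
        group = next((g for g, s in VOCAB.items() if base in s), None)
        # a/i/o (always / opt-in / opt-out) is legal only on purpose and
        # recipient tokens, and never on CUR or OUR.
        suffix_ok = suffix == "" or (suffix in ("a", "i", "o")
                    and group in ("purpose", "recipient")
                    and base not in ("CUR", "OUR"))
        if group is None or not suffix_ok:
            unknown.append(tok)
        else:
            declared.setdefault(group, []).append(base)
    return declared, unknown

def assess(header_value):
    """Classify what the header *claims*; nothing here authenticates the claim."""
    parsed = parse_compact_policy(header_value)
    if parsed is None:
        return "no-policy"
    declared, unknown = parsed
    if unknown or not declared:
        return "invalid"
    if PII_CATEGORIES & set(declared.get("categories", [])):
        return "declares-pii"
    return "declares-non-pii"
```

A `declares-non-pii` verdict means only that the sender said so in a well-formed way, which is exactly the missing-authentication gap noted above.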
Do-not-track proposals are a complement to P3P compact headers. They help browsers express consumer preference while punishing an ad server that ignores that preference. Perhaps do not track and P3P compact headers will jointly evolve into the sort of user-controlled negotiation that underpinned the original P3P vision.
Today, P3P compact headers are the only ubiquitous technology for Web privacy. We as an industry have no business using alternative client-side persistence mechanisms such as ETags or Flash Cookies until they contain safeguards equal or superior to P3P.
Daniel Jaye is president of Korrelate, an offline attribution technologies firm.