1

Do Not Track:

A Guide for Information Technology Professionals

Anna Long

Founder and Principal Analyst

Web Analytica SM

2

Agenda

• Online privacy and Do Not Track initiatives

• What do CMG members think about tracking issues?

• What can you do to prepare?

3

Online Privacy – What’s the Problem?

In the past eighteen months:

• The Wall Street Journal, The New York Times, Time Magazine, and other news organizations have written articles raising concerns about abuse of privacy online.

• The Privacy Rights Clearinghouse, Consumer Watchdog, Consumer Action, and the Center for Digital Democracy have voiced concerns about online privacy.

• Politicians and regulators in the US and other regions have conducted studies, held hearings, and introduced legislation attempting to address online privacy violations.

4

Technology’s Impact on Privacy

Concerns about technology’s impact on privacy pre-date the commercialization of the World Wide Web.

March 18, 1992

5

Technology’s Impact on Privacy

“A new protocol being developed by the Internet Engineering Task Force (IETF) has raised privacy concerns. Internet Protocol Version 6 (IPv6) is the "next generation" protocol designed by the IETF to replace the current version Internet Protocol (IPv4)...

“The new addressing structure, however, may mean that every packet can be traced back to each user's unique network interface card ID… That information... forms the basis of the privacy concerns raised by some observers of the IETF process.”

Concerns about the Internet’s effect on privacy go back to the last century.

October 12, 1999

6

Online Privacy – Is This The Problem?

7

Online Behavioral Advertising

Online Behavioral Advertising (OBA) accounts for a large portion of all online advertising activity (which totaled 26 billion dollars in the US alone for 2010).

• OBA allows advertisers to target ad content very specifically, making it more efficient and cost effective.

• OBA builds profiles of online activity to tailor advertising for the individual web user.

• OBA requires tracking the activities of the web user.

• A recent Wall Street Journal study found that the top fifty websites install on average 64 tracking technology items on the computer of a typical site visitor. A dozen sites stored more than 100 such items.

8

What Should Be Done About Online Tracking?

Concern about the extent of online tracking has led to calls for its control, but this issue has many dimensions that defy a quick answer.

• Look to industry self-policing or government regulation?

• Is some form of a “Do Not Track” list feasible?

• Implement control at the browser or the website?

• Affect all databases containing tracking data in any form, or only databases supporting OBA?

• Anonymize affected data or delete it entirely?

• Restrict only third parties who collect data and promote offerings on other organizations’ websites? Or should first-party website owners also be restricted?

9

Survey of CMG Membership: Approach

To understand CMG members’ opinions on online tracking issues, a survey was conducted at 2011 CMG events held in North America and Europe.

• Attendees were asked opinion questions and demographic questions.

• Three opinion questions addressed specific implementation issues.

• Opinion questions were posed from the viewpoint of a website visitor and a website team member.

• Surveys with incomplete opinion responses were rejected.

• Remaining 101 surveys were tabulated and the results analyzed.

10

Survey of CMG Membership: Demographics of Respondents

Respondents split into the following segments:

• Age: 18-34 – 15%; 35-49 – 27%; 50 and up – 55%; unidentified – 3%

• Gender: male – 79%; female – 7%; unidentified – 14%

• IT Experience: 1-4 years – 5%; 5-9 years – 5%; 10 or more years – 84%; unidentified – 6%

11

Opinion Question 1: Integrating Anonymous Activity with Customer Data

For both viewpoints, a sizeable majority opposed integrating the data, with approximately one-quarter to one-third supporting integration.

Website Visitor Viewpoint

1. As a consumer, you visit a website for months or years without providing any personally identifiable information such as name, address, or credit card number. Then you submit a contact form or make a purchase during which you provide personal information. Should the website’s owner be allowed to attach all your previous anonymous activity to your contact form or purchase data for analysis?

__ Yes __ No

Website Team Member Viewpoint

4. Visitors come to your company’s website for months or years without providing any personally identifiable information such as name, address, or credit card number. Then they submit a contact form or make a purchase during which they provide personal information. As a website team member, should you be allowed to attach all their previous anonymous activity to their contact forms or purchase data for analysis?

__ Yes __ No

| Viewpoint | Yes | No |
|---|---|---|
| Q1: Website Visitor | 28% | 72% |
| Q4: Website Team Member | 37% | 63% |

12

Opinion Question 2: Altering Data When a DNT Request is Received

The majority choice reversed between viewpoints, with deletion being selected much more often for the website team member view.

Website Visitor Viewpoint

2. To support Do Not Track Initiatives, web browser developers are adding functionality to send an optional no-tracking parameter with each webpage request. As a consumer, if you configured your browser to send a no-tracking parameter to a website, would you expect the website to:

__ store no record of your navigation through the website, or

__ store an anonymized record of your navigation through the website.

Website Team Member Viewpoint

5. To support Do Not Track Initiatives, web browser developers are adding functionality to send an optional no-tracking parameter with each webpage request. As a website team member, if a visitor’s browser sends a no-tracking parameter to your site, would you want your website to:

__ store no record of your navigation through the website, or

__ store an anonymized record of your navigation through the website.

| Viewpoint | Anonymize | Delete |
|---|---|---|
| Q2: Website Visitor | 54% | 46% |
| Q5: Website Team Member | 30% | 70% |

13

Opinion Question 3: Which Database(s) Should a DNT Instruction Affect?

Opinions varied, whether the viewpoint was visitor or team member. For both views, a majority believed DNT should affect either all three databases or both the marketing analysis database and the CRM. Of the three, the database that was most commonly picked for alteration was the CRM.

Website Visitor Viewpoint

3. As a consumer, if you configured your browser to send a no-tracking parameter to a website, which of the following should the no-tracking request affect?

__ system administration log

__ customer relationship management database

__ marketing analysis database

Website Team Member Viewpoint

6. As a website team member, if a visitor’s browser sends a no-tracking parameter to your site, which of the following should the no-tracking request affect?

__ system administration log

__ customer relationship management database

__ marketing analysis database

Table 4 -- Which Database(s) Should a DNT Instruction Affect?

(SA = system administration log, MA = marketing analysis database, CRM = customer relationship management database)

| Viewpoint | SA | MA | CRM | SA, MA | SA, CRM | MA, CRM | SA, MA, CRM |
|---|---|---|---|---|---|---|---|
| Q3: Website Visitor | 11% | 13% | 5% | 4% | 3% | 35% | 30% |
| Q6: Website Team Member | 12% | 15% | 8% | 4% | 4% | 36% | 22% |

14

Additional Observations: Comparing Variation in Individual Responses with Viewpoint

• 50% of respondents changed their answer to at least one opinion question when answering from different viewpoints.

• 5% of respondents changed their answers to all three opinion questions when answering from different viewpoints.

The opinions of individual respondents often changed when considering a question from the website visitor viewpoint and the website team member viewpoint. Out of 101 respondents:

• 50 changed no answers between viewpoints

• 27 changed one answer between viewpoints

• 19 changed two of their answers between viewpoints

• 5 changed all three of their answers between viewpoints

15

Additional Observations: Comparing Responses from North America and Europe

Considerable variation in responses from both Europe and North America shows that the lack of consensus is not restricted to one region.

Comparison of Responses from Europe and North America Events

| Question | Response Category | Europe | North America |
|---|---|---|---|
| Q1: Integrate Data? (Website Visitor) | Yes | 41% | 22% |
| | No | 59% | 78% |
| Q4: Integrate Data? (Website Team Member) | Yes | 50% | 30% |
| | No | 50% | 70% |
| Q2: Anonymize DNT Data? (Website Visitor) | Anonymize | 50% | 57% |
| | Delete | 50% | 43% |
| Q5: Anonymize DNT Data? (Website Team Member) | Anonymize | 34% | 28% |
| | Delete | 66% | 72% |
| Q3: To Which Database(s) Does DNT Apply? (Website Visitor) | Sys Adm | 16% | 9% |
| | WA | 13% | 13% |
| | CRM | 0% | 7% |
| | Sys Adm, WA | 3% | 4% |
| | Sys Adm, CRM | 3% | 3% |
| | WA, CRM | 44% | 30% |
| | Sys Adm, WA, CRM | 22% | 33% |
| Q6: To Which Database(s) Does DNT Apply? (Website Team Member) | Sys Adm | 16% | 10% |
| | WA | 22% | 12% |
| | CRM | 6% | 9% |
| | Sys Adm, WA | 0% | 6% |
| | Sys Adm, CRM | 3% | 4% |
| | WA, CRM | 28% | 39% |
| | Sys Adm, WA, CRM | 25% | 20% |

16

What Can You Do?

Even with this uncertainty, there are steps you can take to help your organization prepare for DNT outcomes.

1. Stay abreast of legislation and regulations that will have an impact on your organization’s online tracking.

2. Take tracking-control technology into account when architecting, developing, testing, and operating your web applications.

3. Implement a consistent set of policies and processes to support tracking control and handling of tracking data.

17

Step 1: Legislative

Receptiveness to government involvement in online privacy protection varies from region to region. Legislative and regulatory responses have varied considerably, as illustrated by these three examples:

1) Europe -- acting

2) US -- proposing

3) Canada -- observing

18

Legislative Activity: Europe

Europe has traditionally been at the forefront of government involvement with privacy issues.

• European Commission established Directive 2002/058 on Privacy and Electronic Communications (the ePrivacy Directive).

• 2002 version required website owners to inform visitors about cookie placement and offer a method of refusing cookies

• 2009 version requires website owners to gain permission from visitors before storing any cookies not essential to basic site operation.

• European Commission directed all EU members to incorporate the amended ePrivacy Directive into their national laws by 25 May 2011.

• Many members did not meet that deadline.

• UK enacted regulations requiring opt-in checks as of 26 May 2011.

• European Data Protection Supervisor is urging quick action.

19

Legislative: United States

The US has traditionally looked to industry and the marketplace for privacy solutions not involving medical or financial data, but initiatives addressing online tracking are countering that trend.

• In December 2010, the US Federal Trade Commission released a study of online tracking’s impact on consumer privacy. The study concluded that industry self-policing had failed and urged Congress to legislate a “choice mechanism for behavioral tracking”.

• The US Congress has responded, holding hearings and introducing legislation addressing the issue in various ways. To date, no legislation has become law.

• At the state level, a legislative bill was introduced in California to require establishment of an opt-out mechanism for tracking. The bill also mandates that websites honor the mechanism. This bill has not become law.

20

Legislative: Canada

Privacy issues are important in Canada and legislation has addressed important privacy issues in the past.

• In 2000, the Canadian Government enacted PIPEDA (Personal Information Protection and Electronic Documents Act). PIPEDA addresses various privacy issues but does not explicitly cover online tracking data.

• In 2010 Canada’s Office of the Privacy Commissioner reviewed PIPEDA’s adequacy to address tracking and discovered many challenges.

• The Office is “following with interest the U.S. Federal Trade Commission’s proposal for a Do Not Track mechanism…”

21

Step 2: Technology

Technology work has begun but is in the early stages of development:

• Two candidate approaches are being promoted to put tracking control in the hands of web users:

1) The DNT flag

2) Tracking Protection Lists

• The World Wide Web Consortium formed a working group to initiate development of standards recommendations.

22

DNT Flag – Mozilla Example

Mozilla Firefox has implemented tracking control as a “Do Not Track” flag.

When enabled, the browser appends the DNT flag to each URL sent to a web server.

This approach is easy to use and easy to implement in the browser.

The approach relies on the website owner to honor the request and implement some sort of tracking disablement.

Mozilla added tracking control in its June 2011 release and claims that 5% of the version’s users have already enabled the feature.

23

Tracking Protection Lists – Microsoft Example

Microsoft has implemented tracking control in Internet Explorer 9 (IE9) as a set of lists.

This approach relies on one or more lists; a list can name allowed sites or blocked sites.

With multiple lists, tracking can be controlled very finely, but the configuration is also complex.

24

Third Party TPLs: Truste Tracking Control List

Truste is one supplier of tracking control lists that can be imported into IE9.

25

W3C Tracking Protection Working Group

In Spring 2011, the World Wide Web Consortium (W3C) created its Tracking Protection Working Group to deliver standards recommendations.

• The Working Group will work with parts of W3C and Internet Engineering Task Force to develop standards to support tracking control.

• Standards are planned for both the header method and the tracking selection list method.

• In initial meetings, standardization of tracking selection lists is having trouble gaining traction.

The Working Group has set a deadline of July 2012 for delivery of recommendations.

26

Step 3: Policies and Processes

Decide on your approach to tracking control and incorporate it into your policies and processes.

• Policies to be addressed include your website’s online privacy policy as well as policies for data storage, data retention, and data integration.

• These policies need to be folded into your data management processes, specifying the tracking data to be collected, how long it is used, and how long it will be retained.

• Data to be considered includes IP addresses, website interaction streams, configuration and geolocation data, and any tracking data that can be used to identify or profile users.

• Consult guidance from professional organizations and industry alliances such as the Web Analytics Association and the Digital Advertising Alliance as you develop your approach.
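An added example, not part of the original presentation: one way a site could honor the DNT flag under the two handling options from the survey (store no record, or store an anonymized record) across the three data stores the survey names. Firefox sends the flag as the HTTP request header "DNT: 1"; the store names, the request dictionary shape, and IP truncation as the anonymization step are assumptions of this example.

```python
import ipaddress

# Store names follow the three data stores named in the survey (names assumed).
STORES = ("sysadmin_log", "marketing", "crm")
POLICY_DELETE = "delete"        # store no record of the visit
POLICY_ANONYMIZE = "anonymize"  # store a record with identifiers removed

# Constructed sample request; the dictionary shape is an assumption.
SAMPLE_REQUEST = {
    "headers": {"User-Agent": "ExampleBrowser/1.0", "DNT": "1"},
    "ip": "203.0.113.77",
    "path": "/pricing",
    "visitor_id": "v-1001",
}


def dnt_enabled(headers):
    """True only for 'DNT: 1'; HTTP header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def truncate_ip(addr):
    """Coarsen an address to its /24 (IPv4) or /48 (IPv6) network."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def build_records(request, policy, affected=STORES):
    """Return the row to write to each store for one page view (None = no row)."""
    full = {key: request[key] for key in ("ip", "path", "visitor_id")}
    rows = {store: dict(full) for store in STORES}
    if not dnt_enabled(request["headers"]):
        return rows
    anon = {"ip": truncate_ip(request["ip"]), "path": request["path"],
            "visitor_id": None}
    for store in affected:
        # A CRM row without a visitor id is useless, so CRM rows are dropped.
        # Any policy other than "anonymize" fails closed to no record.
        keep_anon = policy == POLICY_ANONYMIZE and store != "crm"
        rows[store] = dict(anon) if keep_anon else None
    return rows
```

The `affected` argument corresponds to the survey question about which databases a no-tracking request should reach; stores left out of it keep the full record.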

27

Digital Advertising Alliance

The Digital Advertising Alliance (DAA) is a group of national and international organizations supported by the Council of Better Business Bureaus and includes industry groups such as the Interactive Advertising Bureau.

The DAA promotes principles for collection of web activity supporting behavioral advertising in the areas of education, transparency, consumer control, accountability, and proper handling of sensitive data.

The DAA website includes education for the consumer and a beta feature where consumers can elect to remove themselves from the audience for OBA.

DAA Member Icon

28

Anna Long

Founder and Principal Analyst

Web Analytica SM

linkedin.com/in/annamlong

126 Colchis Court Cary, NC 27513

919 349-5725