Tracking the Trackers: Early Results

Original at the Stanford Center for Internet and Society.

Over the past several months researchers at the Stanford Security Lab have been developing a platform for measuring dynamic web content. One of our chief applications is a system for automated enforcement of Do Not Track by detecting the myriad forms of third-party tracking, including cookies, HTML5 storage, fingerprinting, and much more. While the software isn’t quite polished enough for public release, we’re eager to share some unexpected early results on the advertising ecosystem. Please bear in mind that these are preliminary findings from experimental software; our primary aims at this stage are developing the platform and validating the approach to third-party tracking detection. Many thanks to Jovanni Hernandez and Akshay Jagadeesh for their invaluable research assistance.

Methodology

We began with a list of advertising companies that participate in the self-regulatory Network Advertising Initiative (NAI). By navigating popular websites we identified a piece of tracking content (primarily ads and beacons) from 64 of the 75 NAI member companies. We performed the following tests on each company’s content:

1) Load the content.

2) Load the content, opt out of the company on the NAI website, and then reload the content.

3) Load the content, enable Do Not Track, and then reload the content.

We manually identified tracking cookies (cookies that appeared to contain a unique identifier or substantially unique information) and how they were altered throughout each test. A spreadsheet of results is available. Please email if you would like a copy of the data we logged while testing a particular company’s content.
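As an added illustration (not the Stanford platform's code), the sketch below compares a third-party domain's cookies across the three snapshots of test 2 and labels what happened to each tracking cookie. The entropy threshold is an assumed stand-in for the manual review described above, and all cookie names and values are constructed.

```python
import math
from collections import Counter

def entropy_bits(value):
    """Empirical Shannon entropy of the whole value, in bits (0 for an empty value)."""
    n = len(value)
    return -sum(c * math.log2(c / n) for c in Counter(value).values())

def is_tracking(jar, name, min_bits=40.0):
    """Assumed heuristic, not the authors' manual review: present and high entropy."""
    return name in jar and entropy_bits(jar[name]) >= min_bits

def classify(before, after_optout, after_reload):
    """Map each tracking cookie seen before opt-out to what happened to it."""
    outcome = {}
    for name in before:
        if not is_tracking(before, name):
            continue  # short flags such as a language preference are not identifiers
        kept = is_tracking(after_optout, name)   # survived the opt-out
        back = is_tracking(after_reload, name)   # present after reloading the content
        if kept and back:
            same = after_reload[name] == after_optout[name]
            outcome[name] = "left in place" if same else "left in place, updated on reload"
        elif kept:
            outcome[name] = "left in place, removed on reload"
        elif back:
            outcome[name] = "removed, reinstalled on reload"
        else:
            outcome[name] = "removed"
    return outcome

# Constructed cookie jars for one hypothetical third-party domain.
BEFORE = {
    "uid": "a3f9c2e17b4d4c0e9f21d7a85b6e0c13",
    "vid": "7d1e0b9a-55c2-4f3e-8a6b-2c9f4e1d0a77",
    "seg": "s12.s87.s140.s233.s391.t1310000000",
    "oid": "5b8e2f4c9a1d7e3061c4",
    "lang": "en",
}
# Opt-out: uid deleted, oid overwritten with a generic value, vid and seg untouched.
AFTER_OPTOUT = {"vid": BEFORE["vid"], "seg": BEFORE["seg"], "oid": "OPT_OUT", "lang": "en"}
# Reload: uid comes back with a new value and seg gets a fresh timestamp.
AFTER_RELOAD = dict(AFTER_OPTOUT, uid="c41b7e9d02a85f6e3d17a9c0b4e28f55",
                    seg="s12.s87.s140.s233.s391.t1310000420")

if __name__ == "__main__":
    for name, result in classify(BEFORE, AFTER_OPTOUT, AFTER_RELOAD).items():
        print(f"{name}: {result}")
```

A cookie overwritten with a generic value such as `OPT_OUT` counts as removed because it no longer carries a unique identifier, even though the cookie name persists.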

1. At least two NAI members are taking overt steps to respect Do Not Track.

Media6Degrees, an advertising data provider, deletes its tracking cookies and sets an opt-out cookie upon receiving a Do Not Track request.

BlueKai, a data provider and management platform, does not set tracking cookies in response to a Do Not Track request, but it does not delete any existing tracking cookies.

2. Half of the NAI members we tested did not remove their tracking cookies after opting out.

NAI member companies pledge only to allow opting out of behavioral ad targeting, not tracking. Of the 64 companies we studied, 32 left tracking cookies in place after opting out.

3. At least eight NAI members promise to stop tracking after opting out, but nonetheless leave tracking cookies in place.

We compared our results to a survey of NAI member privacy and opt-out policies recently conducted by Carnegie Mellon’s CyLab. We identified seven companies that (in the study’s reading) promise to stop tracking when a user opts out, but nonetheless leave their tracking cookies in place.

The 24/7 Real Media privacy policy claims that a user may “opt out of receiving our ad delivery, audience management and behavioral targeting cookies.” We found that opting out deleted the company’s tracking cookies, but reloading the content reinstalled the tracking cookies.

Adconion’s privacy policy states that a user is “free to opt out of the Adconion Cookie.” Opting out deleted one of three tracking cookies but left the other two in place. Reloading the content did not update the remaining tracking cookies.

In its privacy policy, AudienceScience describes its opt-out option as follows: “Should you choose to opt-out, we delete all previously collected information from the cookies, and put new information in the cookie which tells us to stop collecting information from that device.” We found that opting out of AudienceScience removes its unique tracking cookie but does not remove a highly unique cookie that represents the user’s interests. Subsequent loads of the content updated the interest cookie.

[See below for an update from AudienceScience.]

Netmining’s privacy policy states that upon opting out “we will delete your existing ntmng.com or netmining.com cookie(s) and try to place a new cookie that instructs us not to track your future activities when we detect that cookie.” Opting out deleted the Netmining tracking cookie but did not delete a tracking cookie served from a retailer-specific subdomain of netmng.com (and presumably only used on that retailer’s site). Reloading the content refreshed the retailer-specific cookie.

The Undertone privacy policy notifies users: “If you would like to opt out of OBA, then we offer ‘opt-out cookies’ to block the tracking and placement of future Undertone cookies for OBA purposes on your system for five (5) years.” Opting out removed a highly unique cookie that stores the user’s interests but did not remove a unique cookie. Subsequent loads of the content updated the unique cookie.

Vibrant Media’s privacy policy provides: “If you’d like to opt-out from having Vibrant Media collect your Non-PII in connection with our Technology, please click here. When you opt out, we will place an opt-out cookie on your computer. The opt-out cookie tells us not to collect your Non-PII to tailor our online advertisement campaigns.” Opting out of Vibrant Media does not remove the network’s unique tracking cookie; the cookie remains in place and is updated with subsequent loads of the content.

The privacy policy on Wall Street on Demand’s advertising platform claims: “By clicking here, the unique cookie used by this system/domain and stored locally by your browser will be changed to ‘OPT_OUT’. By creating a generic cookie id instead of a unique cookie id – it is even more impossible to track your history.” Opting out deleted Wall Street on Demand’s unique cookie, but left in place a seemingly highly unique cookie that appears to store user interests. Refreshing the content renewed the interests cookie.

We identified one additional company with a privacy policy that may be interpreted to prohibit its current business practices. The TARGUSinfo AdAdvisor opt-out page explains that “[t]he AdAdvisor opt-out works by replacing the existing AdAdvisor cookie with a new cookie that clearly indicates that the user has elected to opt-out of the Services.” Opting out left TARGUSinfo’s unique tracking cookie in place. Refreshing the content did not update the tracking cookie.

4. At least ten NAI members go beyond their privacy policies and remove their tracking cookies.

In comparing our results to the Carnegie Mellon study of privacy policies we found that ten NAI members remove their tracking cookies upon opting out, even though they promise to only stop behavioral targeting of ads. The companies are: BlueKai (retains city-level geolocation), Dapper (bought by Yahoo!), FetchBack, Google, Invite Media, Media6Degrees, Mediaplex, Quantcast, TidalTV, and YuMe.

Concluding Thoughts

These early results scarcely scratch the surface of what we aim to learn with our new web measurement platform. We look forward to sharing new insights in the coming weeks and opening the software in the coming months. If you have experience in the web measurement field and would like to participate in testing the platform, please reach out. And please send web measurement questions — we’re looking for new ways to put the system through its paces!

Updates

[If you would like us to add a statement from your company, please reach out.]

24/7 Real Media has updated its privacy policy.

You may also simply opt out of receiving interest-based advertising by clicking here.

AddThis contacted us about our findings. After a reevaluation, we discovered we had mislabeled a unique session cookie associated with AddThis’s opt-out process as a tracking cookie. The post and spreadsheet have been updated. Our apologies to AddThis for the error.

AudienceScience reached out to clarify its practices. Its cookies store a compressed and encrypted data structure. When a user opts out, AudienceScience removes all interest segments and the unique ID from the data structure, but it continues to update the last time the browser contacted its servers. We have confirmed that AudienceScience now entirely removes its data structure after opting out.

BlueKai confirmed it is taking steps to honor Do Not Track.

Media6Degrees confirmed it is taking steps to honor Do Not Track.

Netmining has updated its privacy policy.

If you select the “opt out” button there for Netmining, we will delete your existing netmng.com or netmining.com online behavioral advertising cookie(s) and try to place a new cookie that instructs us not to track your future activities for the purposes of serving online behavioral advertising when we detect that cookie.

The Network Advertising Initiative has posted a response to the study.

TARGUSinfo submitted the following statement.

Immediately upon the publication of this study, we verified that our Opt-Out was fully functional both through our own www.adadvisor.net/optout.html site as well as through the NAI site. At no time was our opt-out not functioning, meaning that any consumer who had elected to opt out either through us or NAI or aboutads.info was indeed opted out, and no further activity was conducted on that user’s browser. We did identify a minor inconsistency between the opt-out running on our own site and that which was running on the NAI site. Specifically, a second cookie was deleted when the opt-out was set from our own site, but that cookie was left on the browser if the user opted out through the NAI. Despite this cookie remaining on the browser, it was rendered dormant because our opt-out prevents us from reading or accessing any other cookie. We updated the code running on NAI to ensure that this second cookie also gets deleted when a user opts-out through NAI, to ensure that there is no confusion with our actual opt-out functionality and what was stated in our privacy policy.

Undertone has posted a statement responding to the study.

Vibrant Media submitted the following statement.

We drop a user ID cookie when a user initiates engagement with one of our ad units. This collects non-personally identifiable information on keywords a user has engaged with. If the user doesn’t visit a site in our network for 10 days, we delete this data. If someone opts out, we add a do-not-track cookie.

We had been deleting any data associated with the user ID, but had not been deleting the cookie itself (this is acceptable for NAI compliance). When we encounter someone with a do-not-track cookie, we completely ignore the user ID and therefore don’t use their information to serve ads. Although the cookie was remaining, we do not reference or use the ID in any way and we completely delete all data, be it in logs or storage devices for that particular user ID. Going forward, in order to prevent any misunderstanding we will also be deleting that cookie.

We have always been vigilant about adhering to industry best practices and NAI compliance policies.

Wall Street on Demand has updated its privacy policy.

Online Behavioral Advertising (OBA) is the process of targeting specific advertisements to each individual user, based on browsing history. If you opt out of OBA from our service by clicking the link below, the OBA cookie we use to contain this information will be emptied and changed to a placeholder signaling that you have done so. . . . Opting out does not necessarily delete or replace all cookies from our domain; others may remain which are used for aggregate reporting on the performance of the advertisements we serve.