Cookies for Kiddies

Back on July 31 I posted The Data Bubble in response to the first of The Wall Street Journal‘s landmark series of articles and Web postings on the topic of unwelcome (and, to their targets, mostly unknown) user tracking.

A couple days ago I began to get concerned about how much time had passed since the last posting, on August 12. So I tweeted, Hey @whattheyknow, is your Wall Street Journal series done? If not, when are we going to see more entries? Last I saw was >1 month ago.

Then yesterday @WhatTheyKnow tweeted back, @dsearls: Ask and ye shall receive: http://on.wsj.com/9DTpdP. Nice!

The piece is titled On the Web, Children Face Intensive Tracking, by Steve Stecklow, and it’s a good one indeed. To start,

The Journal examined 50 sites popular with U.S. teens and children to see what tracking tools they installed on a test computer. As a group, the sites placed 4,123 “cookies,” “beacons” and other pieces of tracking technology. That is 30% more than were found in an analysis of the 50 most popular U.S. sites overall, which are generally aimed at adults.

The most prolific site: Snazzyspace.com, which helps teens customize their social-networking pages, installed 248 tracking tools. Its operator described the site as a “hobby” and said the tracking tools come from advertisers.

Should we call cookies for kids “candy”? Hey, why not?

Once again we see the beginning of the end of fettered user tracking. Such as right here:

Many kids’ sites are heavily dependent on advertising, which likely explains the presence of so many tracking tools. Research has shown children influence hundreds of billions of dollars in annual family purchases.

Google Inc. placed the most tracking files overall on the 50 sites examined. A Google spokesman said “a small proportion” of the files may be used to determine computer users’ interests. He also said Google doesn’t include “topics solely of interest to children” in its profiles.

Still, Google’s Ads Preferences page displays what Google has determined about web users’ interests. There, Google accurately identified a dozen pastimes of 10-year-old Jenna Maas—including pets, photography, “virtual worlds” and “online goodies” such as little animated graphics to decorate a website.

“It is a real eye opener,” said Jenna’s mother, Kate Maas, a schoolteacher in Charleston, S.C., viewing that data.

Jenna, now in fifth grade, said: “I don’t like everyone knowing what I’m doing and stuff.”

A Google spokesman said its preference lists are “based on anonymous browser activity. We don’t know if it’s one user or four using a particular browser, or who those users are.” He said users can adjust the privacy settings on their browser or use the Ads Preferences page to limit data collection.

I went and checked my own Ads Preferences page (http://www.google.com/ads/preferences) and found that I had opted out of Google’s interest-based advertising sometime in the past. I barely remember doing that, but I’m not surprised I did. On the whole I think most people would opt to turn that kind of stuff off, just to get a small measure of shelter amidst the advertising blizzard that the commercial Web has become.

Finding Google’s opt-out control box without a flashlight, however, is a bit of a chore. Worse, Google is just one company. The average user has to deal with dozens or hundreds of other (forgive me) cookie monsters, each with its own opt-out/in control boxes (or lack of them). And I suspect that most of those others are far less disclosing about their practices (and respectful of users) than Google is.

(But I have no research to back that up—yet. If anybody does, please let me have it. There’s a whole chapter in a book I’m writing that’s all about this kind of stuff.)

Meanwhile, says the Journal,

Parents hoping to let their kids use the Internet, while protecting them from snooping, are in a bind. That’s because many sites put the onus on visitors to figure out how data companies use the information they collect.

Exactly. And what are we to do? Depend on the site owners and their partners? Not in the absence of help, that’s for sure. The Journal again:

Gaiaonline.com—where teens hang out together in a virtual world—says in its privacy policy that it “cannot control the activities” of other companies that install tracking files on its users’ computers. It suggests that users consult the privacy policies of 11 different companies.

In a statement, gaiaonline.com said, “It is standard industry practice that advertisers and ad networks are bound by their own privacy policy, which is why we recommend that our users review those.” The Journal’s examination found that gaiaonline.com installed 131 tracking files from third parties, such as ad networks.

An executive at a company that installed several of those 131 files, eXelate Media Ltd., said in an email that his firm wasn’t collecting or selling teen-related data. “We currently are not specifically capturing or promoting any ‘teen’ oriented segments for marketing purposes,” wrote Mark S. Zagorski, eXelate’s chief revenue officer.

But the Journal found that eXelate was offering data for sale on 5.9 million people it described as “Age: 13-17.” In a later interview, Mr. Zagorski confirmed eXelate was selling teen data. He said it was a small part of its business and didn’t include personal details such as names.

BlueKai Inc., which auctions data on Internet users, also said it wasn’t offering for sale data on minors. “We are not selling data on kids,” chief executive Omar Tawakol wrote in an email. “Let there be no doubt on what we do.”

However, another data-collecting company, Lotame Solutions Inc., told the Journal that it was selling what it labeled “teeny bopper” data on kids age 13 to 19 via BlueKai’s auctions. “If you log into BlueKai, you’ll see ‘teeny boppers’ available for sale,” said Eric L. Porres, Lotame’s chief marketing officer.

Mr. Tawakol of BlueKai later confirmed the “teeny bopper” data had been for sale on BlueKai’s exchange but no one had ever bought it. He said as a result of the Journal’s inquiries, BlueKai had removed it.

The FTC is reviewing the only federal law that limits data collection about kids, the Children’s Online Privacy Protection Act, or Coppa. That law requires sites aimed at children under 13 to obtain parental permission before collecting, using or disclosing a child’s “personal information” such as name, home or email address, and phone and Social Security number. The law also applies to general-audience sites that knowingly collect personal information from kids.

So we have pots and kettles calling each other black while copping out of responsibility in any case—and then, naturally, turning toward government for help.

My own advice: let’s not be so fast with that. Let’s continue to expose bad practices, but let’s also fix the problem on the users’ end. Because what we really need here are tools by which individuals (including parents) can issue their own global preferences, their own terms of engagement,  their own controls, and their own ends of relationships with companies that serve them.

These tools need to be be based on open standards, code and protocols, and independent of any seller. Where they require trusted intermediaries, those parties should be substitutable, so individuals are not locked in again.

And guess what? We’re working on those. Here’s what I wrote last month in Cooperation vs. Coercion:

What we need now is for vendors to discover that free customers are more valuable than captive ones. For that we need to equip customers with better ways to enjoy and express their freedom, including ways of engaging that work consistently for many vendors, rather than in as many different ways ways as there are vendors — which is the “system” (that isn’t) we have now.

There are lots of VRM development efforts working on both the customer and vendor sides of this challenge. In this post I want to draw attention to the symbols that represent those two sides, which we call r-buttons, two of which appear [in the example below]. Yours is the left one. The vendor’s is the right one. They face each other like magnets, and are open on the facing ends.

These are designed to support what Steve Gillmor calls gestures, which he started talking about back in 2005 or so. I paid some respect to gestures (though I didn’t yet understand what he meant) in The Intention Economy, a piece I wrote for Linux Journal in 2006. (That same title is also the one for book I’m writing for Harvard Business Press. The subtitle is What happens when customers get real power.) On the sell side, in a browser environment, the vendor puts some RDFa in its HTML that says “We welcome free customers.” That can mean many things, but the most important is this: Free customers bring their own means of engagement. It also means they bring their own terms of engagement.

Being open to free customers doesn’t mean that a vendor has to accept the customer’s terms. It does mean that the vendor doesn’t believe it has to provide all those terms itself, through the currently defaulted contracts of adhesion that most of us click “accept” for, almost daily. We have those because from the dawn of e-commerce sellers have assumed that they alone have full responsibility for relationships with customers. Maybe now that dawn has passed, we can get some daylight on other ways of getting along in a free and open marketplace.

The gesture shown here —

— is the vendor (in this case the public radio station KQED, which I’m just using as an example here) expressing openness to the user, through that RDFa code in its HTML. Without that code, the right-side r-button would be gray. The red color on the left side shows that the user has his or her own code for engagement, ready to go. (I unpack some of this stuff here.)

Putting in that RDFa would be trivial for a CRM system. Or even for a CMS (content management system). Next step: (I have Craig Burton leading me on this… he’s on the phone with me right now…) RESTful APIs for customer data. Check slide 69 here. Also slides 98 and 99. And 122, 124, 133 and 153.

If I’m not mistaken, a little bit of RDFa can populate a pop-down menu on the site’s side that might look like this:

All the lower stuff is typical “here are our social links” jive. The important new one is that item at the top. It’s the new place for “legal” (the symbol is one side of a “scale of justice”) but it doesn’t say “these are our non-negotiable terms of service (or privacy policies, or other contracts of adhesion). Just by appearing there it says “We’re open to what you bring to the table. Click here to see how.” This in turn opens the door to a whole new way for buyers and sellers to relate: one that doesn’t need to start with the buyer (or the user) just “accepting” terms he or she doesn’t bother to read because they give all advantages to the seller and are not negotiable. Instead it is an open door like one in a store. Much can be implicit, casual and free of obligation. No new law is required here. Just new practice. This worked for Creative Commons (which neither offered nor required new copyright law), and it can work for r-commerce (a term I just made up). As with Creative Commons, what happens behind that symbol can be machine, lawyer or human-readable. You don’t have to click on it. If your policy as a buyer is that you don’t want to to be tracked by advertisers, you can specify that, and the site can hear and respond to it. The system is, as Renee Lloyd puts it, the difference between a handcuff and a handshake.

Giving customers means for showing up in the marketplace with their own terms of engagement is a core job right now for VRM. Being ready to deal with customers who bring their own terms is equally important for CRM. What I wrote here goes into some of the progress being made for both. Much more is going on as well. (I’m writing about this stuff because these are the development projects I’m involved with personally. There are many others.)

You can check out some of those others here.

Bonus link: Tracking the Companies that Track You Online. That’s a Fresh Air interview by Dave Davies of Julia Angwin, senior technology editor of The Wall Street Journal and the lead reporter on the What They Know series.

Tags: , ,

6 comments

  1. Jeff Chester’s avatar

    In order to protect privacy, it’s also critical to understand the role of the interactive ad applications designed to encourage users to provide data. The problem isn’t only about cookies and other tracking apps. It’s about the use of pervasive and sophisticated interactive ad techniques–”immersive” rich media, neuromarketing, and social media marketing, for example–deployed to persuade a consumer or young person to interact and share information. We have filed complaints with the FTC on this; but for a good overview on how the online ad system really works, see the reports at digitalads.org

  2. KD’s avatar

    I sent you an email about this on the 19th, but I guess it did not reach you.

    There is some mangled HTML in the first block quote, right after the sentence:

    ‘ Its operator described the site as a “hobby” and said the tracking tools come from advertisers.’

    As a result, it seems that some of the text you wrote does not display, and it appears to me that more is included in that block quote than you intended.

    I’m not sure exactly what went wrong, but I’m sure you don’t need my help to fix whatever it is.

  3. Doc Searls’s avatar

    Thanks, KD. You’re right that I missed the email.

    I can’t figure the problem. The HTML looks fine. I’ll need to go over it later today. Meanwhile, apologies.

    Sometimes I wish it were easier to edit this stuff in pure HTML, but alas…

  4. KD’s avatar

    This might be a little more help in fixing the problem.

    When I look at the HTML for the post via View Source, it appears to me things go south at the apparently unclosed quote in the anchor tag for Starfall that contains:

    title=”http://Starfall.

    I hope that makes it into the comment post without, itself, getting mangled. There seems to be no preview here, so I cannot check it.

    There seems to be an inappropriate br tag there, too, and some other stuff that looks weird to me, but since I’m no HTML expert, I cannot say whether it is wrong or not.

    From your comment, you aren’t editing the HTML directly yourself, so I have no idea what went wrong at the level where you are composing/editing, but maybe you will be able to figure it out given this description (if I’m actually right about where the problem starts).

  5. Doc Searls’s avatar

    KD, this has taken hours to figure out. What you see in the source for the page didn’t appear in the HTML view in the WordPress dashboard editor. The WYSIWYG view looked fine, but not like the published version. When I copied the source and went into a real text editor to take out the Wall Street Journal’s HTML cruft, and pasted the cleaned up text into the site editor, it looked fine, but still had the same problem in the published version. I finally took out the whole paragraph that had Starfall in it, and now it works.

    In any case, what we had here was HTML that appeared in source but not in the editor. Strange.

    Again, thanks for the flag, and the advice. Much appreciated.

  6. reviewsive’s avatar

    Hey, thanks for clarifying.

    Even I sent you an email about this but I guess you didn’t get it and then it slipped off my mind.

    There is some mangled HTML in the first block quote, right after the sentence: ‘ Its operator described the site as a “hobby” and said the tracking tools come from advertisers.’

Comments are now closed.