What They Know Is Interesting — But What Are You Going to Do About It?

The Wall Street Journal has stirred up a discussion of online privacy with its "What They Know" series of reports. These reports reveal again the existence and some workings of the information economy behind the Internet and World Wide Web. (All that content didn't put itself there, y'know!)

The discussion centers around "tracking" of web users, particularly through the use of "cookies." Cookies are little text files that web sites offer your browser when you visit. If your browser accepts the cookie, it will share the content of the text file back with that domain when you visit it a second time.

Often cookies have distinct strings of characters in them, so the site can recognize you. Sites use cookies to customize your experience. If you voted on a poll, for example, a cookie will cause the site to tell you how you voted. Cookies enable the "shopping cart" function in online stores.

Advertising networks use cookies to gather information about web surfers. Ads are embedded on the main sites people visit, just like the video above and the Amazon Kindle widget in the column on the right. They're served by different servers than most of the content on the page. Embedded content acts as a sort of  "third party" to the main transaction between web surfers and the sites they visit. Embedded content can offer cookies just like main sites do---they're known as "third-party cookies." 

A network that has ads on a lot of sites will recognize a browser (and by inference the person using it) when it goes to different web sites, enabling the ad network to get a sense of that person's interests. Been on a site dealing with SUVs? You just might see an SUV ad as you continue to surf.

This is important to note: Most web sites and ad networks do not "sell" information about their users. In targeted online advertising, the business model is to sell space to advertisers---giving them access to people ("eyeballs") based on their demographics and interests. It is not to sell individuals' personal and contact info. Doing the latter would undercut the advertising business model and the profitability of the web sites carrying the advertising.

Some people don't like this tracking. I think some feel it undignified to be a mere object of impersonal commerce (see Seger, Bob). Some worry that data about their interests will be used to discriminate wrongly against them, or to exclude them from information and opportunities they should enjoy. Excess customization of the web experience may stratify society, some believe. Tied to real identities, this data could fall into the hands of government and be used wrongly. These are all legitimate concerns, and I share some of them more, and some less, than others.

One I understand but dislike is the offense some people take at cookies for their "surreptitious" use. How many decades must cookies be integral to web browsing, and how many waves of public debate must their be about cookies before they lose their surreptitious cast? Cookies are just as surreptitious as photons and sound waves, which silently and invisibly carry data about you to anyone in the vicinity. We'd all be in a pretty tough spot without them.

Though cookies---and debate about their privacy consequences---have been around for a long time, many people don't know even the basics I laid out above. They also don't know that cookies are within the control of every web user.

As I testified to the Senate Commerce Committee last week, In the major browsers (Firefox and Internet Explorer), one must simply go to the "Tools" pull-down menu, select "Options," then click on the "Privacy" tab to customize one's cookie settings. In Firefox, one can decline to accept all third-party cookies, neutering the cookie-based data collection done by ad networks. In Internet Explorer, one can block all cookies, block all third-party cookies, or even choose to be prompted each time a cookie is offered.

Yes, new technologies make cookie control an imperfect protection against tracking, but that does not excuse consumers from the responsibility to exercise privacy self-help that will get at the bulk of the problem.

Some legislators, privacy advocates, and technologists want very badly to protect consumers, but much of what is called "consumer protection" actually functions as an invitation for consumers to cede personal responsibility. People rise or fall to meet expectations, and consumer advocates who assume incompetence on the part of the public may have a hand in producing it, making consumers worse off. 

If a central authority such as Congress or the Federal Trade Commission were to decide for consumers how to deal with cookies, it would generalize wrongly about many, if not most, individuals' interests, giving them the wrong mix of privacy and interactivity, for example. And it would leave consumers unprotected from threats beyond their jurisdiction (i.e. web tracking by sites outside the United States). Education is the hard way, and it is the only way, to get consumers' privacy interests balanced with their other interests.

But perhaps this is a government vs. corporate passion play, with government as the privacy defender (... oh, nevermind). One article in the WSJ series has interacted with lasting anti-Microsoft sentiment to produce interpretations that business interests are working to undercut consumer privacy. Engineers working on a new version of Microsoft's Internet Explorer browser thought they might set certain defaults to protect privacy better, but they were overruled when the business segments at Microsoft learned of the plan. Privacy "sabotage," the Electronic Frontier Foundation called it. And a Wired news story says Microsoft "crippled" online privacy protections.

But if the engineers' plan had won the day, an equal opposite reaction would have resulted when Microsoft "sabotaged" web interactivity and the advertising business model, "crippling" consumer access to free content. The new version of Microsoft's browser maintained the status quo in cookie functionality, as does Google's Chrome browser and Firefox, a product of non-profit privacy "saboteur" the Mozilla Foundation. The "business attacks privacy" story doesn't wash.

This is not to say that businesses don't want personal information---they do, so they can provide maximal service to their customers. But they are struggling to figure out how to serve all dimensions of consumer interest including the internally inconsistent consumer demand for privacy along with free content, custom web experiences, convenience, and so on.

Only one thing is certain here: Nobody knows how this is supposed to come out. Cookies and other tracking technologies will create legitimate concerns that weigh against the benefits they provide. Browser defaults may converge on something more privacy protective. (Apple's Safari browser rejects third-party cookies unless users tell it to do otherwise.) Browser plug-ins will augment consumers' power to control cookies and other tracking technologies. Consumers will get better accustomed to the information economy, and they will choose more articulately how they fit into it. 

What matters is that the conversation should continue. If you've read this far, you're better equipped to participate in it, and to take responsibility for your own privacy.

Do so.