Weed Thought

Tuesday, March 29, 2011

Is tracking web users a no-no?

I saw an interesting question today from IEEE.org:
Is Tracking Web Users a No-No?
Several countries are considering new policies to give individuals more control over the information that Web sites collect and share about them. In November, the European Union announced plans for updating its privacy regulations to give consumers more control over online tracking. And in December, the U.S. Federal Trade Commission proposed a "Do Not Track" mechanism to prevent Web sites from sharing details about a person's online activities. Critics of tracking are concerned that companies can record which sites users visit online, often without their knowledge. Others say tracking is necessary because it helps keep Web sites cost-free; advertisers pay for the information gathered about users' browsing or purchases so that they can place targeted ads.
To answer the question in short, I support laws regulating what is tracked and how that data is used, but I don't support another user mechanism that requires the user to activate or deactivate it to control tracking. A website is relatively inexpensive to operate and the world would go on just fine if we had a 'Do Not Track' mechanism or if we lost the ability to do advertising on-line. Perhaps it would help alleviate the issue of IPv4 address space {grin}. However, supporting another mechanism makes developers' jobs harder, is unenforceable and won't stop tracking. Mandating another user mechanism would be a snake oil solution - a placebo to ease consumers' minds, possibly resulting in more harm than good.

On-line tracking has been a massive part of business for many of the companies I've done development for over the last few years. Most consumers aren't aware of how tracking works or how extensive it is, if they are aware they are being tracked at all. I'm loathe to fill out a website form anymore, because I'm aware that the information I put in will most likely be sold and used for marketing purposes. I don't want companies pestering me - when I need something, I'm happy to go find it.

There are some forms of so-called 'Do-Not-Track' mechanisms already. Many browsers have private browsing modes, and people are free to clear their cookies, cache, history, and other data off their own computers. This can affect tracking, but is dependent upon the user. They have to know what they are doing and what happens to data they submit to sites. It also doesn't affect what is stored on the servers the user visits.

It is worth differentiating between different types of data and where it's stored. There's personal data, historical data, statistical data...and correlations between much of it becomes identifiable.

A website owner should be free to track information about accesses to his own website - referrer, hit counts, unique visitors, browser type (for compatibility). The owner can do what he wants with that information. That leaves in place the ability to do pay-per-click and keep ad revenue without compromising privacy or being invasive. A client however, should be able to submit personal information with confidence it won't be given or resold to any other entity. A form should be required to state clearly what will happen with the information submitted. More detailed tracking, such as browser history beyond referrer, ip address and other detailed information about the client should not be allowed to leave the website that creates that data. Any data outside of a user's account should age out of existence in a reasonable amount of time (say, 1 week). Inside an account, it would be nice if the user could clear (most of or sections of) their tracks or set their track-length and opt-in to data sharing with sites they choose. I'd like to see the practice of reselling leads go away.

For example, I like that I can go to Amazon.com and see items or songs related to other ones I've been viewing. However, I don't want to start getting emails from another company just because I happened to view their product on Amazon. My Amazon history should be confidential to Amazon. In a similar fashion, I shouldn't be getting advertisements from Google based on a different website I visited last week. So, there should be limits on what's allowed to be done with data about me and how far it's allowed to propagate from where it was generated.

Lastly, enforceability has to be considered. Laws provide a working set of guidelines for how an honest company will do business, and hopefully a way for the public to deal with violations of that law. However, only the honest companies will abide by laws. Governments do not always abide by laws. Criminals do not abide by laws. In other words, people will still be tracked by the ones they are trying to avoid, regardless of law. Ultimately, user privacy comes down to the user. People have to understand there is no data anywhere that they are not responsible for having provided at some point in time - if not explicitly, then just by existing. You cannot walk through mud without leaving your track. Just as a footprint is a requirement of stepping in the dirt due to physics, leaving your IP address at a website is a requirement of the protocol needed to communicate with that website. Because we live in the physical world, we leave our mark. The on-line world operates the same way.

Companies do what works. They research which methods earn them the most, and invest in those. If you don't like a targeted on-line ad, don't click on it. If you want the product but don't like the ad, purchase it through a different method - direct on their site, in a store, or call them. But as long as people respond in ways that make tracking profitable, it will continue to happen. If you don't like being tracked, there are legitimate ways to be anonymous. It's much simpler to choose where to leave your tracks and what tracks you want to leave, then to pay more taxes and expect the legal system to vainly attempt to clean up as we wantonly romp around the planet.


Post a Comment

<< Home