What if it meant someone was tracking all your Internet activities and merging them with other information about you to build a comprehensive profile of your likes and dislikes?
That’s the promise and the price of a fast-expanding advertising practise known as behavioural targeting that categorizes people based on their web-browsing activity and directs relevant ads to them.
Advocates wax lyrical about the potential of behavioural targeting to enhance users’ online experience and — more importantly — generate income for revenue-hungry web operations.
“For the first time in the history of marketing,” declares author Rob Graham in his 2007 book, Fishing From a Barrel, “the ability to reach
individuals based on their needs, interests, desires and sudden urges is within reach of advertisers.”
But Mr. Graham also acknowledges the elephant in behavioural targeting’s room. “In order to learn more about individual consumers, marketers have to resort to ‘spying’,” he writes.
For privacy advocates, that’s one hefty elephant.
“We have already created a commercial surveillance system that far surpasses anything we imagined,” asserts Jeff Chester, executive director of the Washington-based Center for Digital Democracy. And it’s getting more sophisticated, he says. “They’re going to know each and every one of us.
As we live more of our lives online, “we are allowing ourselves to be digitally shadowed in a way that would be the KGB’s and the Gestapo’s biggest fantasies,” Mr. Chester says. “This is about systems that are updated second by second, that learn about us through artificial intelligence.”
Companies like Britain’s Xtract sell off-the-shelf software that allows advertisers and marketers to eavesdrop on social networks and blogs.
“Not only does it analyse what they’re saying and report back to whoever owns the software,” says Mr. Chester, “it also analyses the network of connections people have to identify what the industry calls the key influencers or brand evangelists.”
Those “Acquisition Alphas,” as Xtract calls them, can then be targeted in viral marketing campaigns to help recruit new customers.
Xtract boasts that it analyses millions of customer transactions every hour. Its customers include 50 leading telecom operators, publishing companies, banks, retailers and cellphone manufacturers, it says.
“This is a kind of unstoppable powerful force,” says Mr. Chester. “It’s being allowed to run amok.”
Most of this is happening without people’s knowledge, notes Teresa Scassa, Canada Research Chair in information law at the University of Ottawa. “I’m not sure we’ve ever had the discussion as a society about whether it is actually OK for these incredibly detailed profiles of us to be developed.”
Relatively speaking, behavioural targeting is still in its infancy. But it’s growing up fast. Last year, nearly one in four American advertisers used it, according to Forrester Research. Almost half expect to employ it this year. Similar numbers are unavailable for Canada, but the practice is established here as well.
“Behavioural targeting is really now the business case of a lot of free Internet services,” says Philippa Lawson, who recently resigned as director of the Canadian Internet Policy and Public Interest Clinic (CIPPIC). “They’re getting more and more capable of collecting, analysing and using very detailed information about online users.”
Yahoo has been involved in behavioural targeting for years. AOL now owns a behavioural targeting company called Tacota. Microsoft is considering the idea, while Google — which has long sold “contextual” ads that relate to a page’s content — is still pondering the matter.
Until recently, companies that collect, store and analyse consumer information have had to rely on clickstream data — a record of a user’s clicks while browsing or using other software applications — from a specific website or service.
But in the past year, companies such as NebuAd and Phorm have been marketing deep packet inspection technology to Internet Service Providers (ISPs). The hardware can track all of a user’s traffic to build profiles that go far beyond anything previously possible.
British Telecom has completed trials of Phorm’s technology and has said it will probably proceed with full deployment. Trials of similar NebuAd hardware with ISPs in the United States were temporarily shelved last year after a congressional committee, alarmed at the potential for privacy violations, held hearings.
No Canadian ISPs have admitted to using the technology for behavioural targeting, but NebuAd’s chief executive said last April his company was testing its hardware with a number of undisclosed Canadian ISPs.
That prompted CIPPIC to ask Privacy Commissioner Jennifer Stoddart in July to investigate and develop guidelines for ISP use of deep packet inspection for behavioural targeted marketing.
Unlike individual websites or portals, ISPs can collect data about all user activity, including browsing habits, media streaming consumption, e-mail communications, instant messaging and Skype messaging.
“This capability raises privacy concerns an order of magnitude beyond any prior form of behavioural targeting in the marketplace,” CIPPIC declared.
To protect privacy, companies that mine web traffic say they “anonymize” the data they collect, typically by storing it under a “hash number” assigned to each user. According to CIPPIC, little supplementary data is required to associate information from anonymous databases with identifiable individuals.
With few exceptions, says the University of Victoria’s Colin Bennett, websites we visit will know our IP address. That alone can’t reliably identify individual users, but that’s not really necessary, Mr. Bennett says.
“All you need to know is that this particular type of person, living in this particular area, has been more interested in this kind of product rather than that kind of product.”
Ms. Lawson believes behavioural targeting violates the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private-sector privacy law.
PIPEDA imposes limits on the information companies can collect, limiting them to what’s necessary for stated purposes. They also must obtain consent from affected individuals.
“The industry’s acting as if there are no limits,” says Ms. Lawson. “So that’s the fundamental issue: are there any limits to what advertisers should be able to collect about us?”
The potential involvement of ISPs “raises even more and deeper privacy concerns,” Ms. Lawson says. It would also transgress the age-old principle of “common carriage,” which says those who carry our communications should have nothing to do with its content.
“It’s really important that we don’t allow our carriers to start looking at the content of what they’re carrying,” Ms. Lawson says. “When ISPs start gathering and selling our information for their own commercial gain, I think we’re treading into an area that is dangerous, both for the ISPs and Internet users.”
Ari Schwartz, of the Center for Democracy and Technology in Washington, likens the idea of ISPs collecting user data for third parties to wiretapping.
If a phone company passed details of conversations between two customers to a third party, that would clearly be a wiretap, says Mr. Schwartz. “What’s the difference between that and a web search?” He supports a national “do not track” list, similar to “do not call” lists that restrict telephone marketers.
Ms. Stoddart says she has “huge concerns” about the privacy implications of behavioural targeting.
“Most of us cannot see how this works,” she says. “We don’t really know, as we’re going about our daily business on the web, the extent to which we may be followed and categorized.”
In the U.S., which has no national privacy law, the debate is over whether companies should be required to use an opt-in clause to obtain active consent from consumers before spying on them. As Mr. Chester puts it, “You don’t collect anything from me unless I know what’s going to go on and say yea or nay.”
Support for an opt-in approach gained momentum after a congressional committee held hearings into possible ISP involvement in behavioural targeting trials last summer.
Some American ISPs, including AT&T and Verizon, have already embraced the opt-in model, pledging to refrain from tracking their customers’ web behaviour unless they receive explicit permission to do so. But most web companies and advertisers would far prefer to force users to opt out if they object to behavioural targeting.
That’s not surprising, says Mr. Bennett, because if people have to opt in, fewer will agree to be targeted. That would mean smaller databases for advertisers. “And that means less money for direct marketing, less money for data mining.”
Canada’s privacy law says an opt-out model is appropriate only if sensitive data aren’t involved. That can be a hard line to draw, Mr. Bennett observes.
“You can go to WebMD for very innocuous and non-sensitive reasons. On the other hand, you could be looking for information about all kinds of sensitive health conditions and diseases.”
If there’s any question about the sensitivity of information, Canada’s privacy commission advises companies to assume that opt-in rules apply, “which is not what companies want to hear,” Mr. Bennett says.
Mr. Chester worries about the privacy threat posed by new media consolidation. Within the past two years, Microsoft bought online ad agency aQuantive, Google purchased DoubleClick and Yahoo acquired online ad network Blue Lithium.
“Why do we want a small elite of private National Security Agency-type entities having vast, unaccountable storehouses of data about each and every one of us?” he asks.
In a trend he finds “very, very disturbing,” global advertisers are ramping up their involvement in cognitive neuroscience research in an attempt to make their ads more effective.
“They want to be able to bypass the more rational decision-making processes and work more directly on the emotions,” says Mr. Chester. “They recognize that digital media is very good at this.”
Teens are squarely in the cross hairs, he says. “They’re particularly vulnerable to these sophisticated interactive pitches.” Politicians are beginning to use the technique as well.
However, behavioural targeting could backfire, predicts Valerie Steeves, a University of Ottawa criminologist who focuses on human rights and technology. “Once I know you’re seeking to manipulate me, I’m not going to trust you.”
Marketers assume they can use behavioural targeting to build customer loyalty, she says. “And I think they’re cutting their legs off right from underneath them.”
The solution is just more technology