Tuesday, 15 April 2008
Posted by Dave
Traditionally, a complicated web of session tracking and cookies is responsible for targeting you with supposedly relevant online ads. It will take only a moment surfing online to realise this approach is anything but effective - irrelevant ads appear regardless. Highly targeted and relevant delivery is however the next holy grail of online advertising, especially when advertisers are paying by the display and not by the clickthrough, or when the dictated Cost Per Acquisition figure (i.e. the amount of money it has been calculated must be spent for a user/consumer to reach a defined goal, like book a test drive) is high or linked to a high value product or service.
The only way you can deliver such highly targeted and relevant content is by having sufficient individual data capable of slotting a specific user into an equally highly granular profile, and the only way you can do that is by taking their surfing data from them... and herein lies the snag.
I expect you've all heard of Phorm. They're the company that has essentially developed the technology that allows the profiling of users by collecting their surfing data direct from their ISPs, munging it, and making it available to their online ad delivery platform. Now, it should be pointed out that according to the blurb, such data is delivered to them from the likes of BT in a totally anonymous fashion... online users really are nothing more than a number, and so everyone should be happy; users get adverts that are relevant to them, and advertisers get more effective ROI, and ISPs get a bit more revenue.
I could at this point talk about the whole privacy implications with regards anonymizing data and the fact its technically unsound or legally dubious or plain bonkers. But I won't, as its been covered to death (and still going strong) in all the mainstream press. Suffice to say, if you're a privacy advocate or other speaking head in the arena, you've probably hit the roof a number of times now.
What I am interested in however is the now increasingly out of date method for indicating optin/optout preference in terms of web delivered services - the humble cookie. For years these innocuous pieces of data have sat on our computers, helping out everything from shopping baskets to session management, from visual personalisation through to reminder notifications; they are _everywhere_.
However, they simply aren't up to the job any longer in terms of optin/optout or other privacy related activities because they're so perishable. I'm not talking about cookie expiration, but rather the fact that through no fault of their own a user can instantly opt back in to any number of services they may have opted out from, by deleting their cookies. In Microsoft Internet Explorer 7 for example, deleting all your web cookies is incredibly easy. There is a big fat "DELETE ALL" button on the popup dialog, and next to it, a link that says "About deleting browsing history"... to the uninitated or those not paying attention, the proximity of that link (and the word "history") next to the button "DELETE ALL" gives no indication that you are going to remove all your cookies too.
For Phorm to claim that users can opt out of their service is therefore a complete joke. Sure, you can set a cooke to say "no thank you", but if you're a regular browser history dumper and hit that "DELETE ALL" button, you're back on Phorm as soon as you like... after all, its your ISP thats made the decision to push your data through Phorm and not you. You've just got a tiny bit of control via a very dodgy switch.
I'd therefore like to see a more robust solution - call it Cookie+. For example, when you install Windows Server 2003, Microsoft Internet Explorer is by default set to "hardened mode". This means that when you come to download a file from a website, you're prompted to add it to your secure zone; if you delete your browser history, that secure zone list remains untouched - I see no reason why there couldn't be a similar sort of approach to Cookie+ whereby you set different types of cookies too... for example a special cookie specifically for opting in or opting out; that would call the Cookie+ dialog, whereas normal session cookies would be handled as they are now.
Either way, something needs to change - Phorm and BT are in a right old mess and the privacy issues around optin/optout are not only enough to make people leave BT, but potentially kill Phorm itself, and since I have no objection to relevant ads, I think a middle ground should be looked at.