Saturday, November 24, 2007

Online Behavioral Profiling

In preparation for an appearance on KFNX (Phoenix) radio's Tech Talk show with Tom D'Auria, I did my homework and researched the topic. Here are my notes. I am sure there is more here than we will be able to cover in the time available on the program.

1 - What is behavioral profiling?

Behavioral profiling is the practice of drawing conclusions about or categorizing someone based on a limited set of behaviors. Behavioral targeting is the related practice of categorizing people or segmenting a market to provide them with advertising and sales messages designed to appeal to or work with the group they belong to.

For example, if a policeman, or anyone for that matter, sees a car swerving down the road, they may think that the driver is drunk. We speak of someone who is shifty-eyed as being not trustworthy. In the old cowboy movies the bad guys wore black hats. These are all examples of behavioral profiling.

The bride and baby magazines somehow know when weddings and birthdays are expected in everybody's family, and they send targeted promotional materials to the engaged women and the expectant mothers. These are examples of behavioral targeting.

2 - What's wrong with that?

The Federal Trade Commission held a Town-Hall meeting on November 1 & 2nd in Washington, DC on Behavioral Profiling and the Internet. There were a lot of interesting presentations, and I encourage anyone who is concerned about this issue to go to the FTC web site and watch the recordings of the meeting.

One of the big problems is that people do not understand what behavioral profiling and behavioral targeting are. Therefore people may consent to having companies, governments and other organizations collect information about them and track their activities on the Internet, but it is not informed consent.

It turns out that nobody reads privacy policies and End-User License Agreements, except lawyers when they are being paid to read them. Everybody else just clicks through them on the web to get to the content they want.

The problem boils down to this. Organizations online and in the real world are covertly spying on you.

3 - Why would organizations be spying on you? What do they hope to learn?

They are doing it, they say, in order to do a better job serving you. Other motivations include making money, avoiding losses, beating the competition, and making more money.

Governments are interested in identifying criminal behavior and avoiding terrorist plots.

The good news in this is that there is not a lot to learn from spying on most of us. The state of the art is such that there is a) an enormous amount of data being generated constantly and b) there are serious limitations to the data. The volume of data involved limits what can be done with it. You cannot drink from a fire hose. And as all of us who have designed and implemented systems know, garbage in, garbage out.

4 - What kind of data are we talking about? What is being collected?

This gets into the nuts and bolts. Some of the data is very good. has a good handle on you and what you do on their web site. You have a username and password that you use to sign in to make a purchase. And they use ¨1st party cookies¨ to capture information about what you are searching for how you navigate around their website. This lets Amazon and sites like MySpace, present pretty well targeted recommendations and information to you.

But when you go from site to site, there is currently no reliable mechanism for tracking you. What happens is that you collect 3rd-party cookies from various advertising networks that provide ads to most major web sites. Double-Click, and other such ad networks pay your content publishers to carry the ads. The 3rd-party cookies tell Double-Click where else on their ad network your browser has visited, and that helps them know what ad to serve you. Unlike Amazon, they do not know who you are, where you live, what you buy and other valuable information. If you use a different computer, Double-Click doesn't know its you and not somebody else. When you erase your cookies, you become once again a blank slate to Double-Click.

Google is in the process of buying Double-Click. Google has been coining money by putting targeted ads all over the internet. So far, Google has targeted ads based on the content of the pages showing the ads, not based on the behavior of web surfers. So this marks a worrisome development for privacy experts given the size and strength of Google, and the FTC is reviewing the proposed transaction.

5 - What about Internet Service Providers?

Internet Service Providers are in a position to collect data about everything that each of their subscribers does online, and marry that with names, addresses, credit cards, etc. Your ISP knows all and sees all. You may not want them sharing that information with advertisers and the law.

Yahoo! has been strongly criticized because it complied with a lawful request by the Chinese government for emails written by a dissident in China on his Yahoo! email account. The government jailed the dissident based on emails that Yahoo! turned over.

Interestingly enough, while AOL no longer regards itself as an ISP, for years it was in the unique position of knowing almost everything about almost everyone online. They used that information to sell ads and target ads to their subscribers. Arguably, that model that failed to sustain AOL.

But now there are new companies springing up like Adzilla that are setting up alliances with ISPs to get access to all the information about each of their subscribers. Adzilla got $10m in venture capital this past August, and their web site says they currently have alliances with 8 ISPs.

How this kind of activity does not run afoul of laws against wiretapping is still an open question. Their position is that it´s not wiretapping if no human beings are involved; if there are only machines listening and serving ads based on pre-programmed heuristics. It's no different from a spam filter or anti-virus program that scans everything coming and going.

6 - Who are the bad guys in the behavioral profiling space and what are they doing?

It is not easy to say exactly who they are. There are many layers involved. Content and advertising on a given website may come from many different places. Advertising, especially, may come from other places. There are a lot of intermediaries that buy, sell, aggregate, serve and track online ads. They may be doing behavioral profiling, even if the site displaying the ads does not.

That makes it very difficult to identify who's responsible when something bad happens. But we can say what they are doing or not doing as the case may be. We can profile the bad guys.
There are more than a few bad apples among advertisers:
Scammers, people selling get rich quick schemes, quick weight-loss programs, instant credit, and so forth have found the online world to be a fertile place to practice their trade. If something sounds to good to be true, it probably is. That goes double online.

Online fraud can happen when a product or service you buy does not do what it was advertised to do.

Hackers can embed malicious code in advertisements and on sites that ads might take you to. They could steal your usernames and passwords, credit card numbers and bank information if you are not careful. They could erase your hard drive.

And these bad guys can be almost anywhere in the world, beyond the reach of authorities in this country.

Intermediaries go bad when they pay lip-service to privacy and security but then fail to live up to their own policies and market expectations. There is an interesting case where a firm called Gator several years ago had an form filling browser plugin that people downloaded under false pretenses. The application was sending transactions data back to Gator for profiling purposes. Spyware protection programs were programed to delete the Gator app. Gator sued them.

In the end, Gator reformed its ways and survived. Gator changed its name to Claria and now it is one of the more respected names in online advertising.

Trouble happens when intermediaries do not do a good job knowing their customers and vetting the ads they run. That is how the scammers and the hackers get access to legitimate web sites.

Web sites are also known as content publishers. They have more at stake and they can get away with less than the intermediaries. They are more likely to be blamed if something bad happens, whether it is their fault or not. But shame on them if they do not take reasonable precautions to prevent bad things from happening.

For example, banner ads containing malicious code that infects users' machines if they are not properly patched have appeared on, and other mainstream web sites. It wasn't their malicious code, but they should have made sure that the ads they displayed were properly screened.

Many mainstream websites are profiling their users' behavior and selling that information to advertisers. The least they should do is let their users opt-out of such profiling.

Advertising on social networking sites is a new frontier for behavioral profiling. MySpace recently opened its doors to targeted ads where MySpace will keep its data under wraps but sell access to various demographic and behavioral populations. So, MySpace or their agents will say to advertisers, if you advertise on MySpace, we can target your ads to girls taking drivers-ed classes or boys with severe acne. They claim that they will be careful not to let objectionable ads reach our kids. But how do they know what is objectionable?

7 - What is the upside or what are the benefits to consumers of behavioral profiling?

Marketers claim that behavioral profiling allows them to present fewer, more relevant ads to consumers. But that is not sound economic reasoning. If the marginal return from advertising expenditures rises, advertising expenditures will rise. Additionally, if advertising becomes more effective, more companies will engage in it, meaning that consumers will see more advertising, not less. Online advertising is growing at the rate of 20% per year. That means a lot more ads, not fewer.

The principal benefit to consumers is that advertising allows them access to almost all the content on the web for free. It is estimated that advertisers will spend $40 b online this year and that number is growing at a rate of 20% per year. which is owned by Microsoft started as a subscription news and opinion service. It failed to attract enough subscribers to make a profit. It switched to a free, ad-supported site and it is now making money.

One of Rupert Murdoch's first steps after acquiring the Wall Street Journal was to change it's online content from a subscription model to a free, ad-supported model.

One commentator has said that the success of the internet in the market boils down to people's perceptions that, "It's all about me, and its all free."

8 - How can we protect our privacy and still enjoy free stuff?

We all can´t. Some of us can. But like Television, if everybody records shows and skips the commercials, the TV networks will die. So for now, some of us like you and me can block ads in our browsers and erase our cookies after every session. That will keep us safe, allow us to travel incognito, and still enjoy the convenience and content of the internet.

9 - What does the future hold?

In the future, there will be more information collected about people. Organizations will know much more about you and me. And there will be additional avenues for these organizations to reach out and touch you.

RFID tags will be embedded in everything we own. And tag readers will be everywhere we go, so not only will they know where we are at all times, they will know what we are wearing, everything that is in our handbags.

When you walk into a store, they will address you by name, and they will know your size and your likes and dislikes. As you drive down the street, a billboard may show you a message specifically for you. Your cell phone might ring to tell you that you missed your morning coffee and there are 4 Starbucks shops in the next block.

10 - Where can people find out more about this subject?

  1. FTC Town Hall Meeting: eHavioral Advertising
  2. Center for Digital Democracy
  3. Electronic Privacy Information Center

1 comment:

Paradise5000 said...

It seems that there is no way around this. I have spyware detector software to eliminate having my personal info falling into the wrong hands. But if big brother on the internet is trying to keep and eye out for the bad guys, is not much we can do. I personally do not have anything to hide, but I sure will like keep scam artist at bay.