Microsoft Hopes to Win Over Consumer Privacy Advocates

Event Summary

By announcing a beta version of several privacy and cookie management features, Microsoft responded to recent news stories critical of online advertisers and other parties who obtain aggregate data through clickstream technologies. In Microsoft's new browser privacy model, before reporting through any cookie, Microsoft's browser will tell the user what type of cookie is involved. The browser can also be customized to request further permission before proceeding with the website's cookie request. Figure 1, taken from Microsoft's press information, shows what a typical cookie warning would look like. What makes these features different from the cookie management features in previous versions of Microsoft's and Netscape's browsers is that they give the surfer more information when a cookie is reported, and allow a finer level of control for blocking cookies.

Figure 1.

Consumer advocates say that though this is a technical improvement regarding use of demographic and personal information derived from Internet activities, it does nothing to prevent the misuse of prior clickstream data obtained without permission.

Users can expect to have access to the new privacy-enhanced Internet Explorer 5.5 following feedback from 2,000 beta testers. The 5.5 release is expected in mid-August.

Market Impact

The story starts with a big company making a nasty PR mistake. Some months ago DoubleClick purchased Abacus Direct, a company engaged in off-line marketing. Abacus had huge databases of personally identifying information about people who shopped through catalogs and other Abacus customers. This created the possibility that DoubleClick could put these personally identifying data together with the data it collects about individuals - who it cannot identify - by serving ads. Indeed, DoubleClick intended to do this, through an opt-out model; that is, surfers would have to refuse to allow their personal information to be correlated with their cookie data. (See "DoubleClick Takes Bath, Throws in Towel").

Unfortunately, DoubleClick did a poor job of explaining its model and of making sure that surfers were clearly notified about the opt-out possibilities. The result was a major news story that culminated with DoubleClick doing a public mea culpa and significantly strengthening its privacy policies. Among these policies is an explicit promise never to sell any data to a third party.

With the public still sensitive to that issue, and to the recent reports that failed dot-com ToySmart wanted to sell the data it had collected, Microsoft's announcement makes a good deal of sense. It will probably be followed (or one-upped) by Netscape when it is ready to announce the next release of its own browser.

It is important to note that Microsoft is in no way opposed to the use of cookies. Far from it; cookies are important to Microsoft for its own advertising, for gaining information about the visitors to its own websites, and as a feature of its web servers and commerce servers. Microsoft, like most other software companies, has come to understand that if users feel comfortable about the use of cookies they will ignore them. Indeed, one recent study suggests that even now only about 3% of users bother to turn off cookies in their browsers. Microsoft's Director of Corporate Privacy, Richard Purcell, is working to help craft better standards and regulations about Internet privacy. However, Purcell states that "Cookie management alone is not the answer to consumer privacy." In supporting consumer privacy empowerment, Microsoft said that the new cookie agents will include technology based on P3P, an acronym for Platform for Privacy Preferences. P3P is a standard developed under the auspices of the World Wide Web Consortium. It specifies a machine-readable language with which websites can encode their privacy policies. This will enable browsers to automatically steer surfers away from sites whose policies do not match the surfer's level of comfort. P3P does not in itself say anything about the kinds of policies sites should adopt.

User Recommendations

Advertising is what makes the Internet as free as it is. Most users and privacy advocates understand this. Different individuals and groups do have differing perceptions about how much data it should be possible to collect, and how trusting consumers should be. These are issues that will be worked out by consumer advocates, industry groups and lawmakers.

The lesson for a website operator is a simple one. Have a clear privacy statement that explains what kinds of data you collect and how you intend to use it. Make sure that you reference any partners who might use your data in raw or aggregated form, and that their privacy policies are equally clear. An opt-in policy clearly provides more protection to surfers than an opt-out policy; just as clearly it can have the effect of scaring users for no good reason. As Microsoft itself notes, cookies offer many advantages to surfers if they are not misused.

Surfers should know that they can block cookies in their browsers even now. There are also software packages that can block ads from appearing on web pages. For the truly paranoid, security engineers do have the ability to block Internet ads from their users. On an agency-by-agency basis, engineers can block ad servers from DNS zone maps, or firewall off TCP port 7, which some agencies use to deliver ads to surfers. However, except for some security-conscious companies that do not allow any cookie dropping, and a small percentage of surfers who have their own firewalls and know how to use them, we can't imagine such drastic actions being taken in large numbers.
