Event Summary
By announcing a beta version of several privacy and cookie management
features, Microsoft responded to recent news stories against online advertisers
and other parties who obtain aggregate data through clickstream technologies.
In Microsoft's new browser privacy model, before reporting through any
cookie, Microsoft's browser will tell the user what type of cookie it is. It
can also be customized to request further permission before proceeding
with the website's cookie request. Figure 1, taken from Microsoft's press
information, shows what a typical cookie warning would look like. What
makes these features different from the cookie management features in
previous versions of Microsoft's and Netscape's browsers is that they
give the surfer more information when a cookie is reported, and
allow a finer level of control for blocking cookies.
Figure 1.

Consumer advocates say that though this is a technical improvement regarding use
of demographic and personal information derived from Internet activities,
it does nothing to prevent the misuse of prior clickstream data obtained
without permission.

Users can expect to have access to the new privacy enhanced Internet Explorer
5.5 following feedback from 2,000 beta testers. The 5.5 release is expected
in mid-August.

Market Impact
The story starts with a big company making a nasty PR mistake. Some months
ago DoubleClick purchased Abacus Direct, a company engaged in off-line
marketing. Abacus had huge databases of personally identifying information
about people who shopped through catalogs and other Abacus customers.
This created the possibility that DoubleClick could put these personally
identifying data together with the data it collects about individuals
- whom it cannot identify - by serving ads. Indeed, DoubleClick intended
to do this, through an opt-out model; that is, surfers would have to refuse
to allow their personal information to be correlated with their cookie
data. (See "DoubleClick Takes Bath, Throws in Towel").

Unfortunately, DoubleClick did a poor job of explaining its model and of making sure
that surfers were clearly notified about the opt-out possibilities. The
result was a major news story that culminated with DoubleClick doing a
public mea culpa and significantly strengthening its privacy
policies. Among these policies is an explicit promise never to sell any
data to a third party.

With the public still sensitive to that issue, and to the recent reports that
failed dot-com ToySmart wanted to sell the data it had collected, Microsoft's
announcement makes a good deal of sense. It will probably be followed
(or one-upped) by Netscape when it is ready to announce the next release
of its own browser.

It is important to note that Microsoft is in no way opposed to the use of
cookies. Far from it; cookies are important to Microsoft for its own advertising,
for gaining information about the visitors to its own websites, and as
a feature of its web servers and commerce servers. Microsoft, like most
other software companies, has come to understand that if users feel comfortable
about the use of cookies they will ignore them. Indeed, one recent study
suggests that even now only about 3% of users bother to turn off cookies
in their browsers. Microsoft's Director of Corporate Privacy, Richard
Purcell, is working to help craft better standards and regulations about
Internet privacy. However, Purcell states that "Cookie management alone
is not the answer to consumer privacy." In supporting consumer privacy
empowerment, Microsoft said that the new cookie agents will include technology
based on P3P, an acronym for Platform for Privacy Preferences. P3P is
a standard developed under the auspices of the World Wide Web Consortium.
It specifies a machine-readable language with which websites can encode
their privacy policies. This will enable browsers to automatically steer
surfers away from sites whose policies do not match the surfer's level
of comfort. P3P does not in itself say anything about the kinds of policies
sites should adopt.
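
To make the idea of a machine-readable policy concrete, here is an added example (not from the original article and not Microsoft's code) that parses a P3P compact policy of the kind a site can send in a P3P response header and compares it with a surfer's preferences. The compact-policy form and token names follow the W3C P3P 1.0 specification, which goes beyond what the article covers; the preference model, function names and sample headers are hypothetical.

```javascript
// P3P 1.0 compact-policy tokens for purposes and recipients.
const PURPOSES = new Set(["CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
                          "IVA", "IVD", "CON", "HIS", "TEL", "OTP"]);
const RECIPIENTS = new Set(["OUR", "DEL", "SAM", "UNR", "PUB", "OTR"]);

// Parse a header value such as: CP="NOI DSP COR CUR OUR"
// Returns null when the site declares no compact policy.
function parseCompactPolicy(headerValue) {
  const m = /CP\s*=\s*"([^"]*)"/.exec(headerValue || "");
  if (!m) return null;
  const policy = { purposes: [], recipients: [], other: [] };
  for (const raw of m[1].split(/\s+/).filter(Boolean)) {
    // Optional suffix: a = always, i = opt-in, o = opt-out (default: always).
    const t = /^([A-Z]{3})([aio])?$/.exec(raw);
    const consent = { a: "always", i: "opt-in", o: "opt-out" }[(t && t[2]) || "a"];
    if (t && PURPOSES.has(t[1])) policy.purposes.push({ token: t[1], consent });
    else if (t && RECIPIENTS.has(t[1])) policy.recipients.push({ token: t[1], consent });
    else policy.other.push(raw); // access, retention, category and unknown tokens
  }
  return policy;
}

// Hypothetical preference model: `unwanted` lists tokens the surfer objects to.
// The policy is the site's own declaration; the browser cannot verify it.
function decide(headerValue, prefs) {
  const policy = parseCompactPolicy(headerValue);
  if (!policy) return { action: prefs.noPolicy, reasons: ["no compact policy"] };
  let action = "accept";
  const reasons = [];
  for (const { token, consent } of [...policy.purposes, ...policy.recipients]) {
    if (!prefs.unwanted.includes(token) || consent === "opt-in") continue;
    reasons.push(`${token} (${consent})`);
    if (consent === "always") action = "block";      // no way to refuse
    else if (action !== "block") action = "prompt";  // opt-out: ask the surfer
  }
  return { action, reasons };
}

// Constructed sample: objects to telemarketing, contact, unrelated and public recipients.
const PREFS = { unwanted: ["TEL", "CON", "UNR", "PUB"], noPolicy: "prompt" };
const SAMPLES = ['CP="NOI DSP COR CUR ADM OUR STP"',  // constructed headers
                 'CP="NOI CUR CONo OUR UNRi"',
                 'CP="CUR TEL UNR"'];
for (const h of SAMPLES) console.log(h, "->", decide(h, PREFS).action);
```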

User Recommendations
Advertising is what makes the Internet as free as it is. Most users and
privacy advocates understand this. Different individuals and groups do
have differing perceptions about how much data it should be possible to
collect, and how trusting consumers should be. These are issues that will
be worked out by consumer advocates, industry groups and lawmakers.

The lesson for a website operator is a simple one. Have a clear privacy statement
that explains what kinds of data you collect and how you intend to use
it. Make sure that you reference any partners who might use your data
in raw or aggregated form, and that their privacy policies are equally
clear. An opt-in policy clearly provides more protection to surfers than
an opt-out policy; just as clearly it can have the effect of scaring users
for no good reason. As Microsoft itself notes, cookies offer many advantages
to surfers if they are not misused.

Surfers should know that they can block cookies in their browsers even now. There
are also software packages that can block ads from appearing on web pages.
For the truly paranoid, security engineers do have the ability to block
Internet ads from their users. On an agency-by-agency basis, engineers
can block ad servers from DNS zone maps, or firewall off TCP port 7, which
some agencies use to deliver ads to surfers. However, except for some
security-conscious companies that do not allow any cookie dropping, and
a small percentage of surfers who have their own firewalls and know how
to use them, we can't imagine such drastic actions being taken in large
numbers.