Re: UK commissioner has privacy suggestions, and supercookies in use

I agree with David, of course they know what they are paying for.  I did
an experiment on 819 newspapers in all EU countries. The result is
shocking, think collusion on steroids. The countries with the highest
usage of tracking technology on newspaper sites are: Belgium, Cyprus, UK.
This is against a list of privacychoice confirmed trackers.

The results of the eu_newspaper experiment can be downloaded here:
http://www.blaeu.com/uploads/110805_results_EU_newspapers_experiment.pdf

The good news is that tracking can be reduced with a proper risk
management strategy. Whatever new cookie technology will come, when it
exchanges data with a server other than the one the content is served
from, this can be detected and therefore suppressed. The methodology I used
is a combination of regular expressions and opt-out cookies.

A short description of the Tracking Detection System (TDS) approach can be
found here: http://www.blaeu.com/uploads/tds-rules-rdef.html

My hypothesis is that tracking can be detected in real time with Bayesian
markers, analogous to the way spam is being detected. The experiment shows
that the number of links per node is a promising indicator. UK, Spain and
Finland have a very high number of links per node: >3.5 ! Interesting to see
is that UK and Spain have 25%-30% of traffic going to/from confirmed
tracking domains. Finland however only 7%. This is due to the use of local
ad-networks instead of using the well known ad-networks. I saw similar
effects in Latvia and Malta.

Taking into account that tracking takes place both online and offline (i.e.
bricks and walls) and that tracking isn't just taking place in the
advertising sector, my broad definition of tracking is:

``The non-consensual use of technology for the purpose of collecting and
using identifiers that enable systematic monitoring and forecasting of
behavior of prospects and clients in order to maximize customer lifetime
value''

By limiting the working definition to customer lifetime value, the
collection and use of identifiers required by law, necessary for
information security (availability, integrity, confidentiality) or fraud
prevention is still possible. This working definition isn't killing the
OBA business and leaves open whether we get there through self regulatory
agreements or with help of additional laws.

Rob

Aleecia M. McDonald wrote:
> I can corroborate what Ashkan, Chris, et al found from situations a year
> prior. Corporations hire contractors. The contractors get great results
> with LSO tracking, no one thinks to question the methods (the engineers /
> management within the corporation may never have even heard of LSOs,) and
> everyone is happy. Well, until the lawsuits. Surprise!
>
> There are times I have been deeply skeptical when companies claim their
> data gathering practices were due to a "bug" (my favorite: a company
> making this claim when that same "bug" was somehow part of their
> well-documented API. Cough.) But I have also seen earnest people scratching
> their heads trying to figure out things like: how many HTTP cookies do we
> set? What data do we collect? Why? What is this backend database of
> customer data from, or for, and why was it created in the first place?
> LSOs are even more likely to go unnoticed within a company.
>
> This is not to offer excuses for companies that do not know their own data
> practices. Rather the opposite.
>
> 	Aleecia
>
> On Aug 18, 2011, at 4:58 AM, Hannes Tschofenig wrote:
>
>> Hi Richard, Hi David,
>>
>> I also believe that sounds quite reasonable to me.
>>
>> If you consider that many folks use some form of content management
>> framework or blog and I doubt that they really understand what is going
>> on under the hood. You have to know the technology in a fair level of
>> detail to understand what the implications of each and every plugin are
>> (not mentioning that they get updated regularly or even reference
>> JavaScript code hosted on some other site).
>>
>> Once you use certain tools (e.g., analytics tools, and other forms of
>> plugins) it is obviously difficult to switch to turn them off and use
>> something else because you may need a fair amount of time to re-organize
>> your site.
>>
>> Ciao
>> Hannes
>>
>> On Aug 18, 2011, at 2:46 PM, Richard Barnes wrote:
>>
>>> It's not all that implausible that the sites didn't know what was
>>> going on, for some definition of "the sites".  At least a couple of
>>> scenarios come to mind:
>>> 1. Ad company's instructions say "paste this code into your site", and
>>> a developer does it without investigating thoroughly
>>> 2. Management asks developers to implement features that require
>>> tracking (e.g., persistent sign-on), and developers add the required
>>> tracking
>>>
>>>
>>> On Thu, Aug 18, 2011 at 4:07 AM, David Singer <singer@apple.com> wrote:
>>>> the suggestions story: <http://www.bbc.co.uk/news/technology-14557364>
>>>>
>>>> and supercookies:
>>>> <http://www.mercurynews.com/business/ci_18704381?source=rss>
>>>>
>>>> contains the apparently surprising statement;  "Many of the companies
>>>> say they didn't know they were using the new techniques and stopped
>>>> after the researchers contacted them."
>>>> They didn't know what techniques they were using?
>>>>
>>>> David Singer
>>>> Multimedia and Software Standards, Apple Inc.
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>
>
>

Received on Friday, 19 August 2011 08:04:03 UTC
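
Added example, not part of the original message or of the TDS rules it links to: a sketch of the detection idea Rob describes, flagging requests that go to a server other than the one serving the page and matching their hosts against regular-expression rules for confirmed trackers. The rule patterns, host names and request list are constructed, and the two-label site comparison is a simplifying assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed rules standing in for a "confirmed trackers" list.
TRACKER_RULES = [re.compile(p) for p in (
    r"(^|\.)tracker\.example$",
    r"(^|\.)ads\.example$",
)]

def site_of(host):
    """Last two labels of the host name (assumption: a real tool would
    use the Public Suffix List to handle suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyse(page_url, request_urls):
    """Classify the requests observed while loading page_url."""
    first_party = site_of(urlsplit(page_url).hostname)
    total = third_party = tracker = 0
    unlisted = set()
    for url in request_urls:
        host = urlsplit(url).hostname
        if not host:
            continue                      # skip malformed entries
        total += 1
        if site_of(host) == first_party:
            continue                      # same site as the content
        third_party += 1
        if any(rule.search(host) for rule in TRACKER_RULES):
            tracker += 1                  # candidate for suppression
        else:
            unlisted.add(host)            # third party the list does not know
    return {
        "total": total,
        "third_party": third_party,
        "tracker": tracker,
        "tracker_share": tracker / total if total else 0.0,
        "unlisted": sorted(unlisted),
    }

# Constructed capture of one page load.
PAGE = "http://news.example/front"
REQUESTS = [
    "http://news.example/style.css",
    "http://static.news.example/logo.png",
    "http://cdn.tracker.example/pixel.gif?id=abc",
    "http://ads.example/banner.js",
    "http://local-adnet.example/serve?slot=1",
    "http://tracker.example/sync",
]

if __name__ == "__main__":
    print(analyse(PAGE, REQUESTS))
```

The `unlisted` hosts are third parties that no rule covers, which is how a site using local ad networks can show a low confirmed-tracker share while still sending traffic off-site.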