For better privacy, create countermeasures

This article was originally published on Salon on August 2, 2010.

Our Web browsing habits are under growing surveillance. Can we fight back?


The next time you leave home, are you willing to have someone follow you with a video camera? The idea would be to record every step you take, everything you look at and especially everything you purchase. That information would be available to people you don’t know and whose specific reasons for wanting to see it — apart from wanting to know your habits better so they can sell you things — are considered none of your business.

This is the rough equivalent of what happens when you browse online these days, and not just at shopping sites. Data surveillance by marketers, as the Wall Street Journal is describing in a series of articlesthat started running over the weekend, is one of the online world’s “fastest-growing businesses.”

The main article begins by describing the eerily granular information that online surveillance and marketing companies have learned about Ashley Hayes-Beaty, a 26-year-old woman in Nashville, without her direct knowledge or permission. Then we are told:

In between the Internet user and the advertiser, the Journal identified more than 100 middlemen — tracking companies, data brokers and advertising networks — competing to meet the growing demand for data on individual behavior and interests. The data on Ms. Hayes-Beaty’s film-watching habits, for instance, is being offered to advertisers on BlueKai Inc., one of the new data exchanges.

“It is a sea change in the way the industry works,” says Omar Tawakol, CEO of BlueKai. “Advertisers want to buy access to people, not Web pages.”

The Journal examined the 50 most popular U.S. websites, which account for about 40% of the Web pages viewed by Americans. (The Journal also tested its own site, It then analyzed the tracking files and programs these sites downloaded onto a test computer.

As a group, the top 50 sites placed 3,180 tracking files in total on the Journal’s test computer. Nearly a third of these were innocuous, deployed to remember the password to a favorite site or tally most-popular articles.

But over two-thirds—2,224—were installed by 131 companies, many of which are in the business of tracking Web users to create rich databases of consumer profiles that can be sold.

To be sure, the Journal’s coverage is lurid — more so than necessary to make the point. And the series, at least so far, doesn’t address the disturbingly huge amount of information collection and sales by the shadowy offline industry that combines our credit-card, banking and other information into a gigantic data bazaar over which we have little or no control.

That said, the Journal’s coverage is valuable in at least one respect: It explains just how pervasive the surveillance has become and with what indifference the people doing the surveillance view your privacy.

They will say, with some truth, that it’s all in the interest of creating advertising and services aimed at your interests. Why, then, do they cloak what they do in such opaque ways?

My friend Jeff Jarvis, who leads an unusually public life, says the Journal is telling us nothing we don’t already know. Granted, the fact that websites have put cookies and other user-observation mechanisms on our computers is not news. But do we all know that tracking systems have become not just ubiquitious but also disturbingly interlinked? I pay fairly close attention to this field, and the Journal series has opened my eyes a bit wider; for those who have a vague idea of what’s going on, the stories may well come as a nasty shock.

I’m closer to what another friend, Doc Searls, concludes: This is creepy, and we need to turn it around. Doc, a Fellow at the Harvard Berkman Center for Internet & Society, writes:

There is no demand for tracking by individual customers. All the demand comes from advertisers — or from companies selling to advertisers.

For now.

Here is the difference between an advertiser and an ordinary company just trying to sell stuff to customers: nothing. If a better way to sell stuff comes along — especially if customers like it better than this crap the Journal is reporting on — advertising is in trouble.

Here is the difference between an active customer who wants to buy stuff and a consumer targeted by secretive tracking bullshit: everything.

Two things are going to happen here. One is that we’ll stop putting up with it. The other is that we’ll find better ways for demand and supply to meet — ways that don’t involve tracking or the guesswork called advertising.

Doc is working on a project to create “Vendor Relationship Management,” turning on its head the idea that sellers should manage customers. Rather, he says, we should be the ones in charge.

At best, getting there from where we are will take years. What do we do in the meantime?

It’s encouraging to see that venture funders have “spotted a new market opening and are pumping millions of dollars into privacy-related start-ups,” as the Journal reported last month. What we need, sooner than later, are tools to manage our own privacy.

When I browse I use several extra tools in the browser that help me block unwanted spying. In particular, Firefox has a well-developed add-on ecosystem including BetterPrivacy (for “super-cookies like Adobe’s irritating Flash plug-ins) and NoScript (lets me specify by domain). Whatever browser you use most, you’ll probably be able to find ways to block at least some unwanted behavior. I’m testing Abine‘s tools, which go much further than others (too far, by some accounts), as well.

One thing I don’t do is block cookies from host sites. I don’t mind at all if a website I use regularly — especially a site offering me services at no charge — wants to keep track of what I do there, or ask me to register. These are entirely fair tradeoffs.

What I mind a great deal is when that information becomes cross-referenced with what other sites and services learn about me. What I do at the Journal’s site (which I pay for, making further data collection even more outrageous, in my view) is emphatically not the business of, say,, or vice versa. Yet I have no clear idea if they or third-party data collectors are sharing or cross-referencing, or what they’re doing with the data if they are.

The alleged transparency efforts by data collectors is an illusion of openness. Read the various privacy statements and disclosures, not  just on the sites you’ve visited but the third-party trackers they don’t always tell you about, and if you can decipher it all you’re a lot smarter than the rest of us. It’s obfuscation and plainly designed to be.

A few years ago, when supermarkets started offering frequent-shopper cards that provided discounts in return  for creating shopper databases, some people I knew came up with a clever idea. They met once a month and put their cards into a hat, then drew someone else’s card out of the hat and used it. This clearly violated the spirit of the bargain, and probably the letter, too. But it reflected a wise mistrust of the corporate motives behind the shopping cards, especially because it was not clear what would happen to the data.

I suspect we’ll need to do things like this on the Web, too. Until we have vastly more transparency from the companies collecting, massaging, renting and selling this information, I’ll be inclined to mislead the marketers.