FTC Commissioner J. Thomas Rosch puts the brakes on some of the Do-Not-Track excitement that has been bubbling up in this (wouldn’t you know it) Advertising Age piece.

The concept of do not track has not been endorsed by the commission or, in my judgment, even properly vetted yet. In actuality, in a preliminary staff report issued in December 2010, the FTC proposed a new privacy framework and suggested the implementation of do not track. The commission voted to issue the preliminary FTC staff report for the sole purpose of soliciting public comment on these proposals. Indeed, far from endorsing the staff’s do-not-track proposal, one other commissioner has called it premature.

Do-Not-Track does need more vetting and consideration. Don’t get your hopes up about being free of tracking anytime soon. (Do you even know what “tracking” is?)

If Do-Not-Track goes forward, don’t get your hopes up to be free of tracking either. When you take control of what your browser sends out over the Internet? Then you can rightly anticipate being free of unwanted tracking!

You have to wade through a lot to reach the good news at the end of Time reporter Joel Stein’s article about “data mining”—or at least data collection and use—in the online world. There’s some fog right there: what he calls “data mining” is actually ordinary one-to-one correlation of bits of information, not mining historical data to generate patterns that are predictive of present-day behavior. (See my data mining paper with Jeff Jonas to learn more.) There is some data mining in and among the online advertising industry’s use of the data consumers emit online, of course.

Next, get over Stein’s introductory language about the “vast amount of data that’s being collected both online and off by companies in stealth.” That’s some kind of stealth if a reporter can write a thorough and informative article in Time magazine about it. Does the moon rise “in stealth” if you haven’t gone outside at night and looked at the sky? Perhaps so.

Now take a hard swallow as you read about Senator John Kerry’s (D-Mass.) plans for government regulation of the information economy.

Kerry is about to introduce a bill that would require companies to make sure all the stuff they know about you is secured from hackers and to let you inspect everything they have on you, correct any mistakes and opt out of being tracked. He is doing this because, he argues, “There’s no code of conduct. There’s no standard. There’s nothing that safeguards privacy and establishes rules of the road.”

Securing data from hackers and letting people correct mistakes in data about them are kind of equally opposite things. If you’re going to make data about people available to them, you’re going to create opportunities for other people—it won’t even take hacking skills, really—to impersonate them, gather private data, and scramble data sets.

If Senator Kerry’s argument for government regulation is that there aren’t yet “rules of the road” pointing us off that cliff, I’ll take market regulation. Drivers like you and me are constantly and spontaneously writing the rules through our actions and inactions, clicks and non-clicks, purchases and non-purchases.

There are other quibbles. “Your political donations, home value and address have always been public,” says Stein, “but you used to have to actually go to all these different places — courthouses, libraries, property-tax assessors’ offices — and request documents.”

This is correct insofar as it describes the modern decline in practical obscurity. But your political donations were not public records before the passage of the Federal Election Campaign Act in 1974. That’s when the federal government started subordinating this particular dimension of your privacy to others’ collective values.

But these pesky details can be put aside. The nuggets of wisdom in the article predominate!

“Since targeted ads are so much more effective than nontargeted ones,” Stein writes, “websites can charge much more for them. This is why — compared with the old banners and pop-ups — online ads have become smaller and less invasive, and why websites have been able to provide better content and still be free.”

The Internet is a richer, more congenial place because of ads targeted for relevance.

And the conclusion of the article is a dose of smart, well-placed optimism that contrasts with Senator Kerry’s sloppy FUD.

We’re quickly figuring out how to navigate our trail of data — don’t say anything private on a Facebook wall, keep your secrets out of e-mail, use cash for illicit purchases. The vast majority of it, though, is worthless to us and a pretty good exchange for frequent-flier miles, better search results, a fast system to qualify for credit, finding out if our babysitter has a criminal record and ads we find more useful than annoying. Especially because no human being ever reads your files. As I learned by trying to find out all my data, we’re not all that interesting.

Consumers are learning how to navigate the online environment. They are not menaced or harmed by online tracking. Indeed, commercial tracking is congenial and slightly boring. That’s good news that you rarely hear from media or politicians because good news doesn’t generally sell magazines or legislation.

Progress Snapshot 5.10 from The Progress & Freedom Foundation

A recent telephone poll conducted by professors at Berkeley and the University of Pennsylvania concluded, “Contrary to what many marketers claim, most adult Americans (66%) do not want marketers to tailor advertisements to their interest.” The study’s authors claim that their poll is the “the first nationally representative telephone (wireline and cell phone) survey to explore Americans’ opinions about behavioral targeting by marketers.” They also assert that the poll indicates that “if Americans could vote on behavioral targeting today, they would shut it down.” Advocates of regulating online data collection have trumpeted this poll as evidence consumers demand legislation to protect their privacy. “This research gives the F.T.C. and Congress a political green light to go ahead and enact effective, but reasonable, rules and policies,” declared Jeff Chester, a leading critic of online advertising.

But what is most surprising about this poll is not that 66% of users said they do not want tailored online ads, but that 34% of users said they did! The key, initial question of “whether or not you want the websites you visit to show you ads that are tailored to your interests,” presents no trade-off. The fact that anyusers said “yes” indicates that many users paused to do the rough mental math about the unarticulated trade-off between the benefits of receiving tailored ads and the costs of that tailoring.

The methodology of opinion polls necessarily affects respondents’ mental calculations, rendering polls not just easily manipulated, but inherently unreliable as indicators of real preferences. Every poll reflects the bias of its authors to some degree by the way questions are worded, the order in which they are asked, the sample surveyed, etc. The easiest way to bias the results of a poll is to omit any mention of the trade-offs at issue. This poll simply buried the issue of trade-offs in a heavily loaded follow-up question: After telling respondents that marketers “often use technologies to follow the websites you visit and the content you look at in order to better customize ads,” the interviewer asked whether the respondent would allow advertisers to “follow [them] online in an anonymous way in exchange for free content.” Only 10% of users said they would allow this voluntary exchange.

What does this tell us about whether, and how, government should further regulate online advertising? Precious little: Not only does this poll overstate the costs of targeted advertising, understate its benefits, and ignore the tools available to users to address their privacy concerns but, like any opinion poll, this one tells us more about the psychology of decision-making under the artificial uncertainty of polls than about the choices users would actually make in the real world.

User Uncertainty About Concepts Like “Tailoring” and “Following”

Even the word “tailoring”—though benign compared to other words the study’s authors could have used ( e.g., “track,” “monitor,” “record”)—is so vague as to leave respondents wondering what it really entails. One can only speculate as to what users thought the word meant (since the poll did not ask), but it seems likely that some of these scarier words probably flashed through the minds of respondents in the instant before they answered the question. Indeed, the word “tailoring” conflates both the costs and benefits of personalized advertising in a single, vague word. Given this ambiguity, it’s hardly surprising that most users would say “no”—not just to receiving tailored advertising (66%), but also to receiving tailored discounts (49%) and news (57%). If users had been asked about receiving “relevant” (rather than “tailored”) ads, the responses probably would have turned out somewhat differently—just as an additional 17% of users agreed to receiving tailored “discounts,” whose value to users is more readily apparent: saving money on potential purchases.

The second set of questions asked users whether it “Would be OK… if these ads [discounts/news] were tailored for you based on following what you do on the website you are visiting… [24% said yes] OTHER websites you have visited… [34% said yes] and OFFLINE—for example, in stores? [25% said yes].” Again, the term “follow” was not defined. A third set of questions explained to respondents that marketers “often use technologies to follow the websites you visit and the content you look at in order to better customize ads.” The interviewer then asked whether the respondent would “definitely allow, probably allow, probably NOT allow, or definitely not allow advertisers” to “follow you online in an anonymous way in exchange for free content”—and only 10% of users said yes. Thus, it appears that users are more, not less, hostile to tailored advertising when reminded of the trade-offs involved (35% yes in the first set of questions, 10% yes in the third). What explains this paradox?

The most obvious explanation is that, by the time the respondent got to the critical question about “allowing” tailored advertising, they had heard the word “follow” at least five times: once in each of the three questions about whether tailoring was OK, once in the introduction about how marketers customize ads and once in the question itself—each time increasing uncertainty as to how “tailoring” really works and more than negating any suggestion of “anonymity.” Furthermore, asking users whether something should be “allowed” implies that there are undisclosed reasons why it should not be. This much is simple psychology—obvious to anyone who wanted to craft a poll that would support a particular regulatory agenda.

But behavioral economics research tells us something even more profound about the way our brains work: human beings hate making choices, and loathe uncertainty even more. Indeed, such “mental accounting” or “mental transaction” costs appear to be the primary reason why, after a decade of efforts to develop a micropayments system that can fund online content and services, no such system has emerged—and thus why Internet publishers instead rely primarily on advertising revenues ($23.5 billion in 2008) to fund “free” offerings for consumers. In this case, merely forcing consumers to consider the costs of “tailoring” and being “followed,” and decide whether these things are “OK” or should even be “allowed” strongly tips the scales in favor of the outcome desired by the study’s authors because these considerations and decisions are significant psychological costs in themselves, which likely outweigh the diffuse benefits of tailored advertising, which users simply do not appreciate.

Indeed, the scale tips so strongly that the study suggests that 73% of Americans object to having ads tailored based on “what you do on the website you are visiting.” Would not this objection apply to purely contextual advertising “tailored” to the keywords entered by a user in a search engine or to the keywords that appear on a particular page to which a user has navigated within a site? If so, this study isn’t just about the bogeyman of “behavioral” advertising, but about essentially all online advertising, which is to some degree “tailored.” Indeed, must lawmakers protect us from the tailoring of news (71%) and discounts (62%) within websites? Or, if data collection is the real harm to consumers, what about the fact that hundreds of millions of people happily share far more personal information every day on social networks or using grocery discount cards? Opinion polls simply cannot answer these questions.

The Direct Benefit of Tailored Ads: Relevance

Whatever Americans tell pollsters about “tailored” ads, they also complain about irrelevant ads: A previous poll found that 72% of consumers “find online advertising intrusive and annoying when the products and services being advertised are not relevant to [their] wants and needs” and 85% say that less than 25% of the ads they see while browsing online are relevant to their wants and needs. Real-world experiments confirm that users reveal a clear preference for more relevant advertising. In a 2004 experiment, click-through rates (CTR) for behaviorally targeted ads were between 94% and 225% higher than for contextually targeted ads. A 2009 study found that the difference could be between 670% and 1000% percent, depending on how well-tailored the ads were. In other words, users in the real world were two to eleven times more likely to click on highly-tailored ads. Truly, actions speak louder than words: Users clearly “vote with their clicks” for ads they find relevant—i.e., they vote for “tailoring.”

Further reinforcing this conclusion is the fact that better tailoring increases not only click-through rates but also “conversion rates”—the percentage of users who actually complete the action desired by the advertiser, whether that be making a purchase or signing up for a list. A 2008 experiment found increased conversion rates of 400-900% (2008). This indicates that relevant ads really do help consumers find things they like—and that they like the fruits of tailoring, however they respond when asked about “tailoring” as an abstract concept that conflates costs (“How are they following me?”) and benefits (“What’s in it for me?”).

The Indirect Benefit of Tailored Ads: Free Content & Services

Even less apparent to poll respondents than the direct benefit of tailoring (increased relevance) are the indirect benefits: In particular, greater relevance to the user means more effective communication for the advertiser, and increased ad revenue for most online publishers per ad on their sites. Thus, there exists a clear quid pro quo: in effect, users “pay” for content and services by sharing information about their interests. Even more fundamentally, users “pay” for content by seeing ads. But both quid pro quos are implicit: Users can simply choose not to “pay” by using readily available tools in their browser to blocking ads and/or tracking. In essence, today’s system allows users who don’t like ads—tailored or otherwise—to opt out at little or no cost, much as if they simply decided not to pay for a product they bought at their local grocery store.

This creates a serious dilemma, given that advertising increasingly stands alone as the lifeblood of online content and services. Indeed, ads have long funded the costs of generating content for radio, television, and newspapers (with subscriptions paying only for distribution). The basic reason is simple economics: In competitive markets, prices tend to fall to the marginal cost of production. The Internet has simply borne this theory out in full:

1. Producing the first unit of content (e.g., a news story or video) remains costly, so while the marginal cost of every additional unit is essentially zero,average cost is not.
2. The failure of micropayments online seems to confirm that, no matter how low the technological transaction costs are, the mental transaction costs involved combined with even tiny payments will exceed the perceived value of most content.
3. The world of media scarcity in which consumers could choose from only a few sources of content (e.g., news, entertainment) has given way to a world of staggering media abundance and the choices of users are no longer constrained by the tyranny of physical limitations like distance and printing costs.
4. Because pure information cannot be copyrighted (and fair use allows significant referencing and quotation), very little content is so unique that users cannot find a ready substitute elsewhere if a site (or even cartel of sites) attempted to charge.

These forces have given birth to the world of “Free,” where few (if any) users will pay for something they can get for nothing. While there are a number of ways to fund content and services, advertising is far and away the leading business model for the new economy: Indeed, overall advertising market is expected nearly to double its share of total U.S. ad spending from 8.7% in 2008 ($23.4 billion) to 15.2% ($37.2 billion). But with 44% of advertising revenue going to search engines (which show highly “tailored” ads simply based on search terms), hundreds of thousands of publishers—from the mightiest to the tiniest—rely on $7.6 billion (33% of the total) in “display” ad revenue. Yet this base is tiny: Most websites earn a fraction of the revenue generated by offline ads: roughly $0.60 to $1.10 per thousand impressions (CPM) online versus average CPMs of $4.54 (radio) to $10.25 (broadcast). This unprofitability of online advertising, and the fact that certain kinds of online content (e.g., video and online services) does not provide the textual keywords necessary for basic contextual targeting is driving publishers to ad networks that offer behavioral targeting, which is expected to grow from $525 million in 2007 to $4.4 billion in 2012—when it will represent 25% of all display ad spending.

In short, advertising is indispensable to the future of online media, but it is also currently inadequate to sustain “Free” culture. As Adam Thierer and I warnedearlier this year: “The advocates of regulation pay lip service to the importance of advertising in funding online content and services but don’t seem to understand that this quid pro quo is a fragile one: Tipping the balance, even slightly, could have major consequences for continued online creativity and innovation… Something must give because there is no free lunch.” In 2001, long before Google mattered and before he worked for them, Kent Walker (now Google’s general counsel) put it best in a seminal law review article:

Privacy is both an individual and a social good. Still, the no-free-lunch principle holds true. Legislating privacy comes at a cost: more notices and forms, higher prices, fewer free services, less convenience, and, often, less security. More broadly, if less tangibly, laws regulating privacy chill the creation of beneficial collective goods and erode social values… Such regulation would likely increase both direct and indirect costs to the individual consumer, reduce consumer choice, and inhibit the growing trend of personalization and tailoring of goods and services.

Thus, as Jim Harper and Solveig Singleton concluded in their 2001 paper With a Grain of Salt: What Privacy Surveys Don’t Tell Us:

privacy surveys in particular… suffer from the “talk is cheap” problem. It costs a consumer nothing to express a desire for federal law to protect privacy. But if such law became a reality, it will cost the economy as a whole, and consumers in particular, significant amounts that surveys do not and cannot reveal.

We Need a Behavioral Economics Experiment, Not Just Another Poll

The Berkeley-Penn poll could certainly have done more to present these trade-offs to respondents and less to color their responses by inflating mental transaction costs. But even the most “fair” poll cannot meaningfully simulate the trade-offs inherent in the real world. If we really want to know how muchsubjective value consumers place on a particular aspect of their privacy, we must look to the preferences they reveal in the process of making real choices.

Of course, the best experiment is the one being conducted in the real world every day. No laboratory experiment can ever fully replicate all of the conditions of the real world, but a behavioral economics experiment could tell us more about the revealed preferences of Internet users than any poll. Unlike the real world, an economist could vary certain conditions in a lab experiment to tell us how various changes to current industry practice, user empowerment, or user education might actually affect real consumer choices. At a minimum, any experiment would require the following to inform policymaking about online advertising and privacy.

First, the experiment should vary the mechanisms by which notice is provided to users as to how tailoring works ( e.g., placement, interface, wording) and what those notices actually say.

Second, test subjects must make real choices in real use of the Internet with trade-offs in real money and their own time between either paying for access to a particular site or getting access for free in exchange for receiving tailored ads based on at least the three variables presented as questions in the Berkeley-Penn study: (i) users’ browsing activity on that site; (ii) their browsing activity on other sites; and (iii) offline activity or demographic information.

The second variable is critical because it addresses the value created by behaviorally tailored ads, which could be wiped out by regulation. Search engines are able to sell highly effective advertising based solely on information provided directly to the site (search keywords, which are highly indicative of user interest), and some sites can sell lucrative advertising based on purely contextual targeting because their content contains keywords that advertisers value highly ( e.g., a site for digital camera enthusiasts). But the vast majority of websites, and especially non-commercial websites, would produce little ad revenue if advertisers could only guess at the likely interests of visitors based on the keywords on that site. This, in a nutshell, is why so many sites stand to gain so much from behavioral targeting—particularly in the Internet’s “Long Tail.” To be useful, an experiment must reflect this dynamic.

In the real world, of course, it might be possible for the user to opt-out of tracking without losing access to content because today’s quid pro quo is implicit and most sites operate on a “No Cost Opt-Out” basis for tracking and even seeing ads. But in order to tell us how much consumers really care about tracking, the experiment must place some value on access to content that is supported by free content and services.

Third, the experiment must examine the extent to which user empowerment affects user choice: If some users are uncomfortable with having their browsing activity tracked, is it because they are concerned about all tracking or only tracking of certain sensitive activities, such as researching medical issues or—everyone’s favorite—viewing pornography? How does the availability of privacy management tools change user choices about ad-tailoring? Do Americans really want tailoring banned, or do they just want the ability to exercise easy choice about when they want to participate? How would those choices change when they come at a cost (e.g., seeing more ads) and privacy-sensitive users cannot simply free-ride off the value created by users whodon’t opt-out of targeted advertising (and also don’t block ads)?

Such an experiment would, by its very nature, be imperfect—but far less imperfect than any poll about opinions on privacy. Until a proper experiment is conducted by trained behavioral economists, all we can say with confidence is the following:

1. Users don’t understand exactly how ads are tailored;
2. Users seem to be concerned about “tailoring” or “following” in the abstract;
3. Users are generally unwilling to pay for online content and services; and
4. Better tailoring of ads means more funding for content and services.

There is only one approach that can address all these concerns: educate users about how online advertising works and how they can implement their own privacy preferences, while constantly striving to further empower users to make privacy management easier.

Mediapost has published an interview I gave to Omar Tawakol, founder of the BlueKai registry entitled “User Empowerment, Not Regulation, Is The Answer to Privacy Concerns About Targeted Ads” in which I summarize the arguments Adam Thierer and I have been making since our “Principles to Guide the Debate” piece last September.

We argue for user empowerment over restrictive defaults (like “opt-in”) for data use and collection because, as the Supreme Court held in 2000: “Technology expands the capacity to choose; and it denies the potential of this revolution if we assume the Government is best positioned to make these choices for us.” We promote tools that let users make their own decisions about privacy, not only because those decisions are fundamentally subjective, but because regulatory mandates could stifle the development of online content and commerce.

I also note the parallels between speech controls and privacy regulation, and call for a consistent, principled approach to both:

Since 1997, the Supreme Court has struck down multiple legislative attempts to censor online and offline content [especially the CDA] because there were “less restrictive alternatives” that would not so heavily burden free speech rights. In a 2000 cable-related decision, the Court held that “targeted blocking [by users] is less restrictive than banning, and the Government cannot ban speech if targeted blocking is a feasible and effective means of furthering its compelling interests.” Courts have struck down other federal and state speech controls because parents had the tools to filter their kids’ access to information online, in video games, etc., as described in my PFF colleague Adam Thierer’s ongoing catalog of these tools… Many who oppose industry self-regulation are not really “consumer advocates” because they don’t recognize that consumers have many, competing values. Those regulatory advocates are more interested in their preferred one-size-fits-all mandates than in empowering users to determine their own privacy preferences. Like advocates of censorship, privacy zealots assert great dangers to which citizens are supposedly oblivious but which urgently require government intervention-dismissing arguments to the contrary as either uninformed or irresponsible.

The comments on the interview are equally worth reading.  Jeff Chester, who has made a career out of attacking advertising, quickly posted a comment dismissing, but ignoring, my arguments about consumer welfare as corporate propaganda—just as he did with his comment on the post Adam and I wrote in June about congressional hearings on the issue featuring Chester (and Scott Cleland, the right-wing “Bizarro Chester“).  I’ve had it with Chester’s ad hominem attacks on the motives of those who disagree with him, as I explained in my reply to Chester:

Despite our profound “Conflict of Visions,” I must rush to Mr. Chester’s defense to point out [contrary to the assertion of another commenter who criticized Chester’s motives] that his salary has only reached “six figures” in one of the three years for which Chester’s group, the Center for Digital Democracy, has filed their Form 990 returns with the IRS: $101,500 in 2005, but a mere $97,925 in 2006 and $96,750 in 2007 (including benefits). Given CDD’s declining donations, Chester’s salary has grown from 35% of CDD’s income in 2005 ($288,807) to 56% ($172,852) in 2007. As a result of deficit-spending to maintain Chester’s salary, CDD’s 2007 assets were just half what they were in 2005 ($203,508 / $411,174). These returns are available on guidestar.org. I might take the same approach Chester takes in attempting to dodge our arguments: question his motives and suggest that the hysteria level of his arguments has grown in close correlation with his increased need to boost CDD’s donations, which have sagged even as his salary has remained constant. But unlike Chester and others who suffer from the “Vision of the Anointed,” I am not in the business of—as Thomas Sowell put it—”disdainfully dismissing” arguments contrary to my own “as either uninformed, irresponsible, or motivated by unworthy purposes.” I truly take Chester at his word: I think he genuinely believes the fantastical claims he makes about the evils of “targeted” advertising and that advertising is manipulative, creating what Neo-Marxists would call “false consciousness” (making people think they want things they don’t). I don’t think he’s merely trying to drum up donations (although that may be a happy coincidence of his Chicken-Little-ism). I ask only that Chester grant us the same respect by recognizing that our arguments are deeply rooted in a principled belief that online advertising creates enormous value for consumers, and that better targeting should be celebrated as a way of sustaining media in the 21st century, not an evil conspiracy by a shadowy cabal of advertisers. I take no pleasure in noting that Chester makes more money than I do (assuming his salary has not finally started to decline since 2007 along with the apparent downward trend in CDD’s donations). Moreover, since my market value as a recently-practicing lawyer is probably considerably higher than this, I gave up quite a lot to fight the battle of ideas when I joined The Progress & Freedom Foundation last year. Chester may not agree with my arguments, but for him to dismiss me as a corporate whore is simply laughable. If I really wanted to sell out, I would go back to a law firm at an annual salary greater than the donations his Center for Digital Democracy received in 2007. I would not have chosen a career as a consumer advocate at considerable personal cost if I were not utterly sincere in my convictions. So, please, Jeff, spare us all your sanctimony and engage our arguments on substance. Your dismissal of Omar Tawakol is also grossly unfair, since BlueKai has been an industry leader in empowering users with its consumer preference registry. On substance, I find it equally amusing that Chester has embraced the rhetoric of “consumer empowerment” in support of an agenda that is about just the opposite: making choices for users. Our argument is that we should to do everything we can to empower users to make their own choices about privacy preferences through tools like the BlueKai Registry, Google’s Ad Preference Manager and other more radical innovations. But Chester’s argument is that government should mandate restrictive default settings (e.g., opt-in). This is not empowerment but arrogant presumption: Chester is an elitist not only because he presumes that consumers are as paranoid about “being tracked” as he is, but also because he would impose a default (no tracking) that would destroy the economic value created by targeted advertising. That default has enormous costs for users as an “Industrial Policy for the Internet,” reducing revenues for publishers whose “free” content and services Chester takes for granted, but which benefit Internet users around the world.

The leading trade associations in the online advertising industry have just released their new self-regulatory principles—the first comprehensive self-regulatory principles industry has produced, which track closely with the suggested guidelines released by the FTC in February.

I commend the industry for setting a new standard in transparency, consumer control and data security. These Principles do much to empower Americans to make their own decisions about privacy, but I fear that many critics of so-called “targeted advertising” will never be satisfied, no matter how high industry raises the bar.

These critics have insisted that ordinary users can’t be trusted to make the “right decisions” about privacy and have insisted on imposing restrictive default “opt-in” rules for the online data collection that makes online advertising valuable to websites that rely on ad revenue.  Such pre-emptive privacy regulation would stunt the growth of revenue for the “Free” online content and services we’ve all come to take for granted.  During a time of economic recession, and as traditional media like newspapers struggle to make the transition from print to the Internet, it’s more important than ever that policymakers allow self-regulation to evolve.  Only by doing so can we expect continued innovation and creativity online. We must all remember:  There is no free lunch!

I’ll lead a panel discussion on July 10 on Capitol Hill about “Regulating Online Advertising: What Will it Mean for Consumers, Culture & Journalism?”  Please RSVP here.

What a victory for privacy and personal responsibility is Chris Soghoian’s Targeted Advertising Cookie Opt-Out (or “TACO” – documented and downloadable here). It signals to the 27 ad networks with well-configured opt-out cookies that you don’t want them to track you.

It’s a technical solution that empowers (and places responsibility with) the user to exercise dominion over his or her personal information. No need for law and regulation. No need to go pleading to politicians and bureaucrats for help.

It’s also a little more efficient than my method of controlling tracking, which is to take a glance at cookies as Web sites ask to set them on my computer.

(The answer is usually “no,” but it’s very interesting to see who all wants to get a glance at me when I visit any site. It’s a lot more than just ad networks, btw. I have no idea why people think ad-network tracking is bad and tracking by others is a matter of indifference.)

Now, Chris and I always find something to disagree about, so for good measure I’ll note that I disagree with his goal of switching targeted advertising from opt-out to opt-in.

Cookies are the wrong mechanism for universal opt-out, he correctly notes, and an opt-out HTTP header, were one adopted, would be switched on by default, so the big players won’t go there. “The only way we will get an easy to use, built-into the browser solution,” he concludes, “will be if government regulators get involved. FTC staffers — are you listening?”

Actually, an easy to use, built-into-the-browser solution is right there. In Firefox, it’s Tools > Options > Privacy > uncheck “Accept cookies from sites” or “Accept third-party cookies” (or further define what you want done with cookies). In Internet Explorer, it’s Tools > Internet Options > Privacy > Advanced > select “Override automatic cookie handling” and define what you want done.

A lot of folks think it’s jaw-droppingly difficult to look at cookies as they’re offered. It’s not. It’s easy to give cookies a quick skim as they come in. (Sometimes exercising responsibility for yourself is difficult. Walk it off.)

Now, should everyone do as I do? No. Should everyone do a Chris wants (and be untracked unless they request it)? Also, no.

The default on the street and on the Internet is for information to be available to others. If you don’t like it, you cover up your nakedness with clothes, or you figure out how to block cookies offered by sites you don’t want a relationship with. Kudos to Chris for giving people a cloak to wear, even though he advocates that regulators should tut-tut Web site operators for using their eyes to see.

As noted in the first installment of our “Privacy Solution Series,” we are outlining various user-empowerment or user “self-help” tools that allow Internet users to better protect their privacy online-and especially to defeat tracking for online behavioral advertising purposes. These tools and methods form an important part of a layered approach that we believe offers an effective alternative to government-mandated regulation of online privacy.

In the last installment, we covered the privacy features embedded in Microsoft’s Internet Explorer (IE) 8. This installment explores the privacy features in the Mozilla Foundation’s Firefox 3, both the current 3.0.7 version and the second beta for the next release, 3.5 (NOTE – The name for the next version of Firefox was just changed from 3.1 to 3.5 to reflect the large number of changes, but the beta is still named 3.1 Beta 2). We’ll make it clear which features are new to 3.1/3.5 and those which are shared with 3.0.7. Future installments will cover Google’s Chrome 1.0, Apple’s Safari 4, and some of the more useful privacy plug-ins for browsers . The availability and popularity of privacy plug-ins for Firefox such as AdBlock (which we discussed here), NoScript and Tor significantly augments the privacy management capabilities of Firefox beyond the capability currently baked into the browser.  In evaluating the Web browsers, we examine:

(1) cookie management; (2) private browsing; and (3) other privacy features

History of Firefox

Firefox descends from the very first graphical web browser, NCSA Mosaic. Mosaic was developed at the National Center for Supercomputing Applications in 1992. The co-author of Mosaic, Marc Andreessen, co-founded Netscape Communications and was the lead developer of Netscape Navigator, which was first released in 1994 and based in part on NCSA Mosaic code. In 1998, Netscape publicly released the source code for the latest version of its browser and created the Mozilla Organization to coordinate its development. AOL acquired Netscape Communications later that year, and when AOL scaled back its involvement with the Mozilla Organization in 2003, the Mozilla Foundation was launched to ensure the browser could survive without Netscape or AOL. The Mozilla Foundation released Firefox 1.0 on November 9, 2004. According to Net Applications, Firefox is currently the second-most popular Web browser after Internet Explorer, with 21.72% of the market in Q1 2009.

Cookie Management

To access Firefox’s basic cookie management and privacy settings, open the “Tools” menu, click “Options,” and then click on the “Privacy” tab to display the following options:

Instead of using a slider, as Internet Explorer does, Firefox gives more direct control over cookies. Users can choose to refuse all cookies, refuse all third-party cookies (see the previous post in this series for an explanation of the difference between first-party cookies and third-party cookies), and/or control when cookies expire. The “keep until” box gives three options:

(1) ” they expire” – Cookies determine their own expiration date.

(2) ” I close Firefox” – Cookies are deleted when you close the browser.

(3) ” ask me every time” – Every time a cookie is sent to the user’s computer, the user is asked if they want to “Allow” the cookie (accept it and let the cookie determine its own expiration date), “Allow for Session” (equivalent to the “I close Firefox” setting), or “Deny.” Firefox can also optionally save the user’s preference for all future cookies received from that website. The “Show Details” button allows true power users to view the contents of each cookie before making a decision, as seen here:

By clicking the “Show Cookies” button in the Privacy tab of the Options dialog box, users can view all of the cookies already saved on their computer and delete individual cookies or all cookies at once.

Finally, by clicking the “Exceptions” button in the Privacy tab of the Options dialog box, users can specify which websites are always or never allowed to set cookies.

In addition to having the option of deleting all cookies whenever the browser is closed, users can clear other types of private data when the browser is closed. The following dialog box is displayed when a user clicks on the “Settings” button in the Privacy tab of the Options dialog box.

Private Browsing

Similar to Internet Explorer 8’s “InPrivate Browsing” feature (see the previous post in this series for more information) and Chrome’s Incognito, Firefox 3.5 will include a new “Private Browsing Mode” that protects so-called “over the shoulder” privacy. To enable Private Browsing Mode, select “Private Browsing” from the Tools menu. To disable Private Browsing Mode and reload all tabs that appeared when you enabled Private Browsing Mode, just uncheck the same “Private Browsing” menu item in the Tools menu. There is a hidden way to make Firefox 3.1 Beta 2 always start in Private Browsing Mode and a plan to possibly provide an easier way to do this in the final 3.5 release, but the only obvious use for this would be on public computers (e.g., at a library or coffee shop) where it can’t be guaranteed that each user will close the browser before leaving.

Other Privacy Features

• Master Password – As more and more can be done online and more and more sites require user accounts (and passwords), having all those passwords stored in your web browser can be a security problem unto itself. Firefox allows you to view saved passwords, but it also allows you to protect all of your site-specific saved passwords with a single master password. Your saved passwords cannot be used to automatically log into websites and other individuals with access to your computer cannot view your saved passwords unless the master password is entered. Firefox also has a password quality meter to show you how secure your master password is from cracking attempts.

• Instant Web Site ID – For all websites with an Extended Validation SSL Certificate, this feature displays the website owner’s name to the left of the URL in the address bar. Clicking on the “favicon” on the left side of the address bar displays additional information about the certificate (whether an Extended Validation Certificate or regular SSL certificate) and whether the connection is SSL-encrypted. A second click displays the Page Info dialog box which reports whether you’ve previously visited the website and how many times, whether the website is storing cookies on your computer (which you can view with another click), and if there are saved passwords for the website on your computer (which you can also view with another click). From the Page Info dialog box you can also view all of the media embedded in the webpage, all of the meta tags in the HTML source code for the page, any RSS feeds on the page, and the permissions in effect for the page.

• Optional automatic phishing and malware protection – Two options in the “Security” tab of the Options dialog box, “Tell me if the site I’m visiting is a suspected attack site” and “Tell me if the site I’m visiting is a suspected forgery,” allow Firefox to automatically protect users from malware (attack sites) and phishing scams (forgery sites). When either of these options is enabled, Firefox automatically checks the URL of the page you’re visiting against a list of reported phishing and/or malware sites that it downloads in the background every 30 minutes. If you navigate to a page on one of these lists, Firefox will double-check that the URL is on the list by sending a cookie to google.com, who maintains the lists of identified malware and phishing sites used by Firefox. The anti-phishing site aspect of this feature is equivalent to Internet Explorer’s SmartScreen Filter.

Conclusion

In terms of privacy, what makes Firefox unique compared to the other popular browsers is the extensive number of add-ons (also called “plug-ins” or “extensions”) designed to protect users’ privacy. Google’s Chrome browser does not currently support third-party add-ons but plans to do so in an upcoming release. Microsoft’s Internet Explorer does support extensions, and Microsoft has a website devoted to cataloging those extensions, but offers nothing like the variety and complexity of the add-ons available for Firefox. The two most popular Firefox add-ons (in terms of total downloads; currently second and fourth most popular in terms of weekly downloads) are specifically related to privacy. Adblock Plus (ABP) uses dynamically-updated “subscriptions” to maintain a list of unwanted third-party content and automatically  block that content from being displayed or run by Firefox. ABP can block Flash code, images, external scripts, stylesheets, frames, tracking cookies, webbugs, html elements, text ads, backgrounds, and any class, id, and any other HTML or CSS tag. By default, ABP allows all such elements unless they are blocked by a filter.  NoScript, by contrast, blocks all Java, JavaScript, Flash, and other plugins unless you explicitly allow them on a particular website  either (i) temporarily for your current session (until you close the browser); (ii) or permanently for all future sessions. Thus, with these two add-ons, Firefox offers security-conscious users a much more secure (and thus private) browsing environment than currently available in other browsers. We already covered Adblock Plus in a previous installment of our Privacy Solutions Series. We plan to cover NoScript and other popular Firefox add-ons such as TorButton and FoxyProxy in future installments.

Additional Reading / Links

• Download Firefox 3.1 Beta 2
• New features in Firefox 3.1 Beta 2
• Privacy & Security add-ons for Firefox
• Wikipedia entry on Firefox

By Adam Thierer, Berin Szoka, & Adam Marcus

As noted in the first installment of our “Privacy Solution Series,” we are outlining various user-empowerment or user “self-help” tools that allow Internet users to better protect their privacy online-and especially to defeat tracking for online behavioral advertising purposes.  These tools and methods form an important part of a layered approach that we believe offers an effective alternative to government-mandated regulation of online privacy.

In some of the upcoming installments we will be exploring the privacy controls embedded in the major web browsers consumers use today: Microsoft’s Internet Explorer (IE) 8, the Mozilla Foundation’s Firefox 3, Google’s Chrome 1.0, and Apple’s Safari 4. In evaluating these browsers, we will examine three types of privacy features:

(1) cookie management controls; (2) private browsing; and (3) other privacy features

We will first be focusing on the default features and functions embedded in the browsers. We plan to do subsequent installments on the various downloadable “add-ons” available for browsers, as we already did for AdBlock Plus in the second installment of this series.

In this installment, we’ll be taking a look at the privacy-related features in the most popular browser in use today, Microsoft’s Internet Explorer. Specifically, we’ll be examining the most recent version of the browser, IE 8, Release Candidate 1. We’ll make it clear which features are new to IE 8 and those which are shared with IE 7.

Basic Background

Microsoft’s Internet Explorer browser was launched in 1995 and quickly became America’s most popular web browser, displacing Netscape’s Navigator browser. In recent years, IE has faced new challenges from the Mozilla Foundation’s “Firefox” browser, Apple’s “Safari”, the open source “Opera” browser, and others. (For an excellent history / timeline of web browsers, click here.) Despite these new challenges, IE still commands over 70% of the browser market. Like most other web browsers, Internet Explorer is free. So too are the features we are describing here.

Before we get further in the discussion of privacy controls, it’s important for readers to understand the difference between “first-party” and “third-party” content on webpages. Many webpages today contain a combination of content from many different websites, which enables powerful “Web 2.0” functionality like an interactive Google map displayed along with an address or a “Digg This” link in a blog post. Third-party content can also be used to track users across websites and to serve up advertising. All content loaded from the same domain as is displayed in the Address bar is first-party content. All content loaded from other domains is third-party content. Internet Explorer has a “Privacy Report” function that can show you the source for all the different content elements in the current webpage. To access it, select Webpage Privacy Policy from IE7’s Page menu or IE8’s View menu.

Basic Cookie Management Controls

To access Internet Explorer’s basic cookie management and privacy settings, open the “Tools” menu, click “Internet Options,” and then click on the “Privacy” tab to display the following options:

Users can configure the slider on the upper left-hand side of the window to establish their preferred level of cookie privacy. There are 6 options on the sliding scale from which to choose. Starting from the top of the slider bar:

(1)   ” Block all cookies” — Blocks IE from receiving any new cookies and blocks websites from reading any existing cookies on your computer. (Of course, that would greatly inconvenience users that regularly access websites that require information from the user, such as a Web-based email site that requires users to log in every time they access the website.)

(2)   ” High” — Blocks all cookies from websites that do not have a P3P compact privacy policy or that have a compact privacy policy which specifies that personally-identifiable information is used without your explicit consent. Cookies already on your computer can only be read by the site that created them.

(3)   ” Medium High” — “Blocks third-party cookies that do not have a compact privacy policy,” “Blocks third-party cookies that save information that can be used to contact you without explicit consent,” and “Blocks first-party cookies that save information that can be used to contact you without your implicit consent.”

(4)   ” Medium” — This setting “Blocks third-party cookies that do not have a compact privacy policy,” “Blocks third-party cookies that save information that can be used to contact you without your explicit consent,” and “Restricts first-party cookies that save information that can be used to contact you without your implicit consent.”

(5)   ” Low” — This setting “Blocks third-party cookies that do not have a compact privacy policy” and “Restricts third-party cookies that save information that can be used to contact you without implicit consent.”

(6)   ” Allow all cookies” — This setting allows all cookies from any website.

A P3P compact privacy policy is a machine-readable summary of the full P3P specification, which is a standardized method for explaining a website’s privacy policy. So when IE states that it will “block[] third-party cookies that save information that can be used to contact you without your explicit consent,” it means that the cookie will be blocked unless the site has a P3P compact privacy policy that either indicates that only non-identifiable (NOI) information is collected, or that for every data collection PURPOSE and every type of RECIPIENT that the website shares collected data with, the site’s policy is that the user must opt in (“explicitly consent”) to the practice.

When the slider bar is set anywhere other than the “High” and “Low” levels, users can also click the “Sites” button and then specify different cookie security levels for individual websites. The advantage of this approach is that it lets users create their own personal “white lists” and “black lists” of sites for which they either never want cookies blocked, or for which they always want cookies blocked. This increases the privacy-configurability of the browsing experience. For example, the following screen shows two sites that have been whitelisted and two hypothetical sites that have been blacklisted.

In addition, if the user wishes to manually delete their cookies, web browsing history, form data, personal passwords, or other stored information, they can do so on the “General” tab under the “Browsing History” section. Or, in the new IE 8, they can do so under the new “Safety” drop-down menu (in the Command toolbar) under the first option, “Delete Browser History.” They can also configure IE 8 so that all of this data is deleted each time the browser is closed (essentially converting “persistent cookies” into “session cookies,” concepts Adam Marcus has explained previously). The following screen shows how this user is choosing to delete just their temporary Internet files, cookies, and browsing history. Favorite websites are websites the user has bookmarked.

Using these controls, a particularly privacy-sensitive user who only trusted two or three sites-say, their bank and their employer’s website-could allow cookies for only those sites and block cookies for all other websites. Again, this assumes that they do not mind the potential hassles associated with logging-in to many other sites each time they visit or losing custom preferences that would otherwise be stored in a cookie.

Advanced Cookie Management – “InPrivate Filtering”

Microsoft explains its InPrivate Filtering feature as follows:

Today websites increasingly pull content in from multiple sources, providing tremendous value to consumer and sites alike. Users are often not aware that some content, images, ads and analytics are being provided from third party websites or that these websites have the ability to potentially track their behavior across multiple websites. InPrivate Filtering provides users an added level of control and choice about the information that third party websites can potentially use to track browsing activity.

InPrivate Filtering is off by default and must be enabled on a per-session basis. To use this feature, select InPrivate Filtering from the Safety menu.

In “Automatically Block” mode, InPrivate Filtering will automatically block a site if IE finds that site’s content embedded in more than a user-specified number of other sites (the default is 10) visited by the user.  You can also manually control which sites are blocked, and import and export your list of white/blacklisted sites to share that list with others.

The beta version of IE8 included a subscriptions feature that would have allowed users to automatically receive updated white or blacklists from others-much like the subscription feature in AdBlock Plus that we discussed previously. However, this functionality was removed in the “Release Candidate 1” version of IE8 (released Jan. 26, 2009) for unspecified reasons.  While we recognize that not every beta feature makes it into final releases because of challenges in implementation, we very much hope Microsoft will ultimately add the subscription feature to Internet Explorer 8.  InPrivate Filtering goes a long way in empowering truly privacy-sensitive users to take more granular control over their own privacy, but a subscription feature would allow less sophisticated users to rely on groups or other individuals they trust to help them avoid specific sites according to their concerns about privacy or security.  Indeed, we hope that other browser manufacturers consider incorporating such tools into their browsers.  Perhaps the privacy advocates who currently focus on inventing one-size-fits-all regulatory or legislative solutions could channel their enthusiasm about user privacy into actually developing whitelists and blacklists.

Private Browsing

Another new privacy-related feature in Internet Explorer 8 is called InPrivate Browsing mode (akin to “Incognito” mode in Chrome), which protects so-called “over the shoulder” privacy, although that’s a somewhat misleading term. By not saving any record of your web browsing while InPrivate Browsing mode is turned on, this feature ensures that others with access to your computer will not know what websites you have accessed. Some people like being able to refer to their browser history and don’t want to delete all of their cookies, but want to hide all traces of some of their browsing activities-such as shopping online for a surprise gift, searching for information about a medical condition you don’t want to disclose and, most obviously, enjoying pornography).

When the InPrivate Browsing mode is enabled, none of the varieties of “browsing history” data is saved-but none of your previous history is deleted, either. This comes in handy because, if someone with direct access to your computer is monitoring your browser history to see what you’ve been up to, deleting all of your browsing history would suggest that you’ve been doing something you wanted to hide. But InPrivate Browsing mode allows you to surf anonymously when desired-without making it obvious that you’re doing so. Parents who are concerned about their kids using the InPrivate Browsing mode can use the parental controls in Windows Vista to disable it. But there does not appear to be a way to disable InPrivate Browsing on Windows XP.

Below is a screenshot of the InPrivate Browsing mode-which, again, can be enabled by clicking on the new “Safety” drop-down menu in IE 8 and selecting “InPrivate Browsing.”

While InPrivate Browsing is active, the following takes place:

• New cookies are not stored:
  • All new cookies become “session” cookies
  • Existing cookies can still be read
  • The new DOM storage feature behaves the same way
  • New entries will not be saved to the browsing history
• New temporary Internet files will be deleted when the Private Browsing window is closed
• The following data will not be stored:
  • Form data
  • Passwords
  • Addresses typed into the address bar
  • Queries entered into the search box
  • Visited links

Other Privacy Features

• SmartScreen Filter – Called “Phishing filter” in IE 7, this feature monitors and blocks links to malicious downloads. In IE 8, it also monitors links distributed via email and instant messaging (assuming IE is the default Web browser).
• Cross Site Scripting (XSS) filter – Cross-site scripting attacks allow hackers to “inject” malicious scripts into trusted websites, which can then steal the account credentials of users who access these websites. XSS attacks are dangerous because everything looks fine to users and the attackers can gain almost complete access to users’ computers. The XSS filter in IE constantly scans the data received from websites to determine if there is a likely XSS attack and re-writes the data to neutralize the attack.
• ActiveX Opt-In – By default, ActiveX Opt-In disables most ActiveX controls. When a Web page tries to run an ActiveX control, the following text is displayed in an Information Bar: “This website wants to run the following add-on ‘ABC Control’ from ‘XYZ Publisher.’ If you trust the website and the add-on and want to allow it to run, click here …” The user can then choose whether or not to run the ActiveX control.
• Per-Site ActiveX – If a website tries to access an installed ActiveX control that is not permitted to run on the website, this new feature in IE 8 gives the user the option of blocking the attempt, allowing the ActiveX control for the current site, or to allow all websites to access the ActiveX control.
• Domain Highlighting – The domain name of the site you’re viewing is highlighted in the address bar. By making it clearer to the user which website they’re accessing, this feature serves to protect users against phishing attacks from domain names that look like trusted domain names (e.g., www.paypal.com.hax0r.net, which is not PayPal’s actual website).

Additional Reading / Links

• Download Internet Explorer 8
• IEBlog: IE8 and Privacy
• IEBlog: Privacy Beyond Blocking Cookies: Bringing Awareness to Third-Party Cookies
• Jesse Ruderman’s blog post on new security features in IE 8 – Has links to the first five IEBlog posts about new security features in IE 8.
• Wikipedia entry on Internet Explorer

Jerry Yang’s departure as Yahoo! CEO opens the door to a renewed bid by Microsoft to buy Yahoo!’s search business (or Yahoo! itself).  Such a merger could produce a significantly stronger challenger to Google in the search market.  With this possibility in mind, the WSJ just ran a fascinating history of the “paid search” business—the placement of “contextually targeted” ads next to search engine results based on the search terms that produced those results.

In a nutshell, Microsoft failed to see (back in 1998-2003) the enormous potential of paid search—just as small start-ups (such as Google) were starting to develop the technology and business model that today account for a $12+ billion/year industry, which is  twice the size of the display ad market and which supports a great deal of the online content and services we have all come to take for granted online.  Microsoft first put its toe in the water of paid search with a small-scale partnership with Goto.com in 1999-2000.  But this partnership failed because of internal resistance from the managers of Microsoft’s display-ad program.  In 2000, Google launched Adwords and thus began its transformation from start-up into economic colossus.  By 2002, Microsoft realized that it needed to catchup fast, and approached Goto.com (by then renamed Overture) about a takeover.  But Microsoft ultimately chose in 2003 not to buy the startup because  Bill Gates and Steve Ballmer “balked at Overture’s valuation of $1 billion to $2 billion, arguing that Microsoft could create the same service for less.” 

Microsoft, meanwhile, spent the next 18 months deploying hundreds of programmers to build a search engine and a search-ad service, which it code-named Moonshot. The company launched its search engine in late 2004 and its search-ad system in May 2006.

But Microsoft’s ad system came too late:

Advertisers applauded Moonshot for its technical innovation. But Microsoft had trouble coaxing people to migrate to its search engine from Google; advertisers were unwilling to spend large sums on MSN’s search ads. By building a new system instead of buying Overture, Mr. Mehdi says, “we really delayed our time to market.”

What’s most fascinating about the piece is that it seems to suggest that Microsoft missed its opportunities to get into paid search not because it was “dumb,” “uninnovative” or a “bad” company, but for the same sorts of reasons that big, highly successful and even particularly innovative companies fail.  The reasons companies generally succeed in mastering “adaptive” innovation of the technologies behind their established business models are the very reasons why such great companies struggle to encourage or channel the “disruptive” innovation that renders their core technologies and business models obsolete.  This dynamic was described brilliantly in Harvard Business School professor Clayton Christensen’s classic 1997 book The Innovator’s Dilemma:  When New Technologies Cause Great Firms to Fail.  (Read chapter one here and Tim Lee’s recent discussion of the book here.)  

Whatever one thinks about the debate over whether antitrust intervention is necessary to restrain Google’s growth, I’m sure we’d all applaud the evolution of increased competition in the paid search market through market forces.  Let’s hope that Microsoft—as well as Yahoo!—have carefully studied the vast literature produced by business schools in the wake of Christensen’s book about how big companies can avoid the Innovator’s Dilemma by promoting—and capitalizing on—radical innovation from within.  Indeed, this seems to be precisely what has guided Google’s own strategy as it has grown from “disruptive innovator” to become the very sort of behemoth that cannot easily escape the Dilemma, even if corporate managers are fully aware of the problem on a theoretical level.  If Google can do it, Microsoft should be able to, too.  But let’s also not discount the possibility that, no matter how hard Google’s management might try to retain the innovative culture of a start-up, the giant  can’t do that well enough to prevent its own apparent market dominance from being disrupted by new upstart innovators in search and advertising technologies.  

The head of Google Research talked about some of these possibilities in July 2007 and the Google has recently covered other possibilities.  Here are my own bets—for what little they’re worth—as to what such “disruptors” might be:

• Semantic search and social search – whichever search engine masters these tools will likely dominate the market for search, and thus search advertising.
• Micro-payments to search users for using a search engine and discounts for clicking on ads – something Microsoft has pioneered with its Cashback system but which is probably still only in its infancy.
• Behavioral targeting that can make display ads competitive with search ads by making display ads as relevant to consumers as search ads (or even more so), rather than simply trying to target display ads based on the context of a page—which limits the economic value of the ad “display inventory” that websites try to fill with ads, especially for smaller websites in the Internet’s “long tail” whose subject matter might have little relevance to the keywords for products or services that are more highly valued by advertisers.  
• Technologies that allow contextual targeting of ads in or around videos based on the contents of the video (and associated discussion by viewers in comments). Even the imperfect ability to automatically create transcripts of a video, and then search for keywords, could hugely increased the value of advertising associated with video content.

I suspect we’d all be at least a little surprised if we could see what search engines—and online advertising—really looked like in, say, 2019.  But I won’t be terribly surprised if Google—for all its ingenuity—ends up making some of the same mistakes Microsoft made with Search 1.0 ( c. 1998-2005).

The Progress & Freedom Foundation has just launched the new Center for Internet Freedom.  CIF offers an alternative to the proliferation of advocacy groups calling for government intervention online by offering timely analyses and critiques of proposals that diminish the vital role of free markets, free speech and property rights.  We aim to drive the Internet policy debate in new directions by emphasizing a layered approach of technological innovation, user education, user self-help, industry self-regulation, and the enforcement of existing laws consistent with the First Amendment.  Such an approach is a less restrictive—and generally more effective—alternative to increased regulation.  

Here are some of the issues I’ll be working on as CIF’s Director in conjunction with my esteemed colleagues Adam Thierer, Adam Marcus, and adjunct fellows: 

• Defending online advertising as the lifeblood of online content & services, especially in the “Long Tail”;
• Emphasizing market solutions to problems of privacy protection, especially regarding the use of cookies and packet inspection data;
• Protecting online speech and expression both in the U.S. and abroad;
• Defending Section 230 immunity for Internet intermediaries;
• Opposing online taxation and legal barriers to e-commerce and digital payments, especially at the state and local levels; and
• Ensuring that Internet governance remains transparent and accountable without hampering the evolution of the Internet.

By Berin Szoka & Adam Thierer Progress Snapshot 4.19 (PDF)

Since the fall of 2008, a debate has raged in Washington over “targeted online advertising,” an ominous-sounding shorthand for the customization of Internet ads to match the interests of users.  Not only are these ads more relevant and therefore less annoying to Internet users than untargeted ads, they are more cost-effective to advertisers and more profitable to websites that sell ad space.  While such “smarter” online advertising scares some—prompting comparisons to a corporate “Big Brother” spying on Internet users—it is also expected to fuel the rapid growth of Internet advertising revenues from $21.7 billion in 2007 to $50.3 billion in 2011-an annual growth rate of more than 24%. Since this growing revenue stream ultimately funds the free content and services that Internet users increasingly take for granted, policymakers should think very carefully about what’s really best for consumers before rushing to regulate an industry that has thrived for over a decade under a layered approach that combines technological “self-help” by privacy-wary consumers, consumer education, industry self-regulation, existing state privacy tort laws, and Federal Trade Commission (FTC) enforcement of corporate privacy policies.

In an upcoming PFF Special Report, we will address the many technical, economic, and legal aspects of this complicated policy issue-especially the possibility that regulation may unintentionally thwart market responses to the growing phenomenon of users blocking online ads.

We will also issue a three-part challenge to those who call for regulation of online advertising practices:

1. Identify the harm or market failure that requires government intervention.
2. Prove that there is no less restrictive alternative to regulation.
3. Explain how the benefits of regulation outweigh its costs.

The Online Advertising Market

While there are other forms of targeted advertising based on who you are (“demographic”) or where you are (“locational”), the most important varieties are based on what you’re searching for, seeing or doing online at any particular moment (“contextual”) and the pattern of what you’re searching for, seeing or doing over time (“behavioral”). The bulk of Internet advertising falls into one or both of these last two categories, with behavioral advertising growing rapidly.

Search engines deliver contextual ads on search results pages based on the search keywords entered by a user, while third-party advertising networks (some of which also run search engines) deliver contextual ads on behalf of website operators who sell ad space to the network, with the ads displayed on each page chosen according to keywords on that page. Contextual advertising is far “smarter” than displaying the same “dumb” untargeted banner ads to every user, because the contextual ad uses keywords to “guess” what the user is interested in based on the context of each page. But the purely contextual ad network doesn’t “remember” what the user has looked at in the past, so its insights into what the user would find relevant are very limited, especially for some websites. Online behavioral advertising (OBA) solves this problem and increases the value of advertising space on all websites by targeting ads based on a “profile” of the user created by tracking websites the user has visited—as well as limiting the number of times a user is shown a particular ad.

The Perceived Harm Driving Calls for Regulation

For a decade, the basic technology behind OBA has changed little: When a user visits the typical webpage, they download not only the webpage contents but also a small piece of code that allows the website to distinguish that user’s browser from other browsers (a “cookie”)—without personally identifying the user. Some cookies are required to make sites work properly (“site cookies”) while others (“tracking cookies”) are used by the third party ad network in which that site participates to recognize that browser across multiple sites participating in the ad network, and thus create a “profile” of what the user might be interested in. Even though such profiles themselves are anonymous, many privacy advocates have pointed to four reasons why online profiling is becoming “too invasive:” (i) It is sometimes possible to infer the actual identity of the user; (ii) though all browsers allow users to opt-out of tracking by “cleaning out” their tracking cookies, a website may be able to restore deleted tracking cookies through the use of cookie alternatives such as “Flash cookies”; (iii) certain vulnerabilities in current browser design make it theoretically possible to “sniff” a user’s browsing history, cache or bookmarks; and (iv) the use of “packet inspection” by Internet Service Providers (ISPs) (instead of the use of cookies) to track online browsing amounts to illegal wiretapping.

The other concerns expressed by the advocates of regulation vary significantly. Some fear that browsing profiles could be captured by hackers, somehow associated with personally identifying information, and used for identity theft. These advocates demand limits on data retention as well as data security mandates. Others demand that users have access to their own profiles—a goal inherently in tension with data security. Most share a vague queasiness about “being tracked” and about advertising in general, while downplaying the effectiveness of self-regulation or user self-help.

Perhaps most legitimately, others fear that the real “Big Brother”—the government—will gain access to a “honeypot” of surveillance data that might be associated with individual users. A variety of other solutions have been proposed to what is, for the most part, a poorly defined problem, including a government-run “Do Not Track” registry to make it easier for users to block tracking cookies; mandating opt-in for some or all forms of profiling; and banning completely the collection of tracking data about sensitive subjects, cross-referencing of data sets, and use of packet inspection data for OBA.

The Less Restrictive Means: A Layered Approach

But how should policymakers decide which, if any, of these interventions are really necessary–or would even be effective? Ironically, those who demand immediate OBA regulation to protect user privacy are often the first to insist on less burdensome approaches whenever a policy “problem” involves purely non-commercial speech. For example, emphasizing personal and parental responsibility is often favored as the more sensible approach to dealing with free speech and child protection concerns. But, as Chapman University Law Professor Tom Bell has asked, why not apply the same standard across the board? Why not expect those especially privacy-sensitive users who object to OBA to do something about it? To the extent effective self-help privacy tools exist, they provide a means of solving policy problems that is not only “less restrictive” than government regulation but generally more effective and customizable as well. Why settle for one-size-fits-all solutions of incomplete effectiveness when users can quite easily and effectively manage their own privacy? Indeed, those who advocate personal responsibility and industry self-regulatory approaches to free speech and child protection issues should be advancing the same position with regards to privacy.

Fortunately, a wide variety of self-help tools and “technologies of evasion” are readily available to all users and can easily thwart traditional cookie-based tracking, as well as more sophisticated tracking technologies such as packet inspection. While cookie management tools that allow users to delete their cookies have been standard in browsers for some time, the latest generation of browsers incorporates far more advanced control over what kind of cookies browsers will accept from websites in the first place. Furthermore,  the extensible nature of modern browsers allows any freelance software developer who sees a way to improve a browser to do so by writing an add-on that “plugs in” to the browser using standard programming interfaces designed by each browser developer.  Many such add-ons are wildly popular, but even those users who never install a single one benefit from the acceleration of browser evolution made possible by add-ons.  We will be documenting examples of these tools in our upcoming Special Report and in an ongoing  series of blog essays.

The Benefits of Smarter Advertising

The “free” Internet economy is based on a simple value exchange: Users get access to an ever-expanding collection of content and services at no cost from websites that are able to generate revenue from “eyeballs” on their pages by selling space on their sites to advertisers, usually through ad networks. The smarter that advertising, the more free content and services it can support. This is the same value exchange that has supported free, over-the-air television and radio content for decades. The only difference is technological: Because websites can connect directly with the user, they need not rely on crude profiling tools such as Nielsen ratings.

There are larger economic benefits of smarter online advertising. First, it makes the overall economy more open and competitive by allowing small market entrants to reach consumers with messages about their products. Second, those who attack the use of packet inspection by ISPs for OBA fail to see that it is precisely the kind of “game-changer” that could disrupt Google’s currently dominant market position. Third, the involvement of ISPs in OBA could help defer broadband costs: Even if OBA revenue does not completely subsidize monthly service costs, smarter advertising could at least keep prices in check and potentially lower them significantly going forward.

But smarter advertising isn’t just about selling products or services. It is ultimately about making all kinds of speech more cost-effective. The ability to “target” listeners more narrowly also increases the ability of political and other not-for-profit speakers to communicate their messages. In short, smarter advertising means more voices, more choices, and more speech. The line between “advertising” and “content” is already blurring rapidly, as the technologies used to customize advertising are also used to customize webpages and ad networks themselves are used to deliver content.

The Larger Implications of Potential Regulation

As if reducing the advertising revenue generated by each web ad didn’t do enough to reduce the total amount of funding for free web content and services, government regulation of targeted online advertising could reduce advertising revenues even further by aggravating the problem of adblocking in two ways. First, the less relevant ads are, the more annoying users will find them, and the more likely users are to try to block them. Increased relevance is perhaps the most important remedy for adblocking and the best way to maintain the implicit value exchange that currently supports free Internet content and services

Second, regulation could short-circuit the eternal battle of technological one-upmanship between online advertisers and those users who rely on the technologies of evasion to “opt-out” of seeing ads or being tracked. Such privacy-conscious users are “free-riding” off of those users who don’t opt-out, since (at present) they generally don’t lose access to the free content and services supported by the targeted advertisements that other users do see. The user who blocks tracking, but not ads, is still free-riding off those users who don’t opt-out of tracking. On a large enough scale, such self-help has the potential to disrupt the value exchange of the Internet, just as automatic commercial-skipping has already disrupted the value exchange of television. As with all “Spy v. Spy” battles, this long-term trend is inevitable: As more sophisticated technologies of evasion are incorporated seamlessly into browsers and can be used without significantly degrading the browsing experience, their use will become increasingly mainstream. But ultimately, just as with television commercial-skipping, market forces can and will, if permitted, respond through technological means and the development of new business models. Today’s implicit quid pro quo may become, of necessity, explicit: Websites and ad networks will have to find increasingly creative ways to grant access to certain content and services for users who do not block ads or the tracking that makes ad space more valuable. Policymakers should take care not to ban such technologies or cripple such business models (e.g., through requiring opt-in), which may rely on more sophisticated forms of targeting such as the use of packet inspection data.

As users face an increasingly clear choice between (i) getting content and services for free supported by behavioral advertising and (ii) paying to receive those same services and content without tracking or even without ads altogether, policymakers will finally see whether users are really as bothered by profiling as the advocates of OBA regulation insist. Given the ongoing and widespread replacement of fee- or subscription-supported web business models with ad-supported models, it seems likely that the vast majority of consumers will continue to choose ad-supported models, including profiling.

Conclusion

The questions raised above—about the harm that supposedly requires intervention, the availability of less restrictive means, and the cost/benefit analysis of regulation—are vital considerations for the future of the Internet. Indeed, if smarter online advertising will not fund the Internet’s future, what will? As both the desire for “free” services and content and the need for bandwidth expand, OBA has the potential to offer important new revenue sources that can help support the entire ecosystem of online content creation and service innovation, while also providing a new source of funding for Internet infrastructure and making ads less annoying and more informative. That would certainly seem preferable to increased user fees or other “pay-per-view” pricing models for Internet content and services.

But looming legislative and regulatory action could stop all of that by replacing the current regime—in which the FTC merely enforces industry self-regulatory policies—with one in which the government preemptively dictates how data may be collected and used. The more enlightened approach is a “layered” approach to privacy protection that combines industry self-regulation, enforcement of industry-established privacy policies, consumer education, and user “self-help” solutions. These and other issues will be addressed in greater detail in our upcoming PFF Special Report.

By Berin Szoka & Adam Thierer

As we noted in our intro to this ongoing series, Google’s tenth anniversary has passed with Googlephobia reaching new heights of hysteria.

But is Google really too big and dangerous, or are people just too lazy to find other alternatives to each of the wonderful services that Google offers?  If one is truly paranoid about the firm’s supposed dominance, it doesn’t take much effort to live a Google-free life. To prove it, we set out to find alternatives to each of the services that Google provides.  After awhile, we got a little tired of compiling alternatives in each category and just provided links for the additional choices at your disposal.  It’s tough to see what the fuss is about with the cornucopia of choices at our disposal.  If you don’t like Google, then just don’t use it or any of its services.  The choice is yours.

In each case, we’ve listed Google first, even though Google may not be the market leader ( e.g., Google’s relatively unknown social network Orkut).

Search Engines

• Google
• Microsoft Live Search
• Yahoo!
• Ask.com
• AltaVista
• Cuil
• others: en.wikipedia.org/wiki/List_of_search_engines

eMail

• Google Gmail
• MSN Hotmail
• Apple .Mac/MobileMe
• Yahoo!
• AOL
• others: www.emailaddresses.com/email_web.htm

Encyclopedia

• Knol (Google)
• Wikipedia
• Citizendium
• Microsoft Encarta
• Britannica Online
• World Book Online
• others: www.surfnetkids.com/encyclopedia.htm

Instant Messaging

• Google Talk
• Yahoo Messenger
• Windows Live Messenger (Microsoft)
• AOL AIM
• Jabber
• others: en.wikipedia.org/wiki/Instant_messaging#User_base

Web Browsers

• Chrome (Google)
• Firefox (Mozilla Foundation)
• Internet Explorer (Microsoft)
• Safari (Apple)
• Opera
• Flock
• others: en.wikipedia.org/wiki/List_of_web_browsers

Social Networks

• Orkut (Google) – (not popular in the U.S.)
• Facebook
• Myspace
• Bebo
• LinkedIn
• Friendster
• LiveJournal
• others: en.wikipedia.org/wiki/List_of_Social_network_service

Mapping

• Google Maps
• Microsoft Live Search Maps
• MapQuest
• WikiMapia
• Google Earth
• Virtual Earth (Microsoft)
• others: en.wikipedia.org/wiki/List_of_online_map_services

Mobile Search / Portal Services

• Google mobile
• Yahoo! mobile
• Microsoft Windows mobile & Mobile Live Search
• AOL Mobile

Video Hosting

• YouTube (Google)
• Google Video
• Flickr (Yahoo!)
• Yahoo Video
• Vimeo
• Photobucket
• BlipTV
• others: en.wikipedia.org/wiki/List_of_video_sharing_websites

Photohosting

• Picasa (Google)
• Flickr (Yahoo!)
• Apple .Mac/MobileMe
• Photobucket
• Snapfish
• Shutterfly
• Imageshack
• AOL Pictures
• others: en.wikipedia.org/wiki/Photo_sharing#Online_photo_sharing_websites

Document / Spreadsheet Creation

• Google Docs
• Microsoft Office
• OpenOffice
• ThinkFree Office
• EditGrid
• NumSum
• Zoho Sheet
• Zoho Writer
• ajaxWrite
• Glide Write
• others: www.editgrid.com/user/siulung/Web-based_Spreadsheets_Comparison_Matrix

Online File Storage

• Google Docs
• Windows Live SkyDrive (Microsoft)
• Apple .Mac/MobileMe
• Mozy
• Buzzword (Adobe)
• Xdrive
• Box.net
• others: http://www.listible.com/list/online-file-storage

Blog hosting services

• Blogger (Google)
• Wordpress
• Windows Live Spaces (Microsoft)
• Skyrock (based in France, but bigger than WordPress and almost as big as Blogger)
• LiveJournal
• Note: many social networking services also have a blogging component
• others: http://en.wikipedia.org/wiki/Blog_hosting_service#Developer-hosted

RSS blog feed aggregators

• Google Reader
• My MSN
• My Yahoo!
• NewsGator Online
• Bloglines
• FeedBucket
• others: dmoz.org/Computers/Software/Internet/Clients/WWW/Feed_Readers/Web_Based
• others: www.newsonfeeds.com/faq/aggregators

WebClipping Services

• Google Notebook
• Digg
• Del.icio.us (Yahoo)
• Reddit
• Clipmarks
• Zotero
• WebResearch
• ScrapBook
• Diigo

News Aggregators

• Google News
• Yahoo News
• MSN News & MSNBC (Microsoft)
• News Directory.com
• Reuters
• CNN.com
• Digg
• Topix
• others: news.nettop20.com
• others: newsonfeeds.com/faq/aggregators

Calendar Services

• Google Calendar
• Microsoft Outlook
• Lotus Notes
• Lightning/Sunbird (Mozilla Foundation)
• Apple .Mac/MobileMe
• others: www.calendarzone.com

By Berin Szoka & Adam Thierer as part of an ongoing series

With Google celebrating its 10th anniversary this week, many panicky pundits are using the occasion to claim that Google has become the Great “Satan” of the Internet.  Nick Carr wonders what the future holds for “The OmniGoogle.” The normally level-headed Mike Malone worries that Google is “turning into Big Brother.”  And Washington Post’s Rob Dubbin says that he can’t escape Google’s “tentacles,” even for just 24 hours.  Meanwhile, speculation abounds that the Justice Department is preparing a major antitrust lawsuit against Google concerning its advertising partnership with Yahoo! or perhaps even a broader suit concerning Google’s “dominance” of online advertising generally.

Carr quotes Google co-founder Sergey Brin’s now-famous 2003 interview:

I think people tend to exaggerate Google’s significance in both directions.  Some say Google is God.  Others say Google is Satan.  But if they think Google is too powerful, remember that with search engines, unlike other companies, all it takes is a single click to go to another search engine. People come to Google because they choose to.  We don’t trick them.

In the last five years, Google has become far more than just a search engine.  As Google’s suite of suite of complementary products continues to grow, so too does the specter of Google as an all-knowing and therefore all-powerful economic colossus.  Yet Google isn’t even close to being the sort of nefarious monopolist out to destroy user privacy at every turn, as some seem to imply—if not exclaim.  Indeed, in our view, the Net is overall a far better place because of the existence of Google and the many free services it provides consumers.

Our point is not that Google should be immune from criticism.  Indeed, healthy criticism of corporate actions plays a vital role in the free market by disciplining corporate policies and behavior—often thus providing an effective alternative to government regulation.  This is particularly important in the area of consumer privacy protection, as demonstrated by Google’s quick response to public concern about its Chrome EULA.

We hold no brief for Google and our aim is not to be Google apologists.  In fact, we’ve had more than a few run-ins with Google on many important policy issues in the past ( e.g., on net neutrality, spectrum policy, and the need for “baseline Federal privacy legislation”) and will likely continue to do so in the future.  We are always willing to engage serious, rational discussions about other policy issues involving Google, such as concerns about its alleged market power, but it seems to us that the hysteria about Google’s supposed dominance of the Internet is clouding rational discussion of the policy issues raised by Google, its innovations and its success.  Indeed, the creeping paranoia about all things Google-related that is most evident throughout the blogosphere (but that reaches far beyond it) has produced an environment that resembles nothing so much as a lynch mob:  Angry, short-tempered, out for corporate blood, and unwilling to engage in reasoned discussion.

The specter of Google’s market power driving—and confusing—so many of today’s Internet policy debates is reminiscent of the previous generation of conspiracy theories about how Microsoft, like the Borg (perhaps sci-fi’s scariest villains), would assimilate all in its path—forever controlling the digital revolution.  We don’t want Google to become the victim of the same regulatory & antitrust ordeal that Microsoft has endured over the past decade, with the kind of hysterical claims of Chicken Little-ism that drove a ten-year crusade against Microsoft.  Short-sighted, heavy-handed government intervention can cripple a creative company while doing little to actually benefit consumers because regulators cannot keep pace with technological change—perhaps the only constant fact in the every-changing digital world.

Of course, like all temporal things, Microsoft’s seemingly permanent “monopoly” has faded, and the bulk of the criticism it once faced has shifted focus to Google.  Microsoft continues to be the subject of many unfair attacks because of its success (a/k/a “dominance”) in the OS, office product, and browser markets.  Other companies have experienced similar attacks on a smaller scale:  Facebook and the once-angelic Apple have both been subject to increasing criticism for their success in certain sectors of the digital economy, customer complaints about openness ( e.g., “locked” devices or portability of social networking data) and privacy policies.  The hysteria surrounding Google is not unique in kind, yet it is clear that the mantle of “Great (digital) Satan” has clearly passed from Microsoft to Google.

Thus, we have decided to start a new series of essays on “Googlephobia” (a term that seems to have taken off in the spring of 2005, when the French government seriously proposed creating its own alternative to the Google search engine).  We’ve already penned a few essays on the topic here (as have a number of our TLF colleagues) and, therefore, our next installment in the series will be #5—in which we will outline the many competitors to Google’s many products.

But here are a few of our past essays on the topic, which clearly belong on the list even though they weren’t part of a series at the time:

• Market Forces At Work: The PR Backlash Against Google Chrome’s EULA, by Berin Szoka, September 4, 2008.
• “Cry [Censorship] and Let Slip the Dogs of [Regulation]!” – A Lesson in the Dangers of Googlephobia, by Berin Szoka, July 14, 2008.
• Google, California’s Privacy Policy Law & Our Sci-Fi Future, by Berin Szoka, June 4, 2008
• Is Google Evil? The Never-Ending Search for High-Tech Villainy, by Adam Thierer, June 30, 2005.

And here’s an oldie on the same topic:

• “Google as a Public Utility? No Results in This Search for Monopoly,” by Adam Thierer and Wayne Crews, November 14, 2003.

As we’ve discussed here before, newspapers are struggling. We all know that. The question is what, if anything, will save them? Most pundits tend to point to a two-fold solution: (1) get serious about leveraging the natural local advantages newspapers hold; (2) and find away to do so online as quickly as possible before they lose the bulk of the local online ad market to other competitors. This is why there’s a lot of talk these days about turning traditional papers into “hyper-local” web portals for their communities. Of course, there’s no guarantee that will work, especially in light of changing attitudes about “media localism.”

But let’s assume that that is indeed the best path forward. Will it really save newspapers? As eMarketer reports in today’s newsletter on “Can Local Web Ads Save Newspapers,” it’s a bit of a good news–bad news story:

The good news is that newspaper site ad revenues are growing along with other online ad spending, especially for local news sites. Local newspaper online ad revenues are predicted to reach $3.7 billion this year, according to eMarketer calculations based on Borrell Associates data. The bad news is that this spending will not make up for print ad losses for some time, according to Lisa Phillips, senior analyst at eMarketer. Ms. Phillips noted that advertisers still pay more for print readers than for online readers. “This is a transition that will take several years,” she said. “Local advertisers are paying attention to the shift in reader behavior, but it will take a while for everyone to adjust.”

And so we will have to wait to see how it all plays out. But I am highly skeptical that traditional newspapers operators will be able to make up anywhere near the amount of revenue online that they are hemorrhaging over on the print side of the business. There’s just too much other competition out there online already for our eyes and ears. The age of “protectable scarcity” is dead and that means newspapers just don’t have the lock on local or regional markets they once did.