You won’t find out from this New York Times front-page story from yesterday, which is disappointingly long on alarmism but scarce on details, a phenomenon all too frequent in privacy reporting. In the third sentence — immediately after anthropomorphizing smartphones — the story tells us that “advertisers, and tech companies like Google and Facebook, are finding new, sophisticated ways to track people on their phones and reach them with individualized, hypertargeted ads.” Boy, that sounds bad — exactly what horrible new thing have they come up with now?
The third paragraph tells us only what privacy advocates fear. The fourth mentions the National Security Agency. The fifth quotes privacy scholar Jennifer King saying that consumers don’t understand ad tracking.
The sixth paragraph finally gives us a specific example of the “new, sophisticated ways” advertisers and tech companies are “track[ing] people on their phones”: Drawbridge. What does Drawbridge do? It’s “figured out how to follow people without cookies, and to determine that a cellphone, work computer, home computer and tablet belong to the same person, even if the devices are in no way connected.” But this doesn’t tell us much. There are more and less innocuous ways to accomplish the goal of tracking users across devices. On the innocent end of the scale, a website could make you sign into an account, which would allow it to tell who you are, no matter what computer you use. On the malevolent end of the scale, it could hack into your devices and access personal information that is then linked to your activity. The key question is, how is Drawbridge getting the data it is using to track users, and what is in that data?
On to the seventh paragraph: the COO of Drawbridge says whatever it’s doing, it isn’t “tracking.” OK. The eighth paragraph says that Drawbridge claims to have matched 1.5 billion devices. Somehow. The tenth paragraph tells us that Drawbridge and similar companies — like Flurry, Velti, and SessionM — are “exploiting” intimate knowledge of users, “largely based on monitoring the apps we use and the places we go,” making it “ever harder for mobile users to escape the gaze of private companies.” “Gaze” — that sounds bad! But we still don’t know how this “monitoring” is occurring, or what information it is gathering.
The eleventh paragraph tells us that tech giants, who sell advertisements, are keen on this new technology, as are advertisers. (Presumably they have more of an idea how it works.) The twelfth paragraph gives us a quote from an advertiser saying it’s much better than advertising to a broad demographic category — e.g., women 25-45. The next several paragraphs then lay out the challenge for advertisers in the new environment where people use multiple internet-connected devices. In the old days of a few years ago, advertisers could rely on ad exchanges, which contract with individual websites to place ads on their sites. Ad exchanges can tailor these ads by placing a cookie on an individual’s computer as they browse the member sites, which might give some idea what that person is interested in. So for example, you’ve no doubt noticed that sometimes if you go to a travel site and price an airline ticket to Florida but then leave without buying it, you might see ads for airline tickets to Florida as you browse other sites.
But this system comes undone when individuals use multiple computers, and in particular mobile device apps, which do not use cookies at all. As a result, it’s difficult to tailor ads for smartphone apps, and difficult to know how often they pay off if the eventual purchase is made on a different device.
So Drawbridge is one proposed solution to this problem. And the solution is . . . Well, in the 21st paragraph, we learn, finally, that:
Drawbridge . . . has partnerships with various online publishers and ad exchanges. These send partners a notification every time a user visits a Web site or mobile app, which is considered an opportunity to show an ad. Drawbridge watches the notifications for behavioral patterns and uses statistical modeling to determine the probability that several devices have the same owner and to assign that person an anonymous identifier.
So this is where Drawbridge is getting its data. The problem is that this is nearly incomprehensible. What sends partners a notification? The ad exchanges? Are the ad exchanges sending a notification each time a person visits one of the thousands of websites they place ads on? That’s a lot of notifications. Then Drawbridge is watching these notifications somehow — by receiving them? — which contain unknown content, and using statistical modeling on that unknown content to determine the probability that several devices have the same owner. Whatever this means, it doesn’t sound as nefarious as the headline let on. The probability that two devices have the same owner is hardly entering 1984 territory.
The next paragraph gives us an example of what Drawbridge is supposed to do — serve ads to the same person using different devices — but doesn’t give us any more detail how it’s accomplished. Then Drawbridge’s CEO claims that the service’s algorithm is so accurate that it can distinguish between two people using the same device. Through magic, I guess.
The article closes out, still having not explained what Drawbridge is doing, by giving us three other examples of ways in which companies can track smartphone usage. Google, Facebook, and Amazon can track your use of their sites no matter what device you are using because — as the article fails to mention — they make you log into an account, and obviously what you do after you log in can be associated with your account. The article also cites Flurry, which is a service that app developers build directly into their apps to track what users are doing with their apps. Flurry is using that data to categorize users into broad categories, which the Times article calls “detailed,” but which doesn’t seem any different than the marketing categories American Express used twenty years ago. Finally, the article mentions wireless carriers, who can track what their users are doing but fails to mention that they are now legally restricted with what they can do with that information, thanks to the FCC’s CPNI rules.
Here is what Drawbridge is up to. It’s trying to help figure out what ad to serve to Visitor X to a certain website. Recall my example of the person who visits a travel site but then doesn’t purchase the ticket to Florida. Later, Visitor Y, using an iPad, looks at the New York Times. What ad should they get? Drawbridge analyzes the data resulting from those two website visits to determine what the probability is that Visitor X = Visitor Y, meaning that an ad for tickets to Florida would be appropriate. Here’s how MIT Technology Review explains it:
Drawbridge works by looking at the cookie data that comes with a request from a mobile or desktop browser or app to an ad exchange, and using its “bridging” algorithm to assess the probability that any two arbitrary cookies from different devices are associated with the same person. The Web cookies that Drawbridge uses contain anonymous, relatively benign information, such as the browser client, the site accessed, and a time stamp. Unlike a method known as device fingerprinting, Drawbridge doesn’t rely on technologies that directly track user activity, or report geolocation or other invasive device identifiers, [CEO] Sivaramakrishnan says.
So Drawbridge is looking at cookie data, or the app equivalent. Perhaps this is something to be worried about, but third-party advertising use of cookies has been with us a long time, and this just seems to be an extension of it to mobile devices. But I guess “Cookie Profiles Extended to Smartphones” doesn’t get on the front page of the New York Times.
Flurry is more worrisome — not for what Flurry itself is doing, which seems kind of innocuous, but because it serves as a reminder that many app developers are entirely unconstrained in what data they can gather directly off the device and what they do with it. Software developers for the PC face a severe PR backlash if they send all sorts of unrelated information from the PC to third parties — it’s typically labelled “spyware,” or even worse, “malware” — but so far app developers have not faced the same pressure.
The Times article closes by making this assertion: “Neither state nor federal law prohibits the collection or sharing of data by third parties.” But this is too broad to be true. There are some laws or regulations that apply to third parties to a transaction — the sector-specific Gramm-Leach-Bliley, HIPAA, and COPPA all have provisions that would apply to contractors, and the FTC’s general Section 5 authority would apply in egregious cases. But no law — yet — specifically governs the situation the Times seems concerned about: third party placement of ads. Is this a problem? I think it will take a more detailed understanding of the situation than reports like this one seem inclined to provide.
[Cross-posted at Madisonian.net.]
The New York Times article has mongered a scare: Sen. Markey has asked the FTC to investigate cross-device ad targeting.