Sunday, April 20, 2008

adware and why tracking usage sucks

phorm, the isp-side adware/spyware technology being tested out in the UK, has been getting a lot of attention in the press for the past couple of weeks... on reading the description of it on the f-secure blog i got to thinking about why exactly this sort of advertising is so bad...

leaving aside the question of all the company's past bad acts (which i know is important but i'm focusing on the type of advertising, not this particular instance) and the isp-side implementation (and all the consequences that has for informed consent), i want to look at just the basic idea of targeting ads based on where a user has browsed in the past...

obviously this requires tracking the user's activities and adware companies will no doubt try to assuage our privacy fears by claiming they don't keep identifying information... for my purposes i'm going to assume they live up to their word, regardless of how unlikely that may seem... my contention is that simply displaying ads based on past browsing behaviour represents a privacy breach because we very often don't use our computers in a vacuum...

what do i mean by that? let's consider the scenario of the road warrior employee... he (or she) has a laptop they take with them on the road and most likely also take home with them... chances are good they will do some personal browsing at some point... chances are also good that at some point they're going to come back into the office and turn on their computer... what happens then is that their co-workers or perhaps even their boss may see ads linked to browsing they were doing while in the privacy of their own home... maybe the ads are of an adult nature (porn), maybe they're of an immature nature (cartoons), or maybe they reveal employment intentions the employee isn't prepared to share with their boss (why are there ads for monster.com on your computer?)...

of course there are those who would say that such an employee shouldn't be doing private browsing on the work computer anyways (ignoring the possibility that they're actually doing work on their own personal laptop - something that can happen in smaller companies) so how about a more reasonable scenario... lets say you're a single guy browsing the web the way single guys do... lets further say you get a new girlfriend and she comes over to spend time with you... at some point she may ask to use your computer to check her webmail because she's been staying over quite a bit and hasn't been home in a while... you concede because letting her use your computer is the least you can do for her considering all the time the two of you have been spending together... then she sees the ads linked to your past browsing behaviours and stops coming over and doesn't return your calls anymore... alternatively, perhaps you're over at her place fairly often and all of a sudden dating site ads start showing up on her computer...

accurately targeted ads are a wet dream for the advertising industry - their efforts would be so much better received and have so much more impact if only they could get the right ads in front of the right people at the right time... developing sophisticated profiles based on past usage makes a certain amount of sense in that context... unfortunately, when it comes to computer use it's pretty much impossible to accurately tell who's looking at the screen, so there's a very real risk of revealing things about people and what has meaning to them to the people around them if your ad targeting is based on anything other than what the user is doing right this instant... you cannot capitalize on knowledge of the user through ad targeting without revealing that knowledge to the user and possibly others as well...

when people can start inferring things about you based on ads targeted at you then then the ads themselves represent a privacy breach, regardless of what personal information the ad company may or may not be keeping... the more accurate the targeting the more likely you are to breach the user's privacy... the more you try to protect the user's privacy by throwing random ads into the mix, the less accurate the targeting becomes and the less impact the ads have because they get buried amongst garbage ads...

advertising is big (and arguably legitimate) business, but those considering the kind of optimization that phorm or really any kind of targeted ad serving represents should be aware of these kinds of less obvious privacy implications...

0 comments: