ADOTAS – For Halloween, I was thinking the scariest thing I could dress up as would be a third-party online data collector. I mean, what is more horrifying than a member of the cyberazzi? I figure I could go to cafés and spy on what sites Internet users are browsing, conspicuously taking notes and grouping the various patrons into behavioral buckets. No personal information would be collected, of course.
Then I was hoping a friend would join me dressed up as a privacy advocate, draped in a robe bearing the “expectation of privacy” segment of the Fourth Amendment to the U.S. Constitution. He or she could scream while pointing me out to the various what I was doing and then beat me with a baseball bat reading “DO NOT TRACK.” At the very least, it could make for a nice piece of performance art.
I kid, I kid — but I can do that because I have a general understanding of data collection issues. A lot of consumers are freaked out about who is taking their data to do what with because they simply don’t get it. And a new academic study (PDF — abstract here) — “Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising,” assembled by Pedro G. Leon, Blase Ur, Rebecca Balebako, Lorrie Faith Cranor, Richard Shay and Yang Wang of Carnegie Mellon University — explains that the variety of user data management tools out there are possibly increasing the confusion.
“The research from Carnegie Mellon supports a position that we have long advocated at eXelate – that the industry needs to make opt-out tools less scary,” said David Lundell, vice president of product management at eXelate (the company that tipped me off to the study). “Consumers understand that digital content cannot be free and that advertising must support it. Subsequently, consumers want to be co-participants in the advertising process and manage it in a direct, honest and transparent manner.”
But what may be scarier for third-party data collectors and the behavioral targeting industry — especially since the Federal Trade Commission is no doubt listening — is the researchers’ conclusion that “self-regulation through opt-out mechanisms is fundamentally flawed.”
“Users’ expectations and abilities are not supported by existing approaches that limit OBA by selecting particular companies or specifying tracking mechanisms to block,” the report claims. “Even with additional education and better user interfaces, it is not clear whether users are capable of making meaningful choices about trackers.”
OK — how did they get there? Using 45 participants without knowledge of tracking tools, the researchers tested nine tools for user data management, including third-party cross-network opt-outs (in particular, those provided by Evidon and the Digital Advertising Alliance), browser DNT tools and ad and tracking-blocking browser add-ons. After conducting the research, the academics concluded that none of the tools “empowered study participants to effectively control tracking and behavioral advertising according to their personal preferences.”
The key findings (though the whole report is worth reading):
• No middle ground in terms of explanation of function. “The tools we investigated tended to present information at a level that is either too simplistic to inform a user’s decision or too technical to be understood.” In addition the report claims that the opt-out mechanisms do not make it clear that consumers are opting out of targeted advertising rather than data collection.
• Participants not only didn’t understand what it meant to be opted out, but also were unsure of whether their opt-outs were working. Same with DNT — how do you know companies are honoring it?
• On the cross-network opt-out service (as well as browser add-ons Ghostery and TACO) and users can’t distinguish between various data collecting services, leaving them unable to set opt-out or blocking preferences meaningfully on a per-company basis. Instead, the researchers found most of the users simply used the same settings for each company listed.
• The report also suggested that the default settings for privacy tools were “inappropriate” for users concerned about their online privacy, since users interested in privacy tools are likely seeking them out to block tracking. The report goes on to say: “Ghostery and TACO do not block any trackers by default, and enabling tracker blocking involves multiple clicks. Similarly, no advertising companies are selected by default on the DAA and Evidon opt-out sites.”
So perhaps the scarier getup between those two costume choices in the beginning might be the privacy advocate. I could totally don that robe and give some real frights by running around third-party data collectors’ offices with a DO NOT TRACK bat. Boo!