Current Issue
This Month's Print Issue

Follow Fast Company

We’ll come to you.


Beginning next week, the FTC will hold a series ofpublic roundtables covering the growing number of challenges to consumerprivacy on the Internet. Dubbed "Exploring Privacy," the daylong discussionswill focus on "the collection and use of information by retailers, databrokers, third-party applications, and other diverse businesses." Hold that yawn. Behavioral tracking and ad targeting have everything to do with the pesky "Warning!" pop-up blinking behind your browser window right now. The one that could shatter your online privacy.

In advance of the roundtables, Fast Company spoke withonline privacy advocates Jules Polonetsky, co-chair and director of the Futureof Privacy Forum, and Ari Schwartz, vice president and chief operating officerof the Center for Democracy and Technology. Below, Polonetsky and Schwartzhighlight five of most nefarious techniques used to trick and track you.

1. "Malvertising Gangs"

"One of the biggest challenges in the ad ecosystemright now is that it's really easy for anyone to place an ad," says Polonetsky, one ofthe attendees of next week's roundtables. "Including actual criminals who wouldlike to mug you."

Such is the case with malvertising gangs, groups of scammerswho pose as legitimate advertisers in order to infiltrate the complex system ofnearly 100 ad networks—like Google's AdSense—that distribute ads to Web sitesall across the Internet. Shortly after a fake ad has been introduced into thesystem, it morphs into "scareware," advising any and all who visit the pagethat a virus has infected their computer.

"They make your machine look infected and then sell you afake antivirus software," says Schwartz. "You actually download the problem."While the fraud often ends with the consumer forking over $40 or $50, somescams go further, racking up additional charges on consumers' credit cards andhijacking victims' computers to churn out spam.

Difficult to detect and increasingly sophisticated,malvertising gangs have launched a series of high-profile attacks in recentmonths. In early September, a group planted ads that wound up on Web site ofThe New York Times. Days later, malvertisers struck The Drudge Report. Thatsame month, Microsoft filed five lawsuits against malvertising groups with seemingly benign names such as "SoftSolutions" and "Direct Ad."

Beyond the consumers directly impacted by malware,Polonetsky notes that malvertising gangs undermine the integrity of thelegitimate ad networks and reputable Web sites they strike. "If the idea thatjust viewing an ad—not even clicking it—is bad," he says, "it poses a hugethreat to the online advertising industry."

What you can do: Check with and check out any company beforedownloading their antivirus software. You can even try calling them, an effort that pales in comparison to the hassle of a virtual infection.

2. Flash Cookies

By now, most Web users are familiar with cookies, thepackets of code that store user data, remembering our preferences and automatically filling outthe contact forms in our online shopping carts. Cookies can be blocked entirely, removed frequently or allowed to pile up (oftenslowing the browser to a crawl)—point is the user has the final word. Not sowith flash cookies.

"Cookies aren't as easy as should be, but they'recontrollable," says Polonetsky. "But flash cookies aren't. Flash cookies canstick around and reinstall the cookie after you delete it."

As with many tricks of the behavioral-tracking trade, flashcookies were intended as a helpful technology. Created as a means of storingflash preferences that would otherwise be deleted by antivirus software, flashcookies are filed away in Adobe Macromedia, so they don't show up in yourbrowser. Because of this loophole, third-party advertisers can store consumerprofiles on flash cookies and track their online behavior long after they thought they'd deleted their cookies.

A recent report by researchers at UC Berkeley found that 54of the top 100 Web sites use flash cookies, noting that "even the 'PrivateBrowsing' mode recently added to most browsers such as Internet Explorer 8 andFirefox 3 still allows flash cookies to operate fully and track the user."

What you can do: Firefox users can download a free add-on,called Better Privacy, that can be set to automatically eliminate flashcookies. Others can read more about their Adobe privacy settings here.

3. "Cookie appends"

Beyond clogging up your browser with bits of data, cookiescan track your online behavior. Schwartz says cookie tracking, or cookieappends, are the next evolution of reverse email appends—whereby advertisersaccess all sorts of personal information via your email address. Sign up for anonline newsletter recently? By crosschecking your email address, the publishermay have access to everything from your name and address to your ethnicity,personal interests, and credit score. A cookie append works in the same way.

"Say you buy something from GAP," says Schwartz. "Workingwith Experian, GAP can get all your personal information and build a personalprofile. Then they tie a cookie to you that watches everything you do," furtheradding to your profile.

Companies like Axciom (profiled here by The Wall StreetJournal) and use tracking cookies to collect and analyze consumer data, categorizeconsumers into "clusters" like "Apple Pie Families," "Young Workboots," and "Mixed Singles-Urban Scramble." The data is then sold to online retailers andused to serve up targeted ads.

What you can do: To manage what kind of information is beinglogged about you, check an online registry like Google Ad Preferences, eXelate, or Bluekai.

4. Personal Health Data

In the past, advertisers tended to steer clear of tailoringads to consumers' health interests. All those Google searches about that uncomfortablerash? That was your business. But times have changed, according to Polonetsky.

"A few years ago ad networks started offering very detailedhealth profiles," he says. "It's been hard for the industry to draw a brightline. Pharma companies are looking for this info, and it's hard to imagine asmall ad network turning down the money."

Ad networks still largely avoid targeting sensitive healthissues, like cancer, and government regulations like HIPAA bar advertisers fromaccessing your personal health records. Just don't be surprised if you startseeing ads for adult diapers after reading a news story on incontinence.

What you can do: As with cookie tracking, check with apreference manager to see what kind of personal data advertisers are storingabout you.

5. ISP Tracking

If you thought the specter of ISP tracking, or deep-packetinspection (DPI), vanished with NebuAd, the multimillion-dollar ad targetingcompany that collapsed this past May under a class action lawsuit andcongressional inquiry, you were sadly mistaken. The practice—which involveslogging individuals' surfing habits, including the terms they search and thesites they visit, and using them to serve up ads—is alive and well at companieslike Phorm and Front Porch.

While much maligned by privacy advocates, DPI appears to begathering momentum; on November 26, various news outlets reported that VirginMedia is planning to use the technique to monitor its network for illegalfilesharing, covertly examining peer-to-peer packets for copyright infringement.

"It comes down to understanding that the ISP is passing oninformation," says Schwartz. "They get everything you do online."

What to do: Stay tuned. Schwartz says the U.S. House Energyand Commerce Committee has advised ISPs that the practice is illegal, andfurther legal action is pending.