TOPIC:

KEEPING YOUR CLICKSTREAM PRIVATE IS
GETTING HARDER

Do you ever have the feeling that
you no longer control your
computer screen, or your e-mail
inbox? Today, upwards of 75% of
all e-mail is unsolicited junk mail called
spam. In a year, thousands of ads will appear on
your screen that you never asked for and are often
irrelevant to you. Yet one of the virtues, or vices
(depending on your perspective), of e-commerce
technology is that it permits online merchants to
send you advertising that supposedly reflects
personal information the merchant has gathered
about you. This is called “one-to-one” marketing
or “personalization.” This personal information
might include what products you have previously
purchased from the merchant, what kind of
content you have viewed at its site, how you
arrived at the site (where you were previously), as
well as all of your clicking behavior at the site.
This clickstream becomes the basis for
constructing a digital profile of you. Your
clicksteam and resulting profile is a marketer’s
and merchant’s goldmine: if you know what people
like and what they have recently purchased,
you stand a good chance of being able to sell them
something else. How does a Web-based company
find out about your clickstream?
One way is through advertising networks
such as DoubleClick, ValueClick Media, and 24/7
Real Media. These advertising networks insert
themselves between you and the merchant. When
you visit any of thousands of Web sites in the network,
the network firms log your access to the
site, and then follow your movements through the
site (as does the merchant). Your clickstream
behavior is merged with that of thousands of
other consumers, and then these firms pop banner
ads on your browser when visiting the network
member sites. For instance, ValueClick Media is
one of the largest online advertising networks,
representing more than 6,000 online sites of all
sizes, including top portals, leading vertical
content sites, and niche content sites. Chances are
very good that every day you go on the Web your
clickstream behavior will be picked up by
ValueClick Media. ValueClick Media uses this
information to deliver pop-up ads to your screen
and send other marketing messages to you.
In general, the advertising networks do not know
who you are personally—they do not know your
name, address, or other personally identifiable
information. What they do know is the
in-network Web sites that you visited and what
pages you viewed, what boxes or items you
clicked, and any other information generated in
the browser-client interaction with the exception
of secured or encrypted information entered onto
secured pages (such as a shopping cart). At this
point, you are just another Internet customer with
a cookie.
Merchant sites also keep a complete contact
log of every click you make and every object you
choose to see on their Web sites. This is a built-in
capability of Web server software. This data is
stored and can be mined to create a profile of
your behavior on the site. All Web sites use
cookies and many use Web bugs. A cookie is a
small text file downloaded onto your hard drive by
a Web site. The cookie file contains whatever
identifying information the merchant chooses to
put in it. They can be read by other Web sites you
visit and used to track your movement among
sites. A Web bug is a tiny graphic, typically one
pixel wide and one pixel deep, embedded within a
Web page or e-mail. It usually is transparent or
blends into the background color. A Web bug in a
INSIGHT ON SOCIETY

Web page can report information such as a
visitor’s IP address, cookie information, and
referring URL back to the sending server or to the
server of a third party, such as a Web advertising
company. Hidden inside e-mail messages, a Web
bug can tell the merchant whether you opened the
e-mail, and even more alarming to privacy
advocates, can match the e-mail address with a
previously set cookie, thereby allowing the merchant
to coordinate a specific individual with
their actions on the Web. The merchant then has
a great deal of both clickstream behavior and personal
information about you generated at the
merchant’s site, including all the information
entered into shopping carts and payment
information. So when you return to Amazon,
Amazon knows your purchase history and can
recommend new titles.
Now let’s go over the top: the latest Internet
privacy pest is spyware, also known as adware.
People often make a distinction between adware
and spyware: adware is designed to serve you ads,
and spyware is designed to record information
from your computer (such as your credit card
number or any other personal information) and
send it to a remote server. Both operate on the
same principle: these are small software
programs that secretly install themselves on your
computer by piggybacking on larger applications,
or by downloading potentially any file from the
Web. The most common source of adware and
spyware are file-sharing programs such as Kazaa
and online contests where you need to download a
program in order to participate. Once installed,
adware calls out to other sites to send banner ads
and other obnoxious unsolicited material to your
screen. Spyware also can report your movements
on the Internet to other computers. If, for
instance, you ask your browser to go to
www.llbean.com, adware can divert you to a
competitor, or pop a banner ad on your screen
offering a 10% discount if you visit the competitor’s
site. Spyware really lives up to its name
when it is used to transmit user keystrokes to
remote servers. In this application, anything you
enter on your keyboard—including passwords,
personal names, your address or financial information—
can all be sent to remote servers without
you knowing about it.
Many people feel that efforts to market products
and services to you based on your online
behavior is an invasion of their privacy. They
believe that while it may increase sales in the
short term, violating personal privacy on the Web
is bad business. For instance, in its annual Digital
Future Report, the USC Annenberg School found
88% of Internet users reported some level of
concern about the lack of online privacy, and 45%
were “very or extremely concerned” about
privacy while shopping online. The percentage of
“very or extremely concerned” is down from
previous years, but the average level is the same.
eMarketer and Forrester Research report that
52% of Internet users think Web sites ask for too
much information when registering, 45% believe
their privacy has eroded since going online, and
56% oppose Web sites collecting non-personally
identifiable information even if it results in more
relevant advertising. On the other hand, millions
of online consumers willingly give up their private
information in return for a benefit such as
premium information content (reports and white
papers), or simply the chance to win a contest.
Can you protect your privacy in the Internet
age (and still use the Web for convenient shopping)?
There are several kinds of solutions: merchant
privacy policy, advertising network privacy
policy, technology, and enforcement of existing
and new laws. Some new technologies that can
help are called anonymizers. Companies such as
Zero-Knowledge Systems and Anonymizer.com
have developed software packages and their own
Web servers that you can use to hide your identity
online. Software programs such as SpySweeper
and Ad-aware can help remove spyware
programs. In May 2005, New York State AttorU
n d e r s t a n d i n g E - c o m m e r c e : O r g a n i z i n g T h e m e s 43
ney General Elliot Spitzer filed a lawsuit against
Intermix Media for illegal distribution of adware
to more than 3.7 million New York residents without
proper notification or consent. The companies
were charged with deceptive business practices
and false advertising, traditional laws on the
books for many years. As a result of the growing
unpopularity of adware and lawsuits, a leading
distributor, Claria Corporation (formerly Gator
Corporation), has changed its business model to
one of selling online ad space on sites that agree
to use its software, and making it easier for people
to reject loading the software in the first
place, and easier to remove the program.
As we describe in later chapters (especially
Chapter 9), efforts to regulate online privacy and
create new laws to protect online commercial
privacy have not been widely successful, although
self-regulation by advertising networks has
produced some progress.
Most Web merchants are learning that it
pays to be sensitive to customers’ concerns
about privacy. Trust is critical to successful
e-commerce. Almost all sites have “opt-out”
check boxes that allow visitors the option to not
receive e-mail and other marketing information
from the site. Many sites have “opt-in” policies
that require customers to check a box if they
want to receive additional marketing messages.
All of the Web’s top 25 e-merchants, as well as
many others, have privacy policies posted on
their sites. The question remains: Do these Web
site privacy policies achieve
SOURCES: “Take My Privacy, Please!” by Ted Koppel, New York Times, June 15, 2005; “Lawsuit May Roil Online-Ad World,” by Riva Richmond,
Wall Street Journal, May 11, 2005; “Claria Seeks to Burnish Image, Move Beyond Pesky Pop-Ups,” by David Kesmodel, Wall Street Journal, May 6, 2005;
“The Digital Future Report: Surveying the Digital Future,” by USC Annenberg School Center for the Digital Future, September 2004; “A Trail of Cookies? Cover
Your Tracks,” by Thomas J. Fitzgerald, New York Times, March 27, 2003; “Eluding a New Web Hazard,” by Alex Frangos, Wall Street Journal, March 4, 2003;
“Send Spyware Into the Cold,” by Alex Frangos, Wall Street Journal, March 2, 2003. See also Privacyexchange.org and Epic.org for recent surveys on consumer
privacy fears.