The National Advertising Initiative: The NAI is Broken and Does Not Protect Consumers
Report home | Read the report (PDF) | Previous section | Next section
Although it is possible to identify many aspects of the NAI that are broken, this report focuses on four areas in particular:
1) the effectiveness of the NAI opt-out cookie as the primary tool for stopping tracking;
2) the applicability of the NAI to types of tracking that extend beyond the traditional cookie and to business models not expressly covered by the NAI;
3) the constantly shifting membership of the NAI; and
4) auditing and enforcement of the NAI.
NAI “Opt-out Cookie” is a Failure
NAI opt-out cookies are a failure from a policy perspective and from a technical perspective.
Consumer Confusion
From a policy perspective, the concept of an opt-out cookie was too convoluted for consumers to understand from the beginning. It is counter-intuitive for consumers to go to a page to download a cookie onto their computer so that cookie will tell companies not to track them. Downloading one cookie so other cookies don’t track you is a message most consumers never really heard or understood. Studies indicate that consumer confusion already exists regarding standard uses of cookies. [27]
Further, a new study finds that consumers, when they see the words “privacy policy,” expect that their information will not be shared. [28] This suggests that many consumers will have difficulty fully understanding cookie functions in a meaningful way. It is reasonable to conclude that the opt-out cookie is just one more confusing aspect of cookies for consumers, and that consumers are not clear on what the opt-out cookie does or does not do in regards to privacy protections.
Consumers have other barriers regarding cookies: the shifting membership of the NAI has created an environment where a consumer has to be exceptionally vigilant to know if they have every downloaded every available opt-out cookie. When a member drops out of the NAI, a consumer has no way to know if a previously set opt-out cookie for that member still functions. Asking or expecting consumers to monitor the NAI website for this information is unreasonable.
Cookies by the Numbers
Some of the questions that need to be asked about opt-out cookies are: how many consumers have downloaded opt-out cookies? How long do most consumers keep opt-out cookies? How do network advertisers pro-actively make consumers aware of their opt- out cookies? The answers to these questions are known by the network advertisers, who generally keep excellent track of their cookies.
One of the key issues that needs to be assessed is how many consumers actually know about opt-out cookies. One way to get at this is to determine how many consumers use opt-out cookies. If NAI members have detailed information about consumer use of opt- out cookies, that information has been shared with the public. The information would inform the debate, but it is also possible that the information would show further holes in the NAI self-regulatory scheme.
Some numbers do exist. TRUSTe, the current enforcer of the NAI agreement, used to report on NAI complaints about opt-out cookies. In March 2002, TRUSTe’s first report on NAI enforcement documented that there were 30 complaints about the NAI, and every one of the complaints was about opt-out cookies. Complaints about opt-out cookies continued all the way through December 2004, the last month that TRUSTe reported opt- out cookie complaints publicly. It is unknown how many consumers are still complaining about opt-out cookies, as there is no longer any public reporting on them from TRUSTe. But even the limited TRUSTe reports that are available are revealing.
The Network Advertising Initiative, in public comments filed with the FTC in October 2007, said that in 2001, the NAI web site was visited 30,000 during its first week of operation. [29] NAI also commented that: “…in 2006 we estimate that our opt-out page was visited 1,003,750 times.” It is unknown if these were unique visitors, and it is unknown how many of those visitors opted-out successfully. It is also unknown what percentage of visitors to the opt-out site this constitutes compared to the universe of consumers who have had behaviorally-targeted network ads served to them. [30]
What policy makers need to know is how many consumers are opting out, and for those who are not opting out, why they are not opting out. Is it because the majority of consumers have never heard about an NAI opt-out? Or is it because consumers cannot opt-out easily? Or are there other reasons?
Technical problems have cropped up with the opt-out cookie — NAI opt-outs are not simple to accomplish for everyone. Unfortunately, those consumers who manage to hear about an NAI opt-out and who go to the NAI opt-out page with browser cookies turned off encounter unfriendly error messages. These consumers may have increased barriers in finding detailed instructions on opting out. Consumers who have cookies turned on may still have problems opting out, something the NAI admits on its own pages.
Opt-out Web Pages do not Always Work
Those seeking to opt-out of tracking by NIA members must visit <www.networkadvertising.org> with cookies turned on. After landing on the home page, consumers who click the opt-out button on the page are sent to the NAI opt-out page. The page offers checkboxes that correlate to an opt-out for different NAI members. Each check box should result in the setting of a separate opt-out cookie on the consumer’s computer. However, the results are highly variable, and the opt-outs often are not successfully set.
In a series of tests using different computers, IP addresses, browser types, and operating systems, the World Privacy Forum tested how well the official NAI opt-out page was working. [31]
The Forum also invited others to opt-out and report on their experiences. One individual who tried to opt-out sent in a pithy note: “It didn’t work so well” accompanied by a screen shot of the results of his opt-out effort. The screen shot revealed that only two of the opt-outs on the page had actually worked for this consumer. [32]
World Privacy Forum tests demonstrated that opt-outs on the NAI page do not always work even when browsers are optimally set to accept all cookies. Even when different kinds of web browsers were set to accept all cookies, the opt-out cookies were not always set properly. It is difficult to offer a hard number for the failure rate for setting NAI opt- out cookies due to the high variability in the causes for failure. However, for some standard computer operating systems and browsers, the failure rate exceeds 50 percent, depending on the computer set-up, firewall settings, and many other factors.
For example, in one test run, using computers running Firefox or IE on MS Windows and Safari on Mac OSX, World Privacy Forum tests found that checking the multiple opt-out boxes offered by NAI resulted in only some NAI opt-out cookies being set successfully. (The NAI opt-out page has a feature that tells users whether the opt-out was successful or not.) Using a computer running Mozilla on a SUN Ultra, and a computer running Firefox on Mac OSX, one test found that the opt-out worked. However, firewall settings can influence these results, so there is high variability of opt-out success or non-success.
The NAI opt-out page – Having Trouble Opting Out? – addresses these issues and says:
The performance of the global opt-out tool might be affected by a number of factors outside the control of the NAI and/or its member ad networks. These factors include corporate network security, telecommunications breakdowns, browser settings, ISP or infrastructure anomalies and client-side technical glitches, among other possible issues. [33]
The NAI is well aware of the problems with the opt-outs. In its public comments to the FTC in October 2007, the NAI wrote:
The single most common issue raised by consumers about the NAI Principles program relates to the functionality of the opt-out. It is rather common for consumers to request assistance to ensure that their opt-out cookie is functioning properly (browser compatibility concerns). The vast majority of these concerns are successfully addressed by having a staff member work directly with the consumer to resolve the problem they had been experiencing. [34]
It would be helpful to know how often consumers spoke to or communicated with NAI staff, and the specific results of those contacts.
Another problem with the NAI opt-out site is that if a computer is set not to accept cookies at all, the consumer who clicks on the NAI opt-outs will see an unfriendly error page. The NAI does not offer an explanation on the error page that in order for the opt- out to work, that cookies must be accepted. Because cookies are at the heart of the NAI self-regulatory model, helping consumers to understand cookies would seem to be a core element of any well-intentioned program.
Given the large variety of computer types, machine configurations, corporate and personal firewall configurations, web browsers and browser configurations, it would be appropriate for NAI to provide detailed assistance on its website that reflects the variety and complexities of Internet usage.
Even if NAI provided the information that consumers need to make use of opt-out cookies, problems with the NAI opt-out will remain. It is far from clear that any opt-out cookie should be the mechanism of first choice for consumer protection at all, given all of the difficulties.
The Opt-Out is Susceptible to Deletion
Opt-out cookies only work when they have been downloaded to a user’s hard drive and stay there. Opt-out cookies may be deleted by users who delete all of their cookies at one time, no matter what kind of cookies they are. Consumers who run a security protection program that removes spyware and malware may erase NAI opt-out cookies. Some consumers operate these programs as a standard part of their computer hygiene routine.
Unless a consumer is highly knowledgeable about cookies and is able to distinguish opt- out cookies from other cookies, consumers may not be able to maintain their opt-out cookies over time. These problems with reliance on opt-out cookies are not new, and they have been known for many years.
There is no simple or universal solution for this problem of deleting the opt-out cookie. One solution that has been proposed is Tacoda’s so-called “hardened opt-out.” This approach uses a file stored in a user’s browser cache to restore an opt-out cookie that was deleted. An undisclosed overriding of a consumer’s choice may be a chilling precedent, and it is discussed in more detail below under the heading Browser Cache Cookies.
Can any self-regulation effort rely on a mechanism so fragile that every time a consumer runs a computer security program, the core aspect of consumer protection disappears from a consumer’s computer? It doesn’t make sense to base a self-regulatory scheme on something like the NAI opt-out cookie given its high failure rate.
Even if some of the difficulties can be attributed to developments with computers (e.g., the spread of anti-spyware and malware programs), it is curious that NAI made no apparent attempt to change or update its methodology. It is entirely possible that NAI members are happy to continue offering the consumer NAI opt-out program, despite the acknowledged problems with the NAI opt-out and despite low consumer adoption of the program.
Cookie Blocking Has Led to the Use of Other Persistent Identifiers and Tracking Mechanisms
Several studies have reliably shown that about 30 percent of consumers delete cookies. [35]
One response to this by the advertising industry has been the development of ways to identify or re-identify users who have blocked or deleted cookies. For example, a patent filed by David R. Morgan and others in 2005 – Network for matching an audience with deliverable content – addresses how to circumvent cookie blocking. The patent boasts that users can be re-associated with their profiles even if they have deleted cookies, and even if they are using different machines:
Cookie blocking technologies have become an increasing problem for online publishers. […]
That is, an audience member can be reconnected with their data after cookies may have been deleted – or even if the audience member moves to a different client machine.
[…]
In connection with a visit to any site within the network, an authoritative identification is received 2008. This information may be received in the absence of the NPRID. The authoritative identification identifies the profiled audience member in connection with activity, and is used 2010 to correlate the profiled audience member in the NPRID. In turn, the NPRID is associated to the cookie related information as described. This allows a comparison 2012 of the cookie information connected with the current activity with that stored in association with the NPRID. Such information can be used to update 2014 the cookie information in association with the audience member’s browser, even if the cookies have been deleted between past profiling and the current browsing activity, or even if the audience member uses a different machine (if desired). Such updating may of course entail restoring the cookie information previously established for this particular audience member. [36]
Re-identification of users is not a surprising or even a new application of technology. The application goes beyond the limited NAI conception of cookies and tracking and illustrates how irrelevant it is becoming. Nevertheless, the expanded tracking capability that technology allows is something that the NAI has ignored. In the absence of constant external pressure, the NAI seemingly has no incentive to address new technology used to track consumers. The failure of NAI to change raises the question of NAI effectiveness as a self-regulatory organization.
________________________________
Endnotes
[27] A number of studies point to continuing consumer confusion about cookies. In particular, in a July 2007 study, InsightExpress found that “individuals who choose to delete cookies for one or more reasons possibly misunderstand the roles and functions served by cookie technology.” The 2007 study found that 63 percent of respondents believed they had deleted their cookies, when only 23 percent actually had. The study was a repeat of a 2005 InsightExress study that found that of 59 percent of respondents who tried to delete cookies, only 35% of the “deleter group” studied were able to successfully delete their cookies. See InsightExpress Study Sheds New Light on Cookie Deletion, Business Wire, July 17 2007. See also New Research Reveals Significant Consumer Misunderstanding of Cookies; Few Understand the Function of Cookies and Only 35% of Online Consumers are Able to Successfully Delete Them. Business Wire, April 21 2005. These numbers are in line with comScore’s examination of approximately 400,000 U.S. users in December 2006 which found that about 31 percent of U.S. computer users clear their first-party cookies in a month, with similar numbers for clearing third party ad network cookies. See The Impact of Cookie Deletion on the Accuracy of Site-Server and Ad-Server Metrics: An Empirical comScore Study, comScore, June 2007. <http://www.comscore.com>.
[28] See Research Report: Consumers Fundamentally Misunderstand the Online Advertising Marketplace, Joseph Turow, Deirdre K. Mulligan, Chris Jay Hoofnagle. University of Pennsylvania Annenberg School for Communication and UC-Berkeley Law’s Samuelson Law, Technology & Public Policy Clinic.
[29] Public Comments of the Network Advertising Initiative, Network Advertising (NAI) Written Comments for the FTC’s Ehavioral Advertising Town Hall Forum, October 19, 2007. <http://www.ftc.gov/os/comments/behavioraladvertising/071019nai.pdf>.
[30] The privacy policy on the NAI website says that NAI becomes the “sole owner of all information collected on this site.” If a consumer who is confused about an opt-out cookie fills out an NAI “contact us” form, the privacy policy language suggests that NAI becomes the “sole owner” of the consumer’s name, email address, and other information. It isn’t clear whether the statement in the privacy policy has any real meaning or effect, but it is an example of where a self-regulatory body has not adequately thought through the consumer perspective of the process. <http://www.networkadvertising.org/about/privacy.asp>.
[31] The page the WPF tested was <http://www.networkadvertising.org/managing/opt_out.asp>.
[32] The email is on file at the WPF offices and is available, but is only available redacted of personally identifiable information about the consumer.
[33] NetworkAdvertising.org < http://www.networkadvertising.org/managing/optout_problems.asp>.See also < http://www.networkadvertising.org/managing/faqs.asp#question_16>.
[34] Public Comments of the Network Advertising Initiative, FTC, October 19, 2007. <http://www.ftc.gov/os/comments/behavioraladvertising/071019nai.pdf>.
[35] See supra note 27.
[36] United States Patent Application 0050166233, Sections -0199-0200, 0212.
Roadmap: The National Advertising Initiative – Failing at Consumer Protection and at Self-Regulation: Part II: Discussion – The NAI is Broken and Does Not Protect Consumers