New tool offers privacy without crippling browsing habits

You already know all about cookies, right? They might know your name and address, and they almost certainly know sites you've searched for, flights you've booked online, products you've considered buying, and maybe even medical information.

Depending on your point of view, this information-gathering could be sinister, benign or even helpful. Ad networks like DoubleClick, the focus of much scrutiny over the issue, collect the information in order to target advertisements that are meant to appeal to users by knowing what they like. A known sports nut will be more likely to see an ad for a fantasy football game, but less likely to see ads for baby clothes.

Ad companies get most of this information through cookies, one or two lines of text kept on your computer's hard drive acting as a constant trail of your likes and dislikes. Cookies have gotten a bad rap for their record-keeping, but many sites use them to personalize logins and regionalization. In fact, some sites won't work at all if a browser's cookies are disabled.

One company, IDcide.com, has developed a cure for this by providing a browser plug-in that discriminates between first-party (coming from the site you're visiting) and third-party (coming from other servers) cookies. The tool, called the Privacy Companion, can provide varying levels of security -- either blocking no cookies, just third-party cookies, or all cookies.

How they track

For example, the New York Times on the Web requires a free login before entering. If you have cookies disabled, you won't be automatically let back in when you return to the site. But a tool like Privacy Companion can allow the first-party cookie from the Times to let you into the site, but disallow third-party cookies from ad companies that track your habits while you're there. As the tracking networks work through the banner ads, those ads appear broken with the security in place.

If the networks are allowed to track, they can record all sorts of information about your habits. Security consultant and privacy watchdog Richard M. Smith showed how DoubleClick can mine personal data from a user's habits on such popular Web sites as AltaVista, Travelocity, DrKoop.com, Buy.com and the Internet Movie Database. By visiting fewer than 10 sites, the network had his name, street address, e-mail address and birthday. The ad company also saved transactional information such as the route of a plane trip, what search terms he used in a search engine, and what products he browsed on e-commerce sites.

'We could solve the problem'

Privacy Companion is Israel-based startup IDcide's first product, and it was born from the founders' own personalization projects.

"We found out that this is a big issue when we started working on another personalization tool that infringed on privacy," says co-founder Ron Perry. "We weren't comfortable with the amount of information given out, and we found the solution worked with a lot of things. We reached the conclusion that we could solve the problem for a lot of companies."

When installed, the program adds a small toolbar to each browser window. A single eye appears when there is possible tracking from the visited site, and multiple eyes appear when there is tracking from external networks. When either type of tracking is being blocked, a cross appears over the icon.

By clicking on the icons, users can see a log of what networks are attempting to track them and how often. While it's not foolproof, according to Perry, it does always see when unique identifiers are being passed between networks and your browser. Because the tool discriminates between the two types of cookies, sites continue to work normally.
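The three blocking levels, the toolbar state and the per-network log described above can be sketched as follows. This is an added example, not IDcide's code: the function names, level names, icon strings and sample hosts are assumptions, and comparing the last two host labels is a simplification of real site matching.

```javascript
// Blocking levels from the article: no cookies, third-party only, or all cookies.
const LEVELS = { NONE: "block-none", THIRD_PARTY: "block-third-party", ALL: "block-all" };

// Simplified "site" of a URL: its last two host labels. Assumption: a real tool
// would need a public-suffix list to handle suffixes such as co.uk.
function site(urlString) {
  const host = new URL(urlString).hostname.toLowerCase();
  return host.split(".").slice(-2).join(".");
}

// Decide, for every response that tries to set a cookie while pageUrl is loading,
// whether the cookie is first- or third-party and whether the level blocks it.
function evaluate(pageUrl, responses, level) {
  const pageSite = site(pageUrl);
  const log = {};        // third-party site -> number of cookie attempts
  const decisions = [];
  for (const r of responses) {
    if (!r.setCookie) continue;               // no identifier offered, nothing to decide
    const origin = site(r.url);
    const thirdParty = origin !== pageSite;
    const blocked = level === LEVELS.ALL ||
      (thirdParty && level === LEVELS.THIRD_PARTY);
    if (thirdParty) log[origin] = (log[origin] || 0) + 1;
    decisions.push({ url: r.url, thirdParty, blocked });
  }
  // Toolbar state modelled on the article: one eye for possible tracking by the
  // visited site, several for external networks, a cross when anything is blocked.
  const external = decisions.some((d) => d.thirdParty);
  const icon = decisions.length === 0 ? "none" : external ? "multiple-eyes" : "single-eye";
  const crossed = decisions.some((d) => d.blocked);
  return { decisions, log, icon, crossed };
}

// Constructed sample: a news page with a login cookie and two ad banners.
const SAMPLE_PAGE = "https://www.news.example/front";
const SAMPLE_RESPONSES = [
  { url: "https://www.news.example/login", setCookie: "session=abc" },
  { url: "https://ads.tracker.example/banner1.gif", setCookie: "uid=123" },
  { url: "https://ads.tracker.example/banner2.gif", setCookie: "uid=123" },
  { url: "https://img.news.example/logo.gif", setCookie: null },
];

const result = evaluate(SAMPLE_PAGE, SAMPLE_RESPONSES, LEVELS.THIRD_PARTY);
console.log(result.icon, result.crossed, result.log);
```

At the third-party level the login cookie passes while both banner cookies are blocked and counted against the same ad network.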

"I have never encountered any changes," Perry says, "but I've received less targeted advertising."

Whether that's a plus is in the eye of the beholder, of course, but even Perry isn't against the idea of personalization. Instead, he wants to give the power of personal information back to the user.

The privacy-personalization gap

"Our intention is to benefit from bridging the gap between privacy and personalization," he says. "We don't think the companies are evil. They have a legitimate need for information, but we think the user should be in control."

While the tool is free, Perry plans to sell their services to e-commerce sites to develop privacy-aware opt-in tools that help users to decide how much information to give to marketers.

Privacy Companion works with Microsoft Internet Explorer versions 4 and 5 on the Windows operating system. Versions for Netscape and AOL browsers are in the works, as are Mac and Linux flavors.

How much protection do you want?

There are two current types of technologies that focus on Web privacy, says Ari Schwartz, policy analyst with the Center for Democracy and Technology (CDT) in Washington.

Cookie managers, like Privacy Companion, are one. Schwartz says he's hopeful that browser companies may incorporate such technology into future versions -- rather than the all-or-nothing functionality now.

Another tactic is a complete cloaking tool, such as Anonymizer or Zero Knowledge Technology's Freedom software. These tools are much broader, able to cloak everything from e-mail address to your computer's IP address. Freedom can set up separate identities for each user, or even separate work and play identities for a single user.

CDT is working along with the World Wide Web Consortium, also known as W3C, to develop P3P, the Platform for Privacy Preferences. This standard not only comprises cookie management and information harvesting but also what companies do with the information they collect.

While CDT doesn't endorse individual products, Schwartz did have the opportunity to see Privacy Companion and is heartened by the variety of privacy technologies becoming available.

"A marketplace is a good idea for privacy-enhancing technologies," Schwartz says. "We've already had a marketplace for privacy-invading technologies."

Like Perry, Schwartz isn't anti-personalization. The two principles should be able to co-exist.

"Personalization and privacy don't have to be at odds. You can do personalization in ads and services and still protect privacy," Schwartz says. "The question is when you take that information and sell it to other people."

That matter is temporarily settled for the king of ad banners and tracking networks, DoubleClick. In response to private lawsuits and government inquiries, the company has appointed a prominent consumer advocate as its new privacy czar. In a press release, DoubleClick has also agreed not to connect personally identifiable information with preferences until industry and government work out standards.

To Schwartz, that equation is still missing an element: you.

"We hope the public will be involved as well," he says. "It can't just be government and industry coming to an agreement."


A few useful links:
IDcide.com
DoubleClick
Freedom
PrivacyBank.com
Richard M. Smith: What are banner ads saying about us?