Cross-Device Tracking: How the Ad Industry Will Follow You Wherever You Go
Image: FTC.gov
Does your smartwatch know you’re reading this on your laptop?
If the ad industry’s ambitions pay off, online marketers will be able to do the next best thing: fine-tune the sales pitches displayed on one device based on what you’ve seen on the others. It’s called “cross-device tracking,” and you’re probably going to start hearing a lot more about it.
No IP address is an island
As participants at a workshop hosted Monday by the Federal Trade Commission in Washington, D.C., explained, the basic problem here is one you experience every time you fumble for the right charger or cable: We use too many devices.
Yet many of the traditional tools and networks employed to present ads we might care about — such as “cookie” files that identify particular browsers — date to a time when most of us used just one.
“It’s harder to get a consistent viewpoint on what [people are] doing online,” observed FTC Policy Director Justin Brookman as he opened the discussion.
Lest you see that as a feature, not a bug, remember that you are probably already subject to one of two techniques that sites use to track your online activities across devices now.
In “deterministic tracking,” sites rely on the credentials you use to log in from any device: Think of Apple and Google syncing your Web browsing across different copies of Safari or Chrome, or Facebook pinging you about updates on both your phone and laptop.
Wherever you go, whatever you do… (Photo: Thinkstock)
Things get more interesting when you look at “probabilistic tracking,” in which a site combines different data points to detect your presence. For example, as Brookman explained, if a site sees a specific phone connecting from one Internet Protocol address during work hours and another during nights and weekends, it reasonably interprets that to mean you’re connecting from your work and home networks.
(An “IP address” is the numeric identifier every device on the Internet carries, usually automatically assigned by an Internet provider. For example, as I type this, my laptop’s IP is 205.201.255.5: Enterprising readers should be able to identify that location.)
Sites can then correlate those IP addresses with specific browsing patterns. (Brookman cited his own habit of reading news about technology, sports at the University of Virginia, Capitol Hill, and England’s Arsenal soccer team.) Result: a high degree of advertiser confidence that you are a single user using multiple machines without any common sign-in among them. Advertisers can then track those different devices over time by sending the same cookie to the browsers on each.
SilverPush: Pushing its luck?
But if an advertiser can get its code into a smartphone app, it can engage in much more ambitious cross-device tracking. Take, for example, the “Unique Audio Beacon” system offered by an Indian startup named SilverPush.
In this system, a TV ad broadcasts a high-frequency sound that humans can’t hear — but which apps built with SilverPush’s software can. An advertiser can then target people based on whether they (or, at a minimum, their phones) were in the room when the ad played.
“The cookie is looking mighty wonderful these days compared to some of this stuff,” said Joseph Hall, chief technologist at the Center for Democracy and Technology, during a panel discussion at Monday’s FTC workshop. He wondered whether the next venture into cross-device tracking would involve visual beacons — such as infrared paint on a wall that your phone’s camera could detect.
It’s unclear how big a risk sensor-driven tracking is in the real world. SilverPush has its technology in very few apps, and it has said it doesn’t let ad clients see information that would personally identify you. Further, the ability to yank an app’s access to a phone’s microphone or camera — once confined to iOS, now included in Android — gives us a veto over this behavior.
But less ambitious, less obvious app-level tracking remains possible. (This site’s publisher, Yahoo, bought a mobile ad-tech firm named Flurry last year, which gathers audience data from mobile apps.) And that, in turn, can generate detailed profiles that may not identify us by name but can give advertisers a better picture of what we want.
Defeating all of this monitoring is a task for the technically astute. FTC Chief Technologist Ashkan Soltani told me after the workshop that he does most of his browsing over virtual private networks and also loads custom system software on his Android phone to get ad-blocking to work comprehensively.
What is to be done?
There are, as some participants in Monday’s workshop noted, some non-hostile reasons for ad tracking: You don’t want to show the same ads to a given reader 50 times in a row; you do want to present ads that cater to that reader’s interest; you want to deter non-human bots from committing ad fraud.
But those benefits accrue far more to advertisers than to readers. And there’s no guarantee that the latter will even know this is happening. That’s the bigger problem for advertisers: When people learn about some complicated marketing machinery that lets a site send an email to a potential customer who has never given that site his address — true story! — they’re not likely to be amused.
At a minimum, they may respond by using ad blockers. Such tools are blunt instruments that can cause larger problems (on a Web in which people largely don’t pay to read things). But nobody can be too surprised at their growing popularity.
FTC headquarters. (Photo: Carol M. Highsmith collection)
And while federal privacy laws remain thin, the FTC does retain the right to step in if a company’s settings for opting out of tracking don’t work as advertised. Maneesha Mithal, associate director of the commission’s Division of Privacy and Identity Protection, closed the proceedings by reminding attendees that Section 5 of its founding statute gives it that authority.
But that leaves this downside: If a privacy policy and its opt-out accurately describe how little privacy you have because of a company’s tracking scheme, you’re on your own.
Email Rob at [email protected]; follow him on Twitter at @robpegoraro.