Who Sees What You Did?

We can always count on the privacy issue to provide us with shocking examples of counterfactual discourse. Brian Fung’s article on the FCC’s stay of one part of the Wheeler privacy regulations quotes consumer groups making a familiar (but false) claim:

Consumer groups argue that Internet providers are uniquely situated to monitor Americans’ behavior. Unlike Google or Facebook, which can track people’s activity generally only when they use their services, broadband companies enjoy a wide-ranging view into customers’ browsing habits because their entire function is to get users from one website to another, privacy advocates argue.

Obviously, ISPs can only track us when we use their services: The cable company can’t track us when we’re using our mobile provider’s LTE network, and the Wi-Fi hotspot at the coffee shop isn’t necessarily provided by the same ISP as the ones that serve us at home or at work. But that’s the small deception.

The large error is the implication that Google can only track us when we’re using Google and Facebook can only track us when we’re using Facebook. In fact, Internet advertising networks embed trackers in web pages of all kinds, even non-commercial ones such as those operated by “consumer groups”. These trackers record our movements across the web even though they don’t show Google and Facebook logos. Read on to see how this works.

Consumer Groups Petition FCC

Public Knowledge sent a letter to the FCC on February 3 asking the Commission to deny the stay of the Wheeler privacy regulations sought by the affected firms. PK – a group generally friendly to Google on such issues as copyright, net neutrality, and privacy – enlisted 10 similar groups to sign on. The signatories included Consumer Action, Consumer Federation of America, Consumers Union et al. The consumer groups argue that ISPs pose a unique threat to consumers that can cause economic and psychological harm:

The Commission has found a “strong public interest in protecting consumers’ privacy interests when they use communications services. Consumers are uniquely dependent on telecommunications networks to communicate some of their most personal information.” ISPs use consumers’ web browsing history and application history to determine very personal information about the consumer’s life. This information can be used to discriminate against, embarrass, or intimidate individuals. Because this information cannot be made private again once it is known, it can also result in psychological harm.

While this statement is quite colorful, the part that interests me is the claim that ISPs can do us special harm because we’re “uniquely dependent” on them. This is wrong because any firm that can convince web sites to install tracking code can see where we go and what we do on the web, but ISPs can only see unencrypted data generated by their own customers.

Easy Sell

It appears to be easier to convince a site to install tracking code than to sell a consumer an ISP service. The way Google did it was by offering useful widgets: the ubiquitous search widget, AdWords, Google Analytics, and DoubleClick. When these trackers are combined with Gmail, Maps, and search, Google has a comprehensive view of who we are, how much disposable income we have, and what kinds of things we can be induced to buy. And buying rather than inflicting psychological harm is what this is all about.

The tracking sell is so easy the consumer groups themselves are tracking us for Google. Using the Ghostery plugin, I looked at the trackers employed by the signatories of the Public Knowledge letter to the FCC on the stay. Here’s what I found: Consumer Action, Consumers Union, Center for Digital Democracy, and Center for Democracy & Technology have Google Analytics on their web sites and no other trackers.

Others step up the game by including Google’s DoubleClick along with analytics: Consumer Federation of America, Benton Foundation, Public Knowledge, Institute for Public Representation, and New America’s Open Technology Institute fit this description. If five of the nation’s 11 most hardcore privacy hawks are happy to track our visits to their web sites on behalf of Google, how hard can it be for Google to convince others to do the same thing?
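
A static version of the audit described above, as an added example that is not part of the original article and is not how Ghostery itself works: it lists which of the two trackers named here a page's HTML would load, including the inline Google Analytics snippet that has no `src` attribute. The two-entry domain map, the function names and the sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: only the two trackers the article names; real blocklists are far larger.
TRACKERS = {"google-analytics.com": "Google Analytics", "doubleclick.net": "DoubleClick"}
# Tags that make the browser fetch a resource, and the attribute holding its URL.
LOADING = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

def classify_host(host):
    """Label a host only if it is the tracker domain or a true subdomain of it."""
    host = (host or "").lower().rstrip(".")
    for domain, label in TRACKERS.items():
        if host == domain or host.endswith("." + domain):
            return label
    return None  # lookalikes such as google-analytics.com.example.org land here

class TrackerAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.found, self.in_script = page_url, set(), False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        url = dict(attrs).get(LOADING.get(tag, ""))
        if url:  # urljoin resolves relative and protocol-relative (//host/...) URLs
            self.found.add(classify_host(urlparse(urljoin(self.page_url, url)).hostname))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:  # inline loader snippets name the host inside the script text
            self.found.update(classify_host(h) for h in HOST_RE.findall(data.lower()))

def audit(html, page_url):
    parser = TrackerAudit(page_url)
    parser.feed(html)
    parser.close()
    return sorted(label for label in parser.found if label)

# Constructed sample pages (not copied from any real site).
PAGE_A = """<html><head><script>
var g = 'https://www.google-analytics.com/analytics.js';
</script></head><body><a href="https://ad.doubleclick.net/about">a plain link</a></body></html>"""
PAGE_B = """<script src="//www.google-analytics.com/analytics.js"></script>
<img src="https://stats.g.doubleclick.net/r/collect?v=1">
<script src="https://google-analytics.com.example.org/x.js"></script>"""
```

A static pass like this undercounts trackers that are injected at run time by other scripts, which is why a browser extension that watches actual network requests sees more.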

What Google Knows

Last June, Google advised users it was merging its search, maps, and email databases together with its DoubleClick database. This move enables Google to build more comprehensive profiles of its users:

Google asked its users in June to opt-in to a new privacy policy that allows the company to merge users’ browsing data with their search and email data to create more robust user profiles, which enable it to better sell ads. Google had kept the two data sets separate since its 2008 acquisition of DoubleClick, a unit that collects users’ browsing history on third-party websites.

Commercial competitors such as Oracle object to Google’s practice, as do some privacy advocates and government officials in other countries.

Bottom Line: Google Sees More

With “super profiles” Google can see essentially all the websites we visit and can read them in clear text. In contrast, ISPs can only see the websites we visit while using their particular services and cannot read those that are encrypted:

“ ‘Super profiles’ now a reality,” reads a headline on one slide of a presentation Oracle provided to regulators and The Wall Street Journal, referring to the detailed profiles Google cobbles together based on users’ preferences, location and other data. “Policy change gives Google exclusive, unprecedented insight into users’ lives.”

There is an information asymmetry between advertising networks such as Google, Facebook, and Oracle on the one hand and ISPs on the other. But the advantage goes to the edge services, which track us even on non-commercial sites.

I hope the advocates who actively track us on behalf of DoubleClick will realize what they’re doing before they make their next factually unsound request to the FCC.