This has been a pretty wild and woolly couple of weeks in the advertising and social networking space:
On the Facebook-can’t-be-stopped front, the social advertising play Facebook outlined (Beacon, Social Ads, corporate ad pages, et al) is a really well thought-out means of making their entrance as a principal into the whole ad ecosystem not just a simple vertical integration of their inventory (how I would typify moves like MySpace’s, before their hyper-targeting announcement), but a front-on attack on the first generation behavioral targeting players and search principals.
On the Privacy-is-an-illusion front, AOL is trying to get out in front of the anticipated consumer backlash around behavioral targeting by announcing their plan to allow an opt-out capability. Consumers, you can find that opt-out at “www.reallyobscureurlthatwehopeyouneverdiscovery.com” 
On the Don’t-forget-your-old-friend-Tom front, MySpace announced two steps to address the intellectual high ground gap they have with Facebook: They agreed to be part of the OpenSocial consortium with Google, in the hopes of getting the same developer community mojo that Facebook is riding, and they announced their “hyper-targeting” capabilities for advertisers, leveraging the profile information of their members.
And finally, lest they be forgotten, on the $1000-per-share-freight-train front, Google made a great first step in addressing the assault by Facebook with their OpenSocial play. Without MySpace, it would have been irrelevant. With MySpace as a part, they are starting escalating the pressure on Facebook on opening access their social graph data. I don’t see Facebook blinking anytime soon, but each journey begins with a single step, and OpenSocial is off to a good start. Its long-term success will be determined if and when they show consumers a powerful call-to-action, in terms of a compelling value proposition that resonates with the social networking demographic (that hasn’t happened as of yet – it is still just a standards dialog/battle among the tech principals). I found the fact that it was hacked in its first week of existence to be a serious warning to all that openness relating to consumer data, without the appropriate design and software quality rigour, is a train wreck – hopefully they will learn from their first bloody nose here.
This past week, for me, was all about the privacy entitlements individuals are owed, and how they might effectively administered to the broad base of online consumers. I see no scenario where consumers’ voices aren’t heard on this issue – it’s too rich of a topic for Washington not to opine on. Given the initial dialogs on the topic, I see 5 major paths this privacy dialog takes;
Option 1: The FTC implements some form of “do not call registry” for web users. One challenge: In the phone world, the issues of identity was easy – it is my phone number. How on earth do they intend to do it for my web activities? Today, I roam from site to site without a common identity. If I now have a privacy policy I want uniformly enforced, I see no easy way to do it, short of a cookie the FTC places on my PC that sites all need to respect/use to understand my “rules”, and I see multiple issues here:
How do you know a site is respecting the policy?
How does that approach work in my multiple PC/kiosks/mobile world?
How long will it take for the FTC to design and implement the solution?
Option 2: The FCC wins its proposal to enforce “anti-spyware” efforts, defines web tracking as a potential “spyware in the cloud” model, and intervenes. If this is like the approach to SPAM fighting, it will take the form of a reactive mechanism to prosecute offenders – not a real solution in my eyes.
Option 3: The industry proposed a solution (led by the majors). Certainly, this is a proactive approach to the pending backlash, but each player is really conflicted here (hence all the leading with opt-out vs. opt-in proposals). Nothing other than point solutions by individual players has arisen, and that’s a non-starter for me.
Option 4: Grass roots solutions, in the form of third-party browser extensions, arise. There are a number of IE and Firefox add-ons that are starts at trying to address the security and privacy issues, but no solution reflects the needs of today’s consumer, who is now facing the increased use of behavioral targeting by each of the majors and the new social network profile-accessing ad schemes relatively unarmed.
Option 5: The browser manufacturers incorporate more robust privacy controls in the core shipping product that is well beyond the controls they offer today.
To me, the best answer is Option 5: the major browser “manufacturers”: Microsoft, Mozilla, Apple, Opera all need to ship as part of their standard offering (not as add-ons), a simple process to allow consumers to select, in simple terms, the level of personal information they are willing to disclose to web sites / ad networks.
Today, the core browser-based options available to consumers are really blunt instruments:
Enabling/Disabling cookie support – a hugely bad consumer experience here, in terms of ease-of-use of their popular sites
Periodic cookie sweeping – again, a bad experience rarely done by the average consumer
Site-specific cookie blocking - a rarely used feature
Blocking all third-party cookies – again, a buried option rarely used, and one that treats all third party cookies as equals as privacy offenders, which is not the case
Ad blocking tools, an economically unjust solution, in my eyes.
My rationale for developing and shipping enhanced privacy controls in the core browser at the best approach?
1. The current principals in the publishing and networking space are just way too conflicted to come up with the right solution. All the talk today centers around opt-out schemes, and that is really an intentionally weak scheme – Opt out studies have shown only 15% or less folk elect to opt out, when presented with a default opt in selection.
Past action also indicates future intent. Look at how Facebook addressed public profiles – it shows they are going to be aggressive in their data usage tactics. Beacon is just another step (and certainly not their last) in their advertising journey.
MySpace is not much better, just a few chapter behind – hyper-targeting on profile info is just a first step by them.
It’s not like Google is immune from similar criticism. It started with their archiving of web search history, to their terms of service for Gmail, and will extend to their own plans for targeting in the display ad and mobile space.
I just don’t see any thoughtful answer arising from the monetization players.
2. The browser presents a tool that can implement a near-100% privacy compliance scheme (you still have the issues of multiple PCs and mobile to wrestle with here as well, I’ll acknowledge). I’d prefer some form of white-list scheme as part of the solution to eliminate the threat of new bad actors – if you haven’t passed the test of respecting my privacy policy, your cookie gets wacked (passing through Newark NJ on the train as I now type, hence the Sopranos term
3. You have a solid means for getting the vast majority of consumers easy access to the control mechanism. This means the solution can’t be buried in detailed options rarely used – it should be part of the install/upgrade dialog.
4. You have a possible practical middle ground for consumers and publishers. The solution might even include an option to share an anonymous ”mini-profile” I am willing to expose (e.g., age/sex/location).
5. It’s a solution that could be developed and broadly deployed quickly (e.g., 6-9 months).
I think this (browser-based control) should be on a short-list of options to consider as we go forward. The biggest challenge for me (and a reality check)? The fact that the browser manufacturers themselves are conflicted in coming up with the best answer. IE’s owner, Microsoft, has made major investments in its ad business, and any approach that dilutes their efforts will get major pushback.
I even worry about Firefox – the income that the Google relationship brings into Mozilla Foundation is addictive – but hopefully the community will rule here and perhaps make privacy an “A list” initiative. Firefox is the shipping vehicle that I hold out the most hope for – if they do this, and it further helps their install momentum, it can get Microsoft to the table.
I do think there is a practical answer that works for consumers and businesses - I just don’t think I need to trade this much privacy away so quickly. I wait with baited breath to here the first real pro forma answer to emerge. It is way too critical a topic for us to let age much more than it already has…
Great article! We shouldn’t have to trade away our personal information and privacy to use tools and services on the Web. The browser as the control for the end-user is a concept worth exploring. Thanks for the link; I’ll be back to read more!
By: Sharon on November 6, 2007
at 12:42 pm
People are growing concerned about online privacy, but oddly enough, are holding it to a higher standard than offline privacy.
If you go to Safeway and buy a weeks worth of groceries, you’ll get coupons on the back of your receipt targeted to your purchases. (Including the hemorrhoid cream you reference in your title – or worse!. If you used your Safeway card to get discounts, they’ll be targeted to things you bought previously. That is way more specific than any online cookie based system!
Or take what Acxiom has – a very rich database of over 130m households in the US, including info like household income, number of kids, recent catalogue purchases, magazine subscriptions etc. They sell this to any direct marketer who wants to buy it. That is far more specific than what Myspace makes available as well.
I don’t understand why people are more concerned about online ad targeting than offline
By: jeremyliew on November 6, 2007
at 2:36 pm
great article. we were thinking of investing some $$$ in an Option 4 solution – what products have you seen out there ?
By: Amit Shafrir on November 6, 2007
at 3:13 pm
Jeremy-
Would agree we as consumers have much less privacy than we are aware of. I just think that the road back to fuller control starts with a single step. I also think that someone’s ability to track my web browsing habits without my full awareness (my view of the average consumer), and also tracking and potentially sharing my online purchasing habits with people I know is beyond acceptable as an opt-out default. Even database marketers have restrictions on sharing transactional data. Do I feel online privacy efforts persecute online businesses unfairly? No way! There is a middle ground here that can increase CPC/CPA performance and still respect the consumer.
By: John McKinley on November 6, 2007
at 6:14 pm
Amit-
Here is a good link to a list of 50 Firefox add-ons in the security and privacy space: http://mashable.com/2007/07/25/firefox-security/
IMHO, no player is even close to the mark, in terms of a policy based solution here. The first steps on host-based white/black listing is at least starting to show up in IE7, Symantec’s toolbar, and other add-ons, but this is all phishing focused. Think there is an opportunity here, but it involved organic development, not acquisition.
By: John McKinley on November 6, 2007
at 6:20 pm
cool. thanks. – checked it out. none of them do what we are working on
By: amit shafrir on November 6, 2007
at 8:16 pm
Hi John, interesting post. Note that AOL isn’t creating any new opt-out opportunity – the ability to opt-out using an opt-out cookie has been available at the AOL privacy policy for many years. But, as you imply, users don’t know about the opt-out and that is why we have launched a campaign to publicize it.
Re the browser option – the P3P implementations in the browsers seek to give users some measure of the choice and currently block by default many 3rd party cookies if they do not meet a privacy standard – but this is limited to cookies. The P3P specification, which I helped work on years ago (see http://www.w3.org/P3P/) does allow a site to provide a machine readable description of data practices that can be used (the leading browsers do not however use it, see http://www.privacybird.org/ for a plug in that can read a sites P3P policy and evaluate it). But the complexity of this quite imperfect spec illustrates how difficult it is to communicate the myriad issues involved with data use in a way a user can quickly evaluate.
By: jules polonetsky on November 6, 2007
at 10:56 pm
Jules-
First, glad to know you are still on the case for AOL – they need you! Thanks for the post, and the reminder about the initial p3p efforts from a few years ago. My views are simple – think about the energy put into the site-by-site p3p spec – now look at today: I would be hard-pressed to believe privacybird, which was a nice idea we discussed incorporating into AOL 9.0, ever got to more that 1mm users at its peak – hence my view that add-ons won’t get us there.
I would also propose that a Tacoda-enabled AOL is a way different world than before, and that was the reason for the need for the recent press push.
By: John McKinley on November 7, 2007
at 6:29 am
John,
As one of the people responsible for helping to clean up the mess from last year’s AOL Search data release, I’m very sympathetic to privacy issues.
But there is some great consumer value that can come out of sharing data on social networks. People have been doing this on Facebook and Myspace, even before Beacon, using apps like Virtual Bookshelf and Flixster.
I wrote a blog post (pre-announcement) on marketing on social networks:
http://blog.agrawals.org/2007/11/05/marketing-on-social-networks/
If my friends know that I have an iPod Touch or a Magellan GPS or that I like Keen shoes, they’ve got a reference point when they’re making purchase decisions.
The big question I haven’t seen addressed is what Facebook does with the Becaon data if I don’t choose to publish it. There are brands that I would happily associate myself with and others that provide utility (Tide) or are embarrassing (Preparation H). If I buy Preparation H and tell Facebook I don’t want to publish it, do they still keep track of the fact that I’ve bought it?
With Facebook Beacon, I see the third-party sites being more concerned than users. If I’m Amazon or Netflix, one of my competitive advantages is the database of purchasing habits that I have. Do I really want to give that away?
BTW, one Facebook privacy issue you didn’t mention was the reports of Facebook employees casually snooping on user information.
By: Rocky Agrawal on November 7, 2007
at 9:00 am
Rocky-
I think G-rated sharing on media consumption stuff (songs I listened to, movies I watched) is the right kind of data I might share (I do that today), Going beyond the media category is not something that I see people doing broadly. If my buying habits define me to my friends, I need new friends! I certainly will tell folk about new products I have a passion about, but that’s an infrequent event, imho.
Your killer question is what Facebook will do with Beacon-obtained data, even if you opt out of surfacing it in your feed. I will look into it, but if you get an answer first, I’d love to know!
By: John McKinley on November 7, 2007
at 11:46 am
[...] option to publish the information on your Facebook feed. This raises privacy issues. GigaOm and John McKinley offer sharp [...]
By: Facebook Beacon supercharges word of mouth « reDesign on November 8, 2007
at 8:05 am
well, online privacy is difficult to get now. unless you anonymouze everything and make sure that you don’t enter your private information online at all. but facebook’s issue is new to me, i never expect them to be that careless with our information.
By: Nowheet Owl on December 9, 2008
at 10:09 pm