Friday, 16 October 2009


The all-seeing eye

How would you feel about a piece of software that watches all your web browsing and builds a profile of your interests so that the adverts you are shown are more relevant than the generic ones you see today?

There was a lot of fuss earlier this year about a service which proposed to do just that. Initially picked up by the tech press, the furore migrated into mainstream media and eventually those involved appeared to have lost interest in the UK market. Yesterday the OFT began to make noises about a related idea.

Chalk one up for the people, right?

I'm puzzled that the privacy activists who were most vocal in the campaign didn't notice when another company quietly stepped up to the plate. And you know that company. Its name is Google.

Have a look at Google Ads Preferences.

According to Google I'm interested in Activism & Social Issues as well as Winter Sports. They decided this by tagging my Google ID (a number stored in my browser at their request) with interest categories based on the websites I recently visited.

Their trick is that rather than watching users' activity by from the ISP's network, Google can see web pages each time a website includes a reference to JavaScript hosted by one of their servers. So every time a browser loads a page that embeds a Google advert, Google gets a chance to examine the displayed page, find frequent keywords, associate an interest category and hook it into the user's ID.

Google claim to do this only on YouTube and pages that show Google Ads, but why should they stop there? There are many more opportunities for Google to review what a user's browsing. Any page that shows a Google map, embeds FriendConnect, uses Google Analytics - or indeed any of Google's products - does so by instructing the browser application to download a piece of software which has free run of the page being shown.

Did you ever wonder why Google offer so many webmaster-friendly tools for free? Google's opportunity is massive - they have hooks everywhere.

Of course the same could be done by any of the other big players. What does the Twitter profile widget do behind the scenes? Or AddToAny and friends? Or the various hosted comments service such as the one I currently use on this blog?

The root of the problem is twofold. Web page authors have got used to including scripts from third parties without thinking, and the security model of the scripting technology is very limited. Authors are essentially inviting persons unknown to do anything they like to pages served from their sites. But they're too busy "monetizing" to stop and think about the implications.

Am I being unkind? Maybe webmasters do think. Maybe they think Google can be trusted. After all "don't be evil" is Google's unofficial motto. (If only they defined what "evil" is.) But is that trust well placed?

Those with a long memory may recall a similar storm about behavioural advertising ten years ago. Back then the bête noire was a company called DoubleClick. Although defeated after a time, they didn't go away. They were bought by Google last year. Guess what powers Google's latest Ad Preferences technology?

So I won't be adding any new third-party scripts to this website, and I'll be working to remove the one which I currently use: it's the only way to safeguard the privacy of visitors to this site.

Targeted advertising is remarkably good at reviving itself. It's not dead yet and will continue to fight back until there's a wider public debate about privacy and the proliferation of our digital shadow.

Posted by pab at 12:09 | Comments will be back later in the year. Please email me instead!