Having your cake, and eating my cookies

© Gina Guillotine

It is obvious that web users are tracked by advertisers; we all notice occasionally when one advert follows us around the Internet. If I let my fiancée use my laptop I would not be surprised if I was followed around the web by adverts for Russell and Bromley shoes. Yes, this is annoying, even intrusive, but this tracking and the “Cookies” that allow it increase advertising revenues for publishers. They are part of a new economic order that has emerged without anyone pointing a gun at anyone; they are part of the emergent implicit compromise that is our culture and our economy online. We know it happens, we know people profit from it and we accept it in our own self-interest, or because life is too short to worry.

The institution of “the web”, which is not one institution at all, offers an immeasurable amount of knowledge and connects us together as a culture in a way which is unique and precious. It is shepherded, as the natural world is shepherded, by owners who each have rights to their small part of it. Users own terminal equipment and lease copper wires that connect them to networks owned by ISPs that connect them to servers owned by companies, universities, institutions, and individuals. When a user chooses to connect to their services, he sends a message from his terminal equipment out across that network to a service’s server. We must not forget that this is a voluntary act and is, for the most part, initiated by the user.

I want to explore another voluntary act to draw a useful comparison. If I have a problem and I ask for help, I will naturally want to choose who I ask. The question might be very personal, or might reveal my intent in a way that is unhelpful to my interests. If it is particularly sensitive I might check over my shoulder before I begin to speak, and I might naturally wish to keep track of to whom I have spoken and what I have revealed, to make sure that I haven’t revealed too much to one person. Occasionally, I might reveal one piece of information, then decline to offer a certain second piece of information knowing that it is possible to infer something sensitive, for example, when the inferred fact would breach a confidence. Some people get really complicated about this and look out for occasions when confiding in person A changes their behaviour in a way that offers a clue to person B, who is looking out for it, and thereby the secret is revealed without A ever breaching the confidence to B. Frankly, I think life is too short to worry about that kind of thing, but I know people do invest time in it, especially if they have made decisions in life that they need to lie about.

The point of talking about these scenarios is to highlight one thing about them: no one ever said that deciding who to trust and what to trust them with is the responsibility of the person receiving the information. In real life, we take responsibility for deciding whom to trust with information and for the inferences that the recipient might make. We fret about acting responsibly with what we are told, and maintaining a good impression, which means acting to avoid certain inferences being made (especially untrue ones).

Accessing a website is very much like asking someone for help (a request is made, an action might be performed, and information flows back) but some people seem to believe that users online cannot take the same level of responsibility and demand health warnings that indicate when the listener is alert to connecting together facts and making inferences. I think they are wrong.

“But Simon!” you scream, “online companies operating big databases can remember more about you than even you could remember. You are powerless to keep track of what you reveal.” This is a matter of degree, and scale, but is not a fundamental difference. It arises because the economics of keeping track of the facts (requests, questions, actions performed) is much more interesting for one party than it is for another, and this is especially true of advertising companies but applies in e-commerce where retailers push products based on order history rather than browsing history. The ad revenue, or future orders, offer a strong incentive to service operators to keep a detailed track, but no strong incentive exists for users. Users are left with a vague fear about what might be inferred, but rationally decide that life is too short to worry.

I said companies are incentivized to do tracking, by improved ad and order revenue, but that says nothing about the cost. As ever, the market supplies cost-effective solutions by coordinating the division of labour. Specialist firms have sprung up to do customer tracking and product recommendation effectively and cheaply for the whole array of e-commerce and media websites. Profiling software for advertising firms is lucrative, so advertising brokerages run their own versions; there the division of labour is between the advertising brokerage (e.g. Google AdSense) and the service operator (e.g. a blog, like this one) rather than between service operator and software firm, but division of labour is still at work.

The EU’s Cookie Directive is an irritating legislative solution to the vague sense of fear experienced by users. Rather than taking responsibility for what they voluntarily reveal, they commission a solution from politicians that is based on the implied threat of imprisonment. The law obligates websites to implement silly yet expensive pop-up health warnings whilst offering little clarity about what those pop-ups must look like. Implementing those pop-ups for an enterprise website will require a fusion of legal, business and technical knowledge that will keep a large group of very well paid people occupied in interminable meetings for a very long time, and then occupied on engineering and impact analysis tasks for a long time afterwards.

It’s wrong of users to impose those laws, when a better voluntarist solution exists. I said earlier that users have little incentive to do the work of keeping track of all the trivial facts they reveal and agreed that they cannot win against companies with massive databases and professionally produced specialist software. All true, but users’ vague sense of fear is also an incentive for users to act to protect their privacy. The market in technology online offers a process of dividing labour in a way that matches those weak, distributed incentives with the intellectual effort of people able to do something about them; and it already has done. For example, the Do Not Track specification, implemented in Firefox etc., is a means to tell service operators that the issue bothers you, leaving it up to them to meet that preference and balance their other priorities. Identical to any other request from a customer, this is good honest process. Evidon is a company with a browser plugin called Ghostery which produces a little database of tracking that has happened to you, and puts you in control of the process in an accessible way. In fact, all web browsers have included features of this kind to some extent and even the advertising networks that can afford it have begun to offer transparency and access for users to see what they have inferred about them.

The invention of these technical solutions is a sign the market is adjusting to the new problems and incentives it now faces. Users, in their home lives, are adopting counteracting technical solutions to address the technology that their peers deploy in their work lives and there is plenty more scope for this. I worry that by running to the Government, users have forcibly cut off the revenue that is supporting online services they use, and when they are ready to eat their cake, the users won’t have paid for it.