How to stop cookies stealing your personal information

The Office of Fair Trading reported in May on the effects on consumers of online advertising presented as a result of tracking the user's online behaviour, writes Steve Smith, managing director at Pentura.

The Office of Fair Trading reported in May on the effects on consumers of online advertising presented as a result of tracking the user's online behaviour, writes Steve Smith, managing director at Pentura.

The study followed consumers' objections to online behavioural advertising practices. These centre on privacy issues and the opportunity to misuse personal data.

The Office of Fair Trading (OFT) found consumers would object very strongly to pricing based on their actions, such as previous purchases, browsing behaviour or geographic location. It concluded that consumers who knew that targeted prices were being applied would change their behaviour. As a result, a failure to inform consumers about the practice could breach consumer protection rules, and in such an event the OFT would consider enforcement action.

The OFT stipulates that sites that use online behavioural advertising (OBA) have to ensure consumers are aware that information about them may be stored and used to target advertising. It is now encouraging the trade association for online advertising to work with the industry to provide consumers with clear notices alongside behavioural adverts and information about opting out.

OBA is only part of the story. Targeted pricing based on behaviour is similar to the tactics used by market traders. If you look rich and dress in expensive looking clothes the traders will increase their prices for you.

The same is true with OBA, only it's more subtle. Firms can collect information from cookies on a consumer's web browser to monitor their behaviour to understand what they do, what websites they visit regularly, and how and where they spend their money.

They can sell this information to others or use it to price advertisements that they serve to consumers. As a result, other sites might use this information against a consumer in the same way a market trader might, and increase their prices for consumers that are considered more affluent than others, as a result of their online behaviour.

There is also the potential for unfair trading. For example, a consumer may already be at the online check-out when an aggressive advert from a competitor brand appears, causing the consumer to change their mind. This will mean competition becomes far more aggressive and somewhat intimidating for users.

Neither the OFT nor Ofcom are stepping up to the responsibility of policing and penalising organisations that abuse OBA. To be fair, there is no clear answer as to who should police OBA, and matters now proceed on a case by case basis.

Presently consumers have to ensure they are aware of what sites do with the information they collect. This is not good enough. Not only are most consumers naïve about this aspect of the web, but many might part with even more information if there was something in it for them.

Hence, there must be a clear governance and ownership of responsibility around OBA. The OFT must provide and enforce unambiguous guidelines for OB advertisers that warn consumers explicitly what information is collected and stored and how it is used to target them.

Information Commissioner's Office (ICO) regulations require firms to inform consumers clearly about the purpose of storing a cookie or other tracking systems on a user's computer and to allow the user to opt out or delete such cookies.

Consumers can control tracking cookies in other ways too. One way is clear all cookies from the browser at the end of each session, and ensure the appropriate security settings are configured on cookie management.

Many users do not do this as they see security and clearing cookies as a nuisance. But as they use their browser for banking, social networking and other potentially risky activities, online security becomes more important.

Nearly all browsers now allow private modes. These let users browse anonymously, and ensure no information is stored about them on cookies.

Adobe Flash "super cookies" or "Flash cookies", which use Local Shared Objects (LSOs), are trickier to erase and clear. A normal cookie can store a maximum of 4k of data, whereas a super cookie can store around 100k by default. With 98% of computers globally using Adobe Flash Player there is a phenomenal amount of users unaware of the risks involved.

The problem is that super cookies are not linked to a browser, so information is not erased when users delete cookies through their browser. It is also very difficult for a user to find these super cookies on their computer.

The best way for a user to avoid super cookies storing information that OBAs can access is to download the Adobe Flash Player settings manager. This allows them to monitor and take control of their information security.

Deleting cookies usually means you lose some convenience. Users have to decide if this reduced functionality is worth increased security.

But there are programs that can block advertising from companies users choose. This helps reduce users' exposure to potential data privacy breaches. It can also speed up access to some sites, as there is no advertising to download.

For complete anonymity, the most secure way to browse the internet is to use the private browsing modes available in many of today's browsers. This thus prevents cookies of any type from being downloaded and stored on the local machine, but the digital highway could develop a few bumps as a result.

Online behaviourally targeted advertising is worth between £64m and £95m, a fraction of the £3.35bn the total online advertising market was worth in 2008, set to rise significantly in the future, the Office of Fair Trading says in a market study of the issue.

The OFT found that industry self-regulation addressed some concerns about behavioural advertising, but more could be done to provide consumers with better information about how personal information was collected and used.

It also set out how regulation might apply to these new and emerging practices.

The OFT found that behavioural advertising offered benefits to consumers such as free access to content, critics were concerned about privacy issues and the possible misuse of personal data.

The OFT said it would encourage the Internet Advertising Board, the trade association for online advertising, to work with the industry to provide clear notices alongside behavioural adverts and information about how to opt out from cookies.

Signatories to the IAB's good practice principles are AOL/AOL Advertising, Audience Science, Crimson Tangerine, Google UK, MSN/Microsoft Advertising, Specific Media UK, Yahoo! And SARL.

Read more on IT risk management