Tag Archives: device fingerprinting

Q&A: LBI’s Manley on preparing for the EU cookie directive

Manley is SEO Director at LBi, and he has been working with clients recently, preparing for the full implementation of the EU cookie directive. 

This directive (here’s the pdf if you have a few hours spare) was introduced in the name of privacy, but has serious implications for online businesses.

I’ve been asking Manley about what the directive will mean in practice for online businesses, and what they should be doing to prepare themselves…

What was the thinking behind the EU cookie regulations?

The reason the EU has introduced this directive is due to concerns about privacy, especially from Scandinavia. The idea is to prevent organisations collecting information about web users without their permission.

The problem is that the people who have introduced this have very little idea of what a cookie is and what they are used for. Considering the privacy of individuals is no bad thing, but the law is slightly misguided.

It was announced at the beginning of the year, and the UK is the first country to have introduced it.

The idea behind this early adoption was that we could manipulate the law, and the initial guidance was that browser settings would deal with the need for users’ consent.

However, it soon became clear that that wouldn’t cut it. Now we have a situation which is unclear for many businesses.

What does the ICO’s decision to delay implementation mean in practice?

The law is in force now, and has been since May 26. However, the ICO has said it will not prosecute anyone under this rule until May 2012.

You can make complaints against websites though, and just because businesses may operate websites within the UK, it doesn’t mean they have nothing to worry about until next year.

If your visitors are coming from other EU countries including Ireland, Sweden, Estonia, Finland and Malta, you may be liable.

What do the cookie regulations mean for online business?

The ICO will not currently pursue companies for not gaining users’ consent for cookies, but this is no excuse not to be doing anything about it.

As the ICO’s Christopher Graham has said, those who choose to do nothing will have their lack of action taken into account once the regulations are enforceable.

The sort of organisation that will be likely to be complained about should have the resources to be able to make the necessary changes.

They should be concerned, as the penalty for flagrant flouting of the rules is £500,000. Any organisation with several websites and brands, some financial services companies for example, will therefore be liable for each property, meaning fines could add up to millions of pounds.

What should online businesses be doing in preparation?

Although you can be fined, what constitutes a serious breach is flagrant disregard for the directive, and the ICO says that a phased approach is acceptable.

Right now, you should be examining your existing current cookies, looking at:

  • How much information are you holding?
  • How necessary is it?
  • What measures can you put in place for gaining consent from visitors?

Even the ICO’s cookie consent message (below) isn’t enough to comply. Users have to be able to make an informed decision and give overt and informed consent.

If you have done an audit, have an acceptable and clear privacy policy, and a reasonable strategy in place for May 2012, ready to be implemented, then you will be prepared.

What are the various options for websites to ensure that they comply with the cookie law? Is it possible to comply without affecting the user experience?

Websites face a dilemma over how overtly they ask for users’ consent to store cookies.

They could put a notice on the page when new visitors arrive, one which asks for users to consent, but which still allows them to use the site as normal if they choose to ignore it.

This will mean a better user experience, but the flipside is that the amount of traffic picked up by analytics packages will be a fraction of normal levels.

The other option is to use a lightbox to ask for consent. The user only has to opt in once, and this would solve the problem of losing analytics data, but it does mean that some visitors will drop out.

People don’t like being interfered with, and frequently ignore lightboxes when used to gather user feedback on sites. We find it offensive that something online is interacting with us, rather than us with it.

When someone arrives at a site for the first time, there will be higher bounce rates as they see this interruption.

Another approach is to have a tiered structure for visitors. For example, a ‘bronze’ level may mean no cookies are stored from that user, a silver level with a minimal level of cookie data, and gold, where customers opt in, in return for the fullest possible experience on a site.

This will be the first time that most web users will become aware of this legislation, and in many cases, what cookies are. The potential effect of this change on the internet could be massive. As well as online retailers, massive sites like YouTube and Facebook all rely on cookies.

It also threatens many business models, retargeting, behavioural targeting, attribution CRM, display advertising, and of course, analytics.

Analytics could be seriously affected by these changes. For example, on May 26, when the ICO began to ask for consent to store cookies the visits shown in analytics were down to 11% of normal traffic.

Is there anything companies can do to educate web users in advance?

Perhaps, but since all businesses are looking for is a quick yes from visitors, education may not serve businesses particularly well.

Has there been much resistance to this law? Are companies lobbying against it?

I’ve done some work on this with financial services and telecoms companies. There are some who say this is unworkable, but in all honesty, it’s not, it’s just a bit irritating.

Others are accepting it and trying to work within the guidelines.

This isn’t going to go away, though whether the ICO actively seeks to prosecute businesses is debatable.

The answer is to embrace the law, and to have everything ready for its full implementation, except the last consent step, a lightbox or notice for new visitors.

When it’s clear that the law is in place and will be enforced, then this will need to be implemented.

How exactly the law will be implemented is still not 100% clear. The ICO has asked the industry for feedback, and it’s not certain how they will adapt to this. Until we see the legislation in practice, it’s difficult to know, but just hoping it’s going to go away is not going to help.

Start-Up Ensighten Aims to Let Websites Enforce ‘Do Not Track’

Online ad companies have been debating for months about how to respond to people’s requests not to be tracked on the Web.

But now a company called Ensighten may just take the decision out of advertising companies’ hands, giving website owners the power to block companies that don’t honor “do not track” requests.

With a new system launching formally this week, the start-up will allow websites to keep a closer eye on tracking tools such as cookies on their site — and even set rules for what trackers to accept.

The idea for the system, dubbed Privacy Sentinel, comes as concern grows about online data collection. The Wall Street Journal reported last year that more Web publishers were trying to rein in the tracking tools on their sites and that several start-ups were stepping in to help them.

The Journal had earlier found that the most popular U.S. websites placed dozens of trackers on average, and many website owners were not aware of the number of tracking tools on their pages.

It’s common for website developers to have deals with several companies to run ads on their site. Each of those companies can in turn make deals with multiple other tracking firms to embed trackers within ads. A study last year by start-up Krux Digital found that nearly a third of the tracking tools on 50 popular sites were installed by companies that didn’t have the publisher’s permission.

“If you’re a large site owner, how do you control all of that?” said Josh Manion, the chief executive of Ensighten.

Founded in 2009, Ensighten is one of several companies that offer a system to help websites manage data-collection tools. Its new product expands on that by letting Web developers funnel traffic to and from tracking companies through the Privacy Sentinel system. That way, the Website owner can see and control just what trackers are on the site, even if those trackers are placed within ads from other companies.

Privacy Sentinel allows the website to dictate what trackers are allowed, limiting those from companies that don’t have a strong privacy policy or follow industry standards, for example, or those with code that slows down the loading of the page.

A diagram showing how Privacy Sentinel works by allowing some data to pass through and blocking other data.

One of the key rules that website owners can set: whether to accept trackers if a person’s browser is set to “do not track.”

Internet Explorer, Firefox and Safari now let users automatically send a message to sites indicating that they don’t want online behavior recorded as they surf the Web. But a major problem with the “do not track” system is that it requires tracking companies to abide by the request, and relatively few ad companies are doing so at this point.
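The kind of site-owner rule set described above, sketched as an added example (not from the original article and not Ensighten's code). The vendor hosts, the registry fields and the policy thresholds are constructed assumptions; the only real-world detail relied on is that browsers with the setting enabled send the request header `DNT: 1`.

```javascript
// Added example: a hypothetical publisher-side tracker policy.
// Vendor hosts, fields and thresholds are constructed for illustration.

// What the publisher has recorded about each tracker vendor it has a deal with.
const VENDORS = new Map([
  ['ads.example',       { honorsDnt: true,  hasPrivacyPolicy: true,  loadMs: 120 }],
  ['retarget.example',  { honorsDnt: false, hasPrivacyPolicy: true,  loadMs: 90  }],
  ['slowpixel.example', { honorsDnt: true,  hasPrivacyPolicy: true,  loadMs: 900 }],
  ['nopolicy.example',  { honorsDnt: true,  hasPrivacyPolicy: false, loadMs: 50  }],
]);

// Site-owner rules (assumed names, mirroring the criteria in the article).
const POLICY = { requirePrivacyPolicy: true, maxLoadMs: 500, enforceDnt: true };

// Header names are case-insensitive, so normalise before comparing.
function dntEnabled(headers) {
  return Object.entries(headers || {}).some(
    ([name, value]) => name.toLowerCase() === 'dnt' && String(value).trim() === '1'
  );
}

// Return the host of an HTTPS tag URL, or null if the URL cannot be used.
function hostOf(tagUrl) {
  try {
    const u = new URL(tagUrl);
    return u.protocol === 'https:' ? u.hostname.toLowerCase() : null;
  } catch {
    return null;
  }
}

// Decide on a single tag. Default-deny: a host the publisher never approved
// (for example a tracker nested inside another company's ad) is blocked.
// Matching is on the exact host, so subdomains need their own registry entry.
function decide(tagUrl, headers, policy = POLICY, vendors = VENDORS) {
  const host = hostOf(tagUrl);
  if (host === null) return { allow: false, reason: 'invalid or non-HTTPS URL' };
  const vendor = vendors.get(host);
  if (!vendor) return { allow: false, reason: 'vendor not approved by publisher' };
  if (policy.requirePrivacyPolicy && !vendor.hasPrivacyPolicy) {
    return { allow: false, reason: 'no privacy policy on record' };
  }
  if (vendor.loadMs > policy.maxLoadMs) {
    return { allow: false, reason: 'tag slows page load' };
  }
  if (policy.enforceDnt && dntEnabled(headers) && !vendor.honorsDnt) {
    return { allow: false, reason: 'visitor sent DNT: 1 and vendor does not honor it' };
  }
  return { allow: true, reason: 'ok' };
}

// Split a page's tag list into what may be emitted and what is withheld.
function filterTags(tagUrls, headers, policy = POLICY, vendors = VENDORS) {
  const allowed = [];
  const blocked = [];
  for (const url of tagUrls) {
    const d = decide(url, headers, policy, vendors);
    if (d.allow) allowed.push(url);
    else blocked.push({ url, reason: d.reason });
  }
  return { allowed, blocked };
}

// Constructed page: four contracted tags plus one nested tag nobody approved.
const PAGE_TAGS = [
  'https://ads.example/tag.js',
  'https://retarget.example/px.js',
  'https://slowpixel.example/p.js',
  'https://nopolicy.example/t.js',
  'https://unknown-nested.example/beacon.js',
];

console.log(filterTags(PAGE_TAGS, { DNT: '1' }));
```

Keeping the reason string with every blocked tag gives the publisher an audit trail of which vendors were withheld and why.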

Mozilla, which began including “do not track” controls in its Firefox Web browser earlier this year, said at least a half dozen companies – including Bluekai, Bluecava, Chitika, Media6Degrees and EffectiveMeasure – are honoring the requests. But that is a drop in the bucket when it comes to the online advertising ecosystem.

“Many advertisers and publishers have also announced their support for Do Not Track,” a Mozilla spokeswoman said, as has the Federal Trade Commission staff. But discussions continue about how it should be implemented.

“For the site owners or publishers, it is a hand-wringing activity,” Manion said. “They have to wait for vendors to upgrade technology,” even if they want to give their users more options when it comes to tracking.

Ensighten has teamed with PrivacyChoice, a firm that provides privacy-consulting services to websites. PrivacyChoice maintains data on the policies of more than 450 online ad companies. The Journal used information from PrivacyChoice as part of its study of trackers last year.

Ensighten has been beta testing its Privacy Sentinel system with six clients over the past few months and will publicly launch this week, Manion said. The tool, which is aimed at large site owners, is priced at $2,000 a month and up, he said.

The company declined to name the clients that had been testing the service, and it’s unclear how publishers will respond, or whether they will find that using such a tool strains their relationship with advertising networks.

Source: http://blogs.wsj.com/digits/2011/07/21/start-up-ensighten-aims-to-let-websites-enforce-do-not-track/?mod=google_news_blog

TapAd Brings Retargeting to Mobile

Mobile-focused ad technology company TapAd officially launched its inaugural product today, designed to help advertisers retarget users on mobile devices as they’re now accustomed to doing on the desktop web. The company hopes to service advertisers that have found particular success with retargeting technology in the past, such as those in the retail and automotive categories, for example, the company’s CEO Are Traasdahl told ClickZ.

The fledgling firm, which lists a number of high profile ad technology veterans among its investors, is already running campaigns for at least eight brands, and purchasing between eight and ten million impressions a month across both applications and mobile websites. Traasdahl said the company has been amazed at the enthusiasm for the product when pitching it to prospective customers. “We thought we’d be seeing $20,000 test budgets, but so far it’s been more like $10,000,” he claimed.

As a company, TapAd intends to launch a range of products designed to take advantage of real-time media buying, and to apply that technology to different devices including smartphones and tablet devices.

Despite the continued growth of exchange-traded media for desktop inventory, the mobile exchange space remains largely nascent, so the majority of inventory currently purchased by the firm comes directly from supply-side platforms such as AdMeld (just acquired by Google), as well as direct relationships with publishers. As mobile exchanges mature, they’ll likely play a larger part in the company’s operations, however.

Rival ad technology companies and vendors are also experimenting with data-driven mobile targeting as the audience and advertiser opportunity around the devices continues to grow. A number of demand side platforms have announced support for mobile inventory, and players such as Google are also readying capabilities to target mobile ads based on user behavior.

To date, advertisers have had difficulty behaviorally targeting or retargeting ads to mobile devices because of limitations around the use of cookies on mobile devices – the technology most commonly used to target desktop machines. Each mobile device handles cookies in a slightly different manner, and some reject them entirely by default, meaning no single solution works universally.

To overcome that issue, TapAd’s technology uses a range of methods to try to identify a user and his previous online behavior, such as browser and session cookies, HTML5 databases, and tracking pixels. “The majority of what we do is cookie-based,” Traasdahl said.

Unlike some rival mobile targeting and data companies such as BlueCava and Ringleader, TapAd said it does not make use of device fingerprinting technology. That targeting method analyzes a range of attributes belonging to a device, and assigns it a unique identifier based on those factors, which is stored server-side, rather than locally on handsets. As a result users have little control over the process, which has raised privacy concerns in some camps.

TapAd’s opt-out process is similar to BlueCava’s and Ringleader’s, and requires users to visit the firm’s site to express that desire. Simply deleting their cookies and local storage databases will not prevent behavioral tracking, as it wouldn’t with the majority of desktop browsers.

Traasdahl said he hopes to add around five new advertisers to TapAd’s retargeting platform in the next two months, before the company explores the introduction of other products and offerings based around its real-time capabilities.

Based in New York, the company’s array of investors includes Brian O’Kelley, founder of Right Media and AppNexus; Dave Morgan, founder of Tacoda; and ex DoubleClick CEO David Rosenblatt, to name a few.

Source: http://www.clickz.com/clickz/news/2079675/tapad-brings-retargeting-mobile

MobileLeads.com Selects BlueCava Device Identification Technology to Enhance Mobile Targeting Capabilities and Combat Lead Fraud

MobileLeads.com, a marketing communications firm headquartered in Tempe, Arizona, and BlueCava (http://www.bluecava.com), the leading provider of advanced technology that enables businesses to identify and profile the devices used by their customers, today announced a strategic partnership to embed BlueCava’s Device Identification technology into its newest mobile lead generation platform.

MobileLeads.com’s new platform offers a Cost-per-Lead (CPL) format through which advertisers and publishers converge to buy and sell live inquiries via the mobile web. BlueCava’s Device Identification Platform is a patented technology that identifies internet-connected computing devices and creates a permanent, unique fingerprint for each. Embedding device fingerprinting capabilities into MobileLeads’ lead generation platform will enable clients to benefit from more sophisticated mobile ad targeting and a way to significantly prevent lead fraud.

“Our clients rely on MobileLeads.com’s lead generation platform to generate targeted, real-time inquiries from consumers browsing the mobile web. We saw a huge advantage in offering our advertisers a technology that will help to not only verify every high-quality lead, but also to enhance audience targeting in each mobile campaign they deploy,” said JT Benton, Chief Executive Officer at MobileLeads.com.

“MobileLeads.com was wise to arm its clients with BlueCava’s device ID technology,” said Jim Misuraca, Vice President of Channel & Partner Sales at BlueCava. “Having access to both real-time and historical data about devices participating in any touch point of a mobile ad campaign helps advertisers quickly identify trends and more accurately spot anomalies.”

Source: http://insurancenewsnet.com/article.aspx?id=263164&type=newswires

Device Fingerprinting…coming to a device near you

The security experts don’t like to talk about this much, but most agree that today the hackers have the advantage. Even top security firms are vulnerable to attack, as the hacking of RSA demonstrated. What this means is that if a computer is linked to the Internet, it, and all data on it, is ultimately vulnerable despite even the best security efforts.

Of course that doesn’t mean that your computers will be hacked, nor does it mean that security is worthless. Given the huge numbers of computers on the Internet, obviously many are not going to be attacked by the most sophisticated methods. SMBs in particular may very well avoid problems simply through anonymity – bad guys can’t attack something if they don’t know it exists, and they are not likely to attack a random computer installation if they do not have some reason to do so.

Also, not all attackers are sophisticated enough, or determined enough, to defeat a strong security setup. Good security practices, including care to avoid downloading malware that can open the door to bad guys, can defeat the most pervasive, randomized attacks. But still, even experts sometimes get fooled, even known Web sites sometimes are infected and spread malware to all who log into them until they are cleansed, even RSA’s own defenses can be broken.

So I was heartened to learn at last week’s SAPphire 2011 that Intel is moving ahead rapidly to implement strong security tools including encryption and device “fingerprinting” on the silicon. This is exciting and promises to change the balance of power in the security war in the favor of the good guys.

One of the big problems with most computer security today is that it is implemented in software. Any security expert will tell you that hardware-level security is always stronger than the same tools in software. For instance, software encryption is more vulnerable, more difficult to manage, particularly in a distributed environment, and requires much more CPU time than hardware encryption. For those reasons, today it is, for instance, impractical at best to encrypt more than a small fraction of company data, and then usually it has to be decrypted before it can be sent over the network. But put that encryption algorithm into silicon, and it becomes very practical to encrypt everything and to keep it encrypted while the data is distributed. And the keys will be very hard to steal or break.

With hardware-based security, malware, even root kits, become much less powerful, because the security boots before any software, even at the lowest levels. And device fingerprinting will allow users to identify individual devices at the company “front door” and turn away any that are not registered for access. And because the fingerprint is unique and implemented in the hardware, it will be extremely difficult to fake.

And this gets even more powerful as a company moves completely to hardware-based security. Then the end-user computers can work closely with the servers to create a complete, highly secured environment, even when those edge devices are somewhere out on the Internet, not in the office.

So in the meantime, do not skimp on security, work hard to ingrain secure practices among all your employees, and look forward with optimism.

Google Wins Mobile Payments Race With Summer Launch Of ‘Wallet’ App

Well I guess you could say if Google is gonna get into this space, then all will be looking and wanting to follow.

A couple of interesting things I see in this space unfolding – one around the opportunity for targeted, relevant advertising (with a bit of social location thrown in for good measure) and the second for a robust solution that tackles the area of fraud. Maybe device fingerprinting from a company such as Bluecava could provide a solution that tackles both these areas. Let’s see….

The race to make mobile payments mainstream is one of the most competitive contests in the wireless industry, pitting telecom operators against credit card companies, payment processors, handset makers and operating system providers. With its May 26 announcement that it is poised to launch a national mobile commerce network (using its Android phones), Google now appears to be in the lead.

The service, called Google Wallet, will store credit cards in electronic form on Android phones. Users will be able to pay for purchases by wirelessly “tapping” their handsets against special readers in participating stores. Users can also receive targeted offers, such as coupons for products they have bought in the past or have indicated they like, directly on their phones while in stores. Loyalty rewards will be automatically tallied within Wallet and receipts will be electronic, as well, popping up on the phone instead of printing out on paper.

Merchants have already started testing the setup and will begin trials in San Francisco and New York City before expanding nationally this summer. American Eagle, the Container Store, Macy’s, Subway, Toys “R” Us and Walgreens are part of the initial group of retailers that will support the system.

As the name Wallet suggests, the app will support a variety of different cards, including credit cards, loyalty cards and gift cards. At first, Google Wallet will only work with Citi MasterCards, since both companies are Google Wallet launch partners. Users can also opt to load money onto a prepaid, Google-hosted card that can be funded by another type of credit card. Google says it will add more cards over time and hopes to eventually include other types of ID and passes, such as drivers licenses, event tickets and electronic hotel keys.

Retailers, says Google, will benefit from a corresponding service called Google Offers that will enable consumers to search for special offers and save them to their Google Wallet. Those stored coupons can then be redeemed by tapping a Wallet-equipped phone at a cash register or showing the phone screen to a cashier.

Merchants will be able to customize incentives based on a customer’s location and transaction history. A particularly frequent customer can receive a higher-value deal than a less loyal customer, for instance. Google Offers will go live in Portland, San Francisco and New York City this summer.

Google also plans to support location-based “check-in” offers, offers that are placed like ads in Google searches and offers that are situated in Google’s local business/maps service, Google Places.

Using a cellphone as a wallet is convenient but could be risky. Google says its Wallet app contains multiple levels of security, including a phone screen lock and a required Google account and pin number. The search giant also says credit cards are encrypted on a secure element within the phone and never fully displayed.

Part of the security comes from a chip developed by European semiconductor maker NXP, which collaborated with Google on its latest flagship smartphone, the Samsung-made Nexus S. That chip also enables Google Wallet to communicate wirelessly with all the various Wallet partners, via a technology called NFC (near-field communication).

Google’s vision appears similar to strategies espoused by organizations like ISIS, the mobile commerce startup backed by AT&T, T-Mobile USA and Verizon Wireless. New York-based ISIS is about a year behind Google, though it may have an advantage in being compatible with a greater variety of phones once it launches.

During Google’s Thursday New York event, its Vice President of Payments, Osama Bedier, argued that Google is “uniquely positioned” to roll out a mobile commerce program because of its wide-ranging partnerships forged through Android and its search and advertising businesses. Bedier, who was a top executive at eBay’s PayPal until January, noted, “This has to be an ecosystem; it can’t just be one company.”

Bedier also acknowledged Google’s lead in the mobile payments race by adding, “This is not just an idea or announcement…this is up and running.”

Source: http://blogs.forbes.com/elizabethwoyke/2011/05/26/google-wins-mobile-payments-race-with-summer-launch-of-wallet-app/