Web Analytics Demystified

Archive for 'Cookies'

My Interview with Adobe Chief Privacy Officer

Those of you paying close attention to issues regarding consumer privacy on the Internet are probably at least a little familiar by now with Flash Local Shared Objects (also called Flash “Cookies” by some). I wrote a white paper on the use of Flash objects in web analytics on behalf of BPA Worldwide back in February and had to update the blog post I wrote when I noticed that Adobe had wisely written a letter to the Federal Trade Commission regarding the use of Flash to reset browser cookies.

After writing that update I got in contact with Adobe’s Chief Privacy Officer, MeMe Rasmussen, who politely agreed to answer a few questions that I had about their letter and Adobe’s position on the use of Flash as a back-up strategy for cookies.  Given that Scout Analytics is now reporting that Flash “Cookies” are increasingly being deleted by privacy-concerned Internet users I figured it was a good time to publish my questions and MeMe’s responses.

The following are my questions (in bold) and Mrs. Rasmussen’s responses verbatim.

Flash Local Shared Objects (LSOs) have been around for a long time and I have been aware of their use as a “backup” for browser cookies for reset and other calculations for a few years. What made you write your letter to the FTC now? Was there a specific event or occurrence?

The topic of respawning browser cookies using Flash local storage was publicized after research conducted by UC Berkeley on the subject was published in August 2009.  The topic was also raised at the FTC’s First Privacy Roundtable in December, so when the FTC announced that its Second Roundtable would focus on Technology and Privacy, we felt it was the appropriate opportunity for Adobe to describe the problem and state our position on the practice.

While I believe the position you outlined in your letter to the FTC is the correct one, you have put many of your customers in an uncomfortable position by condemning an act that they have been using for quite some time — essentially issuing negative guidance where none had been previously issued (to my knowledge.)  What has the response to this been if I may ask?

We have not received any comments or concerns from customers about our Comment Letter to the FTC.  Adobe’s position specifically condemns the practice of using Flash local storage to back up browser cookies for the purpose of restoring them after they have been deleted by the user without the user’s knowledge and express consent.  We believe companies should follow responsible privacy practices for their products and services, regardless of the technologies they choose to use.

On page 8 of your response to the FTC you discuss Adobe’s commitment to research the extent of this (mis)use of Flash LSOs.  Given the extent to which LSOs are being used perhaps “not as designed” and the sheer popularity of Flash on the web this seems quite a task.  Can you describe how you have started going about this effort?

We are currently in the process of defining the research project and are working with a well-respected consumer advocacy group and university professor.  At this time, the specific details of the project have not yet been finalized.

Within the web analytics community many have commented that your position on Flash LSOs may impact some of what Mr. Narayen and Mr. James have said about the integration of Omniture and Adobe products like Flash. Specifically some of the commentary suggests a tight integration of Omniture’s tracking and Flash. Does your position on LSOs as a tracking device change the guidance the company has issued to common customers?

No, the position we outlined in the FTC Comment on condemning the misuse of local storage, was specific to the practice of restoring browser cookies without user knowledge and express consent.  We believe that there are opportunities to provide value to our customers by combining Omniture solutions with Flash technology while honoring consumers’ privacy expectations.

One of the suggestions I made in the white paper with BPA Worldwide that you cited was to use Flash LSO as a back-up tracking mechanism but NOT to use it to re-spawn cookies.  From a measurement perspective there are a handful of good reasons to do this … does Adobe have a position on that strategy that you can outline?

The point we made in our FTC Comment was that we considered the practice of using Flash local storage to respawn HTML cookies without user consent or knowledge to be an inappropriate privacy practice. In your white paper, you identified some uses of Flash local storage whereby browser cookies are reset but the user is given clear notice and an opportunity to consent. We believe that technology should be used responsibly and in ways that are consistent with user expectations. The example you presented in your white paper was an example of a Web site that, by giving notice and control to the user, implemented our technology in what appeared to be a responsible manner.

(Thanks again to MeMe and the team at Adobe for getting these responses back to me! As always I welcome your comments and questions.)

Why Google is really offering an opt-out …

When I first saw the news of Google’s opt-out browser plug-in spread around Twitter I thought “hmm, I wondered when we’d see this” and moved on since opt-out is more or less a non-issue — basically because in the grand scheme of things nobody really opts out. For all the hand-wringing and navel-gazing people do on the subject of privacy online, I have never, ever seen any data that indicates that web users actively opt out of tracking in significant numbers.

Never.

If you have it, bring it on as I’d love to see it. But in my experience the only people really truly and actively interested in browser- or URL-based opt-out for tracking are privacy wonks, extreme bit-heads, and some Europeans. The privacy wonks and bit-heads are who they are and are unlikely to ever change; the Europeans have privacy concerns for other reasons but I will defer to Aurelie to try and make heads or tails of what those reasons are.

Still, it has been interesting to see some bright folks like Forrester’s Joe Stanhope offer some explanations about why Google might be doing this and what the ramifications might be. And it has been less interesting to see some of the fear mongering and hyperbole offered by Marketing Pilgrim’s Andy Beal in his post “Why your web traffic is going to nosedive thanks to Google” although I found Econsultancy balances things out with their straightforward and tactful post “Will opt-out threaten Google Analytics?”

What Andy, Patricio, and to some extent Joe, apparently didn’t notice is that Google Analytics is about to make a big, big push into Federal Government web sites, and this browser-based opt-out is just a check-box requirement to satisfy the needs of said privacy wonks who for better or worse have the Administration’s ear (or some body part, you choose!)

Yep, the browser opt-out isn’t actually for anyone … except for perhaps the Electronic Freedom (sic) Foundation and their ilk. Google is somewhat brilliantly checking a box now so that when the Office of Management and Budget (OMB) releases all new Federal guidelines for browser cookie usage later this year any Federal site operator who wants can immediately dump their existing solution and go directly to Google Analytics.

You do remember that Google Analytics comes at the amazing deficit reducing price of ABSOLUTELY FREE. Even a Republican can get his or her arms around that price tag, huh?

You betcha.

“Hey wait,” you say, “what about the fact that Federal web sites will probably never get permission to track visitors over multiple sessions?” Good point, except did you know you can call Google Analytics’ _setVisitorCookieTimeout() and _setCampaignCookieTimeout() methods with a value of zero (“0”), which effectively converts all Google Analytics tracking cookies to session-only cookies?

Yep.
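One way to check the session-only claim is to capture the strings a tracking script writes to document.cookie and classify each by its expiry attributes. This is an added example, not code from the original post or from Google; the sample strings are constructed, and the cookie names and lifetimes in them are assumptions modelled on ga.js defaults.

```javascript
// Added example: classify cookie-setting strings as session-only, persistent
// or deleted. Accepts the attribute syntax shared by document.cookie writes
// and Set-Cookie headers.

function classifyCookie(cookieString, now) {
  const parts = cookieString.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  let maxAge = null;   // seconds, from Max-Age
  let expires = null;  // epoch milliseconds, from Expires

  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'max-age' && /^-?\d+$/.test(val)) {
      maxAge = parseInt(val, 10);
    } else if (key === 'expires') {
      const t = Date.parse(val);
      if (!Number.isNaN(t)) expires = t;  // unparseable dates are ignored
    }
  }

  // RFC 6265: Max-Age takes precedence over Expires when both are present.
  let lifetimeSeconds = null;  // null means no expiry attribute at all
  if (maxAge !== null) {
    lifetimeSeconds = maxAge;
  } else if (expires !== null) {
    lifetimeSeconds = Math.round((expires - now.getTime()) / 1000);
  }

  let kind = 'session';  // no expiry: dies with the browser session
  if (lifetimeSeconds !== null) {
    kind = lifetimeSeconds > 0 ? 'persistent' : 'deleted';
  }
  return { name, kind, lifetimeSeconds };
}

// Names of cookies that would survive a browser restart.
function persistentCookieNames(cookieStrings, now) {
  return cookieStrings
    .map((c) => classifyCookie(c, now))
    .filter((c) => c.kind === 'persistent')
    .map((c) => c.name);
}

// Constructed sample data (assumed names and lifetimes, not captured traffic).
const NOW = new Date('2010-04-07T17:00:00Z');
const DEFAULT_CONFIG = [
  '__utma=1.2.3; expires=Sat, 07 Apr 2012 17:00:00 GMT; path=/',
  '__utmb=1.1.10; expires=Wed, 07 Apr 2010 17:30:00 GMT; path=/',
  '__utmc=1; path=/',
  '__utmz=1.utmcsr=(direct); expires=Thu, 07 Oct 2010 17:00:00 GMT; path=/',
];
// Visitor and campaign timeouts set to 0; the 30-minute cookie left as is.
const ZERO_TIMEOUTS = [
  '__utma=1.2.3; path=/',
  '__utmb=1.1.10; expires=Wed, 07 Apr 2010 17:30:00 GMT; path=/',
  '__utmc=1; path=/',
  '__utmz=1.utmcsr=(direct); path=/',
];

console.log(persistentCookieNames(DEFAULT_CONFIG, NOW));
console.log(persistentCookieNames(ZERO_TIMEOUTS, NOW));
```

In the second constructed sample only the 30-minute cookie is still flagged, so an audit against a strict session-only policy should look at every cookie the script sets, not just the visitor and campaign ones.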

Not to mention that the little birds who sing songs in only hushed tones suggest that OMB is about to take a much more reasonable stance on visitor tracking anyway. This is not a done deal, but the situation that most Federal site managers work under today — one where many sites are more or less forced to use out-of-date log file analyzers and most are hamstrung in their ability to analyze multi-session behavior — seems to fly directly in the face of President Obama’s efforts to make government more transparent and effective.

I said as much just after he was elected, and then I said it again when I pointed out that Barack Obama should not fear browser cookies! Federal managers need modern, easy-to-use tools to improve the overall quality of government web sites.

Now, I could be wrong about all of this — I am human, and like Joe Stanhope I have not heard word-one from Google about the opt-out app — but I am pretty good at connecting dots and these are big, obvious dots:

  1. Google loves data
  2. Feds have tons of data
  3. Feds have requirements necessitating privacy controls
  4. Google builds privacy controls
  5. Google gets Feds data

This is actually pretty brilliant of Google if you think about it. Assuming you’re with me in my belief that Google Analytics isn’t about AdWords or Analytics or anything other than Google’s desire to have all the world’s data, then you’ll surely see that providing Federal web site operators a web analytics solution that simultaneously solves a multitude of analysis problems AND saves money is, well, pretty freaking brilliant.

Don’t take my word for it. Here’s a list of sites in the .gov domain that people are tracking using our free, browser agnostic web analytics solution discovery tool. We have about 100 sites total, the majority of which don’t appear to have any kind of tracking code at all, and of these:

  • 12% are using Google Analytics exclusively already
  • Another 3% are using Google Analytics with Omniture (1%) or Webtrends (2%)
  • 6% are using Omniture (one, GSA.gov in tandem with Webtrends)
  • 15% are using Webtrends (including GSA.gov in tandem with Omniture)
  • 63% appear to have no hosted analytics of any kind

If I’m right the evidence will be obvious as more of these “no hosted analytics” sites begin to have Google Analytics tags. Sites like Census.gov, the EPA, FCC, FEMA, HUD, and even FTC might all start to take advantage of Google’s largesse (and willingness to provide a browser-based opt-out, don’t forget that!)

What do you think?

As always I welcome your thoughts, observations, reaction, and even anti-tracking-pro-privacy rants. If you are a Federal site manager with insight to share but unable to voice your position publicly then out of respect I am happy to have you post anonymously as long as you provide a valid email address that I will confirm and then convert to “anon@anonymous.gov” to protect your identity.

Want to Debate Standards?

One of the biggest problems we face in web analytics today is our industry’s lack of standards and common definitions. And while a great number of incredibly bright folks have put a ton of energy into solving these problems, in my humble opinion we are more or less where we started years ago — agreeing politely to disagree. Those of you who have been reading my blog for awhile know that I’m not shy about disagreement — perhaps more than anything my analyst’s mind loves a spirited debate — but I also am somewhat anxious about creating tangible outcomes.

To this end I am incredibly excited about two huddles at X Change 2009, one that was just added! The first is Forrester’s John Lovett’s “Web Analytics Standards (or a Lack Thereof)” in which John will be leading us through the current state of industry standards, proposed definitions and our collective understanding of analytics terminology. The second, and one just added to the X Change, is Jim Hassert’s “When is a Visitor Not a Real Person?” huddle in which Jim will take John’s huddle one step further and drill-down into the often irreconcilable differences found in the seemingly harmless “visitor” metric and dimension.

Last year I was forced to miss a lot of good huddles. This year a team of wild horses couldn’t keep me from missing these two.

While I have little doubt that both of these huddles will live up to the spirit of the X Change my hope is that they will go one step further. I would love to see both produce some kind of actionable outcome, something that we can carry forth into our careers and the wider conversation about our industry. Given that some serious talent is already signed up for the X Change — including some of the brightest minds in the practitioner and vendor community — I have little doubt that we have the brain power … now all we need is the resolve to do something and not just push words around on paper.

If you’re a reader of this blog and want to join us at the X Change I’m happy to help you out.  If you act before July 31st I am offering a 15% discount on the registration (a $300 savings!)

Come to the X Change. Agree to do more than “politely disagree” — take a stand, defend your ideas, and help shape tangible and positive outcomes.

Barack Obama should not fear cookies!

Just after President Obama was elected back in November I wrote a blog post that had been kicking around in my head for a long time calling for the “legalization” of browser cookies by Federal Government run web sites. The response to the post was great, but now it appears that the first comment from Brent Hieggelke (who was head of marketing at WebTrends for several years) was destined to become ironic.  Brent (who is my neighbor in Portland) waxed philosophical about government and cookies with this comment:

“As someone who 4 years ago spent ALL of New Years Day on the phone with the White House Communications Team because their site was “outed” by CNN and other media as <> using cookies in a completely innocent manner, I couldn’t agree more.”

Turns out that Jascha Kaykas-Wolff, the new head of marketing at WebTrends, is probably having the exact same conversation thanks to so-called “privacy advocates” according to this article in InformationWeek. What’s more, the privacy advocates, rather than educating themselves about the real risks associated with the use of browser cookies, are apparently patting themselves on the back for getting the Obama administration to make a simple, cosmetic change at WhiteHouse.gov regarding the use of YouTube video.

Giving himself full credit for the change, Chris Soghoian from CNET’s “surveli@nce st@te” blog says:

“It seems that someone in the White House read my blog post yesterday–as within 12 hours of the story going live, Obama’s Web team rolled out a technical fix that severely limits YouTube’s ability to track most visitors to the White House Web site.”

Congratulations Chris. Instead of giving the President’s team the latitude to focus on, oh, THE ECONOMY, THE THREAT OF TERRORISM, THE HOUSING CRISIS, UNEMPLOYMENT, and HEALTH CARE you single-handedly managed to force the Administration to waste their time worrying about whether or not Google was getting just a little more of the world’s data. President Obama, in the midst of rolling out a truly revolutionary use of technology in government in an effort to get more of us personally involved in our communities, our country, and our collective future, was forced by your misguided fear-mongering to stop what they were doing and address what has otherwise been hailed as a brilliant communication effort.

You sir, are the man.

Seriously people, can we stop worrying about cookies for a little while? Given all the other problems we have as a nation and as a global community, am I alone in thinking that people like Chris and his fellow “privacy advocates” need to find something else to focus their efforts on? Maybe if this community spent more time trying to help the President come up with ideas to put America back to work and less time creating fear, uncertainty, and doubt in the popular media we’d see the kind of change that our President has been talking about.

At this point I’m fairly confident that any person who has any shred of concern about their cookies being scraped, hijacked, poisoned, bombed, or otherwise maliciously used to expose their personal habits or ruin their lives has figured out how to clear or otherwise modify said cookies. Even though I started writing about the profile of the cookie deleter back in 2005, I’m still waiting for someone to give me a good reason to delete said objects that is not A) because you’re a site developer and you need to confirm how cookies are being set, B) you’re a web analytics specialist debugging tracking, C) you gamble a lot online or D) you surf a lot of porn.

If “A” or “B” I understand.  If “C” or “D” … don’t forget to clear your browser history too!

I’m being snarky, I know, and maybe I’m just taking Chris to task since he still has his street-cred inducing ponytail and I cut mine off. But at this point the hand-wringing about cookies in general, much less because of the mandate set by OMB M-03-22, has become tedious and needs to stop. President Obama is working to change the way government works and I think his staff deserve some latitude when it comes to the Internet. If we want government sites to work for us, we need to let analytic technology work for them. If we want change, we need to be open to change.

Put another way, if you fear Google, don’t use their products. If you fear cookies, delete them. If you fear for your privacy online, don’t go online. Wear a foil hat. Don’t answer the phone. Don’t open the door. Don’t speak.

But please people let’s decide to take some personal responsibility on this issue and stop bugging an otherwise busy administration–whichever administration that may be. Regardless of how you feel about Barack Obama, let’s all recognize that we are facing substantially bigger challenges today than we have in recent history and since the man was fairly elected he deserves at least a chance to improve the economic conditions in the U.S. without “privacy advocates” forcing his staff to make tedious (and functionally meaningless) changes to the White House web site.

I know I’m going to get slammed for this post, that’s okay. Somebody needs to stand up for cookies and since I already tried “diplomatic” I suppose it’s time to try “direct.” Browser cookies help make it possible for great companies like CNET to provide lots of great content–including Chris’s blog! Browser cookies help justify great technology like Twitter, Facebook, and MySpace. Browser cookies power the Internet and should not be feared, especially not by President Obama.

I look forward to your comments and criticisms of my position.

Web Analytics: One Month at a Time in 2009

As we look towards 2009 there are clearly some great challenges and great opportunities facing everyone who has more than a passing interest in web analytics. But regardless of the economic situation, we all need to stay focused on making the most of the people, process, and technology we have in place today, continuing to work towards positive business outcomes.

Towards this end, I would like to invite those of you wondering exactly where to begin and looking for some sense of structure for your digital measurement efforts in 2009 to a free webcast sponsored by Coremetrics and the DMA on Wednesday, December 3rd at 10:00 AM Pacific.

In this free event I will be focusing on helping companies of all sizes at all stages in web analytics maturation take a tactical look at their long-term strategic measurement efforts.  The net/net, I hope, is a “stratactical” (thanks Jennifer!) presentation that has something for everybody, regardless of the tools you’re using or how you’re currently using them.

Again, the webcast is free and open to everyone.  You can register with Coremetrics and the DMA at the Coremetrics web site:

Register Now to Attend this Free Webcast!

Again, the webcast is from 10:00 AM to 11:00 AM Pacific on Wednesday, December 3rd. I hope to see you there!

On a totally unrelated note, I wanted to say “Thanks” to Neil Mason of the Web Analytics Association (and now WebTraffiq) for bringing up my open letter to President-Elect Barack Obama in this week’s ClickZ column. Neil makes a comparison between Europeans’ view on the use of cookies and the current situation within the Federal Government here in the U.S.

Particularly interesting was this passage:

“The European Parliament passed a directive in 2002 on privacy and electronic communications. Leading up to this directive, there had been a concern in the industry that cookies would effectively be made illegal as a breach of personal privacy. In the end, the European Parliament concluded it wasn’t cookies or Web bugs that infringed privacy but the inappropriate use of these devices.”

Not the cookies themselves but rather the inappropriate use of these devices.  Absolutely.  I would encourage any of you interested in this issue to give Neil’s column a read.

 
COPYRIGHT © 2010 WEB ANALYTICS DEMYSTIFIED, INC. ALL RIGHTS RESERVED.