Let’s just say it leaves a lot to be desired
By Aaron Sankin
Last year, while reporting a story about how the digital advertising industry burrowed its tracking technology into scores of websites serving vulnerable and marginalized communities, I did something counterintuitive, especially for a reporter who writes about tech for a living: I surrendered to the surveillance economy.
This decision to inject pure, uncut internet directly into my veins came as I was using and helping to create The Markup’s Blacklight tool, which opened my eyes even further to the plethora of companies that sought to grab my data from the websites I used on a daily basis. Until then, I had mostly used Google’s Chrome browser with the Privacy Badger extension, which blocks many forms of tracking, or Mozilla’s Firefox, which has strict privacy controls set by default.
Doing the opposite—ensuring that as many ad tech companies as possible got my data and then making sure that I saw all the personalized ads targeted at me as a result—seemed like a way to get a visceral feel for the modern internet that most people are subjected to. So I started using mostly Chrome, the least privacy-protective of all the major web browsers, and turned off third-party browser extensions that blocked tracking requests and digital ads (which also frequently insert their own user tracking on browsers).
I cannot in good conscience recommend this tactic to any normal person, not only because it’s good to be thoughtful rather than chaotic in your digital hygiene but also because having tons of ads load on every site you visit makes mindlessly clicking around the internet even slower and more of a chore than it was in my previous, privacy-protected life.
Now, six or so months later, seemed like a perfect time to run another experiment: Could I get the ad tech companies to stop using all this beautiful data they’ve been collecting on me?
Most of the time when you see a banner ad on the internet, there’s a little triangle in the corner that you’ve probably never actively thought about until this very moment. AdChoices is a program by the Digital Advertising Alliance (DAA), a consortium of digital advertising groups. Among other things, it provides what it calls a one-stop portal where people can ask more than 100 ad tech companies to opt them out of being targeted with personalized ads based on their personal data.
You may never have known this option exists, even though it’s been around for a decade.
DAA executive director Lou Mastria said in an email that the company collaborates with BBB National Programs and the Association of National Advertisers to ensure that the ad tech companies that agree to the opt-outs actually follow through. “Their work has resulted in more than 120 enforcement cases to date, including referrals to the appropriate regulatory agencies, as needed,” he explained.
“Their work has resulted in more than 120 enforcement cases to date, including referrals to the appropriate regulatory agencies, as needed,”
-Lou Mastria, DAA Executive Director
AdChoices’ offer was tempting. Just a few clicks on a single website and, like magic, I would stop all the ads I encountered from knowing everything about me? If only it had turned out to be so easy.
When I opened up a Firefox browser and went to the YourAdChoices.com opt-out page, I was greeted by a buzz of activity. The site started by automatically running some tests on my browser to check compatibility and then presented a list of participating ad tech companies. I hit the button to opt out of all of them, and we were off to the races. At the end, I got a report: 38 companies had processed my opt-out. The other 91? It said there may be a “temporary technical issue” with those.
What?
Most people would have closed the tab and given up. Honestly, I considered it. Instead, I did some research and learned that DAA’s opt-out works basically the same way that online advertisements do. It installs a cookie (a small text file that connects your device with a profile of your activity) on your web browser.
In other words, DAA doesn’t provide ad tech companies with a central database of everyone who has opted out of targeting but rather requires me to add new trackers to my browser for each company that participates in order to opt out of being targeted for ads based on previous tracking. AdChoices says it uses these cookies to tell all of the participating companies not to use any of the data they’ve collected about me to choose the ads to serve me. The companies can still collect data about me, though Mastria said that “most participating companies” stop collecting “interest-based” advertising data because it’s easier than segregating it from other data they may continue collecting, such as how many times I’ve been served an ad.
Firefox blocks third-party cookies by default. So, in order to tell advertisers not to use my data to personalize ads on Firefox, I would have to switch off that protection in the browser and allow these ad tech companies—and the dozens of ad tech companies that don’t appear to participate in the opt-out—to continue to gather data on my browsing habits.
With the Brave browser, which is among the most privacy protecting, the opt-out process didn’t work at all with the default privacy settings. Since I don’t actually use Brave regularly, I didn’t bother trying to make it work.
Chrome, which does not block cookies by default, was the most successful on the first try—but still said there was a problem opting out of 21 of the 129 participating companies.
I would not be defeated. I re-ran the request a half-dozen times on Chrome, each time getting closer and closer to full opt-out. But I never reached it. I was only able to get up to 125. I was never able to opt-out of ads for four companies in Chrome: Adstra, LKQD Technologies, Marchex, and Pulpo.
Mastria, of the DAA, said in an email that the reason for the failures is due to problems synchronizing its system with those of 129 participating ad tech companies. “Potential failures are regularly monitored and reported so that companies can address configuration issues,” Mastria said.
Mark Peterson, a PR person working with Marchex, told me that was exactly what was happening at Marchex. It was a system integration problem the company was previously unaware of. A few days later, he let me know it was fixed.
I emailed LKQD Technologies’ privacy inbox and got an unsigned email back saying the company would look into it but that I should know it primarily serves ads on mobile, not desktop, where I was trying to opt out. If I wanted to limit personalized ads on my phone, it said, I should turn on the setting on my smartphone that limits ad tracking. A couple of days later, David Hoffmann, the company’s head of ad tech, got back to me saying the opt-out seemed to be working fine for them and sent a screen recording video of a user completing the process successfully. On my end, it still wasn’t working.
By the way, after I turned off cookie blocking on Firefox and re-ran the opt-out there another half-dozen times, I got it down to three failures on that browser. Two were the same companies that had persisted on Chrome, Adstra and Pulpo. The third was KBMG.com.
When I approached KBMG, an unsigned email directed me to a form where I would have to upload a scan of my driver’s license in order to get the company to delete the information it had collected about me. Did I end up sending a company I had never previously heard of my driver’s license information? Yes, because apparently that’s how privacy works now.
Did I end up sending a company I had never previously heard of my driver’s license information? Yes, because apparently that’s how privacy works now.
Astra and Pulpo didn’t respond to my emails.
Was it just me? I recruited a half-dozen of my coworkers to try the mass opt-out for themselves, and none were able to successfully opt out of every company on the first try.
I did a little more research and found the problems I’d had opting out weren’t new. The DAA’s opt-out portal has been criticized practically since it launched in 2010.
A 2011 Carnegie Mellon University study tracked dozens of users as they attempted to navigate the process, identifying a host of issues: “Initial configuration took a long time. Difficult to navigate to actual opt-out page. Not obvious that opting out of all trackers requires switching out of default tab on opt-out page. Participants incorrectly believed that they were opting out of tracking. Participants did not realize that deleting cookies nullifies opt-outs. Opt-outs sometimes fail. Participants unable to confirm opting out was effective.”
Mastria said that DAA has since overhauled its site, “keeping pace with consumer expectations and demands”—despite my similarly frustrating experience.
Jason Kint, CEO of the online publishers’ industry group Digital Content Next, gives the site poor marks.
“I would argue that it had the right principles behind it, but the actual design of it and the execution for the user was a failure,” he said. He takes particular issue with the fact that it requires a cookie to work. “You would never design a system that way if your goal was to allow the user to opt out as easily as possible.”
After spending a few days trying to opt out of personalized ads, where did all this leave me? There are now 124 ad tech companies that have promised not to use all the data they’ve collected about me to show me ads for the perfect pair of pants or anything else when I’m surfing the web on Firefox or Chrome.
The cost is pretty high: Not only can these ad tech companies still collect data about me, but when I use Firefox, they can gather even more than they could before because I dramatically lowered my privacy settings in order to let the opt-out system function. The companies not participating in the opt-out can simply go hog wild. They can track me, load reams of personalized ads wherever I go. The works.
Also, if I ever decide to clear all of my cookies, I’m effectively opted back in to personalized advertising because I will have deleted the cookies on my browser that tell the participating companies that I’ve opted out.
“I do not see much value in current opt-out systems for behavioural advertising,” said Frederik Zuiderveen Borgesius, a professor at Radboud University’s Interdisciplinary Hub for Security, Privacy and Data Governance in The Netherlands. “In my opinion, such systems should offer an opt-in system. In other words, companies should only track people for behavioural targeting after people gave proper, informed, opt-in, consent.”
This is what the new version of Apple’s iOS mobile operating system is doing, to the horror of some in the ad tech industry.
The DAA’s opt-out wasn’t really meant to help consumers so much as it was meant to stave off government intervention and a then-growing movement to stop online tracking, some privacy advocates told me.
“The intent of these things is to undermine legitimate privacy tools and to crowd out other new standards that would be easy for people to use and would be actually effective because they already have this thing and everyone is already on board,” said Bennett Cyphers, a staff technologist at the Electronic Frontier Foundation. The opt-out may look like robust privacy protection with widespread industry buy-in, but looks, in this case, are deceiving, he said.
“If you need Exhibit A for why you shouldn’t let the ad industry regulate itself,” Cyphers added, “this is it.”
This story incorrectly identified one of the organizations DAA collaborates with to ensure the opt-outs are honored. The organization is BBB National Programs, not the Better Business Bureau.
Originally published as "I Tried to Use the Ad Tech Industry’s Tool to Opt Out of Personalized Ads. Did It Work?“ with the Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) license