Sunday, 22 November 2009

Help warn about AdSense

his week Google began recording the web surfing behavior of everyone who visits any page that uses AdSense or DoubleClick. It happens as soon as the page loads — no clicking is required. Their new cookie has a unique ID and is similar to the same sophisticated system that was developed over the last ten years for the cookie.

Many major sites use AdSense. It took me a minute to find AdSense on,,, and, and then I stopped looking because my suspicions were already confirmed. Even apart from AdSense, DoubleClick ads are all over the web. Unless you disable JavaScript, which makes surfing inconvenient on many sites and impossible on some, you are getting thoroughly tracked.

This tracking is a major move on Google's part. The referral from the phone-home to contains the complete URL of the page you are viewing. It happens in the same instant that your browser offers up the unique ID from your cookie. Google can add a time stamp and your IP address — and knowing Google, they will.

While Google says that it is dicing this information so that it can merely stick you into a number of broad interest categories, we have to assume that Google is saving all of the information they collect. It would not make sense to identify the relevant categories on the fly and then throw away the details. That would preclude future development into a more finely-grained system. Yes, we have to assume that Google saves everything, until such time that Google allows auditors into the Googleplex and the auditors say otherwise.

The biggest issue that ought to evolve out of this latest development is the issue of opt-in vs. opt-out. This new tracking should be opt-in, but Google is falling all over itself to make sure it stays opt-out. My guess is that opt-in might allow tracking of less than two percent of the activity that the current opt-out system will allow. How many people even know what a cookie is? What percentage know how to configure the cookie options on their browsers? If they delete their cookies just one time after opting out, will they remember that they also deleted their opt-out cookie, and that Google's tracking now resumes?

If this new Google initiative remains opt-out the way it is now, the FTC should require all sites that use AdSense, to intercept their page with a notice that allows a simple opt-out click for that page. But that is extremely clumsy and would crush AdSense altogether. Opt-in is the only reasonable alternative.

How to combine two cookies

( Google already knows this, but you might not )

1. On the Google home page, force the browser to fetch an invisible image or iframe from DoubleClick.

2. Overwrite the cookie ID to match the ID that was just recorded.

3. Keep it up until nearly all browsers show a Google ID in their DoubleClick cookie.

No comments:

Post a Comment