The $10 billion online advertising industry is in a state of crisis. That is, if we are to believe "Privacy and Tracking in a Post-Cookie World," a recent report from the advertising trade group Interactive Advertising Bureau (IAB).
As this IAB report details, the online marketing industry requires accurate, pervasive monitoring of our online habits. The data that results from this monitoring is turned into profiles, and these profiles get sold to advertisers in a hyperspeed auction that takes place in the milliseconds before your browser loads the next webpage. This practice of monitoring our habits, profiling us, and selling our eyes to the highest bidder is called Online Behavioral Advertising (OBA).
In order to work, however, OBA relies largely on a two-decade-old technology: The cookie, a small text file with a unique ID that is downloaded to your browser when you visit many websites. But just like any cookie would be after 20 years, the HTTP cookie is now stale.
The cookie, crumbled
Cookies are failing because internet users are increasingly blocking them. In fact, as you read this, many of you might have your browsers set to block third-party cookies, or you might be using privacy add-ons like Self-Destructing Cookies. You're not alone; as the IAB report notes, privacy-conscious internet users are now "churning" cookies by regularly deleting them, thus making it impossible to track these users over time.
Finally, in 2011, the European Union and U.S. government began cracking down on cookies due to privacy concerns. The IAB and other trade groups consistently fight such regulation, but regulator tolerance of cookies has waned.
And when the cookie crumbles, the OBA industry does too. Without reliable data culled from constantly monitoring our online habits, the custom profiles data brokers make about us are far less valuable to advertisers.
After cookies: User IDs and security desks?
However, let's not celebrate the end of the cookie too soon. If the IAB report is any indication of where the online marketing industry wants to take the internet, I think we're going to be longing for the days when a visit to a site like Dictionary.com resulted in 159 cookies downloaded onto our computers.
Why? Because, in a move resulting either from clumsiness or sheer hubris, the marketers who wrote the IAB report have tipped their hands about what they want the internet to look like in the post-cookie world.
To explain the need for new tracking technologies, they use an analogy of security desks:
Imagine you work in a building with a security desk on each floor. Think how frustrating it would be if every time you walked into the building or went to a different floor you had to provide your name, company, job title, and ID so security personnel could make sure you’re allowed to proceed. You would have to provide all of this information every time you left the building or went to another floor — even if you just went for a quick coffee break, or walked a guest to the elevator. To circumvent headaches such as these, security badges were invented. Now every time you enter your building or change floors you are able to swipe your badge at the security desk and that swipe provides information to quickly remind the system of all of your details and automatically gives you permission to proceed. Additionally, your security badge contains information about you that can only be read by the security desks in your building, [sic] it would not work if you swiped it anywhere else. [Privacy and Tracking in a Post-Cookie World]
As the report explains, cookies are like security badges, but badges that are now obsolete; they don't identify you consistently enough. The report authors suggest new ones by expanding the use of "advertising IDs," cloud-based ID systems, or statistical identification of users (for an example of how this last might work, see this EFF project).
These plans would require a centralized service to assign us unique online IDs on our devices. The report outlines a few different approaches: A cloud-based one would have us sign into an ID service and use the unique ID it gives us to connect to publishers. In a sense, this is happening with Facebook Connect (although Twitter's implementation of OAuth competes with Facebook to be an internet ID system), but in the IAB's ideal scenario, we'd pick just one service to be our online ID. The report also indicates a solution through your internet service provider: Every time you log on to the internet through Comcast or Verizon, for example, you'd be assigned a unique ID. Advertising IDs, like those used in Android and iPhones, would provide device-level identification; this would be far less centralized, but it would still be more concentrated than the free-for-all cookie system.
But I want to set aside the technical details of these ideas and instead focus on what the practical effects would be. Let's take the IAB's unfortunate analogy of the internet as a highly secured building to it's logical conclusion. (Seriously: The internet as a series of security desks? They wrote this report after Snowden's NSA leaks?)
1. We all work and live in the same building; call it "Les Interwebs." It used to be that you had to explain to the guards who you are every time you left and came back into the building, but the IAB has fixed this for us. Now you have an IAB-issued internet ID card you can use to get into Les Interwebs, and the guards greet you by name with a cheerful grin. (The IAB report acknowledges that post-cookie tracking technology will require "an authentication mechanism" — in other words, a persistent ID you use to identify yourself online.)
2. We each have our own special room in that building. The guards know when you're in your room and when you're not.
3. While you're in your special room, highly trained social scientists watch your every move, monitor what you read and watch, pore through your financial records, consult with your doctor about your health, study your sexual preferences, map your social networks, and divide you up into myriad categories. (This detailed monitoring is, of course, the dream that animates online behavioral advertising).
4. As a result, in your room, you only see what you want to see — or rather, you only see what marketers believe you want to see. You like "technology" and "sports?" That's all you see. You like liberal politics? You will only confront views that confirm your own. Don't worry about the opinions of others; you won't hear about them — except in sensational headlines. (This is what the IAB would call "personalization," and what others might call a "filter bubble.")
Of course, much of this is already reality, but if we take the IAB report at face value, the way in which this vision of the internet is currently being implemented is inefficient and clumsy. Cookies helped get us to an internet that tracked us, but now the time has come for even more precise and powerful tracking technologies.
The internet can certainly be a building with security desks on every floor. If you want personalized services everywhere you go — where "personalization" means you get what someone else says you want — then the IAB is your guide to the future of the internet. If you like to be watched as you lust, love, and live, if you like to give the marketing industry such infopower, please do help the IAB figure out the future of tracking after the cookie.
On the internet, no one should know you're not a dog
However, what if we take seriously other metaphors for the internet? For example, since so much of the IAB's work is to fix us as specific, identifiable people, perhaps we need to turn to the old metaphor of the internet as a place where, as the famous New Yorker cartoon put it, "no one knows you're a dog."
I would rather see an internet where you can be a dog one minute, a cat the next, a man the next, a woman the next. Where you can do things without a massive, highly sophisticated industry studying your every move. Where you can explore and learn based on whim and serendipity rather than the dictates of marketing (or, of course, government, but that's for another essay). Where when you can put your name on things one minute and be anonymous the next.
In other words, let's have a post-cookie internet without tracking. The IAB can keep their security desks.