The National Advertising Initiative: Beyond Cookies – Tracking Technologies are not Always Exposed or Visible to Consumers
A traditional cookie as defined by the NAI is not the only persistent identifier and tracker available to network advertisers and marketers anymore. New technologies and techniques have become routine business practice since the original NAI was written, particularly in the area of persistent identifiers and tracking technologies. A rich array of browser cache cookies, Flash cookies, and other non-NAI-covered tracking techniques not only exist, but are in use today.
The problem with the non-NAI covered techniques and technologies is that consumers, even if they download an NAI opt-out cookie, may still be tracked in ways hidden to them. Further, opt-in or opt-out choices made by consumers are in some cases ignored and overridden by industry uses of non-NAI covered tracking techniques. The NAI does not apply to these tracking techniques. The result is that the NAI is apparently not even trying to self-regulate all the tracking activities that should fall under its purview.
Secret Browser “Cache Cookies,” or, Non-Consensual Cache-Tracking
Browser “cache cookies” refer to a way of tracking users that was not addressed in the NAI agreement. The NAI use of the word cookie refers to a precise cookie standard generally recognized as defined by the IETF standards.  The NAI opt-out cookie does not address anything other than an IETF-style of cookie. Therefore, companies that use and store persistent identifiers not covered by the narrow NAI cookie definition can, on a technical level, both comply with the NAI and still persistently track users.
One potent example of this is the browser cache cookie, sometimes called the secret cache cookie.38 Browser cache cookies are not a new idea. In fact, they were written about and discussed prior to the original NAI agreement.  A browser cache cookie loads a persistent identifier into the browser cache area of a consumer’s computer. Very few, if any, consumers know to clear out their browser cache to remove persistent identifiers. That is one allure of this type of tracking technique to those doing the tracking.
Several patents and or patent applications exist in the area of browser cache cookies, and there are a number of known variations of browser cache-based tracking techniques. One patent application discusses browser cache cookies as “secret cache cookies.”
One technologist noted that “it seems irrational for browsers to provide selective control over treatment of cookies, without providing similar control over other mechanisms that are equally effective for storing and retrieving state on the client.”  The same broad observation may be applied to the NAI agreement. Why does the NAI agreement provide for self-regulation of the industry’s use of traditional cookies, while staying silent on known alternative tracking techniques such as browser cache cookies?
Tacoda’s “Hardened Opt-Out” Overrides Consumers’ Deletion Choices and is not Consensual
A current member of the NAI, Tacoda is a network advertiser that conducts behavioral ad targeting. Its CEO stated that the Tacoda network includes approximately 4000 web sites and reaches about 125 million “uniques” per month.  Current Tacoda press releases also state that it is developing patent-pending technology “to recognize a consumers’ opt-out status even if they have deleted their browser cookies. Current opt-out systems are not able to do this.”  In July, 2007, executives from Tacoda referred to something they call a “hardened opt-out” during panel discussions at the MediaPost Behavioral Marketing Forum. Larry Allen, SVP Marketing, Tacoda noted that:
One of the other interesting things about privacy is if you do opt out of many networks, and then you accidentally clear your cookies, you’ve just re-opted in to all of the ad networks you opted out of, except Tacoda. So, one of the things that we did is we built some technology that enabled us to harden the opt-out and enable that we uphold your choice. 
Curt Viebranz, CEO of Tacoda, also discussed the hardened opt-out on another panel:
One of the little known secrets is that the ability — as with the Tacoda audience networks — the ability to opt out is driven by a cookie itself. So that if you go to the Network Advertising Initiative — of which we’re part — and you opt out, and subsequent to that you clear your cookies, de facto you’re going to pick up a Tacoda cookie the next time you visit one of our sites. So we are actually trying …(pause) We believe that ultimately we are going to have a trusted relationship with the consumer as a purveyor of topical information. It’s going to get there at some point, and so we’re basically saying is we’re going to notice consumers that they’re part of our network, if they choose to opt out, and we notice in the cache that they have actively opted out, we’re going to reset that cookie to allow them out. 
This “hardened opt-out” works through one of the known variations of the browser cache cookie technique. Specifically, Tacoda uses an ENTITY TAG, or eTag that is stored in the cache of the user’s web browser. This eTag interacts with the Tacoda servers and users’ computers to identify users and some of their past actions. Based on the MediaPost statements, even if a user has deleted the Tacoda NAI opt-out cookie, Tacoda, employing the browser cache technique, effectively re-sets that cookie and acts as though the user had not deleted the Tacoda NAI opt-out cookie.
This is what part of the interaction looks like (Test done using Internet Explorer):
Tacoda looks to see if this file is in the local browser cache:
If it isn’t, then a unique ID number for the file is sent as an eTag:
If the opt-out page is accessed again, this unique ID number is sent back in an “If- None-Match” header:
The cache of a web browser is not where traditional NAI cookies are stored, and very few users would think to look in their browser’s cache for a persistent identifier. As the items in the cache age, older items are removed and replaced with newer items in the cache. Few consumers are aware of the reasons to delete their browser cache along with their traditional cookies. Although cache control is not as popular as cookie control yet, Mozilla Firefox has an extension called Safecache (www.safecache.com) that, if used properly, can help alleviate cache tracking. 
On first blush Tacoda’s attempt to “harden” or protect the NAI opt-out from user deletion may appear to be a good thing. But the reality is that resetting cookies without consumer consent is a bad precedent. Overriding an action taken by a consumer can be used for bad purposes or for good purposes. Resetting a deleted opt-out cookie may seem to be a neutral activity, but the spread of cookie resetting actions is more likely to be harmful to consumers. If this negative precedent becomes an established technique, not all companies using the technique can be trusted to reset cookies honorably. Assumptions about what the consumer actually meant are not likely to be made fairly or honestly by companies profiting from advertising.
Given that browser cache activities are not covered under the NAI, consumers have no NAI protections in this area. This is another example where the NAI has failed to address new techniques not covered in the NAI agreement.
Flash cookies are typically deposited when a user plays a video on the web. Watching most YouTube videos, for example, will often set a Google Flash cookie. While it was never intended as a persistent tracking device, the Adobe Flash  program’s Local Shared Objects (LSO) function allows the storage of persistent unique identifiers from third parties. 
Nicknamed “Flash cookies,” or “third party Flash cookies,” these tracking files reside in a folder outside of the traditional NAI-defined cookies folder. Flash cookies function similarly to cookies in terms of their tracking capabilities. (See Figure 1.) The functionality has not been lost on those seeking to track consumers and avoid the NAI restrictions.
Flash cookies are not identical to traditional cookies. They are stored in a different area than a traditional cookie, and Flash cookies have a much larger capacity for storage.  Although most companies use Flash cookies to simply store a numeric identifier that links back to a server (similar to a traditional cookie), it is possible for a company to store more information in the Flash cookie file.
Adobe Flash describes Flash cookies in this way:
A local shared object, sometimes referred to as a “Flash cookie,” is a data file that can be created on your computer by the sites that you visit. Shared objects are most often used to enhance your web-browsing experience, for example, by allowing you to personalize the look and feel of a website that you frequently visit. Shared objects, by themselves, can’t do anything to or with the data on your computer. More important, shared objects can never access or remember your e- mail address or other personal information unless you willingly provide such information. 
Adobe itself notes that third party local shared objects have implications for privacy and for tracking that users need to be concerned about:
A third-party local shared object, sometimes referred to as a “third-party Flash cookie,” is a shared object created by third-party content, or content that is not actually located on the site you are currently viewing. Third-party local shared objects may be important for privacy discussions because they can be used to track your preferences or your website usage across different websites that you visit. 
Adobe has a web site that allows users to set the LSO folder in ways that can include rejecting flash cookies altogether.  (See Figure 2 for what this looks like). However, most users do not know about Flash cookies, and even fewer know how to manage or disable Flash cookies.
The NAI is silent about Flash cookies. The NAI agreement does not cover these increasingly popular forms of third-party tracking cookies. An NAI opt-out cookie, if downloaded, does not disable tracking that uses third party Flash cookies. Some have estimated that 98 percent of computers have Flash and therefore the ability to store Flash cookies.  As advertising transitions to being more video-based,  Flash cookies could become increasingly important for consumers to know about. Even if someone opted out of NAI tracking cookies, a company could deposit a third party Flash cookie or LSO with a tracking number. The effect could be the same or similar as third party tracking cookies. It is not known whether any NAI members use Flash cookies.
Flash cookies point up yet again the narrowness of the NAI agreement. These persistent – and effectively secret – identifiers that can track consumers are not included in NAI’s self-regulation. It is further evidence of the failure of the NAI to accomplish its stated goal. Given the popularity of video and video ads, this deficiency is potentially substantial.
Microsoft Silverlight is a program that is a competitor to Adobe Flash. Silverlight cookies function similarly to Flash cookies. The Microsoft product is slightly different than the Flash product, however. Microsoft calls the Silverlight file an Isolated Storage File, and expressly describes it as a “hidden file” that can accept a unique identifier:
The root of the virtual file system is located in a per-user, hidden folder in the physical file system. Each unique identifier provided by the host will map to a different consistent root, giving each application its own virtual file system. 
Microsoft does not provide users a way to simply or easily find or delete the hidden folder files at this time, nor does Microsoft address the issue of how Silverlight cookies may be used for depositing unique identifiers and tracking.
The NAI does not address the use of Microsoft’s hidden file Silverlight cookies that include unique identifiers.
XML SuperCookie (Microsoft UserData)
Yet another way an advertiser can potentially set a persistent tracking identifier is on a PC running Internet Explorer. This is a variation of a browser cache cookie. The storage depot in this case is in the Internet Explorer browser cache. (UserData is not available in any other browser except for IE). UserData is written to a hidden file and stored as an XML document. This data can be made to persist through reboots and a variety of other situations. These kinds of persistent identifiers have been called “super cookies” by some due to their large capacity. 
Like other non-NAI-covered persistent identifiers, MS UserData is not covered under the NAI agreement. MS UserData supercookies would be difficult for the average user to know about, find, or manage. When data is written in a hidden file, a typical user does not see it or ever know about it.
In its documentation of UserData, Microsoft included this security alert:
Data in a UserData store is not encrypted and therefore not secure. Any application that has access to the drive where UserData is saved has access to the data. Therefore it is recommended that you do not persist sensitive data like credit card numbers. 
The warning continues:
The UserData behavior persists information across sessions by writing to a UserData store. This provides a data structure that is more dynamic and has a greater capacity than cookies.  (Emphasis added.)
Figure 3, below, shows what UserData files look like when exposed. Most people would not know about these files nor know where to look for them.
It is not known how widely MS UserData is being used today, but some companies do use it, as seen in Figure 3. A recent paper describes the idea of using browser states for tracking consumers and notes that a “same-origin principle” needs to be in effect in order to protect web browsers from this problem.  The same-origin principle would require that any entity that set a tracking mechanism to a web browser would be the only entity that could then access this information or read it. This is how traditional cookies work, but it is not how other tracking technologies employing browser states works. The NAI could have addressed this, but did not, and this reflects another point of failure of the self- regulation.
Persistent Identifiers in Other Devices
Mobile phone ads are already in place and are not a future technology. For example, a company named Decktrade is already delivering ads to the mobile web.  Ad network 24/7 debuted a mobile marketing ad network in April 2007.  MoPhap, a mobile advertising network that does behavioral targeting, announced a partnership in August 2007 that would allow them to conduct mobile third party ad serving.  Revenue Science announced in September of 2007 its plan to deliver behaviorally targeted ads to mobile phones in Japan that were able to browse the web. 
There is a great deal that is not known about consumer tracking on devices other than personal computers. For consumers, tracking on other devices is one more area where the NAI does not provide any protection. A good example of just how difficult this question is to address can be found in a recent Canadian Internet Policy and Public Interest Clinic study on Digital Rights Management and consumer privacy. The researchers for the study expressed surprise after encountering DoubleClick presence in a digital audio book from the library. 
Much work needs to be done to expose all relevant technologies and to provide appropriate consumer rights and protection. This work should have been accomplished through a sincere self-regulatory process. However, as discussed, the NAI agreement only touches on narrow categories of technologies.
As a technology-specific instrument, the NAI agreement fails to address developing tracking techniques and mechanism, some of which were in use at the time the agreement was crafted. The NAI is not an effective self-regulation process because it does not expose all tracking technologies to consumers and because it allows for hidden and secret tracking. The NAI is the equivalent of a traffic safety organization that continues to offer consumers protections against horses and buggies long after the introduction of automobiles.
 Internet Engineering Task Force, HTTP State Management Mechanism, February 1997. <http://www.ietf.org/rfc/rfc2109.txt>.
 Technical note: In this report, a browser cache cookie means the eTag and similar techniques.
 Martin Pool, Meantime: Non-consensual http user tracking using caches, March 2000. <http://sourcefrog.net/projects/meantime/ >.
 Jakobsson; Bjorn Markus; et al, US Patent Application 20070106748. May 10, 2007 at 16, 17, 19.
 See Collin Jackson, et.al, Protecting Browser State from Web Privacy Attacks, WWW 2006, May 23.26, 2006, Edinburgh, Scotland.ACM 1-59593-323-9/06/0005 (emphasis added).
 Remarks of Curt Viebranz, CEO of Tacoda. BM 2007, Grilling the Vendors, Panel Discussion. July 24 2007. Video: < http://www.brightcove.tv/title.jsp?title=1125952443&channel=429048905>.
 Market Wire, Tacoda Launches Consumer Choice Initiative; Plans Opt-Out Preservation With New Patent-Pending Technology. November 6, 2006.
 Remarks of Larry Allen, SVP Tacoda. BM 2007, Is Privacy the Third Rail? Panel Discussion. July 24 2007. Video: <http://www.brightcove.tv/title.jsp?title=1126051143&channel=429048905>.
 BM 2007, Grilling the Vendors, Panel Discussion. July 24 2007. Video: < http://www.brightcove.tv/title.jsp?title=1125952443&channel=429048905>.
 The use of browser caches to set and track persistent identifiers as well as Mozilla Safe Cache is discussed in detail in Collin Jackson, et.al, Protecting Browser State from Web Privacy Attacks, WWW 2006, May 23.26, 2006, Edinburgh, Scotland.ACM 1-59593-323-9/06/0005.
 There is also the capacity of Remote Shared Objects, which appear to be rarely used. RSOs function similarly to LSOs. See note 34.
 Adobe Tech Note: What is a local shared object? <http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_16194&sliceId=1>.
 Adobe. How to Manage and Disable Local Shared Objects. <http://kb.adobe.com/selfservice/viewContent.do?externalId=52697ee8&sliceId=1>. See the Flash cookies page at the Electronic Privacy Information Center web page, <http://www.epic.org/privacy/cookies/flash.html>.
 The Adobe Flash preference manager is available at “How to manage and disable Local Shared Objects”: <http://kb.adobe.com/selfservice/viewContent.do?externalId=52697ee8&sliceId=1>. There is a demo available that gives step-by-step advice on how to restrict Flash cookies.
 Matt Marshall, New cookies, with PIE, are harder to throw out. Sunday Gazette-Mail, Charleston, W.V. May 1, 2005.
 See, for example, Catherine Holahan, Business Week Online, Online video ads: Just wait; A study by eMarketer predicts the floodgates will open after 2011. See also Web video ads to grow this year: Survey, Prism Insight, March 19 2007. See also Wireless News, Oct. 30, 2007, reported that Bright.Spot TV had surpassed its one millionth video ad: “BrightSpot Media, creator of BrightSpot.TV, an emerging interactive video advertising network, announced that it will surpass one million video ads served, in the month of October.”
 See: Microsoft Silverlight, How To: Use Microsoft Isolated Storage with .NET Framework, <http://silverlight.net/QuickStarts/IsoStore/StoreData.aspx>.
 See: Scott Isaacs, Inside Technique: Building Site Favorites with XML Super-Cookie, <http://www.siteexperts.com/tips/xml/ts05/page1.asp>. See also MSUserData. Introduction to Persistence, <http://msdn2.microsoft.com/en-us/library/ms533007.aspx> and <http://msdn2.microsoft.com/en- us/library/ms531424.aspx>.
 MSDN UserData Behavior <http://msdn2.microsoft.com/en-us/library/ms531424.aspx>.
 See Collin Jackson, et al, Protecting Browser State from Web Privacy Attacks, WWW 2006, May 23-26, 2006, Edinburgh, Scotland. ACM 1-59593-323-9/06/0005. <http://www2006.org/programme/files/xhtml/3536/index.html>.
 See Decktrade <http://www.decktrade.com/pages/advertisers?gclid=CNyV8Y3uso8CFR- YYAoduVhKLw>.
 Dianna Dilworth, 24/7 debuts mobile marketing ad network, DMNews, April 6, 2007.
 Wireless News, MoPhap Teams with RealTechNetwork, August 19, 2007. “MoPhap is the only mobile ad serving company that has enabled third-party ad serving – the very same model that changed the face of online advertising.”
 Reuters, Revenue Science offers behavioral ads in Japan, September 24, 2007.
 Digital Rights Management and Consumer Privacy: An Assessment of DRM Applications under Canadian Privacy Law, CIPPIC, September 2007. <http://www.cippic.ca>.
Roadmap: The National Advertising Initiative – Failing at Consumer Protection and at Self-Regulation: Part II: Discussion - Beyond Cookies: Tracking Technologies are not Always Exposed or Visible to Consumers