Archive for July, 2009

Extending our opt-out cookie’s shelf life

Tuesday, July 28th, 2009

Many users of the Internet are now aware of what cookies are – small files on a computer that store preferences for the user. What many may not be aware of, however, is that every web browser cookie comes with an expiration date – much like the “sell by” date on food items you purchase in the store. Once the expiration date is reached, the cookie becomes “stale” and must be replaced with a new web browser cookie. It’s relatively rare for web site privacy policies to include cookie expiration dates but they are visible in the cookie files themselves. These dates can range from minutes to decades from the date the cookie is set. Although a decades-long cookie sounds like a long time, in practical terms most cookies don’t last for very long. Recent research from TRUSTe shows that users are being more proactive in managing their cookies either by actively deleting them (nearly half of all users clear their cookies on a weekly basis), or by using anti-spyware packages that clear cookies (including opt-out cookies) on a regular basis. In the grand scheme of things these factors makes cookie expiration dates less important but some concerns have been raised.

A few months ago, Yahoo! made changes to make our opt-out cookie persistent to address the concern that opt-out cookies may be inadvertently deleted by users. Today users can make their opt-out both persistent and portable by linking their opt-out choice to their Yahoo! ID. Under this process, the opt-out cookie (and its expiration date) is refreshed at every login.

A more recent issue has been raised by Chris Soghoian, a graduate student fellow at the Berkman Center for Internet & Society at Harvard University. Chris has asked the NAI (Network Advertising Initiative – a group of ad serving companies focused on self-regulation in this area) to set a minimum expiration date of 5 years on online behavioral advertising opt-out cookies and to post the expiration date on the opt-out page as well. We agree that this makes a lot of sense so we revisited this issue.

Yahoo! has been in the process of implementing a two-year cookie expiration date for all Yahoo! cookies. That is why the opt-out cookie for those not making their opt-out persistent is currently set to two years but we recognize that opt-out cookies should be dealt with differently from other kinds of preferences. Yahoo! will be moving forward with extending the expiration date on our opt-out cookies to 20 years (erring on the side of being conservative). Implementing the 20-year expiration date on our opt-out cookie will take us some time to deploy across the thousands of systems we have around the globe, but we aim to have this process completed by the end of the year. We thank Chris for bringing this issue to our attention.

Consumers can learn more about their system’s browser cookies and the expiration dates by visiting Internet Options in their web browser (under “Tools” in Internet Explorer). On the General tab, under Browsing history, click Settings. Then click the View Files button. In this view, you’ll see every cookie on your system and its associated expiration date. To clear a single cookie, simply right-mouse click on that cookie and select Delete.

To learn more about how Yahoo! treats cookies, please visit the Cookie module in our Privacy Center.

Shane Wiley
Sr. Director – Privacy & Data Governance

Online Privacy, Advertising, and Self-Regulation – A Move in the Right Direction

Thursday, July 2nd, 2009

Today another important step was taken to protect privacy online and Yahoo! is proud to have played a part. The largest media and marketing trade associations in the US announced self-regulatory principles for online privacy. These groups include the Association of National Advertisers (ANA), American Association of Advertising Agencies (4A’s), Direct Marketing Association (DMA) and Interactive Advertising Bureau (IAB). Collectively, these groups count more than 5,000 member companies among them, including some of the most recognized brands and web sites in the world. These organizations collaborated with the Council of Better Business Bureaus, known for being an important voice for consumers both online and offline, and the Network Advertising Initiative, which represents the top network advertising companies that deliver the majority of interest-based ads across the Internet.

Yahoo! is excited about this effort and what it adds to the steps that Yahoo! has already taken over the last year to protect user privacy online.

Let me tell you why Yahoo! believes this initiative is significant:

  • This new self-regulatory effort is the first time publishers, agencies and advertisers have committed to privacy principles for data collected and used for interest-based advertising. Each of these entities plays an important role in purchasing, developing, delivering, and displaying online advertising and now, everyone is working together. Self-regulation is most effective when everyone is on board. This effort demonstrates real scale and collaboration.
  • This new effort answers the FTC’s call to industry to respond to their principles and to demonstrate meaningful self-regulation. Here, industry is doing just that.
  • While many ad networks and web sites have been offering users transparency through privacy notices and user control via opt-out links for years, these principles will lead to even greater transparency across an incredibly broad swath of the Internet’s most popular sites.
  • Perhaps most importantly, this effort will offer consumers greater control over the collection and use of data in a more transparent fashion when they go online.
  • I testified before Congress only a couple of weeks ago about these issues. In my testimony I explained that Yahoo! prefers self-regulation because it is the only form of regulation that can move as quickly as the Internet. Case in point – over the past year alone Yahoo! has announced a number of improvements to transparency, control and data retention. We have:

  • Redesigned our Privacy Center for better ease of use and navigation for users with prominent links to our interest-based advertising opt-out. Our Privacy Center remains linked to from nearly every page on the Yahoo! site.
  • Improved our opt-out to apply to interest-based advertising both on and off the Yahoo! network of websites AND allowed for it to be persistent so users don’t have to opt-out multiple times if their cookies get deleted.
  • Announced a policy to dramatically reduce our data retention period while broadening the scope of data covered. We will de-identify log file data at or before 90 days (it was previously 13 months) with limited exceptions to help fight fraud, secure systems, and meet legal obligations. We vastly increased the scope of this policy beyond search log files to our log file systems that hold page views, page clicks, ad views and ad clicks.
  • Improved as we go. In the process of implementing our data retention policy, we decided to completely delete IP address for most log file data at or before 90 days. Previously we had agreed to remove the last octet (or last section of numbers).
  • Run a consumer education ad campaign, showing on average 200 million advertisements per month across our sites promoting online privacy awareness.
  • All these steps are important to educating consumers about their choices, but this is only the beginning. There is a lot of work ahead to implement these principles to ensure that privacy is protected and industry is able to flourish. But today we began with an important step in the right direction.

    Anne Toth
    VP of Policy
    Head of Privacy