I’ve found myself growing weary of our benevolent big brother Google recently. Certainly one of the most compelling warnings that I remember recently came from Paul Meyers of TalkBiz fame. He effectively pointed out that Google’s mantra “do no evil” was wearing a bit thin when they decided to setup camp right on my Internet real estate with sidewiki. The discovery I detail below is somewhat related and has big implications for both Adsense publishers and Adwords advertisers, not to mention how to be safe on the Internet.
Interest-based stalking (oops, I mean advertising)
A little background: On March 12, 2009 I received an email from Google about my Adsense account (since I’m a publisher). The subject was “Introducing interest-based advertising – action required for your AdSense account“. They sum it up best in the body of the email, which I’ll just quote here:
Interest-based advertising will allow advertisers to show ads based on a user’s previous interactions with them, such as visits to advertiser web site and also to reach users based on their interests (e.g. “sports enthusiast”). To develop interest categories, we will recognize the types of web pages users visit throughout the Google content network. As an example, if they visit a number of sports pages, we will add them to the “sports enthusiast” interest category. To learn more about your associated account settings, please visit the AdSense Help Center at http://www.google.com/adsense/support/bin/topic.py?topic=20310.
When I read that I had a mixed reaction. Of course I want to monetize my web sites, but like Paul Meyers mentions about sidewiki and the overall Google infrastructure, they have access to a lot of information. In some ways, Google knows more about what I’m thinking than my wife does. For example, I use www.google.com search, GMail, picasa, Google Apps for my domain, google docs, Adsense, Adwords, youtube, and probably a few other Google services that I can’t remember right now. They record what I search for, they store my emails, etc. They have a lot of information about me, and their license agreement (you know that thing you never read because you don’t have a law degree or an extra hour in your day) spells out how they can use all that information. Turns out some of it might surprise you.
So what does this have to do with Google stalking me? Yesterday I was visiting a few sites of interest to me and quickly noticed that they were all showing banner ads for the same company (see screenshots below). I might not have taken notice, except that the company they were advertising had ZERO logical relation to the site I was visiting. There was no context and no relevance.
I did a little more digging and found that the banners were all showing inside Google Adsense blocks. I decided to run a little experiment to see if Google really was stalking me. I started from the site where I first noticed the irrelevant ad and went on to visit sites that I know/own, and that have Adsense. I then started trying to find sites that have the least amount to do with the ad I was being shown to see if the ad followed me.
PRWeb and riding lawn mowers
The ad was for PRWeb, and I’m not sure how the Google Adsense network could know about my interest in PRWeb just from my surfing habits or how many other bits of my information they infiltrated to make that connection. It’s also surprising that they would be so blatant in their display of those ads when they’re not contextually relevant to the sites that I visited. Finally, I wonder if PRWeb knows that Google is showing their ad on riding lawn mower review web sites to someone (me) that just published an article bringing into question the value of the PRWeb service.
So, here’s the list of sites that I visited. In case you’re interested I’ve included the search term I used to find the site (in Google) for those sites that I searched by topic. My aim was to visit sites that were as different as possible from each other to see how far Google would go in showing contextually irrelevant ads to me based on what it assumes my interests are.
- swimming pool blog: http://www.pool-help.com/
- online dating blog: http://www.onlinedatingnewsblog.com/
- guinea pigs blog: http://www.furrypal.blogspot.com/
- gardening blog: http://www.gardeningblog.net/
- calendar templates: http://www.vertex42.com/ExcelTemplates/excel-calendar-template.html
I took screen shots along the way so you could see how awkward their placement can be. Sometimes the text ads might go unnoticed, but the bright red and gray banners really stand out on a pink mommy’s coupon site.
Even after I got this collection of screen grabs I visited a few more sites and saw the PRWeb text ads and banners on every single site. It was really quite creepy!
Primary suspect: Google Chrome
At first I didn’t know exactly what Google was using to identify me or where they were pulling the information that suggests I would be an appropriate target for PRWeb ads so I did a few experiments. All of the screen shots above were taken (and ads seen) while using Google Chrome. In Firefox I saw only contextually relevant ads. What does Chrome know that Firefox doesn’t?
To test this I opened a new incognito window in Chrome and visited the same sites. This time I saw only relevant ads and nothing about PRWeb. So it appeared that the Google was getting it’s tip from Chrome, but it turned out the same thing could have happened in any browser.
Cookies and the SQLite database
Just for kicks I went to another computer and used chrome to open up the sites and verify that I saw only contextually relevant ads, regardless of where I was logged in (e.g. Gmail in another tab). The reason that I suspected this might work was because the incognito session prevented the stalking ads from being shown. In order to understand this you need to understand a two things about how browsers manage information.
The first are cookies. These are small bits of text information stored on your computer. They can store information about your passwords, preferences, session IDs, etc. These values are intended to be domain specific. That means your browser should only send information about specificdomain.com to the server when you are requesting information from specificdomain.com. It should never send the specificdomain.com cookies to anotherdomain.com.
Next is that each browser has a database that holds information about what you’ve typed into forms, stored passwords, browsing history, etc. In Chrome and Firefox the underlying database is the fast, efficient SQLite engine. You can use an SQLite client and view and tweak these files by hand if you like. It might surprise you to see the amount of information your browser stores about you browsing habits.
So, when you run incognito (or private) in a browser you essentially bypass these two elements. Cookies are isolated to that session and destroyed when it exits. SQLite values are not recorded, such as browsing history and search terms. If I’m not mistaken, a private/incognito session also isolates you to some degree from other information already stored from non-incognito sessions.
Since Google Chrome and Firefox both use the same basic stack which includes cookies and an SQLite database, I’m not sure that Google stalking me had as much to do with Chrome as it did with the fact that I had been using Chrome as my primary browser for a few months. So as a final experiment I went back to Chrome on my original PC and cleared all the cookies and all of the ads went back to being relevant and contextual.
To shed a little more light on this, Google has explained what cookies it uses and how the cookie value might have been set, although I somehow doubt that PRWeb had this in mind. Google sets cookies from any site that displays Adsense and uses those cookies to track an individual’s interests. Here’s what they say:
When users visit a partner’s web site and either view or click on an ad, a cookie may be dropped on that end user’s browser. The data gathered from these cookies will be used to help better serve and manage ads on the publisher’s site(s) and across the web.
Implications for Adwords Advertisers
So, if I clicked on a prweb ad on Google’s search page and that set a cookie showing that I was interested in Press Release submission services, now Google is going to show me ads about PRWeb on every site I ever visit. That could be both good and bad for an advertiser. In the case of PRWeb I had already purchased (and they already paid for my click). Google, however, doesn’t know or care whether you’ve already purchased a service, but they do know that you clicked on a certain ad and if you clicked it once, you’ll probably click it again.
Advertisers might end up spending a lot more on clicks, but they also might get “pre-qualified” traffic from the content network. This could make testing the content network a little trickier, since the content network has always been a bit of a crapshoot. Now if you start to target a site because you’re getting clicks there, it might not be due to any contextual relevance. Instead they might just have the cookie set and Google shows them what it thinks they’ll click. On the other hand, like Perry Marshall explains about right angle connections, you might just find an angle or some new keywords based on the sites where people go after (maybe a long time after) they first show interest in you by clicking one of your other ads.
Either way, this adds a lot of complexity and new variables into both the safe browsing discussion and the Google services for Adsense publishers and Adwords advertisers.
My conclusion from all of this is that I need to be more aware of how regular and useful information, like cookies, is used and have a plan to do some of my own cleanup along the way. I also question whether or not I have too many of my eggs in the Google basket. Since I’m tied into so many of their services, it becomes more and more difficult to know when they might have crossed the line and compromised my privacy (which doesn’t have as much to do with their policy as my threshold for their tactics and approach).
Additional resources and links
In 134 comments on Google’s blog about the interest based advertising there is clear concern about this type of personalization. Some even go so far as to call it spyware.