Sophos Cloud Optix
Last Thursday, Twitter announced the global availability of tailored audiences; promoted tweets that are targeted at individuals based on the websites they have visited.
It seemed like a good opportunity to explain how Twitter is going to do it, how it has been using a different technique to track the websites you visit for some time now, and how to turn it all off if you want to.
Tailored audiences
Tailored audiences is Twitter’s take on retargeting – a behavioural advertising technique that allows companies to continue advertising to somebody who has visited and then left their website (typically because they visited but didn’t buy anything).
Retargeted ads are the ones that seemingly follow you around – no matter which website you’re on, the same advert appears over and over.
In theory, behavioural advertising is good news all round because advertisers are less likely to waste time and money talking to the wrong people and consumers are more likely to see adverts for things they might actually want.
Unfortunately while consumers get a share of the upside they have the downside to themselves; in order for it all to work somebody, somewhere has to collect, store and analyse lots and lots of information about what those consumers have been doing.
For users who care about their privacy now and in the future that’s a significant downside, even when the data that’s collected is aggregated and anonymised.
The privacy situation is made worse by the online advertising community’s strong inclination towards opting users into behavioural advertising silently and with the assumption that users are OK with it.
This default opt-in approach is doubly disappointing from Twitter who has often been ahead of its rivals in adopting privacy technologies like HTTPS, Do Not Track and forward secrecy.
To make tailored audiences work, Twitter has teamed up with ten ‘ad partners’. These ad partners are well established advertising companies that already engage in things like retargeting and loyalty programs.
The ad partners will tell Twitter when a user has visited a website that’s signed up to tailored audiences so that it knows it can retarget that website’s promoted tweets to the same user when they log on to Twitter.
Fortunately Twitter has made it easy to opt out:
- Log in to Twitter
- Click on the Settings and help sprocket icon
- Click Settings
- Select Security and Privacy
- Un-tick Promoted content.
Unusually, you can also opt out by enabling the almost-but-not-entirely useless Do Not Track function in your browser.
Neither of these measures prevents the ad companies from tracking you on 3rd party websites but they do stop the ad companies from passing the tracking data to Twitter.
The ad partners themselves maintain their own individual opt outs (which should opt you out of their entire ad networks and not just tailored audiences). Links to the ad partner opt-out pages are provided below:
Now, as I mentioned in my introduction, tailored audiences isn’t the only way that Twitter can track the websites you visit so let’s take a look at tailored suggestions.
Tailored suggestions
Tailored suggestions is a list of users who Twitter thinks you might like to follow that appears under ‘Who to follow’ on various pages on the micro-blogging site.
Twitter tries to work out if you should follow somebody by comparing the websites their followers visit with the websites that you go to. Although it relies on knowing which websites you visit it doesn’t use the tailored audiences ad partners to get that data.
The data for tailored suggestions is gathered entirely from the blue tweet buttons that are embedded into websites (like this one) that want to make tweeting their content a little bit easier.
This is possible because of the way that the buttons are embedded. When a browser loads a web page with an embedded tweet button it has to request the code for the tweet button from twitter.com.
That request is like any other HTTP request for any other web page and will contain a referer header (which can identify where you are) and any cookies your browser has for the twitter.com domain (which can identify who you are).
So the very act of looking at a web page with a tweet button on it can tell Twitter you are looking at that web page (this is also true of Facebook Like buttons, Pinterest Pins and all the other popular social media ‘widgets’).
Fortunately it’s just as easy to switch off tailored suggestions as it is to switch of tailored audiences:
- Log in to Twitter
- Click on the Settings and help sprocket icon
- Click Settings
- Select Security and Privacy
- Un-tick Personalization
As with tailored audiences, Twitter will also disable tailored suggestions if you have Do Not Track enabled in your browser.
The methods described in this article for disabling tracking are the vendors’ own methods and following them should ensure that the sites affected stop tracking you but continue to operate correctly.
If you don’t trust vendors that rely on advertising dollars to manage your privacy or if you’re looking for a more comprehensive anti-tracking solution then you might prefer to manage your privacy with a browser plugin like Ghostery or Lightbeam.
Firefox users would do well to check out the Ghostery plugin https://addons.mozilla.org/en-US/firefox/addon/ghostery
Expect Twitter to become more intrusive, now that they’re a public company and have shareholders they have to try to impress.
While you are in Twitters config, you might as well check “Require personal information to reset my password”. As Twitter says: “By default, you can initiate a password reset by entering only your @username. If you check this box, you will be prompted to enter your email address or phone number if you forget your password.”
– Use one browser for Twitter (OR Facebook OR GooglePlus OR…) and other(s) for casual surfing.
– Configure all of them to delete cache and history when you close them.
– Close them after logging out of any service where you had to log in.
Signed: privacy conscious surfer
I love adblock pro and noscript. Marking all the above as untrusted took about 15 seconds.
Web of trust is useful too.
Regarding behavioral advertising: I feel it works….to a point. However it has gotten to the point where I avoid going to certain sites that are too heavy on this because I will see their ads EVERYWHERE and it feels creepy.
I’m talking about Zappos etc – If you visit and look around for 30 seconds, it feels like you will never get rid of them after you close that window – Ads seemingly on every site you subsequently visit.
Which of course trains me to simply STOP going to Zappos et al to avoid being ad-stalked.
I don’t mind targeted adds to much, but get tired of ads from things I already subscribe to. For example, I get quite a few ads for an MMO I have played since 2008. You would think they could find a way around that.
I think this comes down to the individual site operators rather than the ad networks.
With Google AdWords and Analytics retargeting the site owner themselves chooses how to segment the audience and which segments to retarget too.
Similar to rakso75’s suggestion, I copy/paste websites suggested in Twitter that I want to view into my secondary/backup browser. I have set both browsers to delete cache & history when I close the browser. I also use this procedure to view links in emails. Judicious practices can help mitigate the metadata traps.
In Internet Explorer (this is IE8 but all are similar),
Tools–>Internet Options–>Security–>Restricted Sites–>Sites and Add https://platform.twitter.com
No special add-ins required. At the same time you can add Facebook, Reddit, yieldmanager, doubleclick, adserver.yahoo.com, tumblr, and all those others that slow down browsing.
Any time I see the browser halt with “Waiting for http://somesite.com” then http://somesite.com gets added to this list.
Opting out of ad partners is good. Just remember some, if not all of them use cookies to track your op-out status. If you opt out, then turn around and use ccleaner or some other tool to purge your cookies, you have effectively opted back in.
Thanks for mentioning this. It occurred to me as I was researching the ad partners and then, for reasons I can’t recall, I didn’t put it in the article.
I have un-ticked both in my twitter settings & privacy but still couple of people are spying on me from several services(got from Web Shield)..how can I block all those sites such as google analytics,twitter widgets,face book connect.
As I mentioned at the end of the article (and “Black A.M.” recommended in the first comment) try Ghostery.
What does it mean, when for “personalization” it says “The feature to tailor Twitter based on your recent website visits is not available to you.”? (I already opted out for the “promoted content” weeks/months ago.)
That very vague “explanation” doesn’t make any sense.
So if I visit 10 banking sites…. twitter immediately sees the contents of all those cookies? Huh? How?
I thought the cookies were only shown to the individual sites. No?
Twitter knows that you visited one of those banking sites if:
a) The site includes a tweet button. Your browser fetches that tweet button from twitter and the request your browser sends to Twitter contains the address of the page on the banking site and any twitter.com cookies you have – such as the one that uniquely identifies you. No access to the bank site cookies is required.
b) The site includes code from a 3rd party advertiser that has a relationship with Twitter. In this case your browser fetches code from the 3rd party advertiser and the request to the advertiser includes the bank page URL and any cookies the advertiser has previously set on your browser, including unique IDs. Again, no access to bank site cookies is required.