Don Marti

Fri 15 Mar 2013 10:27:35 AM PDT

Why is another adtech person freaking out over fixing a privacy bug?

Scott Meyer (not the Basic Instructions Scott Meyer) writes that Firefox's new policy on third-party cookies will mean a loss of privacy controls for consumers, a degraded web experience and further tilting of the playing field toward the biggest companies on the web.

That's a lot of impact for one bug fix, so let's try to unpack it. First of all, does the new policy have a disproportionate effect on smaller adtech companies? No doubt. Firefox is, in effect, leaving tracking open for big sites, such as Google and Facebook, which can give users a first-party cookie, then follow them across other sites. Meanwhile, hardly anybody ever visits the pure adtech firms directly, so their cookies get blocked. Unfortunately, the adtech field is crowded with similar firms doing similar things, and it's bound to consolidate anyway. What the shift to a small-timer-unfriendly cookie policy means is that more of the consolidation will happen on the acquirers' terms. Instead of adtech firms getting snapped up for their programmers and their partner lists, more are going to end as pure Talent Acquisitions.

So it sucks to be an adtech investor, but, seriously, people, all that investment based on a design mistake made in Netscape 1.0 that has been controversial from the beginning? It's hard to build a business on the expectation that a bug won't get fixed. (I could say the same thing about Microsoft Security Essentials and the MS-Windows desktop antivirus business, but that's another story.)

So the small fry of adtech will go away faster and with less lucrative exits. That, Meyer is right about. But there's a next step that will affect the larger sites. The harder problem is having the user stay logged in to sites he or she chooses to visit, without leaking information through third-party cookies from the same sites. I'm a fan of an approach called double keying, which would do what looks like the user-expected thing, but Social API and other ideas are also kicking around.

Should Mozilla have waited to fix the easy problem of pure third-party tracking until it could also handle the harder problem of "Like" buttons? I don't think so. If you have a clean fix for part of a hard bug, ship it and iterate. Don't hole up in an ivory tower and try to fix everything, then have to iterate anyway.

Next item: the degraded web experience. This one I'm just not seeing. Many of the most dedicated user experience people are fans of Apple's devices and operating systems. And, aside from users who never visit, but want to use the Disqus comments on blogs, the Apple implementation of third-party cookie blocking has been painless. Bloggers know that a post about an Apple problem is great clickbait, but so far we have: (1) Disqus comments break unless you also go to, and (2) well, fine, I'll get back to you on the other one.

Now for the overall point of Meyer's piece. There are "consumers" and "advocates", and the "consumers" want to be tracked, but those mean advocates are deceiving the browser developers into keeping users from giving away information. Or maybe a better way to put it is that users like to get original content free of charge, and that the advocates are destroying the adtech system that brings it to them.

This is where the adtech system is giving itself way too much credit. Alexis C. Madrigal writes, The ad market, on which we all depend, started going haywire. Advertisers didn't have to buy The Atlantic. They could buy ads on networks that had dropped a cookie on people visiting The Atlantic. They could snatch our audience right out from underneath us.

Snatching is going to be less and less of an option. One of the key points that privacy advocates often miss is that user tracking isn't just for targeting in order to increase response rates. User tracking is also a key part of adtech's fraud prevention efforts. After all, an adtech vendor that's willing to run ads on copyright-infringing or other illegal sites can't depend on those sites not to do some click fraud. Every extra step between the advertiser and the user is one more opportunity for fraud.

People disagree about the extent of fraud perpetrated on the adtech system—John Battelle makes a good case that there's a lot—but there's no doubt that denying third-party cookies will open up more places for it to happen. The natural response is for advertisers to pull back on highly automated adtech and go for more native advertising, just as publishers are backing away from third-party social sites to "own the conversation" about their content.

Today's online ad industry is largely based on exploits for a browser privacy bug. Fixing the bugs will mean fixing the business. This is good for online advertising in the long run, because paradoxically, the better targeted an ad medium can be, the less valuable it is.

And now, bonus links (things that the RSS reader dragged in. RSS forever.)

Mozilla identity team: Persona plays well with Firefox's third-party cookie policy

Bob Hoffman: Advertising Is Like Exercise and Money Is Their Leverage. Media Is Their Weapon.

Jacques Mattheij: Disqus bait and switch, now with ads

Bob Garfield at MediaPost: The Miracle Machine That Keeps A Dying Magazine Alive.

Josh Dreller asks, Ad Blocking: Theft Or Fair Use? (But my big question is: why was ad blocking so rare until users started learning about tracking? If the adtech proponents are right, targeted ads should make blocking go down instead.)

Adam Lehman: Just Who Do The Data Paranoiacs Think We Are?

Mozilla Privacy Blog: Firefox getting smarter about third-party cookies