Behavioural targeting

Behavioural targeting


Behavioural targeting has become a significant concern to privacy advocates. In the past, the ability of marketers to track, profile, and target individual consumers with specific advertising has been limited by marketers need for those consumers to browse to specific websites or use specific web services. Beginning in 2007, web marketing businesses began to introduce technologies that target the traffic streams of Internet Service Providers (ISPs) as a source of data for building profiles of individual ISP customers. Given the rich body of data customers provide to ISPs for the purposes of browsing the web and using online services - and the resulting privacy concerns raised - ISP entry into the behavioural targeting market has proven controversial for consumers and regulators alike.

This F.A.Q. was supported by the Social Sciences and Humanities Research Council



What is behavioural targeting?

"Behavioural targeting" is the marketing practice of targeting advertisements to consumers on the basis of observed or known characteristics of the consumer. In the internet context, marketers may observe the browsing habits of a particular consumer, classify the consumer within categories on the basis of those observations, and serve ads targeted to members of that classification. For example, a newspaper website might observe a consumer browsing to webpages that include articles on sports, technology, and pop music, and accordingly classify the consumer in a category that likely includes young males. The website would then serve ads appropriate to that demographic.
The term's usage often encompasses all stages of the practice: collecting information, storing it, analyzing it, and targeting individuals with advertising. It is sometimes used interchangeably with advertising targeting and behavioural advertising.

How is the information collected? 

Information on individuals' web usage can potentially be collected at a number of different points. These include:
  • A single web page
  • Web pages served from a single domain
  • Web pages served from a domains all owned or controlled by the same company
  • Web pages owned or controlled by different companies
  • Web-based applications like an instant messenger or email
  • Internet Service Providers (ISPs)

Who is collecting the information? 

Just as data collection can take place at a number of different places, a number of different actors can be behind it. Individual web sites, networks of websites, and sites owned by the same or different companies can all collect information about you when you visit one of their pages and/or view their advertising. Web-based applications, such as webmail and instant messaging, can collect information about users while they use the application.
Some companies specialize in collecting, storing and analyzing consumers' information, and sell those services to other companies. Websites have partnered with behavioural targeting companies such as Media6degrees, RevenueScience, SpecificMEDIA Inc., TACODA Inc., Tribal Fusion, and [x+1] (formerly Poindexter Systems Inc.).
Increasingly, ISPs are establishing relationships with behavioural targeting companies who install monitoring equipment directly onto ISPs' networks. The most well-known ISP-level behavioral targeting companies are Phorm in the United Kingdom and NebuAd in the United States and Canada. The lesser-known company AdZilla, though based in California, has a Canadian office in Vancouver. Other companies include FrontPorch and Project Rialto.

How do web pages, single domains, domains all owned or controlled by the same company, or web-based applications like an instant messenger and email collect information for behavioural targeting?

Web servers have long maintained log files documenting aggregate requests made by users for information such as web pages or graphic files as well as error and status messages sent out and transaction details. This method has proven to be relatively imprecise as it cannot account for caching servers, browser caching, and proxy servers.
Web publishers routinely use some form of data / page tag to compile information. One common type is an HTTP cookie - a small parcel of code sent by a server to a user's web browser which is sent back to the server each time the browser accesses the server. The cookie creates a reference point for a web server, enabling a more precise recognition of return users and allowing the server to determine which requests are coming from the same user. At the end of a web browsing session, cookies without expiry dates will be deleted. However, if a server sets an expiry date, the cookie will last until that time. These persistent cookies allow a web site to collect information about users over time.
Another type of data / page tag is a "web bug". Web pages or domains insert clear image files on their pages that essentially perform the function of a cookie.
The main difference in data collection between single web pages, single domains or multiple domains is in the number of places cookies will be read. Larger networks could send and read data / page tags across different domains and sites, allowing data collection across that broader territory.
There are many variations on this basic data / page tag model. For instance, one data collection method is to institute user accounts. Web sites might require or suggest that users log in to an account. Upon doing so, the user would be sent a cookie. This would identify users and permit the site to collect information about site usage.
Sites might also combine logs with data / page tags.
All of these methods only allow the web page, domain, or domains owned by the same company to know what the user does on affiliated sites or domains. When a user goes to an unaffiliated site or domain, the company can no longer collect web usage information.

How do ISPs collect information for behavioural targeting?

Whenever an individual attempts to use the Internet, the equipment installed by behavioural targeting companies on ISP networks intercepts the request, and analyzes and records the information. This may include all of a user's web traffic across different sites and domains, making the scope of data collection "comprehensive". There are technical variations in how different companies' data collection technology functions. Major behavioural targeting companies have not disclosed all of the specifics about how their respective systems work.

What types of information are collected?

Web pages, single domains, or domains all owned or controlled by the same company might track information such as which pages the user visits on a site or across domain(s), which advertisements the user views, search terms or other information entered, the user's preferences, web browser type and language, the user's operating system, and their postal or zip code.
ISP-level behavioural targeting is comprehensive in its web traffic data collection. ISPs or their partners collect similar types of information, however the scope includes most, if not all, information from an individual's online web traffic.
Some behavioural targeting companies explicitly exclude particular types of information. Most state that they do not collect personal information such as names, addresses, financial information as well as information related to sensitive subject areas. Different companies, however, set their own definitions of what is sensitive. For instance, NebuAd states that it does not collect and store information on sites relating to sex, health, or politics. NebuAd also says that it does not look into information packets containing emails or pictures. Phorm, on the other hand, does not store information related to tobacco, drugs, alcohol, pornography, gambling (except National Lottery), or UK Political Parties. Phorm also tries to avoid emails.
In addition to varying standards of what is sensitive, behavioural targeting companies have released varying degrees of information about how their applications and technologies exclude specific types of information. A common point of ambiguity is whether systems merely do not analyze and store information on sensitive topics, or whether, somehow, the information is excluded from collection altogether.

What happens with the information after it is collected?

Behavioural targeting companies generally use the collected data to build profiles about individual users. Individual users are categorized based on their web traffic. If a user visits a web page reviewing new cars, the user might be categorized as having an interest in automobiles.
Different sites, domains and companies define their categories differently. Phorm allows other companies to experiment and develop new ways of categorizing and grouping users. NebuAd uses collected information to define and develop interest categories. The data from the user's web traffic is aggregated with data from all other users and stored in aggregate form to help continually re-define the interest categories. NebuAd claims to have over 1000 interest categories.

What do companies do with the profiles they assemble?

Behavioural targeting companies use the profiles assembled from users' web traffic data to sell online advertising. Behavioural targeting companies partner with both web publishers and advertisers. Web publishers provide the space for advertising. Advertisers pay to show users falling into specific interest categories relevant advertising. When users navigate to a page that has partnered with the behavioural targeting company, they will see advertising targeted at them based on the information contained within user profiles. For example, if a user has been categorized as being interested in cars, advertisers might target them with advertising about the latest car models.

Is this practice entirely new?

Advertisers are always looking for new ways to understand consumers and their target markets. It is a relatively established practice for web sites and the companies that publish and own them to collect information about their visitors. However, what is new is the scope and scale of ISP-level behavioural targeting and comprehensive web traffic collection. In the past, if an individual navigated away from a web page and/or its affiliates that particular site or company no longer had the ability to collect information, now users will still be tracked. Traditionally, ISPs have been considered - and have characterized themselves - as mere pipes carrying information.
Further, the volume of data collected with ISP-level behavioural targeting is much greater leading to more and more being known about individuals.

Why are behavioural targeting companies interested in comprehensive web traffic collection and behavioural targeting?

Effective behavioural targeting requires high volumes of data and different companies are competing to collect more data and to analyze it effectively. Developing a model that tracks all of a user's web traffic provides a large amount of data in real time. ISP-level behavioural targeting offers the potential to gain an advantage in a very lucrative industry. Web research firm eMarketer estimates the U.S. spending alone onbehaviorally targeted advertising will more than quadruple from approximately $775 million in 2008 to $4 billion in 2012. Behavioural targeting companies are developing a business model where they play a critical role at the centre of this growing industry.

Why are ISPs interested in behavioural targeting?

Behavioural targeting offers ISPs a new way to generate revenue. Currently, providing internet services is a high volume, low profit margin business. Meanwhile, many different entities are finding ways to profit online. Behavioural targeting allows ISPs to tap into a greater share of the value being generated online.

Why are advertising companies interested in behavioural targeting?

Behaviourally targeted advertising offers the possibility of a higher return on investment (ROI) for advertising firms. Since the advertising would be directed at those more likely to be interested in the product / service, firms would not have to "waste" money showing advertising to those with no interest whatsoever in their product / service. The theory is that consumers will be more likely to click through the ad and, ultimately, to purchase the commodity offered.
ISP-level behavioural targeting is of particular interest because, if effective, it promises an unprecedented opportunity to market to internet users.

Why are web publishers interested in behavioural targeting?

Web publishers stand to gain from behavioural targeting because advertisers generally pay higher advertising rates to target individuals based on their assembled profiles. The ability to know more about subscribers helps to attract advertising money online away from television and other media. In addition, a number of behavioural targeting firms help match publishers with advertisers and provide help with advertising sales.

What are some of the privacy concerns with behavioural targeting?

Collecting and storing such vast amounts of data present some privacy concerns. Many ISPs have not been very forthcoming with information regarding their behavioural targeting practices; the lack of notice to consumers prevents their informed consent to the practices. One of the principles on which Canada's privacy legislation is founded is that individuals must be notified and must consent to their personal information being collected, used, and/or stored. ISPs' failure to inform their customers of their practices and to obtain customer permission is especially troubling considering that users' web traffic data can often be incredibly detailed and cover all sorts of personal and private topics. Although some behavioural targeting companies have pledged not to collect "sensitive" information, as noted above, the companies use their own definitions of what is considered sensitive.

What privacy protections do companies put in place? 

Like many aspects of the behavioural targeting system, privacy protections vary from company to company. Perhaps the most common protection is to assign users an anonymizing hash number. Companies use an algorithm to generate a random number for each user and information is stored under the hash number rather than under the user's name, IP address or other identifying information. This hash number aims at preventing stored information from being linked with an identifiable individual. Behavioural targeting companies undertake not to link information with ISP subscriber records.
Further, according to behavioural targeting companies, all that is associated with the user hash number is the interest categories to which the user is assigned.
Behavioural targeting companies have different methods for treating the ultimate use of the collected raw data. Phorm, for example, claims to discard the data immediately after having categorized a user. NebuAd, on the other hand, assigns the raw data a second anonymizing hash number - to prevent it from being associated with the first hash number assigned to the user profile - and stores the information in aggregate form to help define interest categories.
Behavioural targeting companies generally enact internal policies to limit access to user profiles and to the stored information.

If specific data is anonymised and aggregated, is it impossible to link it to an individual?

Extensive research has called into question the security of "anonymized" data. Very little supplementary data has been required to associate information from anonymous databases with identifiable individuals. Even category level information, if sufficiently comprehensive, can serve to identify an individual. The amount of information stored on behavioural targeting companies' servers is considerable and may include postal codes, web browser information or other useful information for one looking to identify users.
An important point of contention is what is meant by "identifiable". Defining the term is of central importance because most legal privacy protections apply to information that can be linked to an identifiable individual. If information is not about an individual who can be identified, there are fewer restrictions on its collection, use, and storage. A relatively narrow interpretation argues that to be identifiable an individual must be associated with a number of common identifiers like their name, address, financial information, social insurance number, et cetera. A broader interpretation is more contextual and argues that an individual is identifiable when s/he can be singled out or almost singled out from a group. Under the first interpretation, behavioural targeting companies would be less likely to violate privacy laws and other second they would be more likely to violate the laws.
Further resources:

Are there any concerns about the security of the data collected?

Another concern with behavioural targeting is that creating a trove of data will attract those who hope to illicitly gain access to and exploit comprehensive data about ISP subscribers. In its Privacy Policy, NebuAd states: "NebuAd is committed to protecting all our data from unauthorized access or disclosure. Access to the anonymous information that NebuAd collects is restricted to NebuAd employees, contractors, and agents who require access to that information in order to operate, develop, or improve our services. These individuals are bound by strict confidentiality obligations and may be subject to disciplinary action, including termination and criminal prosecution, if they fail to meet these obligations." NebuAd and other behavioural targeting companies are, however, subject to the same technological vulnerabilities as other companies attempting to secure their data.

What choices do consumers have?

An acknowledged issue with behavioural targeting is that many of the opt-out mechanisms presented to subscribers who wish to not participate in the system are ineffective. Phorm used an opt-out system that was based on cookies, meaning that consumers would have to opt out on each individual computer they use. Further, if consumers periodically delete the cookies on their computers - as is generally good internet safety practice - they are surreptitiously opted back in.
Even non-cookie based opt-out mechanisms may have difficulty recognizing users across different computers in their own home. IP address-based opt-out mechanisms might have trouble recognizing users to whom ISPs have assigned a dynamic IP address.When their IP address changes,those who have opted-out on their computer may also still have their information collected and used as a part of the behavioural targeting system.
The lack of effective opt-out mechanism significantly curtails users' choices, however, it should also be noted that consumers are not always vigilant and often do not read a company's privacy policy or terms of use when presented with them online.

What are the limits on companies' use of the data collected and the targeted advertising?

Without full disclosure by ISPs and behavioural targeting companies as to what exactly they are doing with the technologies they are employing, it is hard to establish firm limits on appropriate practices. There are industry trends toward collecting ever increasing amounts of data. If companies are left to their own devices, market forces may entice them to collect increasingly detailed information in an effort to learn even more about consumers and to provide the best service to advertisers.

What is the status of behavioural targeting development and implementation?

In Canada, testing of behavioural targeting practices is already underway, according to NebuAd CEO Robert Dykes. In an April 14, 2008 Financial Post article, Dykes confirmed that "his company is testing its hardware with a number of undisclosed Canadian ISPs and has launched a sales team in Canada to locate more business." No Canadian ISPs have disclosed their participation in behavioural targeting trials.
Behavioural targeting is most established in the UK. Phorm has partnerships with the three largest ISPs - BT, TalkTalk, and Virgin - representing 70% of broadband internet users. In 2006, 18,000 BT customers were subject to trials of Phorm technology without being made aware of it and in 2007 a trial of similar scale occurred without customers being informed. BT has publicly stated that it conducted trials with Phorm technology without disclosing the tests to affected subscribers. BT has plans to conduct further trials with Phorm's technology on about 10,000
subscribers. The UK Office of the Information Commission recently reviewed Phorm practices and found that the company was not obtaining sufficient consent from subscribers. According to BT's website, the trial will be opt-in. Following the furour, TalkTalk has announced that they will only implement Phorm's technology if users would have to opt-in to participate and Virgin has said it has yet to decide whether to follow through with behavioural targeting plans.
In the U.S., NebuAd has partnered with ISPs representing 10 % of broadband users. Charter Communications, the fourth largest ISP in the U.S., was scheduled to begin a trial with NebuAd on June 15, 2008. However, Charter has since announced it was suspending its plans after Edward Markey, Chairman of the House of Representatives' Telecommunications Sub-Committee, along with Rep. Joe Barton wrote a letter asking Charter to hold off on trials until after Congressional hearings on the practice and a similar entreaty from the Connecticut Attorney General. The ISPs CenturyTel, Embarq and Knology have suspended planned NebuAd trials out of fear about potential legal liability.

How can consumers find out if a website, program, or ISP is collecting their information for behavioural targeting?

Users have a couple of options. Users can check the website, program, or ISP's privacy policy which should be prominently displayed on their website or otherwise readily accessible. If a company is engaging in behavioural targeting it should have clear and explicit language indicating that it does so. As the experiences in the United Kingdom and the United States demonstrate, however, some companies have not disclosed that they were engaging in behavioural targeting.
Users can also contact the company's designated representative in charge of privacy concerns. Companies are supposed to clearly identify someone who can be contacted to deal with individuals' privacy concerns.

How can consumers avoid behavioural targeting?

If a subscriber's ISP engages in behavioural targeting, they can use the system's opt-out mechanism or, if possible, the subscriber can switch to another ISP.


  • CIPPIC's letter to the Privacy Commissioner of Canada, dated July 25, 2008, requesting that that she intervene to establish rules around the use of behavioural targeting technologies at the ISP level in Canada
  • Washington Post: "Every Click You Make" : Provides a general level overview of ISP-level behavioural targeting.
  • The Register's Phorm Files : British website The Register has compiled their extensive reporting on Phorm's activities in the United Kingdom.
  • Digital Destiny : Jeff Chester's reports on digital media and public interest issues are invaluable. Often mining trade publications, Chester has established himself as a leading voice on behavioural targeting.
  • Specific Media's description of behavioural targeting : Advertising firm Specific Media provides its explanation of the practice of behavioural targeting.
  • Phorm : Behavioural targeting company Phorm provides its own explanation of how its technology works.
  • NebuAd : Behavioural targeting company NebuAd provides its own explanation of how its technology works.
  • Richard Clayton's Report on the Phorm "Webwise" System : Richard Clayton, Treasure for the Foundation for Information Policy Research, interviewed Phorm representatives and compiled a very detailed report on the technical specifics of how the Phorm "Webwise" system functions.
  • Page Sense External Validation Report : This internal report from Phorm's 2006 secret trials with BT that was leaked to the public via wikiLinks. It was reported on by The Register in April 2008.
  • NebuAd and Partner ISPs: Wiretapping, Forgery and Browser Hijacking : This report details how NebuAd's web tracking technology works and alleges that the NebuAd hardware impersonates the websites requested by a user in order to insert its own bits of code.
  • U.S. House of Representatives Subcommittee on Telecommunications and the Internet Hearing "What Your Broadband Provider Knows About Your Web Use" : The U.S. House of Representatives held hearings into internet service providers' use of Deep Packet Inspection technologies. The testimony of different parties provides more information about some the issues with behavioural targeting. Center for Democracy and Technology Chief Computer Scientist Alissa Cooper provides a privacy advocate perspective, while NebuAd CEO Robert Dykes provides a behavioural targeting company perspective.

This page last updated: August 6, 2008