Online advertising companies like Google or Microsoft increasingly track users. They gather information about users, such as the websites they visit and their location, and use it to profile them and target ads. This has led to increasing complaints and calls for regulation from privacy and consumer protection groups.
We are proposing an advertising system that doesn't track, and is therefore far more private. This system, called Privad, is based on two main principles:
- Most information about you is kept on your own computer and not leaked out.
- The information that does leave your computer is proxied through an intermediary. Neither the intermediary nor the advertising company is able to build user profiles, nor are they able to identify users, not even with cookies.
Rather than watching what you do from the cloud, as advertising companies do today, Privad runs software directly on the user's computer. This “software agent” ensures that each user's profile is kept only on his or her computer: the profile information never leaks out. The software agent is also responsible for showing ads. It anonymously gathers and stores the sorts of ads the user might be interested in. When the user browses a website that has advertising space, the software agent selects an ad for the user to view and locally inserts it into the advertising space.
Unfortunately, your software agent cannot operate without transmitting some information. The advertising company needs to know which ads have been viewed or clicked, so that it can charge the advertiser accordingly. The advertising company also needs to know which websites provided advertising space, so that it can pay the websites accordingly. Privad delivers these reports anonymously.
Privad uses an intermediary that mixes the reports from many users so that the advertising company cannot tell where the reports come from. The intermediary is operated by an independent organization that is funded through advertising profits and is contractually obligated not to reveal IP addresses to the advertising companies.
The intermediary cannot see what is in Privad messages. In other words, users don’t need to trust the intermediary, just as users don’t need to trust the advertising company. This is because the reports are encrypted in such a way that only the advertiser can decrypt them. The intermediary knows that you sent a report, but not what is in the report. The advertiser knows what is in the report, but not who sent it. The intermediary is also used to anonymously deliver ads to you. As with the reports, the intermediary cannot see what ads you receive, and the advertising company does not know who got what ads.
- Privad: Practical Privacy in Online Advertising
- Serving Ads from localhost for Performance, Privacy, and Profit (slides)
- Auctions in Do-Not-Track Compliant Internet Advertising
- Towards Statistical Queries over Distributed Private User Data
- Q: How can I be sure that this “software agent” isn’t sending my profile to the advertising company?
A: The software agent is built in such a way that all communications in and out can be monitored by trusted third-party software. So, for instance, your anti-virus software could be modified to ensure that the software agent is not sending out additional information.
- Q: If the reports from the “software agent” are encrypted, how do I know they don’t contain private information like my name, gender, religion, and so on?
A: The encryption is done in such a way that the third-party software can validate the contents of the encrypted reports while still preventing the intermediary from seeing the contents of the reports.
- Q: Can’t this third-party software see my private information?
A: Sure, but if you can’t trust your anti-virus software, you are in trouble anyway. More generally, anybody who can get malware running on your computer can pretty much learn what they want. The software agent doesn’t change this one way or the other.
- Q: Can't a government agency just legally order the intermediary and the advertising company to show it the decrypted reports and user IP addresses?
A: Yes, but if it can do that, it can just as well legally wiretap users from their ISP.
- Q: Why would anyone install this software agent?
A: The software agent, or indeed a collection of competing software agents, could be supported by your browser in much the same way your browser toolbar supports multiple competing search engines today. The browser could provide basic protocol support and a framework for running Privad. Advertising companies could install their software agents into this framework, and compete with each other for advertisers, website ad space, and website profiling information.