Wall Street Journal Fear Mongering Must Stop

Progress Snapshot
Release 6.13, August 2010

by Adam Marcus*

The "What They Know" series of articles the Wall Street Journal ran last week about online privacy was quite a surprise.[1] The ideal of journalism is to inform and the Wall Street Journal usually does an excellent job of providing both sides of a story. But these articles were noticeably one-sided, containing gross errors in their explanations of basic technical points, and failing to mention simple solutions. The series is clearly meant to scare readers, but does not make it clear what, if anything, readers can do to respond to the supposed threats.

The "news" ostensibly being reported in the first article is the fact that the Journal found that the 50 most popular U.S. websites install an average of 64 "pieces of tracking technology [Web cookies] onto the computers of visitors, usually with no warning" and that "[n]early a third … were innocuous, … [b]ut over two-thirds … were installed by 131 companies, many of which are in the business of tracking Web users to create rich databases of consumer profiles that can be sold."[2] The companies that we're supposed to be so afraid of are ad networks that simply act as middlemen between companies wanting to advertise on the Internet and websites with content that draws an audience.

The authors describe a "tiny file" "hidden inside" a woman's computer that "help[s] gather personal details about her." The article mistakenly refers to this as a "beacon" and states that beacons "are small pieces of software that run on a Web page. They can track what a user is doing on the page, including what is being typed or where the mouse is moving." That would certainly be newsworthy—if it were true. But the "code" at issue is a Web cookie, and cookies are nothing to fear.

Cookies are not "files that record websites people visit," are not software, and do not "run" on a Web page (or anywhere else). They have existed since 1994 and are a core part of the World Wide Web. Cookies simply allow websites to remember you. When you first visit a website, it assigns you a unique identifier, stored in a file on your computer (the "cookie"), that is automatically sent back to the website on all subsequent visits. Cookies are used to keep track of what language you speak, what time zone you're in, what volume level you want, and what currency you want prices displayed in. Websites can infer these things through other means and you can disable cookies in your Web browser, but if you've ever tried to check your Webmail at an Internet café in a foreign country, you know how frustrating it is to have to constantly change these sorts of settings.

This is not just a case of a non-technical journalist getting confused. Julia Angwin, who wrote or co-wrote three of the articles, describes herself as "a digital native—the first generation to grow up enmeshed in digital technology."[3] She "was raised in Silicon Valley by parents who both worked in technology," "learned to type on an Apple II[,] and began programming in BASIC when [she] was in fifth grade." Another contributor, Jennifer Valentino-DeVries, is skilled in XML, HTML, Flash, basic JavaScript, and previously "handled the Journal's Web site throughout the day."[4]

Instead of demonizing standard business practices that are at the heart of the Internet economy, the Journal should do a better job of explaining that advertising is necessary if content is to remain free and pointing out that users who do have strong privacy concerns can easily opt out—though they may find, as a result, that those free Websites are either no longer free or simply no longer exist. As Journal columnist Walt Mossberg has previously stated, "Advertising is the mother's milk of all the mass media." This is as true for newspapers, which get the bulk of their revenue from advertising, as it is for other mass media.

Look closely at the list of the top 50 Websites, and you will see that only six of the sites actually charge for content available on the site, compared to 33 sites that depend at least in part on advertising.[5] So it should not be surprising that the most popular websites are working with multiple ad networks. Although The Wall Street Journal has been a longtime advocate of charging for access to its content, there are twice as many nonpaying subscribers as paying subscribers for the large amount of free content it still offers on its website.[6] And like the majority of the 50 most popular U.S. websites, the Wall Street Journal website installs tracking cookies from a behavioral targeting company (DoubleClick).

The quid pro quo for free content is advertising. And behavioral advertising, which requires the use of cookies, yields more than twice the revenue of non-behavioral advertising.[7] Without behavioral advertising, there would be a lot less free content on the Internet. That's why, in early 2008, Microsoft decided not to implement some additional security features initially planned for the next version of its Internet Explorer Web browser that would have blocked all third-party cookies by default. Why even mention something that seems so obvious? Because that non-issue was the topic of the second article in the series.[8]

The information collected and traded by ad networks is not personally identifiable. In most cases, the only information stored in the cookie itself is a random string of letters and numbers. Furthermore, ad networks don't care and don't record what specific websites or pages a user has visited. Instead, they classify various sites and pages and indicate which categories a user seems interested in. As the confidential internal Google document dissected in the series' fifth article explains, "[A]d networks today typically use very simplistic audience definitions, for example labeling auto enthusiasts based on 2 page[] views on auto content within 14 days." What is so scary about that?

For those who still have privacy concerns, it is quite easy to simply opt out of behavioral advertising by ad networks. They can go to the Network Advertising Initiative's Opt Out Tool, click a few boxes, and opt out of behavioral advertising from 55 different ad networks. Although that is the simplest method, it still involves sending cookies back and forth between ad networks, and if a user deletes their cookies, their opt-out preferences are also deleted. A more permanent solution that all modern Web browsers support is to completely block all third-party cookies. And users can easily block third-party Flash cookies (which some sites use to re-install regular cookies) from a Web page on Adobe's website. A companion article in the series mentions these techniques, but makes them seem more difficult than they really are.
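The cookie mechanics described above (a random identifier assigned on first visit and sent back afterwards, an opt-out that is itself a cookie, and third-party blocking) can be simulated in a few lines. This is an added example, not part of the original essay; the hostnames, the `id` and `optout` cookie names, and the `Site` and `Browser` classes are constructed for illustration and do not describe any particular ad network.

```python
import secrets
from http.cookies import SimpleCookie

class Site:
    """A website or ad network (constructed for illustration)."""
    def __init__(self, host):
        self.host = host

    def respond(self, cookie_header):
        """Handle one request; return (visitor_id, Set-Cookie value or None)."""
        sent = SimpleCookie(cookie_header or "")
        if "optout" in sent:              # opt-out is itself a cookie
            return None, None
        if "id" in sent:                  # returning browser: recognized
            return sent["id"].value, None
        fresh = SimpleCookie()
        fresh["id"] = secrets.token_hex(8)   # first visit: random identifier
        fresh["id"]["path"] = "/"
        return fresh["id"].value, fresh["id"].OutputString()

class Browser:
    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.jar = {}                     # host -> {cookie name: value}

    def request(self, site, page_host):
        """Load a resource from `site` while viewing a page on `page_host`."""
        if site.host != page_host and self.block_third_party:
            return site.respond(None)[0]  # nothing sent, nothing stored
        cookies = self.jar.setdefault(site.host, {})
        header = "; ".join(f"{k}={v}" for k, v in cookies.items())
        visitor_id, set_cookie = site.respond(header)
        for name, morsel in SimpleCookie(set_cookie or "").items():
            cookies[name] = morsel.value
        return visitor_id

    def opt_out(self, host):
        self.jar[host] = {"optout": "1"}  # replaces the identifier cookie

def demo():
    ad = Site("ads.example")
    b = Browser()
    first = b.request(ad, "news.example")
    second = b.request(ad, "shop.example")     # same ID on a second site
    b.opt_out(ad.host)
    opted = b.request(ad, "news.example")      # None: opt-out honoured
    b.jar.clear()                              # user deletes all cookies
    after_clear = b.request(ad, "news.example")  # new ID; opt-out is gone
    strict = Browser(block_third_party=True)
    blocked = (strict.request(ad, "news.example"), strict.request(ad, "news.example"))
    return first, second, opted, after_clear, blocked, strict.jar
```

With third-party blocking enabled the simulated network sees an unrelated identifier on every request and the browser stores nothing, which is why that setting survives cookie deletion while the opt-out cookie does not.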

The third article in the series, about how one company is able to make educated guesses about website visitors, is similarly un-newsworthy. While the article suggests this technology "is transforming the Internet into a place where people are becoming anonymous in name only," the reality is that "[t]he vast majority of Web properties out there—including 99.9 percent of ecommerce sites—don't have anything like this."[9] And Hunch, one of the most accurate prediction algorithms, considers click-through rates of 20 percent to be "shockingly high."[10] That's far from the Digital Svengali portrayed by the Journal. These algorithms are more akin to mentalists who wow audiences with "cold readings" in which they seem to make contact with audience members' dead loved ones. The truth is that these performers are simply making educated guesses and/or choosing names and subjects that are common to a large number of people. The company profiled in the Journal article does the same thing: It takes a user's IP address, determines the corresponding ZIP code, and then uses that to categorize them based on Nielsen NetRatings demographic data. In the case of both the mentalists and the data-crunching firms, the goal is the same: to give the audience what they want, whether that be grandpa Billy saying he loves you or a car manufacturer's website showing sports cars on the homepage when visited by someone from San Jose and trucks when visited by someone from San Antonio.

The fourth article, about how stalkers can exploit GPS chips that the government requires manufacturers to include in cellphones, shows how government mandates dealing with technology can sometimes backfire.[11] Anyone with a GPS-enabled cellphone can attest to how tremendously useful they are, and there are lots of heart-warming stories of the technology being used to find lost hikers and kidnapping victims. But by requiring that 95% of the phones in a carrier's network be traceable, the technology ceases to be a distinguishing feature when comparing phones and its existence is easily forgotten. And because terrorism-obsessed courts have allowed warrantless cellphone tracking, the systems have been and will continue to be abused.

For both behavioral tracking on the Internet and location tracking using GPS-enabled cellphones, it is not difficult to express one's privacy preferences. One just needs to know that it is possible and how to do so. The popularity of Adblock Plus, an ad blocking add-on for the Firefox Web browser, shows that quite a lot of people are able to exercise their preferences. With almost 90 million downloads and more than ten million active daily users, it is the most popular Firefox add-on by far.[12] As guest columnist Jim Harper puts it in his closing opinion piece, "People rise or fall to meet expectations, and consumer advocates who assume incompetence on the part of the public may have a hand in producing it, making consumers worse off."[13] The Wall Street Journal needs to stop its fear mongering and give its readers more credit.

*Adam Marcus is a Research Fellow and Senior Technologist at The Progress & Freedom Foundation. The views expressed in this essay are his own, and are not necessarily the views of the PFF board, fellows or staff.

