DNT Implementers

CASE STUDY: Chitika

Initial Adoption of DNT

 

Chitika’s business as a third-party advertising network involves serving ads on first-party publishers’ websites using an ad server that employs a real-time bidding system. Before it implemented DNT, Chitika used “opt-out” cookies to limit tracking. In that system, a user could download an opt-out cookie (separate from the tracking cookie used for ad targeting) that would indicate to Chitika not to track the user. This opt-out-cookie system remains in place, and Chitika views the DNT signal and opt-out cookies as equivalent. According to Chitika, DNT was live within a week of Mozilla’s original DNT proposal.

Chitika felt that adopting DNT was a “no-brainer,” viewing it as part of the company’s obligation to be good “corporate and technical citizens.” Chitika holds user privacy choice as a top priority, and it views DNT as another way to respect user choice.

 

Technical Implementation

 

Because Chitika already supported opt-out cookies, it was very easy for its engineers to implement DNT, reusing much of the same code. The company notes that implementing DNT was one of the easiest engineering challenges they have ever faced, and that the entire project was completed within an hour and involved around four lines of new code. All divisions within Chitika implement DNT in the same way, and Chitika supports DNT on all browsers, including Internet Explorer 10, to ensure that consumer choice is honored, particularly when it is impossible to determine whether the user enabled DNT or if DNT was enabled automatically for them.

When a user visits a website, the publisher’s site contains JavaScript code with information from the publisher, such as the size of the ad requested, the publisher’s name, and the “channelization” of the page (e.g., “a page about cars”). This JavaScript code then loads Chitika’s JavaScript code from a Content Delivery Network (CDN). Depending on the type of ad being served, an HTTP request will be made either to Chitika’s ad server or Chitika’s real-time bidding system. Existing Chitika tracking cookies (containing a unique identifier) and opt-out cookies are sent automatically as part of the HTTP request. Chitika immediately checks for the presence of an “opt-out” cookie or DNT header in this request. Under normal circumstances (i.e., with no opt-out cookie or DNT enabled), the ad server selects an ad to display based on the profile associated with the unique identifier contained in the tracking cookie.

However, when Chitika detects a DNT header or an opt-out cookie, it performs the following steps:

  1. Chitika clears the variable that stores the machine’s unique identifier, so that this unique identifier cannot be used in the remainder of processing the ad. While any data that had been previously collected and associated with that identifier before the user enabled DNT continues to be associated with that unique identifier on Chitika’s servers, the unique identifier is no longer tied to any computer and thus will no longer be used to target ads to that particular user.
  2. Chitika’s server then sets the expiration date for the user’s tracking cookies to a time in the past. This deletes the cookie the next time the user requests the page, although this may not happen immediately.
  3. When DNT is enabled, the server logs the user’s visit, which ad was shown, and whether the ad was clicked – however, no identifying information about the user or the machine is obtained. Furthermore, Chitika does not log IP addresses of users with DNT enabled. That is, Chitika interprets DNT not just to mean that information collected should not be used to target advertisements, but also that information should not be collected. Chitika’s server logs every time it detects either an opt-out cookie or a DNT header in order to collect aggregate analytics. As a result, Chitika cannot tell how many unique users have DNT turned on, but they can know what percentage of their traffic involves blocked cookies, opt-out cookies, or a DNT header. (Those percentages are listed below.)

 

  4. Without any unique information about the user, Chitika will target ads purely based on the “channelization” of the first-party publisher’s site. For example, if the first-party site is about cars, car-themed ads will be displayed.
  5. The user’s opt-out cookie is unaffected when DNT is enabled – it remains on the user’s computer and will keep the user opted out even if DNT is later turned off. As with all cookies from any company, the opt-out cookie would be deleted if the user were to clear his or her cookies.
  6. A new identifier is created for every ad impression from a user with DNT enabled, even for multiple ad impressions on the same webpage. If the user later turns off DNT, Chitika treats them as a new user.
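The request handling described in the steps above can be sketched as follows. This is an added example, not Chitika’s code: the cookie names `uid` and `optout`, the function names, and the shape of the log record are assumptions made for illustration.

```python
import uuid
from http.cookies import SimpleCookie

# Hypothetical cookie names for this sketch; the page does not give Chitika's.
TRACKING_COOKIE = "uid"
OPTOUT_COOKIE = "optout"
EXPIRE = "{}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/"

def classify_signal(headers, cookies):
    """Return 'both', 'cookie', 'header' or 'none' for aggregate statistics."""
    header = headers.get("dnt", "").strip() == "1"
    cookie = OPTOUT_COOKIE in cookies
    if header and cookie:
        return "both"
    return "header" if header else "cookie" if cookie else "none"

def handle_ad_request(raw_headers, client_ip, channel):
    """Decide targeting, response cookies and the log record for one impression."""
    headers = {k.lower(): v for k, v in raw_headers.items()}
    cookies = SimpleCookie(headers.get("cookie", ""))
    uid = cookies[TRACKING_COOKIE].value if TRACKING_COOKIE in cookies else None
    signal = classify_signal(headers, cookies)
    set_cookie = []
    if signal != "none":
        # Expire the tracking cookie if one was sent; the opt-out cookie is untouched.
        if uid is not None:
            set_cookie.append(EXPIRE.format(TRACKING_COOKIE))
        # Clear the identifier so no later code path can target on it.
        uid = None
        # Per-impression identifier: random, never sent back to the browser.
        # The log record deliberately has no IP address and no persistent id.
        log = {"id": uuid.uuid4().hex, "signal": signal, "channel": channel}
        return {"targeting": "channel", "set_cookie": set_cookie, "log": log}
    if uid is None:
        # First visit without any opt-out signal: issue a tracking identifier.
        uid = uuid.uuid4().hex
        set_cookie.append(f"{TRACKING_COOKIE}={uid}; Path=/; Secure; HttpOnly")
    log = {"id": uid, "signal": signal, "channel": channel, "ip": client_ip}
    return {"targeting": "profile", "set_cookie": set_cookie, "log": log}
```

Because the opted-out branch returns before any profile lookup and never writes the client IP into the log record, the privacy property can be checked by inspecting the returned record alone.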

 

If a user turns DNT on, and then later turns it off, Chitika does not attempt to link the user’s de-identified profile created before enabling DNT and the new profile created after turning DNT off based on a common IP address or any other markers. Doing so would, in Chitika’s view, violate the “spirit” of DNT.

If a user visits Chitika’s privacy policy page with a DNT header on, Chitika’s site will display a message letting the user know DNT is turned on. The page also reminds users that DNT applies to each browser, so users may need to set DNT in multiple places. Again, this process parallels Chitika’s opt-out cookie support. Without a DNT header, users see a colored box that reports whether they have opt-out cookies or not, and includes a button to download an opt-out cookie if none is set.

 

Reflections on Implementation

Chitika describes its DNT as the “maximum” implementation – the user receives either all of Chitika’s targeted-ad services or none at all. Although the team acknowledges that some users may want more flexibility in letting tracking occur on some sites but not others, Chitika notes that more flexible mechanisms tend to be very complicated for users. The company’s approach intentionally errs on the side of protecting user privacy with the simple and straightforward DNT mechanism.

 

In practice, 8.39% of users currently use DNT on Chitika’s services:

 

| Browser | %sample | %both | %cookie* | %header | %none |
|---|---|---|---|---|---|
| Chrome | 22% | 0.00% | 0.03% | 2.06% | 97.91% |
| Safari | 13% | 0.00% | 0.03% | 5.86% | 94.11% |
| Firefox | 12% | 0.00% | 0.03% | 7.35% | 92.62% |
| IE 6 | 6% | 0.00% | 0.00% | 0.00% | 100.00% |
| IE 8 | 13% | 0.00% | 0.00% | 0.27% | 99.73% |
| IE 9 | 5% | 0.00% | 0.38% | 8.82% | 90.80% |
| IE 10 | 8% | 0.00% | 0.01% | 69.14% | 30.85% |
| Android | 8% | 0.00% | 0.02% | 0.00% | 99.98% |
| other | 12% | 0.00% | 0.02% | 1.97% | 98.01% |
| Grand Total | 100% | 0.00% | 0.04% | 8.39% | 91.57% |

 

 

*Chitika recognizes that the numbers of users with opt-out cookies may be artificially inflated in some cases because every Chitika ad displayed to users contains the text “opt out?” in a prominent location which, when clicked, takes the user to Chitika’s opt-out page.

 

**Note that in IE 10, the Do Not Track header is set to “on” by default when a user selects the “Express Install” option during the initial browser setup.

 

Chitika also has taken steps to proactively opt out certain categories of users based on the sensitivity of information that it is likely to collect. For instance, Chitika opts out all mobile users because such tracking is likely to uncover particularly private information, such as the user’s physical location. Chitika also does not transfer its user information to third parties in a way that would allow them to track users. Even without collecting uniquely identifiable data on DNT-enabled users, Chitika still uses basic aggregated statistics such as ad impressions and views for its “Insights” service.

 

Because Chitika’s system does not log IP addresses when DNT is enabled, the company has found that click fraud is somewhat more difficult to detect. Although the company uncovers fraud through other means, Chitika does not currently feel as though it has found a fully adequate solution to the fraud problem. Nevertheless, Chitika notes that tracking information in one part of a system, separate from the parts of the system used for user profiling, could be a future direction for minimizing click fraud.

 

Chitika sees DNT as just one more form of communication with its users. The company decided there was no reason to wait to implement DNT when it could handle it so quickly and demonstrate commitment to supporting users’ privacy choices. Still, Chitika recognizes that many other companies implement DNT differently, and there is a lot of resistance to the idea of DNT from certain companies given the “quantifiable disadvantages” to doing so (i.e., reducing the amount of information collected that is unique and thus limiting its ability to compete with other ad networks). That said, Chitika feels confident that although there may not be a uniform implementation of DNT or a concrete value proposition, Chitika’s support of DNT is the “right” thing to do to reflect what users want.
