ProPublica

Journalism in the Public Interest

Cancel

How Companies Have Assembled Political Profiles for Millions of Internet Users

Political targeting companies are pushing the boundaries of what it means to be “anonymous” on the web.

A slide taken from an online slideshow by a political targeting firm.

If you're a registered voter and surf the web, one of the sites you visit has almost certainly placed a tiny piece of data on your computer flagging your political preferences. That piece of data, called a cookie, marks you as a Democrat or Republican, when you last voted, and what contributions you've made. It also can include factors like your estimated income, what you do for a living, and what you've bought at the local mall.

Across the country, companies are using cookies to tailor the political ads you see online. One of the firms is CampaignGrid, which boasted in a recent slideshow, "Internet Users are No Longer Anonymous." The slideshow includes an image of the famous New Yorker cartoon from 1993: "On the Internet, nobody knows you're a dog." Next to it, CampaignGrid lists what it can now know about an Internet user: "Lives in Pennsylvania's 13th Congressional District, 19002 zip code, Registered primary voting Republican, High net worth household, Age 50-54, Teenagers in the home, Technology professional, Interested in politics, Shopping for a car, Planning a vacation in Puerto Rico."

The slideshow was online until last week, when the company removed it after we asked for comment. (Here is the full slideshow.) Rich Masterson, CampaignGrid's chairman, wrote in an email that the slideshow was posted in error: "It was an unapproved version of a sales deck that was posted by an intern who no longer works for the company."

CampaignGrid does indeed collect 18 different "attributes" for every voter, Masterson told ProPublica, including age, gender, political donations, and more. Campaigns use this data to tailor the online ads you see.

Online targeting has taken off this campaign season. ProPublica has identified seven companies that advertise the ability to help campaigns target specific voters online. Among them is Experian, the credit reporting company. Datalogix, a company that works with Facebook to track users' buying patterns, is also involved. (Here are marketing materials and comment from the seven companies). CampaignGrid and a few, similar firms have been profiled for their innovative approaches. Yet the scale of the targeting and the number of companies involved has received little notice.

Few of the companies involved in the targeting talk about it publicly. But CampaignGrid, which works with Republicans, and a similar, Democratic firm, Precision Network, told ProPublica they have political information on 150 million American Internet users, or roughly 80 percent of the nation's registered voters.

The information — stripped of your name or address — is connected to your computer via a cookie. Targeting firms say replacing your name with an ID number keeps the process anonymous and protects users' privacy.

But privacy experts say that assembling information about Internet users' political behavior can be problematic even if voters' names aren't attached.

"A lot of people would consider their political identity more private than lots of information," said William McGeveran, a data privacy expert at the University of Minnesota Law School. "We make more rules about medical privacy. We make more rules about financial privacy. So if you think private political beliefs are in that category, maybe you're concerned about having them treated like your favorite brand of toothpaste."

Google has stayed away from this kind of targeting. It classifies political beliefs as "sensitive personal information," in the same category as medical information and religious beliefs.

But other big players have embraced the "political cookie," as one company branded it.

As we reported in June, Yahoo and Microsoft sell access to your registration information for political targeting. That's one way CampaignGrid and other companies find you online. Political targeting firms say they also work with other websites, but would not name them.

While campaigns and the firms working with them can buy reams of data about voters, voters have been left mostly in the dark.

Many online ad companies mark targeted ads with a small blue triangle symbol, or the phrase "Ad Choices," and offer surfers a chance to opt out. But even if web users know what the triangle means, they get no information about how or why they were targeted.

"Consumers don't really understand what's going on and haven't given their permission," says Joseph Turow, a digital marketing and privacy expert at the University of Pennsylvania's Annenberg School for Communication.

There are few legal regulations governing how online targeting works, or what notification consumers must receive.

Online advertising experts point out that individual voting records are public information and have long been used to target voters through direct mail. And targeting companies say they are offering a valuable service. Instead of seeing random ads, users get to see ads from candidates they might actually want to support.

"We empower voters," Jeff Dittus, co-founder of Campaign Grid and now head of Audience Partners, wrote in an email. "We give voters information that is meaningful to them and helps them make choices."

Stuart Ingis, a lawyer for the Digital Advertising Alliance, an industry group, said that voter file targeting is a First Amendment issue, and that targeting should be protected as part of political speech.

"These technologies provide a method for politicians inexpensively to improve our democracy," he said. "I would say that the founding fathers firmly believed in the ability — I think our society very much values the ability — to efficiently reach a desired audience with a political message."

Not everyone seems to agree. A recent study from the University of Pennsylvania's Annenberg School found that 86 percent of surveyed adults did not want "political advertising tailored to your interests," and that 77 percent would not return to a website if they knew it "was sharing information about me with political advertisers."

While targeting firms promise a wealth of individual detail, it's hard to know how much information most campaigns are actually using.

"The more third-party data providers you use, the smaller the universe of people who you can reach becomes," CampaignGrid's Masterson said. "Republican women 25-34 who drive SUVs and have American Express cards, and go to the theater once a month — that might be four people."

One place online voter targeting has been used successfully is in the state senate primary race of Morgan McGarvey, a Kentucky Democrat who faced off against three other Democratic candidates this May.

With four liberal candidates competing for a liberal district, McGarvey told ProPublica, he needed to convince the small number of voters who would turn out in the primary that they should vote for him.

His campaign worked with Precision Network to show online McGarvey ads to local voters under 35, and to female Democrats who had voted in at least three of the past five primary elections. (Two of his challengers were women.)

"When every dollar counts, when literally every vote counts, you have to be more targeted," he said.

"I do think it helped us win."

McGarvey is now running unopposed in the November election.

Have you seen a targeted political ad?

Help us find out how politicians are targeting you online.

1. If you spot a small blue triangle icon on any online political ad, or the words "Ad Choices," take a screenshot of the ad.

2. Then click on the blue triangle or the words "Ad Choices" to find out which company showed you the ad. Take a screenshot of that, too.

3. Email the screenshots to us at targeting2012@propublica.org. Please include the full URL of the page where you saw the ad.

If the ad asks you to "learn more," visit a website, donate, or sign a petition, please send us a screenshot of that site or petition, as well. (The page where the ad sends you may also be targeted to what advertisers know about you.)

Not sure how to take a screenshot? Here are the instructions if you're using a PC, using a Mac, or using a smartphone.

Bradford Hutchingson

Oct. 22, 2012, 5:49 p.m.

I once responded to a truly disgusting “anti-gay” online petition by signing my name as “God loves fags…”...That ONE site, has obviously SOLD that “signature”, and now, I still get email from Michelle Bachmann, and others, addressed to “Dear God loves fags…”.... PRICELESS!...

This site dops 11 pixels including an Ad Pixel from Outbrain and Cox Digital’s Ad Network and Facebook’s Ad Exchange. All of which engage in behavioral targeting.

Pot… Meet kettle.

Keep in mind that these advertising companies are the ones constantly agitating against any kind of non-tracking standard, except their own proposal that allows them to track and use the information without telling you.

A few also recommend blocking websites from users to block ads or otherwise foil their privacy invasions.

So, not only are they involved in swaying campaigns, they want to deprive us of tools to stop them.  Because otherwise, there’ll be harm to US, of course.

Steve Newcomb

Oct. 23, 2012, 2:15 p.m.

If you don’t want websites to leave their cookie droppings on your computer, simply set your browser accordingly.

That won’t prevent most privacy loss, but it will prevent some low-hanging fruit from being picked in the manner described in this article.

If you use Facebook, Google+, Twitter, etc. etc., remember that everything you do and write is being stored.  If you use almost any big commercial sales website, *everything* you *do*, what you look at, etc., is probably being stored, too, and not where you can see it or use it.  But others can. 

To prevent *some* of this, disable Java and Javascript in your browser.  Your browser can let you know when the remote site wants to take control of your computer.  Pay no attention to the reasons given by the website for asking you to enable Java; one very real reason is to report everything you do.  Just say no.  It’s not hard!

The idea that laws can protect us against privacy abuses is naive.  What laws *can* do is make sure that everyone has the unlimited right to know what information others are storing about them.  We’re a long way from there today.  What we have now is one-way mirrors everywhere.  They can see you, but you can’t even tell who is watching, much less why!  Needless to say, the people behind the mirrors are one-percenters and their employees.  Want to end the current gilded age and restore hope to the planet?  Then demand authority over your own information!  Demand that all mirrors be two-way.  Specifically, demand that dollars have identities and histories that can be examined by their current owners.  Demand information about all of the people who have accessed private information about you.  Don’t take “no” for an answer, and don’t believe people who claim such access is impossible to provide.  It is impossible for current systems to provide, but it is absolutely possible; what’s lacking today is only the necessary public demand to make the systems serve the interests and honor the rights of *all* individuals.

Steve, I both agree and disagree.

I’ll start with the law, but by analogy.  When I leave my house, I lock the doors.  However, I still want the law in place that says breaking and entering is illegal, so there’s recourse if someone bypasses my security.

Same with a browser, and we’re in an arms race, at the moment.  A few years ago (and it may still be in some browsers), there was a way to track sites you’ve visited through the color of the hyperlinks (techie-side, using the CSS to style the visited pseudoclass to display an invisible image, which requests can be monitored on the server).  Right now, there are the cookies used by Flash.  It’s entirely possible that Oracle would add a similar facility to Java.  The list of possible intrusions is enormous, and “just change the settings in the browser” provides a lot of false security.

That’s why laws, or at least industry standards, are needed, so that attention can be drawn to the people who are doing unpleasant things.  If they ignore the “Do Not Track” signal, it may not be against the law, but there’ll be backlash for ignoring it, unlike today, where there’s no standard, so any company can fall back on the excuse that doing so is common, isn’t banned anywhere, and “necessary” to keep people employed.  Ideally, though, they should be charged with something like stalking (or force them to adhere to the Constitution, since what they’re doing is a kind of governance).

It’s impossible to use the web (especially large or connected websites) without leaving footprints behind.  It’s literally, by design, impossible.  Everything you see on the screen was requested with a “return address,” so the server could send it to you, which is enough information to start tracking; cookies and other tricks stack on top of that.  To keep companies from abusing us, we need to make it unpalatable to use that information for anything we don’t agree to, plain and simple.

If you think about it, it’s not even what they collect that’s the problem.  It’s what they do with that information, and how different that is than your reason for interacting.  I fully accept that Amazon is analyzing my purchases to recommend things.  I don’t like it, but I expect it, because it’s their line of business.  Likewise, it’s obvious (if ultimately counterproductive) that Google is monitoring what you search in hopes of giving you search results you’re more likely to read.  But if Facebook were to sell your usage information to your health insurance company so they can decide whether you’re getting enough sleep, that’d be far less acceptable.

If that’s too confusing, think of cellphones.  It’s in your best interests for the carrier to monitor your location, both for emergency situations and so they can expand coverage where people actually go.  But if they use that information to arrange a meeting with you on the street, it’s creepy.

You’re right, though, that they should be forced to disclose what they collect, allow you to see it, inform you of its uses ahead of time, and allow you to purge your information.  Without that kind of facility, we’re flying blind and forced to trust them not to do anything unethical with an increasing amount of our private habits.

There has to be SOME price to all that free stuff we take advantage of on the Internet. The alternative is depositing virtual nickels and dimes while we surf.

This article is part of an ongoing investigation:
Buying Your Vote

Buying Your Vote: Dark Money and Big Data

ProPublica is following the money and exploring campaign issues in the 2012 election you won't read about elsewhere.

Get Updates

Stay on top of what we’re working on by subscribing to our email digest.

optional