Oct. 05 – The Digital Advertising Alliance and the Interactive Advertising Bureau are working to develop standard technology that allows consumers to opt out of online tracking when methods other than traditional cookies are deployed.
While the move appears to protect user choice, privacy researchers worry it’s also an effort to legitimize alternative techniques for identifying consumers, inviting controversial practices like “browser fingerprinting” to become more common.
Cookies are small files that download from websites onto a computer, allowing marketers to target ads based on online activity, among other things.
Stuart Ingis, counsel for the DAA, said Mozilla’s decision to block certain cookies by default in the upcoming version of its popular Firefox Web browser is driving the timing of the effort.
The trade group’s self-regulatory principles require members to allow users to opt out of tracking, but the current mechanism for doing so relies on cookies that soon won’t work in one of the most popular browsers. Apple’s less-used Safari browser has long blocked the same variety of cookies, known as third party, which are installed by companies that don’t have a direct relationship with consumers.
“If they use a different technology for doing the tracking, in order to comply with the DAA there has to be a choice mechanism that works,” Ingis said.
The DAA held a workshop in New York last month to discuss technical options. Data exchange BlueKai of Cupertino has emerged as a key player in the effort, coordinating with a self-regulatory group led by the DAA and IAB.
“We’ve been working with the industry to standardize data transfer that’s independent of cookies, but has all the same transparency and notices that cookies have,” BlueKai CEO Omar Tawakol said in an interview.
Tools for advertisers
BlueKai offers tools that advertisers can use to analyze and make use of big data sets. It also operates a data marketplace with information on more than 300 million online consumers. The company is growing rapidly and just opened a San Francisco satellite office this week, in part to tap into the city’s labor force.
Tawakol and Ingis both said the new technology, which is still under development, would allow companies to use alternative approaches that are sometimes called statistical or probabilistic tracking, while remaining in compliance with industry privacy standards. That includes providing notice, transparency and opt-out options, Tawakol said.
Statistical approaches include identifying a particular Web browser by its unique combination of plugins, settings, fonts and other characteristics. Privacy researchers call it browser fingerprinting, a term Ingis rejects because the technique doesn’t provide a 100 percent positive identification, just a high statistical likelihood.
A 2010 study by Peter Eckersley at the Electronic Frontier Foundation found that 94.2 percent of browsers with certain functionality were unique, or able to be fingerprinted. But researchers say the technology is rapidly improving.
“Fingerprinting is getting better, and part of that is that the incentives are higher as the rhetoric around do not track increases and people are opting out of cookies,” said Ashkan Soltani, a privacy and security researcher.
Statistical techniques can also include what is known as cross-device tracking, where a laptop, smartphone and tablet can be tied to a likely single user through a common IP address or similar patterns of online behavior.
Privacy concerns
Privacy advocates and researchers are concerned about the prospect of trade groups giving their blessing to these approaches because they can be more difficult for users to detect, delete and disable than the basic variety of cookie. There’s no file to see and remove, as the whole process happens online.
“It’s a lot harder to find out if they’ve been tagged, to do something about it in a reliable way and, depending on what the technique is, to counteract it in a way that doesn’t undermine functionality,” said Jonathan Mayer, a privacy researcher.
In a follow-up e-mail, BlueKai emphasized that the standard under development doesn’t condone cross-device tracking or the original approach to fingerprinting. Rather, the company says the technology represents a new generation of statistical methods with privacy built in.
“Our privacy-by-design version requires transparency so that users can see and control the data in the same way they can see and control a third party cookie,” the company said.
For opt out, the statistical ID technique will rely on access to first-party domains, sites that can still install cookies in Mozilla and Safari because people have chosen to visit them.
But as always with privacy, the devil will be in the details — and so far they aren’t clear, researchers say. If opting out requires visiting the sites of little known trade groups or ad networks, navigating Byzantine privacy systems or repeating the process on many different properties, it won’t be as simple — or frequently used — as cookie deletion, they say.
It’s unclear how common fingerprinting or statistical techniques are today, in part because they are difficult to detect. But as the next version of Mozilla hits the market and other cookie-blocking tools emerge, the practice in its various forms will become more widespread, said Dan Auerbach, staff technologist at EFF.
‘Robust solution’
The ad industry is “trying to come up with solutions given that third-party cookies are no longer on the table and fingerprinting seems like the most robust solution,” he said. “I suspect that a lot of players are moving in that direction.”
Ingis said there aren’t imminent plans to announce details of the new technology, but expects it will roll out sometime this year.
“As soon as cookies are blocked there has to be another mechanism providing choice, so that’s what will push the timing,” he said.
James Temple is a San Francisco Chronicle columnist. Dot-Commentary appears three days a week. E-mail: jtemple@sfchronicle.com Twitter: @jtemple