In a typical network in which advertisements or other information is delivered, such as a conventional television network, the advertisements are delivered to many customers indiscriminately. This is disadvantageous for the customers because some customers are subjected to advertisements in which they have no interest. It is also disadvantageous to the advertisers because the advertisers must pay to deliver the advertisement to a large audience of customers including the customers they desire to reach and the customers who have no interest in the advertisement.
In another advertising strategy, the advertisers target a selected group of consumers who are more likely to be interested in the advertisements and deliver the advertisements to only such selected group. This advertisement strategy consequently leads to greater consumer market efficiency. Until recently, such targeted advertisement was not possible because the communications network in which the advertisements were delivered did not permit delivery of advertisements to selected customers only. Recent advances in communications networks, however, and, particularly, the advent of the World Wide Web (“the Web”), have made possible such selective delivery of advertisements or other kinds of information. In order to implement the targeted information delivery strategy, the information providers must be able to identify the consumers to whom the items of information are targeted. The Web has introduced an opportunity for interested parties to facilitate such determination by aggregating consumer data in a digital form, including users' “surfing” habits, consumption patterns, and demographic data. Despite economic and social benefits of targeted advertising, however, there are grave concerns among consumers about the invasion of privacy and potential abuses by aggregators of consumer data and hostile third parties.
Companies, such as Zero-Knowledge Systems, have offered server-based privacy protection to customers. In this approach, customers use an encrypted channel to access one or more proxy servers that anonymously reroute requests to destination servers. The system relies on trustworthy servers to shield the client from positive identification. The client must trust at least one of the servers to ensure his or her anonymity and not to eavesdrop on or tamper with his or her communications.
Another approach is the Crowds project, in which disparate users are grouped and their requests for Web pages are randomly rerouted through other “crowd” members. The identity of one group member is thus rendered indistinguishable from that of other members. The system relies on a trustworthy entity organizing the crowd and trustworthy fellow group members. Each member must trust other crowd members not to eavesdrop on or tamper with communications and not to perform network traffic analysis. Server-based systems such as Crowds provide some degree of privacy protection, but do not offer an adjustable level of control of access to consumer data.
The Platform for Privacy Preferences Project (P3P) is a standard designed to enable consumers to exercise control over their personal data. The P3P concept is to have Web sites publish precise specifications of their privacy policies, thereby allowing consumers to exercise control over their personal data in response to these policies. Particularly, P3P enables consumers to define preferences over which elements of personal data they are willing to divulge, as well as to respond to incompatible policies of a given Web site.
Another system known in the art combines properties of the P3P and proxy server systems. This system enables users to browse the World Wide Web using a variety of different “personae”. It offers controls for the user in the release of information, and also permits merchants to collect information in a controlled manner. The system aims to accommodate existing infrastructural elements, and assumes that the use of periodic merchant auditing, in conjunction with consumer control, will achieve adequate privacy protection. P3P and related systems presume that mediation between consumers and data collectors will consist of allowing consumers to select what data to reveal.