How a young alum has taken on some of the biggest names in digital advertising — and won

Photo: Peter Stember

Jonathan Mayer ’09 is only 26, still in graduate school, and already the bane of the $40 billion digital-advertising industry.

In the last five years, Mayer helped spearhead the Internet’s “do-not-track” initiative, pushed an online-tracking company out of business, embarrassed Microsoft and Google, and in the latter’s case helped trigger an unprecedented fine by the Federal Trade Commission. Lawmakers and the front page of The Wall Street Journal have quoted his work.

All this from a Woodrow Wilson School major who arrived at Princeton from Chicago with no coding experience.


An introductory computer science course piqued his interest freshman year. The class, taught by Professor Jennifer Rexford ’91, challenged students to build computer programs that were fast and resilient. Mayer responded with a program that exploited a software vulnerability to change a course grade from a “C” to an “A.” He earned an A — sans hacking — and resolved to make data security and privacy the cornerstone of his studies. As a sophomore, he took an advanced computer-security class with Edward Felten, who in 2011 took a break from Princeton to become the first chief technologist at the Federal Trade Commission (FTC). “He was in a class of seniors and he was one of the best-performing students in the class,” Felten recalls. “Then I found out later he wasn’t even a computer-science student.”

With Felten as his adviser, Mayer’s senior thesis took a prescient look at tracking on the Web. He looked for “quirks,” or unique characteristics in a user’s Web browser — a user’s time zone, screen resolution, language settings, and browser plug-ins — to see if they could be combined into a unique profile that would allow the user’s online activities to be tracked. Little did Mayer know he had stumbled upon a lucrative business model. A secretive industry already had begun profiling browser configurations and selling that data to tracking companies and financial firms. “Now there’s a whole crop of companies that do this,” Mayer says. “It’s routine — and a little unsavory.”

Privacy activists might call that a euphemism. At the time Mayer was finalizing his thesis, the Electronic Frontier Foundation (EFF), a nonprofit set up to press for consumers’ rights in the digital world, was putting together a project called Panopticlick, a nod to Jeremy Bentham’s panopticon, a conceptual prison where prisoners could be observed at all times without their knowledge. The project called on volunteers to visit an EFF website that would test their browser settings to see if they were unique and traceable.

The site went viral. (It is no longer up.) Within two weeks, a million people had tested their browsers. “We managed to demonstrate to people who thought they had figured out how to be safe from tracking that, actually, they weren’t safe at all,” says Peter Eckersley, the technology project director at the EFF. “There was an almost instantaneous change in the tone of debates about online privacy.”
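The measurement behind Mayer’s thesis and the EFF test page is the same: collect each visitor’s browser quirks, combine them into one profile, and ask how many other visitors share it. The script below is an added illustration of that analysis, not code from Mayer, the EFF, or this article; the eight browser configurations in `SAMPLE` are constructed for the example, and the attribute names and function names are the author’s own choices. It reports how many bits of identifying information each quirk carries on its own and what fraction of the sample is uniquely identifiable once the quirks are combined.

```python
import math
from collections import Counter

# Constructed sample of browser configurations of the kind a Panopticlick-style
# test page collects (time zone, screen size, language, plug-in list).
# These eight records are made up for this example; they are not EFF data.
SAMPLE = [
    {"tz": "UTC-5", "screen": "1920x1080", "lang": "en-US", "plugins": "Flash,Java"},
    {"tz": "UTC-5", "screen": "1920x1080", "lang": "en-US", "plugins": "Flash,Java"},
    {"tz": "UTC-5", "screen": "1920x1080", "lang": "en-US", "plugins": "Flash"},
    {"tz": "UTC-5", "screen": "1366x768",  "lang": "en-US", "plugins": "Flash"},
    {"tz": "UTC+1", "screen": "1366x768",  "lang": "de-DE", "plugins": "Flash"},
    {"tz": "UTC+1", "screen": "1366x768",  "lang": "de-DE", "plugins": "Flash,Java,QuickTime"},
    {"tz": "UTC+9", "screen": "1280x800",  "lang": "ja-JP", "plugins": "Flash"},
    {"tz": "UTC-8", "screen": "2560x1440", "lang": "en-US", "plugins": ""},
]
ATTRIBUTES = ("tz", "screen", "lang", "plugins")


def fingerprint(record):
    """Combine the individual quirks into one profile, in a fixed attribute order."""
    return tuple(record[a] for a in ATTRIBUTES)


def entropy_bits(values):
    """Shannon entropy (bits) of the observed distribution of one attribute."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def attribute_entropy(records, attribute):
    """Identifying information carried by a single quirk across the sample."""
    return entropy_bits(r[attribute] for r in records)


def most_distinguishing(records):
    """The single quirk that splits the sample most finely."""
    return max(ATTRIBUTES, key=lambda a: attribute_entropy(records, a))


def anonymity_set_sizes(records):
    """For each visitor, how many visitors share its full fingerprint (1 = unique)."""
    counts = Counter(fingerprint(r) for r in records)
    return [counts[fingerprint(r)] for r in records]


def surprisal_bits(records, record):
    """Panopticlick-style surprisal: -log2 of the fraction sharing this fingerprint."""
    counts = Counter(fingerprint(r) for r in records)
    return -math.log2(counts[fingerprint(record)] / len(records))


def fraction_unique(records):
    """Share of the sample that the combined profile identifies uniquely."""
    sizes = anonymity_set_sizes(records)
    return sum(1 for s in sizes if s == 1) / len(records)


if __name__ == "__main__":
    for a in ATTRIBUTES:
        print(f"{a:8s} {attribute_entropy(SAMPLE, a):.2f} bits")
    print("most distinguishing quirk:", most_distinguishing(SAMPLE))
    print("fraction uniquely identifiable:", fraction_unique(SAMPLE))
```

No single attribute identifies anyone here (the best one, screen size, carries under two bits), yet the combination singles out six of the eight visitors. That gap between per-attribute and combined uniqueness is the point of the thesis and of the Panopticlick result, and it is why reducing one quirk at a time (hiding plug-ins, say) does little unless the anonymity set for the whole profile grows.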

Digital fingerprinting, once a niche industry, had entered the public discourse and debates on Capitol Hill. Emails to the EFF flooded in. “One stood out,” Eckersley remembers. “It was from Jonathan Mayer. He said, ‘I actually did a study on this for my senior thesis at Princeton.’ ”

“Sometimes academia feels like you are writing into a great abyss,” Mayer says. “That was my realization that you can have a big impact.”

To do that, Mayer reasoned, he would have to get his hands as dirty in code as in legal minutiae. And so Mayer applied and was accepted to both Stanford’s law school and its Graduate School of Engineering. He spent his first year full time at the law school and nights and weekends roaming the school of engineering. That summer he interned at the EFF, collaborating with Arvind Narayanan, then a Stanford doctoral student and now a Princeton professor (see page 42), on a project combining a technical solution and a policy standard that would help users signal to companies that they did not want to be tracked on the Web. Until that point, privacy activists and researchers had proposed a number of technical antidotes to tracking, but the advertising industry argued that most were too complex to implement.

Mayer used his legal studies to help draft a straightforward standard for how Web services should comply with users’ privacy preferences. The technical prototype and standard caught the eye of Mozilla, which integrated it into its Firefox browser, allowing users to state that they didn’t want their online activities monitored by marketers. Other browser vendors followed suit, including Microsoft, Apple, and Google. The work caught the eye of Jackie Speier, a Democratic congresswoman from California, who introduced the first do-not-track bill. Her bill would have forced online marketers to respect the wishes of users who did not want to be tracked. But that bill, and others introduced since, failed to pass.

“There’s a free-for-all arms race between tracking companies and defensive technologies like do-not-track, and we have reason to believe the tracking companies are going to win,” says Eckersley. Indeed, do-not-track efforts met fierce resistance from the advertising lobby. Nine lawmakers fired off a letter to the FTC, citing concerns that do-not-track would constrict “the flow of data at the heart of the Internet’s success.”

“There is no appetite in Washington to hamper job creation,” says Mike Zaneis, the general counsel for the Interactive Advertising Bureau, an industry lobbying group. He dismisses much of the work on data privacy by Mayer and others as purely ideological. “The idea that blocking third-party cookies” — small files placed on your computer’s hard drive by the server of a website you visit — “will simply solve consumer-privacy issues is really an academic viewpoint that was clearly made in a laboratory setting,” he says. “The reality is that the Internet depends on data flows — whether you’re an e-commerce, news, or social-media site — they all depend on customer-data flows. That’s the way the Internet works, period.”

Nothing has infuriated advertisers more than a tool Mayer developed in 2011, called FourthParty, which crawls the Web measuring the information grabbed by various sites and services. He found that, in many cases, even when users opted out of tracking, trackers did not actually stop tracking them — they simply stopped showing them the evidence in the form of targeted ads. Advertisers refer to that practice as “opt out from targeting,” but Eckersley, of the EFF, says privacy activists have dubbed it “pretend not to track.”
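The do-not-track standard Mayer helped draft and the “pretend not to track” behaviour FourthParty measured can be shown side by side in a few lines. The code below is an added example written for this article, not Mayer’s code, FourthParty, or any ad company’s server: it models a third-party ad endpoint two ways, one that merely stops showing targeted ads while still assigning an identifier cookie, and one that honours `DNT: 1` by setting no identifier at all. The request and response shapes (`headers`, `cookies`, the `uid` cookie name) are assumptions for the example; the `DNT` request header and the `Tk` response header (`N` for not tracking, `T` for tracking) are taken from the W3C Tracking Preference Expression specification. The last function is the kind of check a crawler would run over the captured responses.

```python
import secrets

# Name of the persistent identifier cookie in this example (an assumption).
TRACKING_COOKIE = "uid"


def parse_dnt(headers):
    """Read the user's expressed preference from the DNT request header.

    "1" means do not track, "0" means tracking is acceptable; an absent or
    malformed header is treated here as no preference expressed.
    """
    value = headers.get("DNT", "").strip()
    if value.startswith("1"):
        return "no-track"
    if value.startswith("0"):
        return "track-ok"
    return "unspecified"


def build_response(tracks, targeted, cookie_value=None):
    """Assemble a minimal response; Tk tells the client whether it is tracked."""
    headers = [("Content-Type", "image/gif")]
    if cookie_value is not None:
        headers.append(("Set-Cookie", f"{TRACKING_COOKIE}={cookie_value}; Path=/; HttpOnly"))
    headers.append(("Tk", "T" if tracks else "N"))
    return {"status": 200, "headers": headers, "targeted": targeted}


def opt_out_from_targeting(request):
    """Industry-style 'opt out': the identifier is still set or renewed on every
    visit; only the visible targeting is switched off."""
    pref = parse_dnt(request["headers"])
    uid = request["cookies"].get(TRACKING_COOKIE) or secrets.token_hex(8)
    return build_response(tracks=True, targeted=(pref != "no-track"), cookie_value=uid)


def honor_do_not_track(request):
    """Compliant handler: with DNT:1 no identifier is read or set and Tk: N is sent."""
    pref = parse_dnt(request["headers"])
    if pref == "no-track":
        return build_response(tracks=False, targeted=False)
    uid = request["cookies"].get(TRACKING_COOKIE) or secrets.token_hex(8)
    return build_response(tracks=True, targeted=True, cookie_value=uid)


def sets_identifier(response):
    """Crawler-side check: does this response (re)set a persistent identifier?
    The absence of targeted ads says nothing; the Set-Cookie header does."""
    return any(
        name.lower() == "set-cookie" and value.startswith(TRACKING_COOKIE + "=")
        for name, value in response["headers"]
    )


if __name__ == "__main__":
    visitor = {"headers": {"DNT": "1"}, "cookies": {}}
    for handler in (opt_out_from_targeting, honor_do_not_track):
        resp = handler(visitor)
        print(f"{handler.__name__:24s} targeted={resp['targeted']!s:5s} "
              f"sets identifier={sets_identifier(resp)}")
```

Run against a `DNT: 1` visitor, the first handler reports `targeted=False` but still sets the `uid` cookie, which is exactly the distinction Mayer’s crawl surfaced: measuring what the server stores, not what the user sees, is what separates “opt out from targeting” from not tracking.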

Mayer also discovered that many sites use so-called super cookies that store information in at least 10 places on a computer and do not disappear when users clear their cookies. In fact, some sites used super cookies to rebuild cookies users had deleted. Among them: Microsoft.

Microsoft worked with Mayer to stop the use of super cookies. But the company was hardly the worst offender. Mayer found that a company called Epic Media Group was tracking users’ activity on websites like those of the Mayo Clinic and the National Institutes of Health, to determine if the user was pregnant or going into menopause, for example, or tracking visitors to the Internal Revenue Service or FTC sites to deduce whether they were underwater on a mortgage, then selling that data to marketers who serve up highly targeted ads.

Mayer’s work provoked an angry blog post from Epic Media Group’s CEO, who denied the company purposely was tracking users and said it had stopped the practice. Nevertheless, Mayer’s findings provoked a ruling from the FTC that forbade the company from conducting so-called “history sniffing,” a practice that allows companies to query a user’s browser history even if the user has indicated that he or she does not want to be tracked. Epic Media is now out of business.

Six months later, Mayer turned his attention to companies that circumvented an Apple policy that forbade cookies on its Safari Web browser. He found that Google and other advertising companies used tracking code that allowed them to bypass Safari settings to monitor users. He tipped off The Wall Street Journal, which ran the story on its front page, and the work added momentum to an FTC investigation into Google’s privacy practices, which ultimately led to an unprecedented $22.5 million fine. (Google officials have said the use of cookies for tracking was unintentional and caused by technical glitches.)

More recently, Mayer has been advising Mozilla, working with the company to implement a patch that, similar to Apple’s Safari browser, would block third-party cookies from the latest version of Firefox by default. Zaneis, of the advertising group, called Mozilla’s initial decision to block third-party cookies a “nuclear first strike” against the ad industry. In May, Mozilla said it would delay rollout of the cookie-blocking feature, though it denied lobbying had played a part.

Mayer graduated from law school last spring. He still has two years left in Stanford’s Ph.D. program. Eventually, he says, he hopes to start a nongovernmental organization in Washington that helps lawmakers make better technology policy.

The thought that Mayer soon may make a career out of his research makes some advertisers shudder. Yet not all have been unwelcoming. “Out of the blue, I’ve gotten some pretty good job offers to work for a tracking company and help them legitimize the practice,” Mayer says. “I tell them, ‘No, thank you, but tell me more about what you’re doing.’” 

Nicole Perlroth ’04, a technology reporter for The New York Times, covers cybersecurity and privacy.