Cookie Cutters

Online advertising is a self-regulated industry, which means you tangle with it entirely on its terms

The signature, once the widely accepted seal of approval, seems increasingly quaint and perfunctory in the age of digitally mediated interaction, an outmoded ritual that for many transactions has become superfluous. When you scrawl-sign your name with a plastic stub in digital capture box, you can’t help but wonder whether this vestigial ritual of consent is even necessary.

Online marketers and data brokers don’t seem to think so, however. Many benefit from this relic and its inability to handle today’s complexities. This is best seen when we try to enter into agreements to opt out of online advertising schemes. Instead of agreeing to an opted-out status, we find we have always opted in—even when we accept their consent to not track our online ­activities. We are, it seems, already opted out of opting out of such efforts.

Traditionally, the matter of drawing signatures on documents has served as the lasting reminder of the moment of contractual consent. But this moment, in more and more cases, never comes. For instance, faced with towering stacks of delinquent contracts, mortgage companies resorted to the practice of robo-signing to expedite foreclosure proceedings against homeowners, despite laws that explicitly forbid such practices. President Obama’s legal team had to argue for the constitutionality of his using an autopen to sign legislation into law when he is away from Washington.

A pioneering distant contract was the “Do Not Call List” enacted by Congress in 2003 to stem the flood of telemarketer calls that were once a widespread nuisance, which one “signed” by providing a phone number to a government website. The “Do Not Call” agreement persisted even when the number that one registered and signed with was transferred to a new service provider or assigned to a new phone.

These examples should resonate with our own experiences, as many more of our interactions—financial, legal, and otherwise—occur in online spaces where parties are not physically present in the ways that signing a contract once typically required. The underlying reliance on the signature as a ritual binding event remains prevalent, but the boundaries of what counts as a signature are being blurred.

A contract relies on two coherent signatories, but when the consenting “parties” are more explicitly understood as shifting constellations in psychological, economical, or technological flux, then what good are contracts? How does an individual consent to a contract when individuality itself is revealed as increasingly unstable?

While previous modes of performing contracts have been susceptible to questions of legitimacy, such questions were aimed at a discrete and stable individual’s agency or competency. But what happens when one questions the notion of the individual as such? It is not enough to certify that a party is of sound mind when entering an agreement. One must also consider questions of how we are embodied and disembodied by technology.

As we rely on more mobile and personal media to manage our affairs, we find it difficult to parse out those media from what we do, from who we are. Given the ways we mediate our presence, the individual cannot be relied on to be a consistent, indivisible entity. In contemporary times—what philosopher Gilles Deleuze loosely frames as “societies of control”—that individual is only ever “dividuated” through a multiplicity of competing allegiances and allergies that are situated in economic, social, and technological milieus. The individual registers and dissolves into code, into data within larger databases. In “Postscript on the Societies of Control,” Deleuze argues:

In the societies of control ... what is important is no longer either a signature or a number, but a code: the code is a password, while on the other hand disciplinary societies are regulated by watchwords (as much from the point of view of integration as from that of resistance). The numerical language of control is made of codes that mark access to information, or reject it. We no longer find ourselves dealing with the mass/individual pair. Individuals have become “dividuals,” and masses, samples, data, markets, or “banks.”

The signature once offered a constant; the password now presents flux. Where the signature designated the ever present sentinel guard, the password functions as the part-time car valet.

Despite this recognition of a multiplicity of forces constituting the “individual,” we still rely on signature-like events to manage our affairs. This becomes particularly apparent in a now common event, one which relies on the ways individuals become de-differentiated data: the confrontation between a Web user and a targeted advertisement. What happens when the individual user decides to opt out of such advertising — which treats that user not as an individual but a bundle of qualities parsed by an algorithm?

As is well known, various online marketing and advertising companies take advantage of surveillance technologies to track users’ every click, mouse motion, input, and location as they visit sites online or use their smartphones. The companies use this mass of data to categorize us and target advertisements, offers, and sales pitches to us, a practice called online behavioral advertising (OBA). Their ability to sort us is getting ever more productive and precise.

Needless to say, OBA is a controversial practice, and privacy advocates have fought it for years. In 2009 the Federal Trade Commission asked the online advertising industry to “self-regulate,” and the industry responded by offering “opt-out” cookies to Web users who want to avoid having their movements tracked, available at sites like Like the Do Not Call List before it, the opt-out cookies are designed to establish a contract where the online marketers agree to stop doing something one party never asked to have happen in the first place. But at first glance, OBA’s self-regulation seems to restore parity, assuring us that an agreement is made. Consent between individuals (the user on one side and the advertising industry on the other) appears to be stable.

But this appearance ignores multiplicity: The swarm of things that constellate together as a contracting party—­users, browsers, machines, and cookies—actually undermine consent because that multiplicity is always in flux, undoing consenting parties. This ever shifting, always changing situation largely benefits the advertising industry at the expense of the user.

To explore this, we have to consider the anatomy of a modern website. A website comprises multiple heterogeneous streams: its main editorial content (usually provided by the site itself), its tracking software for internal analytics, and advertisements from third-party external advertising networks, often targeted. For example, our recent visit to the New York Times site yields 20 internal tracking cookies and 17 third-party tracking cookies, drawn from eight distinct servers across the Web. One of these external companies is Facebook (users of can log in with their Facebook accounts and share stories).

If you don’t want to be tracked by third parties as you use the Web and see ads customized for the targeted you—the individual they have determined that you are, despite who you think are and what you think you might want to see—you have to opt out.  Or in other words, you must enter into a contract with the online advertising industry, and ask that they stop trying to build up a working version of you.

This is where multiplicity appears in full force. To opt out, you will have to go to the industry’s opt-out page, and give them more data about you. After watching this site scan your computer for 45 seconds or so, you’ll be given a choice to get “opt-out cookies” from 117 companies. If you accept that offer, you’ll get more than 150 new cookies. Immediately, you will see that you’re entering into a contract not with the advertising industry as a whole but rather (at time of this writing) 117 ad networks. There is no negotiation with such a swarming entity.

By opting out, you first consent with this swarm to maintain these 150-plus opt-out cookies in your browser indefinitely. If you delete these cookies, your browser will again be tracked by the 117 companies. If you use another browser, a different computer, or a smartphone, or if you install a new operating system, you’ll likely have to go through this process again.

Not only does the industry dissolve into a swarm; your online presence does as well, as it is articulated among many heterogeneous devices. Not you, but every device you use must make a contract with every ad network.

You also agree to monitor these firms: The 117 ad networks listed in are members of a trade organization, the Digital Advertising Alliance (DAA). If a network leaves the DAA, it no longer has to adhere to the DAA’s self-regulation rules. And if any of these firms are bought out by another (common in the world of advertising), your opt-out cookie is invalidated across all your devices and browsers. And of course, using this opt-out system does nothing to stop the advertising networks that are not a part of the DAA from tracking you. Self-regulation is not mandatory among online advertisers, and by definition it has no standards an outside monitor could enforce.

Even after all your opt-out efforts, you’re still going to see advertisements. If you wanted to know if you should have been opted out of these, the onus would be on you to ascertain whether they are there through tracking or by chance. Did the latest offer from McDonald’s come because the New York Times sold space to McDonald’s, or because your profile was sold to McDonald’s? How could you tell? This means that in consenting to the online ad industry’s self-regulation by contracting with them to opt out, you agree to simply take it on faith that the massive online tracking industry will respect your wishes.

Engaging with the advertising industry’s opt-out feature reveals troubling, dissociated entities. Unlike the kind of contract used in the Do Not Call List, the opt-out cookie is not an agreement between an end user and the advertising industry as a whole. Instead, it is between a user’s extended devices and a vast array of fragmented and dissociated technologies and organizations. This is a contract associating hundreds of cookies, inscrutable terms-of-service agreements, browsers, devices, more than 110 advertising networks, and the shifting layers of ownership as advertising firms merge and acquire one another. It is, in other words, a contract as a loose gathering of elements—two swarms—rather than as consent between two individuals.

Ultimately, the online advertising industry benefits from this complexity. When it comes time for the advertising industry to consent to the user’s wish not to be watched online, the industry dissolves into a swarm. All the while, the user’s own technological dispersal allows for that contract to be undermined when that user changes any of the original conditions of consent. Once this fragile contract dissolves, tracking can recommence. Industry self-regulation becomes a joke in the face of this dissociation.

Given the farce of self-regulation, privacy advocates have shifted their attention in recent years to another means of opting out: the “Do Not Track” system. This would add a header field to HTTP, the transfer protocol of the Web, allowing the user to signal an intention to not be tracked. This would be far easier than the cookie-based system the DAA has built. Major browsers now offer this as an option: Firefox, for instance, lets you “Tell sites I do not want to be tracked.”

However, this initiative may face the same difficulties we’ve described above. First of all, this HTTP header is not standardized by the governing body of the Web, the W3C. A “Do Not Track” initiative still asks us to constitute an individual who ultimately shall not be recognized by the parties named in the contract. “Do Not Track” presupposes an individual in a time when we find none; again, we see only swarms. And more important, the online advertising industry hates it and is likely to ignore it anyway.

But self-regulation is not the entire problem: It’s the very regulation of selves. If we are to create the contract of the future that ensures consent across several multiplicities and can respect a desire of a subject to not be constantly tracked, we may need to reinvent loose designations—as Derrida claimed the signature/signator to be—that function as the signature once did. We have to compose a level of abstraction removed from but included within our multiple devices, software, and users. A level that, paradoxically, must be trackable to ensure it is not tracked.

The difficulty of opting out of online advertisement is symptomatic of a larger, ongoing shift away from stable, enduring foundations. It might be time we recalibrate the I or the we that offers consent. We need this recalibration badly, because we’re watching full-time employment erode, home ownership dip, pension promises vanish, nation-state actors slide away, and national citizenship fade in favor of temporary employment, rented houses, longer work lives, failed states, and consumer culture. Perhaps consent is no longer available for purchase; maybe we can now only— from time to time—subscribe.