Tumblelog by Soup.io
Newer posts are loading.
You are at the newest post.
Click here to check if anything new just came in.

June 20 2013

14:02

The newsonomics of Spies vs. Spies

So who do you root for in this coming battle, as Google petitions the feds? Are you on the side of Big Brother or Little Brother — and remind me, which is which? It’s a 50-year-update on Mad Magazine’s iconic Spy vs. Spy.

The Surveillance State is — at least for this month — in front of the public. The Guardian’s rolling revelations of National Security Agency phone and web spying have again raised the bogeyman of Big Data — not the Big Data that all the airport billboards offer software to tame, but the Big Data that the unseen state can use against us. We’ve always had a love/hate relationship with big technology and disaster, consuming it madly as Hollywood churns out mad entertainments. We like our dystopia delivered hot and consumable within two hours. What we don’t like is the ooky feeling we are being watched, or that we have to make some kind unknowable choice between preventing the next act of terror and preserving basic Constitutional liberties.

Americans’ reactions to the stories is predictable. Undifferentiated outrage: “I knew they were watching us.” Outrageous indifference: “What do you expect given the state of the world?” That’s not surprising. Americans and Europeans have had the same problem thinking about the enveloping spider’s web of non-governmental digital knowledge. (See The Onion headline: “Area Man Outraged His Private Information Being Collected By Someone Other Than Advertisers.”)

While top global media, including The Guardian, The Washington Post, and The New York Times, dig into the widening government spying questions, let’s look at the ferment in the issues of commercial surveillance. There’s a lot of it, and it would take several advanced degrees and decoder rings to understand all of it. No, it’s not the same thing as the issues surrounding PRISM. But it will be conflated with national security, and indeed the overlapping social and political questions are profound. Let’s look at some recent developments and some of the diverse players in this unfolding drama and see where publishers do — and could — fit in.

The commercial surveillance culture is ubiquitous, perhaps even less hemmed in by government policy than the NSA, and growing greatly day by day. While Google asks the FISA court to allow it to release more detail about the nature of federal data demands, its growing knowledge of us seems to have no bounds. From our daily searches, to the pictures (street to sky) taken of our homes, to the whereabouts relayed by Google Maps, and on and on.

It’s not just Google, of course. Facebook, whose users spend an average of seven hours per month online disclosing everything, is challenging Google for king of the data hill. A typical news site might have 30 to 40 cookies — many of them from ad-oriented “third parties” — dropped from it. That explains why those “abandoned” shopping carts, would-be shoe purchases, and fantasy vacation ads now go with us seemingly everywhere we move on the web. It’s another love/hate relationship: We’re enamored of what Google and Facebook and others can do for us, but we’re disquieted by their long reach into our lives. It’s a different flavor of ooky.

We are targeted. We are retargeted. Who we are, what we shop for, and what we read is known by untold number of companies out there. Though we are subject to so much invisible, involuntary, and uncompensated crowdsourcing, the outrage is minimal. It’s not that it hasn’t been written about. Among others, The Wall Street Journal has done great work on it, including its multi-prize-winning three-year series on “What They Know.”

Jim Spanfeller, now CEO of Spanfeller Media Group and the builder of Forbes.com, related the PRISM NSA disclosures to commercial tracking in a well-noticed column (“At What Price Safety? At What Price Targeted Advertising?”) last week. His point: We’re all essentially ignorant of what’s being collected about us, and how it is being used. As we find out more, we’re not going to be happy.

His warning to those in the digital ad ecosystem: Government will ham-handedly regulate tracking of consumer clicks if the industry doesn’t become more “honest and transparent.”

Spanfeller outlined for me the current browser “Do Not Track” wars, which saw its latest foray yesterday. Mozilla, parent of Firefox, the third most-popular browser by most measures, said it will move forward with tech that automatically blocks third-party cookies in its browser. Presumably, users will be able to turn back on such cookies, but most will go with the defaults in the browsers they use.

The Mozilla move, much contested and long in the works, follows a similar decision by Microsoft with its release of the latest Internet Explorer. Microsoft is using a “pro-privacy” stance as a competitive weapon against Google, advancing both Bing search and IE. Spanfeller notes that Microsoft’s move hasn’t had much effect, at least yet, because “sites aren’t honoring it.”

These browser wars are one front, and much decried by forces like the Interactive Ad Bureau, the Digital Ad Alliance, and its “Ad Choices” program — which prefer consumer opt-out. Another front is an attempt at industry consensus through the World Wide Web Consortium, or W3C. Observers of that process believe it is winding its way to failure. Finally, also announced yesterday was the just-baked Cookie Clearinghouse, housed at the Stanford Center for Internet and Society. The driving notion, to be fleshed out: creating whitelists and blacklists of cookies allowed and blocked. (Good summaries by both Ad Age’s Kate Kaye and ZDNet’s Ed Bott.)

Never too far from the action, serial entrepreneur John Taysom was in Palo Alto this week as well. Taysom, a current senior fellow at Harvard’s Advanced Leadership Initiative, is an early digital hothouse pioneer, having led Reuters’ Greenhouse project way back in the mid-’90s. His list of web startups imagined and sold is impressive, and now he’s trying to put all that experience to use around privacy issues. As a student of history, old and modern, his belief is this: “When they invented the Internet, they didn’t add a privacy layer.”

“We need a Underwriters Laboratory for our time,” he told me Wednesday. UL served a great purpose at a time (1894) of another tech revolution: electricity. Electricity, like computer tech these days, seemed exciting, but the public was wary. It wasn’t afraid of behind-the-scenes chicanery — it literally was concerned about playing with fire. So UL, as a “global independent safety science company” — a kind of neutral, Switzerland-like enterprise — was set up to assure the public that electrical appliances were indeed tested and safe.

Could we do the same with the Internet?

He’s now working on a model, colloquially named “Three’s A Crowd,” to reinsert a “translucent” privacy layer in the tech stack. His model is based on a lot of current thinking on how to both better protect individual privacy and actually improve the targeting of messages by business and others. It draws on k-anonymity and Privacy by Design principles, among others.

In brief, Taysom’s Harvard project is around creating a modern UL. It would be a central trusted place, or really set of places, that institutions and businesses (and presumably governments) could draw from, but which protect individual identification. He calls it an I.D. DMZ, or demilitarized zone.

He makes the point that the whole purpose of data mining is to get to large enough groups of people with similar characteristics — not to find the perfect solution or offer for each individual. “Go up one level above the person,” to a small, but meaningfully sized, crowd. The idea: increase anonymity, giving people the comfort of knowing they are not being individually targeted.

Further, the levels of anonymity could differ depending on the kind of information associated with anyone. ”I don’t really mind that much about people knowing my taste in shirts. If it’s about the location of my kids, I want six sigmas” of anonymity, he says. Taysom, who filed a 2007 U.K. patent, now approved, on the idea, is now putting together both his boards of advisors and trustees.

Then there are emerging marketplace solutions to privacy. What havoc the digital marketplace hath wrought may be solved by…the digital marketplace. D.C.-based Personal.com is one of the leading players in that emerging group. Yes, this may be the coming personal data economy. Offering personal data lockers starting at $29.99 a year, Personal.com is worth a quick tour. What if you could store all your info in a digital vault, it asks? Among the kinds of “vaults”: passwords, memberships and rewards programs, credit and debit card info, health insurance, and lots more.

It’s a consumer play that’s also a business play. The company is now targeting insurance, finance, and education companies and institutions, who would then offer consumers the opportunity to ingest their customer information and keep it in vault and auto-fill features then let consumers re-use such information once it is banked. Think Mint.com, but broader.

Importantly, while Personal.com deals potentially with lots of kinds of digital data, its business doesn’t touch on the behavioral clickstream data that is at the heart of the Do Not Track fracas.

Do consumer want such a service? Personal.com won’t release any numbers on customers or business partners. Getting early traction may be tough.

Embedded in the strategy: a pro-consumer tilt. Personal.com offers an “owner data agreement,” basically certifying that it is the consumer, not Personal.com, that owns the data. It is a tantalizing idea: What if we individually could control our own digital data, setting parameters on who could use what and how? What if we as consumers could monetize our own data?

Neither Personal.com nor John Taysom’s project nor the various Do Not Track initiatives envision that kind of individually driven marketplace, and I’ve been told there are a whole bunch of technical reasons why it would be difficult to achieve. Yet, wouldn’t that be the ultimate capitalist, Adam Smith solution to this problem of runaway digital connectedness — a huge exchange that would facilitate the buying and selling of our own data?

For publishers, all this stuff is headache-producing. News publishers from Manhattan to Munich complain about all the third-party cookies feeding low-price exchanges, part of the reason their digital ad businesses are struggling. But there is a wide range of divergent opinion about how content-creating publishers will fare in Do Not Track world. They may benefit from diminished competition, but would they be able to adequately target for advertisers? Will Google and Facebook do even better in that world?

So, for publishers, these privacy times demand three things:

  • Upscale their own data mining businesses. “There’s a big difference between collecting and using data,” says Jonathan Mendez, CEO of Yieldbot, that works with publishers to provide selling alternatives to Google search. That’s a huge point. Many publishers don’t yet do enough with their first-party data to adequately serve advertiser needs.
  • Take a privacy-by-design approach to emerging business. How you treat consumers in product design and presentation is key here, with some tips from Inc. magazine.
  • Adopt a pro-privacy position. Who better than traditionally civic-minded newspaper companies than to help lead in asserting a sense of ownership of individual data? If news companies are to re-assert themselves as central to the next generation of their communities and of businesses, what better position than pro-privacy — and then helping individuals manage that privacy better?

It’s a position that fits with publishers’ own interests, and first-party data gathering (publisher/reader) makes more intuitive sense to citzen readers. For subscribers — those now being romanced into all-access member/subscribers — the relationship may make even more sense. Such an advocacy position could also help re-establish a local publisher as a commercial hub.

News and magazine publishers won’t have to create the technology here — certainly not their strong suits — but they can be early partners as consortia and companies emerge in the marketplace.

Photo by Fire Monkey Fire used under a Creative Commons license.

March 27 2012

14:00

FTC: If It's Your Computer, You Should Own Your Data

If you own your computer, you should own the data that's on it. That's the message from Federal Trade Commission Chairman Jon Leibowitz.

At a Washington press conference -- also broadcast -- the FTC issued a new report on Internet privacy. Leibowitz praised how far the nation's come in protecting data, even from this time last year. But he also shared that consumers still need more clarity and control over their personal information.

The event opened with this animated primer about how information is collected, and where it goes.




































The FTC made three main recommendations:

  • Social media sites, apps, browsers, retailers and Internet service providers among others should adopt "privacy by design." In other words, privacy should come first.
  • Companies should work towards better transparency. The average privacy policy, Leibowitz said, is longer than the Declaration of Independence.
  • Consumers and businesses should receive simple choices to decide what information is shared. This should include a "Do Not Track" option.

"'Do Not Track' from our perspective means do not collect," Leibowitz said. "We need to have a 'Do Not Track' option that is persistent, easy to use and effective. "

In the past year, he said, large platforms and marketers made a lot of progress toward protecting privacy, partly because it's the right thing to do, and partly because they want to keep consumers' trust.

"It's amazing how far these companies have come," Leibowitz said. "I think we're all pulling in the right direction. People just get it -- it's the right thing to do ... It's better for your business."

'Best practices'

privacyreport.jpg

Overall, the report falls more into the category of "best practices" than regulations. The point, he said, was "not to erect a stoplight, but to take a look at the traffic patterns." Yet he urged Congress to enact tougher privacy protection laws, and noted that the FTC's power is based in its ability to enforce the law.

For example, last spring Google settled FTC charges that it violated user privacy when it launched Google Buzz. Then last fall Facebook settled an FTC lawsuit alleging it repeatedly deceived users about their privacy.

The lengthy report certainly sets the stage for more debate. It ends with a dissenting statement from FTC Commissioner J. Thomas Rosch. His concerns include that the report had no limiting principles, and could be seen as a mandate.

"It would install 'Big Brother' as the watchdog over these practices, not only in the online world but in the offline world," he wrote. He also added that there's no universally accepted definition of what "Do Not Track" means.

"I still worry about the constitutionality of banning take-it-or-leave-it choice (in circumstances where the consumer has few alternatives)," Rosch opined. "As a practical matter, that prohibition may chill information collection, and thus impact innovation, regardless whether one's privacy policy is deceptive or not."

Terri Thornton, a former reporter and TV news producer, owns Thornton Communications, an award-winning PR and social media firm. She is also a freelance editor for Strategic Finance and Management Accounting Quarterly.

This is a summary. Visit our site for the full post ».

February 11 2011

22:05

WSJ Series Inspires 'Do Not Track' Bill from Rep. Jackie Speier



MP_internetprivacy_small.jpg

We didn't plan it this way, but the timing was perfect. Rep. Jackie Speier (D-Calif.) introduced a bill today in Congress that would give the FTC the power to create a "Do Not Track" database so people could opt out of online tracking. And her bill comes right during our special series about online privacy, which included a roundtable discussion (and debate) about the "Do Not Track" database and its feasibility. And Speier told me one of the inspirations for the bill was her outrage from reading the Wall Street Journal's What They Know series.

On one side is privacy groups such as Consumer Watchdog and the Electronic Frontier Foundation who worked with Speier on the bill. On the other side are behavioral ad firms and publishers who would prefer that massive numbers of people don't opt out from tracking, which helps them serve targeted ads. In the 5Across roundtable discussion, Yahoo's chief trust officer Anne Toth put it this way: "I think it's critical that people realize that collecting data about consumers online gives enormous benefits. Right now, advertising makes the Internet free. And people want a free Internet. And information leads to innovation and ideas. What I'm worried about most is that with 'Do Not Track' and government regulation, we throw out the baby with the bathwater and stifle innovation."

I talked with Rep. Speier today by phone and she wasn't buying that argument. She believes that the technology exists to create a one-button "Do Not Track" solution so people can opt out of tracking. Her bill is far from alone in the online privacy debate, as a flurry of bills are expected in Congress this year. Plus, she does not have a GOP co-sponsor on the bill nor is she a member of the House Energy and Commerce Committee. She still remains confident that the overwhelming public support for "Do Not Track" will give her bill momentum and she is "cautiously optimistic" she can get a GOP member to sign on.

The following is the entire audio of my interview with Speier this morning, and below is a transcript from that call.

speierfinal.mp3

Q&A

Why did you decide the time was right to introduce this bill now?

Rep. Jackie Speier: I think there was a growing clamor for privacy protection by the public. For the longest time, we have operated with the ignorance of bliss, I guess, that nothing was going on. There have been a number of recent exposes that have made it clear that there's a lot of tracking going on. And I must tell you that until I read it in the Wall Street Journal, and their 13-part series, I didn't know that Dictionary.com was just a means by which tracking takes place. And they're using something like the dictionary to identify you and then to track you. I was pretty outraged when I read that.

What about self-regulation. A lot of companies in Silicon Valley would prefer to do it themselves. What do you think about those efforts?

Speier: I have a long history on the financial privacy side of this issue. We've had lots of efforts by the industry to offer up pseudo financial privacy protections in California when I was working on that legislation. I'm happy to see the industry step up, but I'm not interested in fig leaf solutions. I want it to be simple and straightforward for consumers to click on one button and not be tracked. I want the FTC to develop the mechanism, and a simple format so the consumer does not have to read 20 pages of legalese.

How would you define tracking? Because it's not as simple as the Do Not Call registry. There's tracking online that people see as being bad, using their information in bad ways, and there's tracking that's just analytics for a website and not really harmful.

535px-US-DoNotCallRegistry-Logo.png

Speier: I think tracking is much more insidious than "Do Not Call." [Those telemarketing calls] were interrupting your dinner hour. Tracking is an activity that often times you don't even know it's going on. They're creating a secret dossier about who you are, they're making assumptions about you and then they're selling that information to third parties that then will market to you products or not, and then the information is then transferred from one source to another.

It starts to impact fundamental things like whether you can access health insurance, life insurance, what premium you're going to pay, based on assumptions they make. The example I used in the press conference today was I'm the chair of the refreshment committee of my church's bazaar so I go out and pay for 15 cases of wine and charge it to my credit card online. That information is then sold thousands of different ways to thousands of different data companies, and then it's sold again.

So let's say a life insurance company that I'd like to get life insurance from has that information and believes I'm an alcoholic. Either they don't sell me life insurance or charges me a higher premium. Or let's say I'm a prospective employee at a new company and they access this information and decide I'm an alcoholic and they don't want me as an employee. It becomes insidious.

I understand the worst-case scenarios, but what about the tracking that's done to give you recommendations on a site or you get ads that are served up that align with your interests? Some of those things aren't insidious or bad.

Speier: That's why you should have a choice. If you're going online to buy a new barbecue, you should be able to click to opt-in to see other barbecues. That's fine. That's your choice. But if you click on the target site, you know you want that barbecue and you don't want to be bothered and don't want to be tracked -- you can buy that barbecue and move on.

You talk about having one button to opt-out, but is that solution going to work or will people end up opting out of things they don't want to opt out of? Should there be more layers to this idea?

Speier: You'll still have advertisers seek you to opt in. The presumption is that somehow everyone is going to opt out. That's not necessarily the case. It's a choice.

What do you think about the solutions that the browsers have offered, from Microsoft's Internet Explorer, Mozilla Firefox and Google Chrome? Do you think what they're doing is a good start?

Speier: I think it's a good start, but I think we need something uniform. I've been told Mozilla's approach [with Firefox] is one that's not enforcing [Do Not Track] so what does that mean? It's more of a fig leaf at that point.

So it's more of a suggestion. "Don't track me... please."

Speier: [laughs] What is that? What it looks like to me is that they're trying to give the appearance that they're doing something, when they're not. I've been down this road before with the financial institutions in California with the financial privacy law. A placebo isn't going to work here.

I've heard from someone at Yahoo that the "Do Not Track" list could stifle innovation and the way they do behavioral advertising. And it could hurt not just Yahoo but startups as well.

Speier: I'm not persuaded by those arguments. That argument was used with the financial privacy law in California, that it would somehow stifle innovation of financial products. It didn't stifle innovation. Credit default swaps were out there for many to engage in. I'm just not buying it.

How will your bill differ from others that are being introduced? Are you coordinating with them in some way?

Speier: I'm hoping that we will coordinate. The bill from Bobby Rush (D-Ill.) is similar, though his would be site-specific. So every time you went to a site, you'd have to click, instead of a one-stop shop for purposes of opting out. My bill is more simplified and universal.

How will the bill dovetail with what's coming out from the FTC? They are in a comment period now, and they'll come out with a final report soon. Are you working with them?

Speier: First, I want to applaud the action they have taken, but we need to give them authority so they can move forward in a meaningful way in this area. They don't presently have the authority to do what we want them to do.

Part of your bill is giving them that authority?

Speier: Yes.

Did they ask for that?

Speier: No. They realize they need it in order to be effective in this area.

How long do you think it would take to implement what you're asking for in this bill?

Speier: I think the technology is already there. I think it should be as instantaneous as the Egyptian freedom. [laughs]

Within 18 days?

Speier: Yes, within 18 days. [laughing]

*****

What do you think about the "Do Not Track Me Online" bill? Would you sign up for such a database? Do you think the FTC should have the power to set up such a database? Share your thoughts in the comments below.

Mark Glaser is executive editor of MediaShift and Idea Lab. He also writes the bi-weekly OPA Intelligence Report email newsletter for the Online Publishers Association. He lives in San Francisco with his son Julian. You can follow him on Twitter @mediatwit.

This is a summary. Visit our site for the full post ».

February 10 2011

19:40

5Across: Online Privacy and the 'Do Not Track' Debate



MP_internetprivacy_small.jpg

The debate around online privacy has largely centered around advertising that is targeted at people depending on where they have been online. While somewhat creepy, those ads are perhaps the least of our worries. What many of us don't realize is that there are multiple parties tracking our moves online, some harmless and some possibly nefarious.

In fact, one of our MediaShift readers pointed out that PBS.org itself has at least seven trackers on its site:

I found that on the PBS.org site there are 7 trackers active, they are AddtoAny, Comscore Beacon, Disqus, DoubleClick, Foresee, Google AdSense, and Google Analytics...I found these because I use a Firefox add-on called 'Ghostery' that blocks trackers.

While the FTC considers a "Do Not Track" database, and Rep. Jackie Speier (D-Calif.) plans to introduce a "Do Not Track Me Online 2011" bill tomorrow in Congress, the debate about who can track us where online is heating up. The idea for such a database would be that consumers could opt-out in one simple way from all tracking online, similar to the "Do Not Call" database for telemarketers. But online, things aren't so simple. Some tracking is for analytics, some is to help tailor a site to your preferences, and some to target ads. We convened a group of privacy experts, journalists and publishers to discuss -- and debate -- the limits to what companies and government could track about us online. Check it out!

5Across: Online Privacy

onprivacy.mp4

>>> Subscribe to 5Across video podcast <<<

>>> Subscribe to 5Across via iTunes <<<

Guest Biographies

Ryan Calo runs the Consumer Privacy Project at the Stanford Center for Internet and Society. A graduate of Dartmouth College and Michigan Law School, Calo clerked on the U.S. Court of Appeals for the Sixth Circuit and practiced privacy and telecommunications law at Covington & Burling LLP before joining Stanford Law School in 2008. Calo works on the intersection of law and technology, including privacy and robotics. His work been covered by the New York Times, Wall Street Journal, and other major news outlets.

Declan McCullagh is the chief political correspondent for CNET and runs the Privacy Inc. blog there. Previously he was a senior correspondent for CBS News' website and Washington bureau chief for Wired. He is a private pilot and lives on the San Francisco peninsula with his wife and 15-month old son.

Joanne McNabb is chief of the California Office of Privacy Protection, and is a Certified Information Privacy Professional and co-chair of the International Association of Privacy Professionals' Government Working Group. She serves on the Privacy Advisory Committee to the U.S. Department of Homeland Security and is a Fellow of the Ponemon Institute. Before starting the Office of Privacy Protection, McNabb worked in public affairs and marketing, in both the public and private sectors, including five years with an international marketing company in France. She attended Occidental College and holds a master's degree in Medieval Literature from the University of California, Davis.

Lee Tien is a senior staff attorney at the Electronic Frontier Foundation, a non-profit public interest group focusing on online civil liberties. He went to college at Stanford and law school at UC-Berkeley. He works on a wide range of privacy and security issues including electronic surveillance, cybersecurity, online tracking, national ID systems, location tracking, electronic health records, and the smart energy grid.

Anne Toth is the Chief Trust Officer for Yahoo, where she has managed a wide array of policy issues related to privacy, community, user-generated content, child safety, advertising standards, online accessibility, mobile products, and consumer direct marketing. Toth has been active in leading industry trade association efforts around interest-based advertising, serves on the board of directors of the Network Advertising Initiative and Future of Privacy Forum Advisory Board. She has testified before Congress in DC and the Article 29 Working Party in Brussels on matters related to online privacy. Prior to joining Yahoo, Toth was a research economist at the Fremont Group, a San Francisco-based private investment company affiliated with Bechtel.

If you'd prefer to watch sections of the show rather than the entire show, I've broken them down by topic below.

Where's the Harm?

The 'Do Not Track' Debate

Big Brother is Watching

Differing Takes on Privacy

Free Speech vs. Privacy

Credits

Mark Glaser, executive producer and host
Corbin Hiar, research assistant

Charlotte Buchen, camera

Serene Fang, audio

Location: Vega Project & Kennerly Architecture office space in San Francisco

Special thanks to: PBS and the Knight Foundation

Music by AJ the DJ

*****

What do you think? Do you like the idea of a "Do Not Track" database? How much do you worry about your privacy while going online? Share your thoughts in the comments below.

Mark Glaser is executive editor of MediaShift and Idea Lab. He also writes the bi-weekly OPA Intelligence Report email newsletter for the Online Publishers Association. He lives in San Francisco with his son Julian. You can follow him on Twitter @mediatwit.

This is a summary. Visit our site for the full post ».

February 07 2011

18:49

Will U.S. Government Crack the Whip on Online Privacy?

This week MediaShift will be running an in-depth special report on Online Privacy, including a timeline of Facebook privacy issues, a look at how political campaigns retain data, and a 5Across video discussion. Stay tuned all week for more stories on privacy issues.

MP_internetprivacy_small.jpg

Online privacy is the new openness.

After years of telling all on the Internet, of tweeting about armpit rashes and tantric sex, we may have gone too far, shared too much. We may have lost control of the information that we reveal about ourselves and of the way others use that information. Which is a bad thing.

That's the thinking, at least, behind two government reports released at the end of 2010. The first one, produced by the Federal Trade Commission (FTC), outlines a plan to regulate the "commercial use of consumer data." The second one, produced by the Commerce Department, recommends that the federal government "articulate certain core privacy principles" for the Internet. Together they show that online privacy is very much on the public agenda.

FTC ENDORSES "DO NOT TRACK"

The FTC report, titled Protecting Consumer Privacy in an Era of Rapid Change, begins by noting that "consumer information is more important than ever" and that "some companies appear to treat it in an irresponsible or even reckless manner." It says data about consumer online activity and browsing habits are "collected, analyzed, combined, used, and shared, often instantaneously and invisibly."

google optout.JPGFor example, if I browse online for a product, which I often do, then advertisers could collect and share information about me, including my search history, the websites I visit and the kind of content I view. Likewise, if I participate in a social networking site, which I do, then third-party applications could access the stuff I post on my profile. Today my only lines of defense would be to adjust the privacy controls on my browser, to download a plug-in, or to click the opt-out icon that sometimes appears near an ad.

That's not good enough, according to the FTC report, which is intended to be a roadmap for lawmakers and companies as they develop policies and practices to protect consumer privacy. To that end, the FTC made three proposals.

First, companies should build "privacy protections into their everyday business practices." More specifically, they should provide "reasonable security for consumer data," they should collect "only the data needed for a specific business purpose," they should retain "data only as long as necessary to fulfill that purpose," they should safely "dispose of data no longer being used," and they should create "reasonable procedures to promote data accuracy." In addition, they should implement "procedurally sound privacy practices throughout their organizations."

Although it's unclear what would constitute a "specific business purpose," those suggestions to a great degree reflect existing law. Section 5 of the FTC Act, which prohibits unfair or deceptive practices, can be used to nail companies that fail to secure consumer information. Similarly, the Gramm-Leach-Bliley Act requires financial institutions to take certain steps to secure their information, and the Fair Credit Reporting Act requires consumer agencies to ensure that the entities receiving their information have a permissible reason to receive it. The latter also imposes "safe disposal" obligations on those entities.

Second, companies should "provide choices to consumers about their data practices in a simpler, more streamlined way." This would allow consumers in some transactions to choose the kind and amount of information they reveal about themselves. I say "in some transactions" because companies would have to distinguish between "commonly accepted data practices" and those "of greater concern."

The former includes ordinary transactions in which consumer consent is implied, e.g., I buy a book through Amazon, and I give the company my shipping address. No big deal, says the FTC. The latter, however, includes activities and transactions in which consent is not implied, e.g., an online publisher allows a third party to collect data about my use of the publisher's website. Big deal, says the FTC.

consumers_choice.jpgWhere consent is not implied, consumers "should be able to make informed and meaningful choices," and those choices should be "clearly and concisely described." In the context of online advertising, that means I would be able to choose whether to allow websites to collect and share information about me. The most practical way to give me that choice, according to the FTC, is to place a persistent setting on my browser to signal whether I consent to be tracked and to receive targeted ads. This "do not track" mechanism could give consumers the type of control online that they have offline with the "do not call" list for telemarketers.

Third, companies should "make their data practices more transparent to consumers." They should ensure that their privacy policies are "clear, concise and easy-to-read," and in some circumstances they should allow consumers to check out the data kept about them. Those circumstances remain unclear, but the report says if a company maintains consumer data that are used for decision-making purposes, then it could be required to allow consumers to review that data, essentially to give them the chance to correct any errors.

It's a good thing for the FTC to encourage companies to revisit their privacy policies. Most of them are long and dense and monuments to legalese, and some companies seem to notify me every week about changes to their terms and conditions. Nowhere is their ineffectiveness more apparent than in the world of mobile devices, which often spread privacy policies across dozens of screens, 50 words at a time. On the Internet, meanwhile, it would take consumers hundreds of hours [PDF file] to read the privacy policies they typically encounter in one year. That's hardly helpful to the consumer.

All in all, the FTC report has received mixed reviews. Some say its recommendations won't stop the information free-for-all, while others say it's promising and a step in the right direction. In any case, the commission will need the help of Congress to implement the plan, and that help isn't a sure thing.

COMMERCE DEPT. CALLS FOR PRIVACY CODES

The Commerce Department report, very sexily titled Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework [PDF file], begins by noting that consumer privacy must address "a continuum of risks," such as minor nuisances and unfair surprises, as well as the disclosure of sensitive information in violation of individual rights. The report's purpose is to stimulate discussion among policymakers, and it includes recommendations in four areas.

First, the government should "revitalize" the FTC's Fair Information Practice Principles, a code that addresses how organizations collect and use personal information and the reasonableness of those practices. The amended code should "emphasize substantive privacy protection rather than simply creating procedural hurdles." The specifics are similar to those in the first section of the FTC report: the code should call on companies to be more transparent, it should articulate clear purposes for data collection, it should limit the use of data to those purposes, and it should encourage company audits to enhance accountability.

Screenshot-code.pngSecond, the government should "enlist the expertise and knowledge of the private sector" to develop voluntary codes for specific industries that promote the safeguarding of personal information. To make that happen, the Commerce Department should create a Privacy Policy Office to bring the necessary stakeholders together, and the FTC would enforce the codes once they've been voluntarily adopted.

Well, this makes me think of the old saw that socialism is good in theory but doesn't work. Whether or not that's true, too often the same can be said (truthfully) of voluntary codes. To make this scheme work, at the very least, the FTC should be given rulemaking authority to develop binding codes in the event the private sector doesn't act. Alternatively, as the report suggests, the FTC could ramp up its enforcement of existing privacy laws, to encourage companies to buy in to the voluntary codes, on the theory that the buy-in would entitle them to a legal safe harbor. In other words, complying with a voluntary code would create a presumption of compliance with any privacy legislation based on the amended Fair Information Practice Principles.

Third, the government should be mindful of its global status as a leader in privacy policy. On the one hand, it should develop a regulatory framework for Internet privacy that "enhances trust and encourages innovation," and on the other hand, it should work with the European Union and other trading partners to bridge the differences, in form and substance, between their laws and U.S. law. As the report notes, although privacy laws vary from country to country, many of them are based on similar values.

Fourth, Congress should pass a law to standardize the notification that companies are required to give consumers when data-security breaches occur. Lawmakers also should address "how to reconcile inconsistent state laws," because the differences among them have created undue costs for businesses and have made it more difficult for consumers to understand how their information is protected throughout the country.

In the privacy world my sympathies are chiefly with the consumer, but the patchwork of state security breach notification (SBN) laws is a very real challenge for businesses. Not long ago, I worked with a company that had offices in a number of states, and as a result, it had to comply with a number of different state SBN laws. They were variations on the same theme, of course, but the differences had to be accommodated. The devil was in the details, and from that work it became obvious to me that the compliance costs were high and the benefits low: Some people get better notification than others. That's neither fair for the consumers nor ideal for the company.

The reaction to the Commerce Department report, like the one to the FTC report, has been mixed. Privacy advocates have been critical of it, especially the sections that support self-regulation, but other groups and government officials have commended the Department for taking on a tough issue. For its part, the Department said it plans to incorporate the feedback into its final report, to be released later this year.

NEW COMMITTEE TO CARRY THE PRIVACY FLAG

It's also worth mentioning that in late October, the National Science and Technology Council launched a Subcommittee on Privacy and Internet Policy. Chaired by Cameron Kerry, general counsel of the Commerce Department, and Christopher Schroeder, assistant U.S. attorney general, the subcommittee's job is to monitor global privacy-policy challenges and to address how to meet those challenges.

The charter [PDF file] says the subcommittee will do three things: 1) it will produce a white paper on information privacy in the digital age, building on the work of the FTC and the Commerce Department; 2) it will develop a set of general principles that define a regulatory framework for Internet privacy, one that would apply in the U.S. and globally; and 3) it will coordinate White House statements on privacy and Internet policy, striking a balance between the expectations of consumers and the needs of industry and law enforcement.

LOOKING AHEAD

Online privacy is on the government's brain, no doubt, but it's hard to say what effect, if any, the reports will have. They strike a chord with privacy advocates concerned about the way companies use the information that consumers reveal about themselves. They show sensitivity to the needs of both consumers and businesses. And they don't contain, possibly with the exception of the "do not track" mechanism, any kind of poison pill that would make the reports in their entirety look undesirable to major stakeholders.

Still, many companies already do what the reports recommend, and many of the recommendations to a great degree reflect existing law. So it's fair to wonder how much would change even if lawmakers used the reports to draft legislation. Lots of macro-micro questions remain unanswered, too.

Would all types of businesses be subject to the new framework? What about one that collects only non-sensitive consumer data? How long would businesses be required to retain consumer data? Is there a principled way to come up with a time period? Should companies be allowed to charge a fee to consumers for them to access information that the company maintains about them? If so, how much?

That's just a small sample of the questions that the FTC and Commerce Department need to answer before moving ahead, and they've requested help from interested parties. Readers should feel free to weigh in by contacting the agencies directly; otherwise, drop a comment in the box below.

Jonathan Peters is a lawyer and the Frank Martin Fellow at the Missouri School of Journalism, where he's working on his Ph.D. and specializing in the First Amendment. An award-winning freelancer, he has written on legal issues for a variety of newspapers and magazines. He can be reached at jonathan.w.peters@gmail.com.

This is a summary. Visit our site for the full post ».

December 09 2010

17:00

The Newsonomics of Do Not Track

[Each week, our friend Ken Doctor — author of Newsonomics and longtime watcher of the business side of digital news — writes about the economics of the news business for the Lab.]

Just in time for Christmas, we have cookie madness. No, not the sugared kind — the tracking kind. With pugnacious FTC Chair Jon Leibowitz taking on yet another big topic (saving media, net neutrality), we’re talking about tracking technologies — what’s fair, what’s legal, and what’s right.

On Dec. 1, Leibowitz put forward a 122-page Do Not Track proposal, officially inviting public comment due Jan. 31. Industry groups of many kinds, including the Online Publishers Association, are busily preparing responses. It’s unclear, as often the case with things digital, where the FTC jurisdiction ends and where Congress’ assent is required. There will be all kinds of twists and turns in the politics of Do Not Track (where, for instance, will the Tea Partiers stand, pro-unfettered individual liberty or anti-government regulation?), but when the dust settles, expect the following:

  • It’ll be easier for consumers to opt out of being tracked. That may be a simple one-click cookie, or something still a little complicated, but considerably easier than the multi-step approach required today. (I asked a group at NewsFoo, a tech-savvy bunch, how many knew how to turn off tracking. Only five out of 40 raised their hands.)
  • The advertising industry will seek to find new ways to further target, no matter what new hurdles are put in front them.

This isn’t an abstract debate about consumer rights or Big Brother. It’s a debate that could have profound implications for news media. If rules are re-written, we could see a re-balancing of power among news media, advertisers, ad agencies, and the ad networks. Therein may lie billions of dollars in ad spending — and revenue splits — in the years ahead.

If you attend an digital ad conference or talk to leaders in the industry, you’ll see the same PowerPoint (or Keynote): The perfection of commerce is coming soon. Ad-targeting technologies are getting smarter each day, creating better analytics about…us, collectively and individually. The coming perfection: I only get the kinds of commercial messages that make sense to deliver to me, based on all the known info about me, my reading patterns, and shopping habits. Sure, some mass branding — Coke in both Times Square and Tokyo’s Shibuya Crossing — will always be valuable. Most advertising messages, though, will be targeted. Targeted advertising is more effective, cheaper to deliver, and cuts out waste.

In that paradigm, media isn’t an enemy, exactly. It’s just friction. Media that helped deliver audiences for many decades now is a kind of friction. In the last several years, particularly, old media brands have eschewed ad networks as much as they thought they could, selling “premium” inventory. That means leveraging the authority of the news brand and its association with the deep pockets of affluent readers. We’ve seen some success there, but have to wonder how long it might last as targeting technologies get better and better. Why deal with the friction of separate media buys, if you can cherry-pick the audiences you want wherever they may be at the moment?

In classic web theory, it’s disintermediation: The connection between media and consumers is dissolving, with marketers able to reach end users more directly.

Enter a new age of Do Not Track. Maybe, in that world, news media’s role — and its engagement with audiences — becomes much more valuable. Maybe, it’s a reintermediation of a kind, as news media’s role in the shopping/buying lives of its readers re-emerges, digitally.

How might this happen? If we look at the potential newsonomics of Do Not Track, we can see at least two ways that real revenue can be driven out of the reordering of the tracking world.

First, the FTC proposal treats first-party tracking differently than third-party tracking. First-party tracking means that media, or really any company, tracks the behavior of its customers, those who have chosen to have a relationship with the brand. First-party tracking would allow online publishers to use analytics, drawn from web usage and registration data, to better target content for readers and viewers. And first-party tracking should allow some ad targeting of readers by a publisher on its own site — though that question will get muddier, depending on how Do Not Track actually works.

If publishers — especially big publishers, with the scale of audience of the Times, the Journal, Reuters, and portals — can help advertisers target consumers, then their audiences may become relatively more valuable, and advertising messaging higher priced. The “relative” here is relative to what advertisers can do off big brand sites. If Do Not Track constrains that in a significant way, that big news brands can offer relatively better targeting. That means a $10 CPM ad may be instead sold for $16, for instance, and the value of targeting can add up to tens of millions for each company annually. For a U.S. online ad industry now galloping to 17 percent 3Q growth (and expected similar growth next year) to a $25.8 billion expected 2010 final number, that targeting advantage could mean billions.

Second, publishers might further monetize the voluminous data they are harvesting. They could sell it. Data, media have come to understand, isn’t exhaust — it’s gold, if properly mined, and deeply valuable to advertisers and agencies.

Krux Digital, which works with publishers to track data usage, recently put out a report saying that “data skimming” by third-party networks was costing “premium publishers” $850 million a year. In other words, networks were placing cookies on publisher sites, alighting with lots of data that they then used to target other advertising. The number could be high (Krux has an interest in a high number; the higher the number, the more apparent need for its services), but there’s significant money left under some table, largely unbeknownst to publishers. If Do Not Track puts more power back into the hands of the publisher, then publishers may be help to re-sell the information — and that could help build toward the new business model news publishers’ need.

The FTC, of course, isn’t setting out to provide publishers with a new revenue stream. It’s trying to protect consumers.

Consequently, in industry responses to the FTC, OPA and other news industry groups have to be smart. They have to not only give lip service to being pro-consumer. They have to talk about how they can be pro-consumer, and much more transparent about how they use consumer data. They can proudly talk about delivering better news products. They can talk about improving the researching/shopping/buying experience. They can get beyond what some note as the “creepiness factor” of tracking, by offering up fundamental rules about how they’d be clear with their readers and viewers about what is being shared, what’s not and about consumer choices. They could also offer consumers incentives to share info.

They can re-establish, and reinforce, new stronger relationships with readers, in perfect synchronicity with the efforts of some to charge for digital news content.

The big opportunity, perhaps, is the ability of news publishers to transparently offer reader/consumers the opportunity to “opt in” to a wider world of reading and shopping targeting. Then, they could re-emerge, in the tablet era no less, as community and national centers of news — and commerce. Forget Foursquare; readers could check into their favorite news companies.

Track photo by HKmPUA used under a Creative Commons license.

Older posts are this way If this message doesn't go away, click anywhere on the page to continue loading posts.
Could not load more posts
Maybe Soup is currently being updated? I'll try again automatically in a few seconds...
Just a second, loading more posts...
You've reached the end.

Don't be the product, buy the product!

Schweinderl