Thursday, August 13, 2009

Behavioral tracking on the web: The good (FTC) and the bad (OMB)

For some backdrop on the issue of behavioral targeting on the internet and the legislative effort to protect consumer privacy currently underway in Washington, here’s some of what Jeff Chester, executive director of the Center for Digital Democracy (CDD), had to say in recent testimony before Congress. CDD has been at the forefront of exposing invasive online and mobile marketing practices as well as offering concrete regulatory measures that would more adequately protect consumer privacy.

Chester stated, “Powerful techniques of data collection, analysis, consumer profiling and tracking, interactive ad creation and targeting have emerged across the online venues Americans increasingly rely on for news, information, entertainment, health, and financial services. Whether using a search engine, watching an online video, creating content on a social network, receiving an email, or playing an interactive video game, we are being digitally shadowed online. Our travels through the digital media are being monitored, and digital dossiers on us are being created—and even bought and sold.

“In order to ensure adequate trust in online marketing—an important and growing sector of our economy—Congress must enact sensible policies to protect consumers.”

Now to two interesting and completely conflicting “approaches” to this issue making news this week: On the one hand we have the Federal Trade Commission’s (FTC) apparently committed effort to better protect internet users from behavioral targeting and ads. And on the other we have the Office of Management and Budget’s (OMB) proposal to allow the use of web tracking technologies on federal government websites.

Let’s first get to the recent positive developments at the FTC.

In a recent article in Business Week, FTC Chairman Jon Leibowitz, Obama's top consumer watchdog, said he wants to terminate—or at least rein in—delivering ads to individuals based on the Web pages they visit and searches they carry out (supporting the establishment of “opt-in” as the standard rather than “opt-out”).

Similarly, David C. Vladeck, the new head of the Bureau of Consumer Protection at the FTC, said in a New York Times article this week that the frameworks used historically for privacy on the web are no longer sufficient. He wants to expand the definition of what is considered “harm” to the consumer when a company infringes on their privacy, so that it goes beyond a solely monetary measurement and also asks whether their dignity was violated.

So two important signals (among others articulated in the articles) are being sent by Leibowitz and Vladeck, indicating that the FTC is considering pushing for two essential legislative reforms advocated by privacy leaders that would protect consumers: establishing "opt-in" as the standard and precedent, and redefining what is considered “harm” to the consumer when his/her privacy is violated. If ever enacted, each would represent a landmark improvement in protections for consumers against aggressive behavioral marketing techniques and industry data collection practices.

Now to the negative developments at the OMB:

The OMB recently proposed reversing current federal policy by allowing the use of web tracking technologies, like cookies, on federal government websites.

An ACLU press release sent out on August 10th states: Since 2000, it has been the policy of the federal government not to use such technology. But the OMB is now seeking to change that policy and is considering the use of cookies for tracking web visitors across multiple sessions and storing their unique preferences and surfing habits. Though this is a major shift in policy, the announcement of this program consists of only a single page from the federal register that contains almost no detail.

The use of cookies allows a website to differentiate between users and build a database of each user’s viewing habits and the information they share with the site. Since web surfers frequently share information like their name or email address (if they’ve signed up for a service) or search request terms, the use of cookies frequently allows a user’s identity and web surfing habits to be linked. In addition, websites can allow third parties, such as advertisers, to also place cookies on a user’s computer.

“Americans rely on the information from the federal government to research politics, medical issues and legal requirements. The OMB is now asking to retain the personal and identifiable information we leave behind,” said Christopher Calabrese, Counsel for the ACLU Technology and Liberty Project. “No American should have to sacrifice privacy or risk surveillance in order to access free government information. No policy change should be adopted without wide ranging debate including information on the restrictions and uses of cookies as well as impact on privacy.”

Limitations of the FTC and the Responsibility of Congress

What’s most important to this debate, aside from the vast differences in approach to internet privacy demonstrated this week by the OMB and the FTC, is what kind of regulatory framework will be put in place to protect consumers. As Jeff Chester also pointed out in his testimony, this responsibility will largely fall on Congress:

“The FTC has been largely incapable of ensuring American privacy is protected online. Staff has been reined in from more aggressively pursuing the issue, primarily to ensure that industry self-regulation remains as the agency’s principal approach. The FTC is also encumbered with a lack of staff working on privacy and online marketing issues, including personnel familiar with the technical characteristics of contemporary marketing…

The FTC needs to have additional resources, especially so it can better protect consumers from digital marketing transactions involving their financial and health data. Congress should press the FTC to be more proactive in this arena. We are confident that the FTC is now ready to address online marketing and consumer privacy more meaningfully than in the past."

“We (CDD) urge you (Congress) to enact legislation that would ensure that consumer privacy online is protected. The foundation for a new law should be implementing Fair Information Practices for the digital marketing environment.”


Joel said...

I think it's important to distinguish between good and bad methods of behavioral targeting. If someone owns a website and they want to use the information contained in their web server logs (what IP address visited which page and when) to target better ads, then there is nothing wrong with that. It's good business and potentially a service to consumers.

There is a privacy risk with downloadable applications like the one Sears was fined for using. These applications can collect ALL information that a user views on any website. The Google toolbar for the Firefox browser works in this way. There is a risk to consumers who visit a financial or health related site (sites that wouldn't normally engage in behavioral advertising) to expose sensitive information without knowing it.

I know that the differences in behavioral targeting practices are subtle, but it's worth taking the time to understand how things work before proposing drastic changes.

Thanks for all your work fighting for privacy, keep it up.

CFC said...

Thanks for your feedback and the insights, Joel. I think a lot of people probably have slightly different criteria for what they would consider "good" versus "bad" methods of behavioral targeting. Yours certainly make sense, and your points are well taken, and appreciated. I think what's most important to a lot of privacy advocates is simply having the option to "opt-in", rather than "opt-out"... this would give consumers more freedom and control over what they are comfortable with, based on their criteria of what methods are good and bad.