Wednesday, March 30, 2011

Privacy, the Internet and New Legislation

I've talked a lot about the explosion in data collection, data analysis and use of behavioral marketing on this blog. For good reason: when there are billions of dollars at stake, and your private information is the currency, there are plenty of reasons to place a big "consumer beware" sign anywhere you are doing something ostensibly "private".

We know for a fact (and they have been sued for it) that companies like Google, Yahoo, Microsoft and other Internet companies track and profile users and then auction off ads targeted at individual consumers in the fractions of a second before a Web page loads. That in itself may not be all that threatening to most. But it raises some interesting questions: What kind of control should we have over our own data? And, what kind of tools should be available for us to protect it? What about ownership of our data? Should we be compensated for the billions of dollars being made by corporations from their tracking of us? And of course, what of the government's access to this new world of data storage?

We may finally get some answers, and some privacy protections, as there are three separate bills in Congress addressing, in one form or another, Internet privacy. The argument from privacy advocates has largely been that this massive and stealthy data collection apparatus threatens user privacy and regulators should compel (not hope that) companies to obtain express consent from consumers before serving up "behavioral" ads based on their online history.

For instance, Internet companies would be asked to acknowledge that the data they collect about a person's online movements through software "cookies" embedded in a Web browser allows advertisers to know details about them, even if those cookies don't have a person's name attached. More generally, particularly on the issue of privacy on the Internet, the fact that we have next to no privacy standards as related to these technological innovations and trends is disturbing, and more than enough of a reason for some of the bills being offered here. So now the question becomes whether they're sufficient. Word is still out on that question.

Before I get to a bit more about the Kerry/McCain legislation, and the Electronic Privacy Information Center's (EPIC) recent comments regarding Internet privacy, let me provide a more detailed description of "behavioral marketing" from the Center for Digital Democracy:

Perhaps the most powerful - but largely invisible - force shaping our digital media reality is the role of interactive advertising and marketing. Much of our online experience, from websites to search engines to social networks, is being shaped to better serve advertisers. Increasingly, individuals are being electronically "shadowed" online, our actions and behaviors observed, collected, and analyzed so that we can be "micro-targeted." Now a $24 billion a year industry [2008 estimates] in the U.S., with expected dramatic growth to $80 billion or more by 2011, the goal of interactive marketing is to use the awesome power of new media to deeply engage you in what is being sold: whether it's a car, a vacation, a politician or a belief. An explosion of digital technologies, such as behavioral targeting and retargeting, "immersive" rich media, and virtual reality, are being utilized to drive the market goals of the largest brand advertisers and many others.

A major infrastructure has emerged to expand and promote the interests of this sector, including online advertising networks, digital marketing specialists, and trade lobbying groups.
The role which online marketing and advertising plays in shaping our new media world, including at the global level, will help determine what kind of society we will create.
  • Will online advertising evolve so that everyone's privacy is truly protected?
  • Will there be only a few gatekeepers determining what editorial content should be supported in order to better serve the interests of advertising, or will we see a vibrant commercial and non-commercial marketplace for news, information, and other content necessary for a civil society?
  • Who will hold the online advertising industry accountable to the public, making its decisions transparent and part of the policy debate?
  • Will the more harmful aspects of interactive marketing - such as threats to public health - be effectively addressed? 
Clearly, as with just about every market, "self regulation" is woefully inadequate... particularly when so much money is at stake. EPIC recently made this point in comments to the FTC urging tougher privacy protections, as summarized by NetworkWorld:

The Electronic Privacy Information Center (EPIC) has practically accused the FTC of being derelict in its duties to protect Internet user’s privacy. This attitude is revealed among the public comments filed in response to the FTC’s proposed Policy Framework on privacy.

EPIC has been an advocate of privacy protection for consumers since it was formed in 1994, when the Web was just a baby. EPIC argues in its comment that businesses should be required to adopt clearer privacy policies regarding information they collect on consumers because policies vary widely, are obtuse (sometimes purposely) and frequently change. The group complains that the FTC “mistakenly endorses self-regulation and ‘notice and choice’” of a company’s practices. Furthermore, EPIC says the FTC can already investigate deceptive business practices that invade privacy under Section 5 of the statute under which it operates, but that it doesn't. The FTC "fails to explain why it has not used its current Section 5 authority to better safeguard the interests of consumers," EPIC states.


To be sure, Internet businesses have good intentions and can point to instances where they have built “privacy by design” into their digital goods and services. Microsoft, for instance, told the FTC it already deletes the IPFirefox 4 has one, too). But Microsoft has made its share of privacy mistakes, such as assisting law enforcement and intelligence agencies in obtaining private user data, failing to encrypt the cloud-stored data of its Live@edu users and reportedly using ads as a cover for data mining.

Microsoft is not the only Internet business with a privacy protection problem, though. EPIC petitioned the FTC in 2009 to investigate Google over security breaches in its cloud computing service. And Facebook, despite numerous complaints about its envelope-pushing data mining practices at the expense of privacy, urged the FTC to provide privacy protection without imposing “restrictions [that] could limit Facebook's ability to innovate.” You’ll have to do better than that Zuck.

Now, to some of the provisions of the Kerry/McCain legislation, as reported in Media Post News:

A draft of privacy legislation floated by Sen. John Kerry (D-Mass.) would give the Federal Trade Commission authority to craft privacy regulations and to operate a Web site where consumers can opt out of online behavioral targeting. The potential measure would generally require companies to notify consumers about the collection of their data, and also allow them to opt out of having data used by third parties, like ad networks.


In addition to the obligation to notify consumers about data collection and allow opt-outs, the bill would require companies to give consumers access to data about them. Further, most companies that collect data would be required to attempt to minimize the amount of information collected and retained.

The bill would apply to a broad swath of data about consumers, including not only names and phone numbers but also email addresses, if they include names, customer numbers held in cookies and unique device identifiers.

In its current form, the bill requires companies to obtain users' explicit opt-in consent before collecting "sensitive" data, defined expansively as personal information that "if lost, compromised, or disclosed without authorization could result in harm to an individual."

The bill, which currently names Sen. John McCain (R-Ariz.) as co-sponsor, apparently remains a work-in-progress. But some provisions in the current version are virtually certain to be opposed by privacy advocates. For instance, the measure would preempt many state laws. Additionally, consumers wouldn't be allowed to file private lawsuits to enforce the bill.

As Jeff Chester, head of the Center for Digital Democracy, recently said in an article in the UK's Independent, "This is a commercial Orwellian environment. What is at stake is that we are granting influence over our lives to largely invisible and unaccountable digital giants, who have developed a far-reaching system of data collection across platforms and across networks. Alarmingly, information gathered from cookies is more than enough to deduce a person's medical history, sexuality or political views."

But as Chester also admitted in the piece, privacy advocates remain divided on how new regulation should be structured. This is made all the more difficult by the sheer complexity and ubiquitousness of these technologies. The Independent article continues:

If the Internet is to remain an interactive, personal experience, then some amount of data tracking is vital. The questions are: how much, and what for, and who by, and with what kind of opt-in or opt-out mechanisms for consumers? 

The problem is that, behind the contents of any single web page lies an increasingly complex ecosystem of companies using an array of different systems to tailor that web page to suit the reader. At its most basic, a website itself will tailor content. Amazon generates book recommendations for its customers by knowing what they have purchased in the past, for example. Google can predict your search query, and serve the answer faster, because it knows what you have searched for in the past. 

Increasingly, websites are tying up together to make their content more “social”. Facebook users may find information about what their friends are sharing pop up on partner sites such as listings site Yelp. And most controversially, the ads that appear on web pages are often now based on data collected about the user. This so-called “behavioural advertising” may serve up ads for golf clubs to a reader who has a history of visiting golf websites, whether or not the website they are currently looking at is a golf website. 

A study by the Network Advertising Initiative last year found that behavioural advertising was three times more effective, in terms of click-through-rates, and three times as lucrative, in terms of purchases made by the consumer from the advertiser, than traditional online ads that were not personally targeted in this way. And that was a year ago. The effort being made by the advertising industry to hone advertising even more closely to what it thinks the consumer wants to see becomes more sophisticated all the time. 

A new generation of online brokers have sprung up whose key skill is the analysis of large amounts of data. These brokers collect or buy data that can be specifically linked to an IP address or cookies (the little parcels of data left on an individual’s computer as a message to web publishers, which store information such as log-in names or other personal data) and use what they learn to place the most appropriate ads instantaneously on a web page. 


Even assuming consumers can spot the link on their online ads, and know that following it will allow them to opt out, there remain numerous problems over what happens next. The burgeoning number of data collectors and networks involved means that consumers currently have to opt out numerous times if they want to sweep away all behavioural ads.


Last week, European Parliament justice commissioner Viviane Reding said new regulations in the EU would include a right to be forgotten, applied to data collected not just by advertisers but by social networks and other websites, presenting an even bigger technical challenge to the industry. 

In the US, proposals are more modest. One House of Representatives plan would allow behavioural advertising only when consumers have opted in; the bill of rights proposed by Senator John Kerry would reverse that, but would mandate a clear and easy opt-out procedure. What none of the proposals spell out, though, is how, technically, it can be done.

Clearly, I particularly like the sound of what the EU is doing. A rule of thumb for privacy advocates is that the "opt-in" choice is ALWAYS preferable to "opt-out". Let's face it, the fact that there's even an opt-out option is often confusing or buried, and likely a few clicks away just to find it. But for me, it's more than just the "convenience" argument. It goes deeper than that... it's about having control over my information, end of story. If someone wants to borrow something of mine, like my car, I don't have to find a way to opt out of doing so after they've taken it on a spin; they have to come to me first. The same should be true of what I do in my private time, on the net, or in my home (think smart meter).

In addition, and I've written about this A LOT on this blog, what really concerns me is just what the side effects are of living in a society without privacy. Not just on the Internet, or about our personal web surfing habits, but from the watchful eye of government, be it the knowledge that we could be wiretapped, that the smart grid monitors our daily in-home habits and that information is sold and stored, that our emails can be intercepted, that our naked bodies must be viewed at airports, that our book purchases can be accessed (particularly if Google gets its way and everything goes electronic), that street corner cameras are watching our every move, that RFID tags allow for the tracking of clothes, cars, and phones... and the list goes on.

In other words, more concerning than any single threat posed by any single technology – including on the Internet – is this larger pattern indicating that privacy as both a right and an idea is under siege. As young people grow up with so much of their information so public and accessible to all, including government, I fear their sense, appreciation and understanding of privacy will continue to fade away. The consequences of such a loss would be profound.

I don't think it's by accident that we are told by the same interests that profit off our information that privacy is dead, and people don't care about it anymore. Well, that's easy to say when you are the ones developing the complicated and difficult-to-find privacy settings consumers have to deal with.

I'll continue to cover the details, and the progress, of the legislation making its way through Congress attempting to address some of these concerns.
