The big news on the privacy front was last week's report released by the Federal Trade Commission (FTC) recommending, among other things, the establishment of a Do Not Track (DNT) mechanism. Not addressed in the report, a concern for some in the privacy community, was the privacy implications of cloud computing and social networking, the need for a US privacy agency, or a comprehensive federal privacy law based on "Fair Information Practices".
Nonetheless, the DNT option is an interesting concept - one that privacy advocates have supported in the past - and worth detailing here today. Before I get to specifics, I should define what kind of "tracking" we're talking about.
The Center for Digital Democracy defines behavioral marketing thusly:
Perhaps the most powerful - but largely invisible - force shaping our digital media reality is the role of interactive advertising and marketing. Much of our online experience, from websites to search engines to social networks, is being shaped to better serve advertisers. Increasingly, individuals are being electronically "shadowed" online, our actions and behaviors observed, collected, and analyzed so that we can be "micro-targeted." Now a $24 billion a year industry [2008 estimates] in the U.S., with expected dramatic growth to $80 billion or more by 2011, the goal of interactive marketing is to use the awesome power of new media to deeply engage you in what is being sold: whether it's a car, a vacation, a politician or a belief. An explosion of digital technologies, such as behavioral targeting and retargeting, "immersive" rich media, and virtual reality, are being utilized to drive the market goals of the largest brand advertisers and many others.
A major infrastructure has emerged to expand and promote the interests of this sector, including online advertising networks, digital marketing specialists, and trade lobbying groups.
The role which online marketing and advertising plays in shaping our new media world, including at the global level, will help determine what kind of society we will create.
- Will online advertising evolve so that everyone's privacy is truly protected?
- Will there be only a few gatekeepers determining what editorial content should be supported in order to better serve the interests of advertising, or will we see a vibrant commercial and non-commercial marketplace for news, information, and other content necessary for a civil society?
- Who will hold the online advertising industry accountable to the public, making its decisions transparent and part of the policy debate?
- Will the more harmful aspects of interactive marketing - such as threats to public health - be effectively addressed?
Back in April,
privacy advocates filed a complaint with federal regulators against tracking and profiling practices used by Google, Yahoo, Microsoft and other Internet companies to auction off ads targeted at individual consumers in the fractions of a second before a Web page loads.
The complaint was filed by the Center for Digital Democracy, U.S.
PIRG, and the World Privacy Forum, charging that a "massive and stealth data collection apparatus threatens user privacy," and asks regulators to compel companies to obtain express consent from consumers before serving up "behavioral" ads based on their online history.
Internet companies would be asked to acknowledge that the data they collect about a person's online movements through software "cookies" embedded in a Web browser allows advertisers to know details about them, even if those cookies don't have a person's name attached.
Privacy advocates have long argued that when enabled to protect their privacy and control their data. BUT, not if it’s made difficult, confusing, or time consuming. And this is why new rules, laws are so desperately needed for cyberspace...
we need "systems" that will allow users to control their information in an easy, logical, and practical way.
And this leads to the need for a DNT mechanism on
internet browsers. Essentially what the FTC is rightly arguing is that
web users should be able to use a 'do not track' facility to block any use of their browsing habits for advertising purposes.
The feature, which the FTC said could be located within browsers,
would prevent a person from being exposed to behavioural advertising and would function like 'do not call' lists of phone numbers.
FTC chairman Jon Leibowitz stated:
"Despite some good actors, self-regulation of privacy has not worked adequately and is not working adequately for American consumers. We deserve far better from the companies we entrust our data to, and industry, as a whole, must do better. So the FTC will take action against companies that cross the line with consumer data and violate consumers' privacy - especially when children and teens are involved. The FTC wants to help ensure that the growing, changing, thriving information marketplace is built on a framework that promotes privacy, transparency, business innovation and consumer choice. We believe that's what most Americans want as well....The Commission recommends a simple, easy to use choice mechanism for consumers to opt out of the collection of information about their Internet behavior for targeted ads. The most practical method would probably involve the placement of a persistent setting, similar to a cookie, on the consumer's browser signaling the consumer's choices about being tracked and receiving targeted ads."
This is a sensible component of a much larger web privacy strategy that will ideally put the individual in control, or ownership, of their own data. While I favor the opt-in versus over the opt-out method as a rule of thumb, certainly a visible
DNT mechanism in browsers would be an acceptable piece of the internet "privacy puzzle".
As for the
public reaction to this debate, I think its a no
brainer.
Who doesn't want more choice, and control? Of course, it's not quite like a phone call at dinner. People aren't being physically interrupted from something they're doing, but, again, it comes down to the consumers choice, one we do not currently have. Its also true that young people today are far more likely to want to, or be okay with, sharing personal information. However, studies show that when given the choice, they too care about privacy, and would more often than not choose that privacy if given the opportunity...they're just not going to work for it.
It also seems to me that this could benefit consumers in an additional way, because online marketers would have to find more substantive ways to coax web users into letting themselves be tracked. Thus, under
DNT, consumers would likely get better or more free stuff for signing up.
I also liked what Susan Grant, the director of consumer protection at the Consumer Federation of America, had to say about why
DNT is needed (in addition to much more comprehensive privacy legislation), stating,
"If someone were following you around in the physical world - tailing you and making note of everywhere you go, what you read, what you eat, who you see, what music you listen to, what you buy, what you watch - you might find this disturbing. On the Internet even if the tracker doesn't know your name, you are not anonymous."
She pointed to technology like so-called cookies and other persistent, digital identifiers that "are essentially personally identifying information."
Eric Newland of the Center for Democracy and Technology had some more critical points to add, writing:
While DNT is an intriguing idea, and one CDT has supported, it is not a silver bullet. If implemented, it would likely address, at best, just a portion of a larger problem. In its narrowest conception, DNT might give consumers an opportunity to state that they do not want data that has been collected about them to be used for the targeting of behavioral advertisements; enforceable rules would ensure that these expressions of consumer intent are respected. But conceived in this way, DNT would leave consumers in the same, unfortunate position with regard to how their data – web browsing history, transaction data, contact information – is collected and how it is shared for purposes outside of behavioral advertising: with market research firms, data brokers, life insurance companies and the like. DNT further fails to address emerging challenges to online privacy: cloud computing, social networking, and the growth of the app economy. And DNT would certainly not address the collection and use of offline consumer data such as mortgage information, credit card information, DMV records, and other business records. DNT alone will not solve all of our privacy challenges.
Meanwhile, just unpacking the term “do not track” requires navigating a wide array of challenging questions. The very broad concept of DNT is appealing for consumers. But does DNT mean don’t collect user data, don’t use it for behavioral advertising specifically, or don’t use it for non-operational purposes generally? What are operational purposes? Should there be distinctions between first party collection and use and third party collection and use? What about sensitive information?
In fact, unpacking the term “do not track” requires grappling with the same questions that must be addressed before baseline consumer privacy legislation can be passed. It seems inefficient to slog through these questions in pursuit of a narrow answer to one particular privacy problem, when instead the process can be harnessed to reach consensus around baseline consumer privacy legislation.
In short, DNT is no replacement for baseline privacy legislation. While DNT-type mechanisms could function as useful privacy-enhancing technologies, we should not let a discussion about DNT distract us from a task that American businesses, the Department of Commerce, Congress, and consumers have all said is a priority: finally passing baseline privacy legislation.
The Electronic Frontier Foundation also added some important insights, stating:
...the biggest problem is not the targeted ads but the exhaustive records of peoples' reading and other online activities that are collected in order to facilitate that targeting.
The FTC report specifically endorses the idea of a standardized "Do Not Track" mechanism that would allow individuals to restrict the flow of their personal data to advertisers. Do Not Track is a response to the fact that it is currently extremely impractical for consumers to defend themselves against the astonishing array of sophisticated tracking technologies that are easy to deploy and in widespread use. One of the strongest arguments for the technical feasibility of Do Not Track can be found in this interesting blog post. Of course, behavioral advertising is not a new issue for the FTC. They issued proposed principles for industry self-regulation back in 2007. However, this self-regulatory approach has been widely criticized as ineffective -— leading to speculation that it is time for direct regulation of behavioral tracking.
...
The FTC's new privacy report is a promising development in the evolution of online consumer privacy. EFF looks forward to working with other organizations to address the issues raised by this report. The House Subcommittee on Commerce, Trade, and Consumer Protection will delve into the issue of Do Not Track more fully during a hearing scheduled for tomorrow, and we have high hopes that the conversation will be furthered by an upcoming Department of Commerce report.
With the publication of the privacy report, it seems that the FTC is ready to tackle some of the most challenging issues of online consumer privacy - including revolutionary approaches to defending personal privacy such as Do Not Track.
All in all I think there is some reason to be hopeful about the direction of the FTC, and supportive of the DNT concept. But, as with any issue this large, and this uncharted (i.e. privacy on the internet),
there are going to be HUGE moneyed interests out to stifle progress in the name of the bottom line. This issue will be no different...as marketers will be lining up to stop anything that might slow their ability to make money off your private data.
I don't think its by accident that we are told by the same interests that profit off our information that privacy is dead, and people don't care about it anymore. Well, that's easy to say when you are the ones developing the complicated and difficult to find privacy settings consumers have to deal with.
My guess is if given the choice and opportunity to choose to not be tracked consumers will in droves. But, as pointed out in today's post, this is only one small component of the much larger effort underway to establish comprehensive internet privacy protections and data rights.
Stay tuned for that continuing fight.