Privacy Working Group

This last weekend the New York Times printed an interesting article, “Redrawing the Route to Online Privacy”, that noted today’s model of online privacy policies is no longer fulfilling its obligation of protecting consumers.  With the prevalence of data harvesting and the ability to track Web-browsing history, this 1990’s era concept of “notice and choice” is no longer enough to ensure consumers are fully informed of how and why businesses are using the personal information collected online.  The Times described some new options that could replace notice and choice that are being developed by privacy experts such as Lorrie Cranor, Ryan Calo and Ed Felten.

As Professor Danielle Citron notes, another option (reported in the Times a few weeks ago) is a method tested by the Future of Privacy Forum and WPP and recently adopted by a coalition of leading trade groups, including the Interactive Advertising Bureau, The Direct Marketing Association, The American Association of Advertising Agencies and the Association of National Advertisers.  By labeling banners that are targeted based on the previous web sites users have visited with a special “I” icon and with the tag “interest based ads”, consumers are alerted and given an option to turn-off the ad targeting if they so choose.

We hope that this new effort to communicate with consumer about privacy in a meaningful way, as well as many of the other solutions noted in the New York Times article, will be a step toward the business community advancing user transparency and control.  By voluntarily taking steps to enhance user trust, both profits and privacy should be possible.

Hello world!

An Internet-monitoring technology known as deep packet inspection is gaining favor as a tool to combat viruses and make networks run more efficiently, despite concerns that the technology allows improper snooping on private Web traffic by governments and other prying eyes.

The technology created a political firestorm when the administration of former President George W. Bush used it to monitor international communications as part of counterterrorism efforts. Iran’s apparent use of deep packet inspection, or DPI, during a crackdown on protesters last month gave the technology another black eye.

But use of DPI, which examines Web traffic at a much more detailed level than previous technologies could, is still growing globally. “I don’t see it shrinking at all,” says Al Gidari, a Seattle lawyer who focuses on the communications industry. “Its complexity is increasing, and I don’t doubt this field will become even more lucrative.”

On the Internet, information is divided into small packets that are transmitted and then reassembled at the destination. DPI generally lets operators monitor each packet moving over their networks. Based on what they learn — primarily details about addressing, the size of the transmission and whether the data is a video, say, or an email — they can prioritize traffic, block it and even alter it.
Advocates believe such technology is vital for managing the explosion of Web traffic in recent years that’s driven by social-networking sites and the popularity of online video. An online phone call, for example, might get priority over an email, because a successful phone call depends more on having few or no delays.

Opponents worry that without proper regulation, the technology poses a threat to privacy and freedom of speech, particularly if DPI gets into the wrong hands. “Even in its most innocuous form, this technology is extraordinarily powerful,” says Ben Scott, policy director at Free Press, an independent public-interest organization in Washington.

As Congress wrestles with the domestic questions, vendors are increasingly making DPI a common ingredient in the next generation of networking gear.

Read More

Senate Judiciary Chairman Patrick Leahy hopes the third time will be a charm for his legislation intended to better protect citizens’ personal information.

The bill, which he reintroduced Wednesday and in two previous Congresses, would increase criminal penalties for identity theft involving electronic data and criminalize intentional or willful concealment of a security breach. Leahy said passage of the measure, which would pre-empt a patchwork of state data breach laws, is among his top legislative priorities.

The bill requires entities that maintain personal data to establish policies to protect that material and give notice to individuals and law enforcement when they experience a breach. Failure to do so could result in penalties of up to $500,000 per violation and potentially doubled fines if the activity was deliberate. The bill would let individuals correct personal records held by commercial brokers. Additionally, states would be able to bring lawsuits on behalf of residents, but the bill would not give consumers a private right of action.

Under the measure, federal agencies would be required to set privacy and security rules for use of commercial data broker information. They would have to perform audits of contracts with brokers worth more than $500,000 and would be required to impose penalties on those that fail to meet the requirements. A GAO report this week found that almost all major federal agencies have weaknesses in their information security controls.

Leahy’s cybersecurity bill is one of many expected in the House and Senate. Senate Commerce Chairman John (Jay) Rockefeller and Sen. Olympia Snowe, R-Maine, were first with legislation in April, which could see committee action before the August recess. Rockefeller issued a statement saying he and Snowe are working hard on the measure and hope to mark it up soon.

Read More

By dissecting behavioral data, e-marketers are creating sites armed with predictive technology

By Stephen Baker

Every once in a while in most Web surfers’ lives, a suggestion pops up on the screen that leads them to wonder: How did they know that about me? The moment can seem magical, and a bit creepy.

Consider this one. A shopper at the retail site FigLeaves.com takes a close look at a silky pair of women’s slippers. Next a recommendation appears for a man’s bathrobe. This could seem terribly wrong—unless, of course, it turns out to be precisely what she wanted. This type of surprising connection will happen more often as e-marketers adopt a new generation of predictive technology. It’s fueled by growing rivers of behavioral data, from mouse clicks to search queries—all crunched by ever more powerful computers.

Why the bathrobe? ATG (ARTG), a Cambridge (Mass.) e-commerce software company that crunches data for FigLeaves, has found that certain types of female shoppers at certain times of the week are likely to be shopping for men. Like all Web recommendations, this one will be wrong a good portion of the time. But as marketers scrutinize shoppers in greater detail, they’re edging closer to their ultimate goal: teaching computers to blend data smarts with something close to the savvy of a flesh-and-blood sales clerk. “In the first five minutes in a store, the sales guy is observing a customer’s body language and tone of voice,” says Mark A. Nagaitis, CEO of 7 Billion People, an Austin (Tex.) startup that competes with ATG. “We have to teach machines to pick up those same insights from movements online.”

This dissection of online shopping comes amid growing fears about invasions of privacy online. But unlike the most controversial advertising technology, which tracks Web surfers’ wanderings from site to site, many of these “preference prediction” methods limit their scrutiny to behavior on a retailer’s own Web page. Much of the analysis looks simply at the patterns of clicks, purchases, and other variables, without including personal information about the shopper. In most cases, personal details are incorporated only if customers register on sites such as Amazon.com (AMZN) and Walmart.com (WMT) and supply them.

In the early days of e-commerce, most of the analysis focused on simple buying patterns among shoppers. Amazon and others introduced so-called collaborative filtering in the late ’90s. They found, to no one’s surprise, that people who bought the same book were likely to share interests in other books.

Now the science is growing far more sophisticated. Three years ago, Netflix (NFLX), the movie rental powerhouse, dangled a $1 million prize before anyone who could plow through data from millions of anonymous users and improve Netflix predictions of what movies customers would like by 10%. Last month an international team of computer scientists reached that goal by introducing deeper analysis. The winning team factored loads of details into its algorithm. It attempts, for example, to compensate for the shifting sentiments of a movie watcher over time. If one reviewer pans a number of movies in a row, are they all really so terrible? The algorithm might allow for a stretch of the blues—and take those ratings with a mathematical grain of salt.

Read More

In a test of the viability of small online-ad companies, Quantcast has launched a new online ad-targeting service that is being closely watched by advertisers and investors.

Quantcast, a high-profile San Francisco start-up, is one of dozens of young companies helping broker targeted display ads — which typically contain both text and images, and are aimed at audiences selected for such characteristics as age, income or even probable personality traits.

Some of these start-ups sell targeted ads directly on behalf of media companies and other Web publishers. Others — like Quantcast — provide data to help companies, such as General Electric‘s NBC Universal and Time-Warner‘s Time Inc., sell targeted ads on their own.

Investors have poured millions of dollars into the fledgling businesses, hoping to discover the next Google or Yahoo that could change the way ads are sold online.

So far, few of the ad-targeting and data-brokering companies — which also include AudienceScience and BlueKai — have become big, or even profitable. And lawmakers and regulators have stepped up inquiries into whether the ways they collect and crunch data on Web users’ online behavior ought to be more tightly regulated to protect consumer privacy.

Read More

The impetus to regulate online marketing may be gathering steam. On June 18 a House of Representatives subcommittee held a hearing to take a closer look at how advertisers gather and use information on consumers’ Web-surfing habits.

Up to now the government has had a hands-off policy toward online marketing, giving companies relatively free rein in how they use tools that track what people do online and then use that data to deliver tailored marketing messages. Although regulation is likely to be far off, it would surely rewrite how Google, Yahoo!, Microsoft, Facebook, and a wide range of other Internet companies grapple for share in the $25.7 billion online ad market.

The hearing, which brought together representatives of Web companies and online privacy advocates, may mark “the beginning of the end of self-regulation for online advertising,” says Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC).

Advocates of regulation say Internet companies need to be more up-front about their use of so-called behavioral targeting, which includes placing “cookies” and other software designed to discern a computer user’s tastes and preferences—information that marketers can use to better deliver online ads. Representative Rick Boucher (D-Va.), who chairs the House subcommittee on communications, technology, and the Internet, has stated publicly since February that he plans to draft legislation on targeting practices this year. He says sites should maintain plain-language privacy policies, visitors should be able to opt out of data collection, and any third-party companies working with publishers must obtain permission from Web users before acquiring or using their information.

Read More

An industry coalition races to head off privacy regulation

When the startup NebuAd unveiled its behavioral targeting platform at the end of 2007, it’s safe to say the company had no inkling of the push back it was about to get from privacy advocates.

Former CEO Bob Dykes certainly seemed surprised to be hauled before Congress, where his company’s policies would be denounced as “contemptible.”

“I feel like Galileo when he was viewed with skepticism on demonstrating that the Earth revolved around the sun,” Dykes protested at one of several congressional hearings last summer. Dykes insisted the platform was privacy-friendly, but his spirited defense of NebuAd wasn’t enough to save the company. He resigned last year and NebuAd suspended its plan to purchase information about people’s Web activity from their broadband providers with the purpose of serving targeted ads.

Read more…

The Federal Trade Commission (FTC) has finally released its revised “Self-Regulatory Principles for Online Behavioral Advertising”1 (OBA) after proposing a draft of those principles back in December 2007.  The FTC deserves credit for resisting calls to abandon self-regulation, and for its thoughtful consideration of the danger in stifling advertising—the economic engine that has supported a flowering of creative expression and innovation online content and services.

Read More…