The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



Less Than Satisfied with Self-Regulation? FTC Chair Renews Push for Do Not Track

FTC Chair Edith Ramirez created some waves in her first speech to the advertising industry this week. Ramirez renewed the call for a universal Do Not Track mechanism—and impliedly ignored the progress of AdChoices, the Digital Advertising Alliance’s opt-out program. The FTC’s critical stance, along with a renewed initiative in the Senate, signals that the government is unsatisfied with the industry’s progress toward enhanced consumer controls over privacy and may seek a public, rather than private, solution.

“Consumers await a functioning Do Not Track system, which is long overdue,” Ramirez said. “We advocated for a persistent Do Not Track mechanism that allows consumers to stop control of data across all sites, and not just for targeting ads.”

The comments, spoken before the American Advertising Federation at their annual advertising day on Capitol Hill, illustrated a rift between advertisers and regulators over the progress of self-regulatory programs and consumers’ perceptions of online behavioral advertising. Two years ago, the FTC called on advertisers to develop a program that would give consumers a choice to opt out of behaviorally targeted ads. Speaking to AdWeek, Stu Inglis, a partner at Venable who acts as the DAA’s attorney, said of Ramirez’s remarks:  “We have solved it. The DAA’s program covers 100 percent of the advertising ecosystem. We made our agreements.”

The DAA also recently released the results of a poll it commissioned, in which nearly 70 per cent of consumers responding said that they would like at least some ads tailored directly to their interests, and 75 per cent said that they preferred an ad-supported internet model. (The poll comes with some caveats, described by an AdWeek piece today.)

However, in her speech Ramirez spoke of consumers’ “unease” with online tracking: “An online advertising system that breeds consumer discomfort is not a foundation for sustained growth. More likely, it is an invitation to Congress and other policymakers in the U.S. and abroad to intervene with legislation or regulation and for technical measures by browsers or others to limit tracking,” she said.

Ramirez also urged the advertising community to keep working within the multiparty process led by the W3C (World Wide Web Consortium) to develop a browser-based Do Not Track program. However, there has been little concrete progress in the talks so far.

The online advertising industry may be running out of time. Senator Jay Rockefeller (D-W.Va.), chair of the Senate Commerce Committee, announced that he would hold a hearing next week to discuss legislation that would mandate a Do Not Track standard. The chairman, along with Sen. Richard Blumenthal (D-CT), introduced the Do Not Track Online Act in February. The bill would direct the FTC to write regulations governing when internet firms must honor a consumer’s request that their information not be collected, and deputize the FTC and state attorneys general to enforce the rules.

“Industry made a public commitment to honor Do-Not-Track requests from consumers but has not yet followed through,” Rockefeller said of the hearing. “I plan to use this hearing to find out what is holding up the development of voluntary Do-Not-Track standards that should have been adopted at the end of last year.”

If Congress and the FTC agree that the advertising industry hasn’t honored its commitments, the chances for self-regulation without a government mandate may dwindle further.

Sources:

AdWeek:  FTC Chair Stuns Advertisers

The Hill: Sen. Rockefeller to Push for Do Not Track at Hearing


In Step Towards Broader Self-Regulation, Facebook to Allow AdChoices Icon in Ads

Facebook has closed a major gap in the industry compliance puzzle by announcing that it will now adhere to a widespread notice-and-choice program for its advertising platform. The site will be adopting the Digital Advertising Alliance’s AdChoices program, meaning it will place the program’s blue-triangled icons onto ads served by its FBX ad exchange.  The move will provide more transparency and an opt-out function to ads on the world’s most popular social networking site.

Transparency and uniformity in behaviorally targeted ads are what the Digital Advertising Alliance had in mind with its self-regulatory program.  The program is intended in part to prove to the government that the advertising industry can be proactive about sharing the consumer information that online advertisers store and use to target ads, and allow them to opt out on their own. Users can click on the “AdChoices” icon and its ubiquitous blue triangle, which takes users directly to the ad partner’s site, where they can see what information is being used to target ads and opt out.

The AdChoices program has two main advantages: broad-based industry usage and consistency from ad to ad and site to site. However, one industry publication described Facebook’s choice to go its own way as a “gaping hole” in the voluntary industry program. Facebook is the #2 most trafficked site on the web, and the No. 1 publisher of display ads in the U.S. Due to the data it possesses about its users, it has a unique ability to behaviorally target ads. Prior to adoption, Facebook’s interface took more steps than the DAA’s to get more information and an opt-out button, including several clicks before being referred to the ad server’s site.

It should be noted that the AdChoices icon will not be displayed universally or in the fashion seen on other sites. The option will only appear on behaviorally based ads served through Facebook’s FBX platform. Clicking the “x” on other ads will lead to Facebook’s own information and opt-out screens. FBX partners who participate in the AdChoices program will be able to display the icon, but it will only show up once a user’s cursor hovers over the ad.

This announcement has several potential impacts for Facebook and voluntary industry privacy programs. Facebook’s adoption of the icon and program should increase the visibility of the icon and the program, even if it is not displayed as prominently on Facebook ads. It will also subject Facebook to increased accountability, in the form of compliance reviews and complaint resolution procedures by the Council of Better Business Bureaus and the Direct Marketing Association, which oversee the program. Finally, it should provide increased legitimacy to industry privacy programs by bringing one of the whales of online advertising in tune with the FTC’s privacy framework. In its final privacy report, the FTC mentioned the DAA’s program as a creative and practical consumer choice mechanism and part of significant industry progress towards its goal of a Do-Not-Track mechanism.


Election 2012: Privacy Platforms Compared

The Democratic and Republican Parties unveiled their respective policy platforms at their national conventions this past month. Both platforms address a host of issues related to internet freedoms and security, and differ greatly in some ways and little in others. The starkest contrast lies in the parties’ plans for protecting consumer privacy. However, in other areas such as cybersecurity, the differences seem more imagined than real.

Both party platforms prioritize the civil-liberties aspect of internet freedom but have different prescriptions for achieving it. The Democratic platform envisions information privacy as freedom from private intrusion and public censorship, “protecting an open Internet that fosters investment, innovation, creativity, consumer choice, and free speech, unfettered by censorship or undue violations of privacy.” It later touts the implementation of consumer privacy initiatives taken by the White House as a step in this direction: “That’s why the administration launched the Internet Privacy Bill of Rights and encouraged innovative solutions such as a Do Not Track option for consumers.”

Earlier Secure Times coverage on the White House’s privacy approach and Privacy Bill of Rights is available here.

The Republican platform, on the other hand, specifically promises greater protection of personal data from use by government and law enforcement. In what may be a nod to the holding in United States v. Jones and the ongoing debate over location tracking, the RNC pledges to “ensure that personal data receives full constitutional protection from government overreach.”

The RNC platform goes on to add its support for protection from private actors, such that “individuals retain the right to control the use of their data by third parties.” However, it argues that “the only way to safeguard or improve these systems is through the private sector.”

Both platforms agree on the great importance of cybersecurity. However, the RNC criticizes the Administration for not being proactive enough in its efforts to neutralize new cyberthreats:

The current Administration’s cyber security policies have failed to curb malicious actions by our adversaries, and no wonder, for there is no active deterrence protocol. The current deterrence framework is overly reliant on the development of defensive capabilities and has been unsuccessful in dissuading cyber-related aggression. The U.S. cannot afford to risk the cyber-equivalent of Pearl Harbor.

The platform does not name any specific measures to dissuade rather than defend against cyberthreats, but it goes on to criticize the administration for not enabling enough information-sharing between public and private parties. Nonetheless, the Democratic platform mentions “strengthening private sector and international partnerships” as well.

Both parties roundly agree on the multi-stakeholder policymaking framework. Both statements seem to paraphrase each other. The RNC platform states:

We will resist any effort to shift control away from the successful multi-stakeholder approach of Internet governance and toward governance by international or other intergovernmental organizations.

The Secure Times provided earlier coverage of the Multistakeholder Process here.

Links:

National Journal: Dems Part Company With Republicans on Net Neutrality, Online Privacy

2012 Democratic National Platform

2012 Republican National Platform



Federal Trade Commission Announces Privacy Settlement with Myspace

The FTC has reined another tech giant, albeit a waning one, into a settlement agreement over alleged privacy violations. On May 8, the FTC announced a consent decree with Myspace LLC that forbids it from misrepresenting its privacy policies and requires it to institute a comprehensive privacy policy and submit to biennial audits for compliance for twenty years. This is the third settlement that the FTC has achieved with a major tech company in the social networking arena; the agency reached similarly structured settlement agreements with Google and Facebook last year.

The FTC’s Allegations

The FTC’s allegations stem from a gap between Myspace’s privacy policy and its practices from January 2009 until June 2010. In its policy, Myspace promised that it would not share a user’s personally identifiable information (defined as name, email, mailing address, phone number or credit number) without notice and user consent; that its means for delivering customized ads and sharing browsing data with advertisers; and that it complied with the U.S.-E.U. Safe Harbor framework for data protection.

However, when Myspace displayed ads from certain unaffiliated third parties to logged-in users, Myspace provided the advertiser or its affiliate with the viewer’s “Friend ID,” which is a persistent unique numerical identifier assigned to each Myspace user. This left third parties a few clicks away from accessing a host of other information about the user. For most users, the Friend ID could be used to get the users’ full name and any other information designated as public in the users’ settings. The public information could then be combined with additional information harvested by the advertiser’s tracking cookie and by any other means.

According to the FTC, the representations that Myspace made in its privacy policies were thus false and misleading statements and constituted deceptive acts or practices in violation of Section 5 of the FTC Act. The agency also alleged that Myspace misrepresented its compliance with the US-EU Safe Harbor framework: to transfer personal data lawfully from the E.U. to the U.S., companies must self-certify that they meet certain privacy principles about collection and use of user data, including Notice and Choice. According to the FTC, Myspace also misrepresented its compliance – although it did not make the offending statements about Safe Harbor compliance until December 2010, after the time period of its other deceptive practices.

Settlement Terms

The order forbids Myspace from misrepresenting its privacy practices, including collection, disclosure and third-party sharing, of all “covered information.” This includes a user’s name, address, e-mail address or chat screen name, phone number, photos and videos, IP address, device ID or other permanent identifier, contact list or physical location. Like the Google and Facebook settlements, the order requires Myspace to establish and maintain a comprehensive privacy program and submit to biennial assessments of its privacy programs by an independent auditor for 20 years. Myspace must also retain a plethora of related documents for five years, including all “widely disseminated statements” about Myspace’s privacy practices, complaints or communications with law enforcement about the order, or any documents that call into question Myspace’s compliance.

The 20-year timeframe, which has been the standard in FTC’s previous privacy consent decrees, has raised some snickers among commentators about Myspace’s longevity, given the site’s declining market share. Founded in 2003, the site was acquired by News Corp. for $580 million in 2005 and for a while dwarfed Facebook’s number of users. However, it was sold to Specific Media for $35 million last year and its number of unique users is less than half of its 2008 peak.

The agreement will be subject to public comment until June 8, after which the Commission will decide whether to make the proposed consent order final.
