Facebook Canadian Privacy News

Some thoughts on the Report of Findings by the Assistant Privacy Commissioner of Canada into the complaint filed by CIPPIC against Facebook.


Overall this is a very well informed and thoughtful decision.  The majority of the issues raised by CIPPIC (Canadian Internet Policy and Public Interest Clinic) are either denied or found to have been successfully addressed by the many privacy enhancements Facebook has introduced over the past year.  The most significant unresolved issue identified by the Commissioner is probably the many thousands of third party applications that have become so popular with Facebook users.  Although Facebook has contractual policies restricting the access and retention of user data by the “apps”, and has enforced these rules by kicking various apps off of Facebook, the Commissioner still has concerns about whether Facebook should implement some sort of technical monitoring of these programs.  Although Facebook has launched a “Verified Apps” program, where apps can sign up for a more intensive review of their practices and receive a label informing users, this program is voluntary. We agree that this is an area where users are right to have concerns about the identities and practices of third party app developers, many of whom are individual developers or start-ups operating anywhere in the world.  But we also think that a mandatory approval and review program for apps, controlled by Facebook, would draw criticism in the policy debate over the openness of the platform and would create a huge bottleneck for app developers.  The role of “policing” these apps may be better suited to third parties or seal organizations, which can independently set trust guidelines and devote time and resources to auditing and technical monitoring of apps.


Two other issues flagged by our northern neighbors are also intriguing.  The Commissioner would like Facebook to spell out in its privacy policy what it does with user accounts after users die.  Although companies in the US often do have policies around how to handle user accounts after death, the controlling practices are usually trust and estate laws, and they depend on the ability of a next of kin to establish ownership of the account.  Rarely, if ever, is information about this spelled out in a privacy policy, and we wonder whether the Commissioner would require this of all blogs, Web sites, email providers or the like.  Although we think transparency is key to ensuring users’ trust in the companies they deal with, we aren’t sure that most users want to discuss death when they sign up for a social network.  What do our readers think? Do you want your Facebook profile or your blog to stay up after you die?  Do you want to decide this when you create an account?  Should estate planners start advising clients to leave online account passwords and instructions with their executors?


Also relevant to all sites that allow users to post content is the request that Facebook implement methods to ensure that users who post images or provide email addresses of non-Facebook users can show that they have the consent of those non-users.   Although the Commissioner recognizes that personal use by individuals is ordinarily exempted from PIPEDA (Personal Information Protection and Electronic Documents Act), the fact that Facebook makes additional use of this information is held to be the basis for covering it under PIPEDA.  In addition to the free speech concerns of users that might be raised under US law, applying this principle to user Web sites in general seems nearly impossible in practice.  On the other hand, Facebook more strictly limiting retention of certain non-user data supplied by users, for example email addresses used to invite friends, seems practical, required by PIPEDA and likely to be a very good idea and an effective way to deal with this concern.


The Commissioner also makes a strong case that the option to completely delete a user’s profile needs to be easier to use.  We firmly agree.  At a time when users are first becoming aware of the many ways the data they post can later be used against them or out of context, the safety valve that can help ensure users have more control over their data trail is a firm ability to easily delete their profile information.  And de-activated profiles, which are maintained for the long term, are quite likely forgotten by their owners and should also be deleted on a published schedule.


Here is the response from Facebook: “Facebook will soon be introducing a number of new additional privacy features to its service that we believe will keep the site at the forefront of user privacy and address any remaining concerns the Commission may have. In the meantime, we will also continue our efforts to work with the Canadian Federal Privacy Commissioner to address the outstanding areas highlighted in the report and will continue our efforts to raise awareness of the privacy controls on Facebook.”


Kudos to Assistant Commissioner Liz Denham, author of the report, for producing one of the best pieces of work we have seen from a data protection agency anywhere.  The document demonstrates an understanding of the Facebook platform and how users interact with it.  In the many cases where complaints were raised but where Facebook was already in compliance or where practical changes were made, the report takes a pragmatic and user-focused view towards application of the law and recognizes those measures.  We agree with leading Canadian privacy scholar Michael Geist, who commented as follows:


“The finding is one of the longest and most detailed in memory as it chronicles not only the complaint and findings but the negotiations with Facebook in addressing the concerns.  In doing so, it represents the most exhaustive official investigation of Facebook privacy practices anywhere in the world.”

Yahoo launches a mobile behavioral opt-out

Kudos to Yahoo for being among the first to offer a mobile behavioral advertising opt-out.  Check out http://www.ypolicyblog.com/


The FTC was clear in its behavioral advertising guidance that consumers should be entitled to opt-out of behavioral ads, regardless of the platform involved.  It is great to see Yahoo take the lead here on behalf of mobile users, as they have done on the Web by adopting standards to quickly anonymize user data.  I am aware of only two other mobile ad companies offering any sort of mobile opt-out – what are folks waiting for?  We are putting together a list of companies doing mobile behavioral advertising, so that interested observers can be aware of developments in this area and can urge others on.  If you are aware of companies offering a mobile opt-out, please comment below.

This Thursday, the Future of Privacy Forum and the Center for Democracy and Technology are hosting a working meeting with companies, industry groups, ad networks and browser companies to seek to advance efforts to improve the general opt-out process.  Email [email protected] if you are a provider interested in this issue.

How close to your actual home is the geo-info companies have about your IP address?

The debate around IP addresses as personal information hinges primarily on the fact that an ISP will usually have the identity of the subscriber assigned an IP address.   So the real issue isn’t really about IP addresses, but rather how to handle information which may be non-personal to one party, but which is linked to personal information in the hands of others.  IP address is one of the more prominent examples of this issue, because it is often the “clue” left behind by someone visiting a Web site, searching, or creating an email account.  But account identifiers that are personal to one company are often shared with others, for example Web analytics companies or ad networks who use this ID to help correlate web log data.  The analytics company or ad network cannot identify the user, but the data is handed back to the client, who may be able to.

Here is how DoubleClick explains it:

DoubleClick’s ad-serving and search products utilize non-PII. Some of our clients may associate PII that you have given them (for example, a customer number, if you have registered at or purchased from their websites), with their advertising campaigns. Although this customer number may be passed from the client to DoubleClick’s ad servers during the ad delivery process, DoubleClick cannot recognize this information as PII and cannot link it to any person.

Let’s get back to IP addresses.  We have posted previously about how most companies do not currently use IP to track users, relying on cookies for this.  They are also needed for auditing, fraud and security purposes and we will post more on that in the future.  But one of the most common uses is to estimate a user’s location for reporting and analytics or for ad targeting.  How well does that work?

Here is a test from one IP geo-look-up site, WhatisMyIPAddress.com.  My home is 60 miles or so away from the location identified.  I am not sure what service they are using for the data; some may be better than this one, which claims as follows:  “Country accuracy is estimated at about 99%. For IP addresses in the United States, 90% accurate on the state level, and 81% accurate within a 25 mile radius.  World-wide users indicate 60% accurate within 25 miles.”

Try it.   How accurate was yours?

Nutrition Label for Privacy Policies by Lorrie Cranor and Carnegie Mellon students

See below for the paper presented at “SOUPS”

a4-kelley.pdf

If You're Going to Track Me, Please Use Cookies | Freedom to Tinker

Professor Ed Felten says that if you are going to track him, please use cookies, because at least he can control them.

I would add to his set of reasons the fact that cookies are unstable and imperfect, and thus a less intrusive and less permanent method than other ways a company might use.  For example, a browser can only hold cookies of a limited size and number, and after that they are overwritten.

Regulating Online Ads – today on the Hill

If you are around DC today, join us for what I hope will be an exciting panel! Some advance thoughts: I suspect that I am personally far less allergic to legislation than some of my colleagues on today’s PFF Regulating Online Advertising Panel.  I do think that effective legislation here will be very difficult, but I think that the Hill staff and FTC staff have done a great deal in the last 2 years to really get up to speed on the technologies, business models, consumer issues and the big picture of the economy and internet eco-system.  I think industry claims that requiring greater control or transparency will break business models, eliminate free content and generally wreak havoc ring hollow.  On the other hand, efforts (legislative or self-regulatory) that focus solely on behavioral ads, deep packet inspection, or specific technologies could easily miss the mark, as business models are already using a much wider range of data.  And a great deal of confusion continues to exist, even within “expert” circles, about how the relevant technologies are used, and I do certainly worry about proposals that would do more harm than good.

Anyway, looking forward to participating with the wise heads listed below and continuing to think this issue through.

Today on Capitol Hill

Regulating Online Advertising:

What Will it Mean for Consumers, Culture & Journalism?

A PFF Congressional Seminar

July 10, 2009

12:00 p.m. to 2:00 p.m.

Room SVC-208

Capitol Visitor Center

1st Street and East Capitol Street, NE,

Washington DC, 20002

Register Online

  • Berin Szoka (Moderator), Senior Fellow and Director of the Center for Internet Freedom, The Progress & Freedom Foundation
  • Howard Beales, Associate Professor, Department of Strategic Management and Public Policy, George Washington University
  • Thomas Lenard, President & Senior Fellow, Technology Policy Institute
  • Jules Polonetsky, Co-Chair & Director, Future of Privacy Forum
  • Mark Adams, Visiting Fellow, The Progress & Freedom Foundation

Proposals to regulate advertising and data collection on the Internet, mobile phones, and interactive television, hold the promise of enhancing consumer privacy.  On the other hand, “smart advertising” allows more relevant advertising to be targeted directly to individual consumers, making markets more competitive, significantly increasing the funding available for creating free content and services, and increasing the effectiveness of all forms of free speech.  So what would regulation cost consumers, and how will it impact journalism and other non-commercial content, which stands to gain the most from better targeting?  What First Amendment questions would regulation raise about the future of culture and political discourse?  These and other pressing questions will be discussed at “Regulating Online Advertising: What Will it Mean for Consumers, Culture & Journalism?,” a congressional seminar hosted by The Progress & Freedom Foundation.

Sign up!

http://www.pff.org/events/upcomingevents/071009-regulating-online-advertising.asp

Privacy Gourmet: Computers, Freedom and Privacy Tutorial on Online Advertising

Doug Miller, the privacy lead at AOL and one of the most genuine people I have ever met, joined me to give a tutorial on the nuts and bolts of online advertising at the Computers, Freedom and Privacy 2009 Conference.  Doug has been kind enough to post the charts he and his team prepared.  Check them out at AOL’s Privacy Gourmet blog.

A cookie is a cookie and an IP address is an IP address

MediaPost Publications What Do BT And Copyright Infringement Have In Common? 07/08/2009.

Cookies, not IP addresses as claimed in the above article, are today used for behavioral tracking. IP addresses are used by ad networks for geo-targeting, for anti-fraud and auditing, and in some cases for presuming the type of company the user is coming from. They are not currently the basis for behavioral ad targeting at any major ad network or behavioral company. In fact, some behavioral ad companies in Europe very quickly delete IP addresses, or do not log them at all, in order to better comply with local law. Not saying there is no privacy issue with behavioral ads, as there certainly is – but it is the tasty HTTP cookie that is at the center of this issue.  Not saying there aren’t some new emerging business models focused on IP addresses, but this wasn’t the issue with PHORM.  There has been plenty of ink already devoted to the privacy issues around the ISP behavioral model that PHORM championed, so I don’t intend to get into that here, but one of the points that the PHORM crew made in support of their model was that they didn’t keep IP addresses, while much of the rest of the industry did log and retain IPs.

Quite a muddle, so what is the lesson? Delete IP addresses quickly.  Do so primarily because you don’t really need them long term and because they are a sensitive piece of data.  Debate all day whether they are personal data or not, but clearly they are more of a hot potato than other data you hold because it can be linked to a user by law enforcement or a cooperating third party.  Ask your ad network why they need to retain IP addresses of your visitors for the long term. Note that Yahoo deletes IP addresses after 6 months and some analytics vendors will eliminate the IP immediately – with no business impact.

The second reason to delete those IP addresses after a short term is that all sorts of people suspect you are doing funky things with them that you aren’t even doing!
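One way to act on the advice above (delete IPs quickly, keep only what geo-reporting and fraud checks need), as an added example that is not code from the original post or from Yahoo or any vendor mentioned here: a small Python log-ingest step that never writes a raw address. It stores a coarse network prefix for location reporting and a keyed, per-day visitor token for de-duplication and fraud auditing, and throws the per-day key away after a short window so the tokens can no longer be tied back to an address. The log format, field names, sample lines and the retention window are constructed assumptions.

```python
"""Added example (not from the original post or any vendor named in it):
scrub raw IP addresses at collection time, keeping a coarse prefix for
geo-lookup and a short-lived keyed token for fraud/audit de-duplication.
Log format, field names, sample lines and retention window are constructed."""
import hashlib
import hmac
import ipaddress
import secrets
from datetime import date, timedelta

# Constructed sample access-log lines, "<ip> <date> <path>", using documentation ranges.
SAMPLE_LOG = [
    "203.0.113.45 2009-07-08 /index.html",
    "203.0.113.45 2009-07-08 /ads/click",
    "2001:db8:85a3::8a2e:370:7334 2009-07-08 /index.html",
    "203.0.113.45 2009-07-09 /index.html",
]

RETENTION_DAYS = 2  # constructed window; set it to what the fraud/audit process needs


def truncate_ip(ip_text):
    """Coarsen an address to its network prefix: /24 for IPv4, /48 for IPv6.
    That is enough for country/region reporting but no longer points at one
    subscriber line."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


class IpScrubber:
    """Replaces raw IPs before anything is written; only scrubbed records leave here."""

    def __init__(self, retention_days=RETENTION_DAYS):
        self.retention = timedelta(days=retention_days)
        self._day_keys = {}  # date -> random HMAC key, deleted once the window passes

    def linkable_days(self):
        """Days whose per-day key, and therefore IP linkability, still exists."""
        return [d.isoformat() for d in sorted(self._day_keys)]

    def _key_for(self, day):
        # Expire keys whose window has passed. Once a key is gone, nobody (including
        # the site operator) can recompute the tokens it produced from an address.
        for old in [d for d in self._day_keys if day - d >= self.retention]:
            del self._day_keys[old]
        return self._day_keys.setdefault(day, secrets.token_bytes(32))

    def scrub(self, line):
        """Turn one raw log line into a record that contains no raw IP address."""
        ip_text, day_text, path = line.split(" ", 2)
        day = date.fromisoformat(day_text)
        token = hmac.new(self._key_for(day), ip_text.encode(), hashlib.sha256).hexdigest()
        return {
            "prefix": truncate_ip(ip_text),  # coarse location only
            "visitor": token[:16],           # same IP on the same day -> same token
            "day": day_text,
            "path": path,
        }

    def scrub_all(self, lines):
        return [self.scrub(line) for line in lines]


if __name__ == "__main__":
    for record in IpScrubber().scrub_all(SAMPLE_LOG):
        print(record)
```

The prefix alone is the stricter choice and matches what the post says some analytics vendors already do; the per-day token is there only for the anti-fraud and auditing uses the post mentions, and its usefulness (and its risk) ends when the key is deleted.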

It is Official! No one is in charge of my retinal scan!

Feds announce that Clear Pass data ain’t their problem.

Stay on this one, Marc Rotenberg!

Fate of Registered Traveler data up in air after vendor quits program — Federal Computer Week.

One more reason the US needs a Chief Privacy Officer is that there is so much that falls within the cracks of jurisdiction.  Data is the lifeblood of government and of commercial activity, but without someone “owning” the overall responsibility for a national strategy around respect for individual data, we will face a thousand nicks and cuts that weaken trust in the system.  Peter Swire served admirably as White House Counselor for Privacy during the Clinton administration from his seat at OMB.  A similar role today, chairing a CPO Council from the agencies as CDT and others have suggested, is critically needed if privacy battles are not going to overhang future efforts to move forward on dozens of areas that require robust but respectful use of data to succeed.

Geolocation API Specification

Excellent to see that Alissa Cooper, CDT Chief Scientist, is involved with the development of this important Geolocation API spec at the W3C.

Geolocation API Specification.