If you really want to understand the FTC today, read this post by Rebecca Tushnet

Although coverage of the ABA Conference remarks of the new Consumer Protection Director at the FTC (raising the need for a new paradigm for privacy regulation) got my attention, I didn’t get a chance to catch up on full coverage of the panel until today. Check out Professor Rebecca Tushnet’s blog for great coverage of the insightful conversation about the FTC, its jurisdiction and activities.

Rebecca Tushnet’s 43(B)log: ABA Consumer Protection Conference, part 1.

Court: IP Addresses Are Not 'Personally Identifiable' Information

Media Post

By Wendy Davis

July 6, 2009

In a ruling that could fuel debate about online privacy, a federal judge in Seattle has held that IP addresses are not personal information.

“In order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer,” U.S. District Court Judge Richard Jones said in a written decision…

Jules Polonetsky quoted:

Jules Polonetsky, co-chair and director of the think tank Future of Privacy Forum, adds that many sites with older privacy policies maintain that they don’t collect personally identifiable information, but log IP addresses. “For many years, people just threw around the term ‘personal information,’” he says. “They didn’t pay attention to account IDs in the hands of third parties, IP addresses — other types of information that, with some effort, could become identifiable.”

Polonetsky says that companies today are rewriting privacy policies to more carefully define their terms, adding that many in the industry now view IP addresses as more sensitive than completely random data.

MediaPost Publications Court: IP Addresses Are Not 'Personally Identifiable' Information

MediaPost Publications Court: IP Addresses Are Not ‘Personally Identifiable’ Information 07/07/2009.

Snip… “Jules Polonetsky, co-chair and director of the think tank Future of Privacy Forum, adds that many sites with older privacy policies maintain they don’t collect personally identifiable information, but log IP addresses. ‘For many years, people just threw around the term personal information,’ he says. ‘They didn’t pay attention to account IDs in the hands of third parties, IP addresses, other types of information that, with some effort, could become identifiable.’

Polonetsky says that companies today are rewriting privacy policies to more carefully define their terms, adding that many in the industry now view IP addresses as more sensitive than completely random data.” …

— Let’s quit debating whether IP addresses are PII. Let’s just agree that they are more significant than some less personal information and arrange to not log them when we don’t need to, or let’s obscure or delete IP addresses at an earlier date. For example, consider Yahoo’s example – they anonymize search and adserving logfiles, deleting IP addresses, after 6 months (and it doesn’t appear to have shut down their business). Others retain for 9 months or a year, but many don’t yet have public policies around such data retention. Time for everyone else to follow.

TACO recommended by Consumer Reports

Online privacy: New tool makes it easier to hide your tracks: Consumer Reports Electronics Blog.

Chris Soghoian’s TACO opt-out tool continues to pick up steam. Kudos to our friends at Lotame who include TACO in their opt-out offered to users, one of the only ad networks to do so.

The Ethicist – A Facebook Teaching Moment – Question – NYTimes.com

From the NY Times.

“Strictly speaking, when these students gave her access to their Facebook pages, they waived their right to privacy. But that’s not how many kids see it. To them, Facebook and the like occupy some weird twilight zone between public and private information, rather like a diary left on the kitchen table. That a photo of drunken antics might thwart a chance at a job or a scholarship is not something all kids seriously consider. This teacher can get them to think about that.

She might send e-mail messages to transgressing students, noting their misdeeds and reminding them of their vulnerability. Or she could address her entire class, citing (anonymous) examples of student escapades.”

— We read this smugly and think kids are silly, we know better, especially us responsible business people.  But I am aware of some experts who do “anti-trust” training, and then follow up by having the company scan the stored emails of senior execs.  They pull out all kinds of scandalous comments made on email by the execs – we will crush them in the market etc.  Only then do the execs grok the fact that the emails they write, even casually, can and will be used against them if turned over in an anti-trust suit.  Why do we expect teens to be savvier than smart tech businesspeople?

Huge news about your Social Security number!

Our friend Professor Alessandro Acquisti has published his paper showing how it is possible to predict Social Security numbers with a high degree of certainty, if your date of birth and location of birth are known. When Alessandro presented an early draft of his paper at the 2008 Privacy Law Scholars Conference at GWU School of Law last year, he had the audience floored. Now that he has released it, the implications for any company or agency still using Social Security numbers as a user ID or a password are significant. This is big news!

July 2, 2009 – New BT Principles May Not Go Far Enough To Stop Regulation, MediaPost News

Full IAB-DMA-AAAA-ANA Behavioral Advertising Agreement Documents

The principles agreed to by the trade groups are available here.

IAB-DMA-AAAA-ANA Behavioral Advertising Principles

Future of Privacy Forum Statement Regarding Industry Behavioral Advertising July 2 Agreement

The entire industry reaching agreement on the need to get more information to users beyond the limits of a privacy policy is a significant advance. But to ensure that this will be a true step forward for consumers, companies will need to consider these rules a starting point and not a finish line, and they need to ensure that the required notice is a meaningful communication clearly advising consumers that their web experience is being tailored for them. The credibility of this effort will be determined by whether this notice is only a barely visible disclaimer or whether it is really a good faith effort to educate users about a key feature. We look forward to providing input based on the results of research we have underway and to working cooperatively to make this effort a success.

There are some issues we think need to be addressed by the trade groups or by the enforcement and monitoring groups that will be involved. These would include the following: Further expand the definitions of sensitive data to cover clickstream profiles based on searches for sexual terms or for sensitive diseases, ensure that activities like re-targeting are expressly included, establish specific data retention limits for web surfing profiles and include requirements to show users their profiles. We will have a more detailed assessment of additional items needed in a report we provide on Thursday.

We also urge the browser companies to support the industry efforts by making advances on fixing the current unstable opt-out cookie process.

We have also participated in detailed discussions with TRUSTe about their plans for a behavioral advertising program and look forward to their efforts in this area.

Overall, this is a very significant step towards bringing data use out of the shadows.  Getting the entire set of actors in the advertising ecosystem pulling in the direction of more consumer control could be an important turning point towards improved privacy practices.

New Facebook Privacy Changes

Click on the below presentation to have a good look at the new Facebook privacy changes.  Generally positive, in that Facebook will put all the privacy settings in one place and eliminate regional networks.  So many users thought their profiles were open only to friends, but were in a regional network where default settings left items like photos open to all 10 million people in the region.  I also like that users will be able to decide who should see items at the time they publish or share them.

Note, however, that the new defaults make more information in new profiles public by default, and ask current users to update their settings to make some basic information public – such as your hometown, religion, marital status etc. Facebook explains that this is to help users better find each other. I get that, because the other day I was looking through 25 profiles of someone with a common name and couldn’t figure out which was my old pal. (Pics were of dogs, kids, mountains or no pic! … hometown and religion would have been a good clue!) I am pleased that they do not make birth date public in the new flow; that would surely annoy some of my friends and family who are touchy about their age. One piece of advice for users – hide your hometown; too many companies use it as your security question.

Facebook’s Complete Privacy Presentation.

Here is what I said to the AP.

“They are learning how to listen carefully to their users,” said Jules Polonetsky, co-chairman and director of the Washington-based Future of Privacy Forum and former chief privacy officer at AOL. He added that Facebook has learned from the past that suddenly making big changes, whatever they are, has not been the most effective approach.

“To be lots of things to lots of different kinds of people,” Polonetsky said, Facebook needs to give its users, who come from different cultures, age groups and career levels, more control over what they share on the site.