IAPP Privacy Academy

Chris will be moderating a panel at the IAPP Privacy Academy, “Into the Breach: Dealing with the Aftermath of a Data Breach” in Boston, MA.

September 18, 2009

11:00am – 12:00pm

FOSI: "Wednesdays with Winston"

A “Brown Bag” lunchtime program where we will learn what’s happening with online safety at the Federal Trade Commission (FTC) and what these developments may mean for your business.

Attendees will hear from a panel of industry experts on updates from COPPA, behavioral advertising and other issues affecting online safety and privacy followed by an interactive roundtable discussion.

August 26, 2009

12:00pm – 1:30pm

Womble Carlyle’s Office

1401 Eye Street, NW

7th Floor

Washington DC, 20005

Gallery of Leading Practices

In order to encourage companies to further develop innovative means of communicating with their users about data use and behavioral advertising, The Future of Privacy Forum highlights the following companies for taking the lead in providing transparency and control to their customers. If you are aware of other companies that deserve a “cheer”, please let us know by commenting or emailing us at [email protected].

FPF's Reply Comments to the White House Cookie Policy

The Future of Privacy Forum is providing the below suggestions to offer a roadmap for enabling the use of analysis, site optimization and tracking technologies by government agencies. Personalizing site content for users who wish to have a setting remembered, enabling long term shopping carts and capturing analytics information over time to improve site usage are key to providing the public the best possible web experience.

With regard to the use of analytics tools in particular, we note the deep reliance of public and private sector web managers on these technologies to understand the basics of web site performance, such as unique users, the ability of users to navigate to the content they seek, and the usability of a web site in general.

Click here to view the full comments.

Study on the Business Case for Proactive Privacy Protection Ongoing in UK

The UK Information Commissioner’s Office recently announced that it has commissioned a three-month research project to support the business case for investing in proactive privacy protection. The discussion document will be available here on August 14, 2009, and there will be an opportunity to provide feedback online. More details can be seen at this link. It will be interesting to see whether the same business incentives for privacy protection that are commonly acknowledged in the US are those that will be recognized in the UK — ethics, customer and public goodwill, avoidance of legal liability, forestalling further government regulation, efficiency, and contribution to the bottom line.

FPF’s Reply Comments to the Federal Websites Cookie Policy

The Future of Privacy Forum is providing the below suggestions to offer a roadmap for enabling the use of analysis, site optimization and tracking technologies by government agencies. Personalizing site content for users who wish to have a setting remembered, enabling long term shopping carts and capturing analytics information over time to improve site usage are key to providing the public the best possible web experience.

With regard to the use of analytics tools in particular, we note the deep reliance of public and private sector web managers on these technologies to understand the basics of web site performance, such as unique users, the ability of users to navigate to the content they seek, and the usability of a web site in general.

To provide just one example of the substantial public benefit that is enhanced by the use of cookies, consider the following: Government web sites may contain important information that users need, but if these web pages aren’t easily found in search results or can’t be found easily from the home pages of relevant government sites, this information is effectively unavailable to most users. Using analytics tools to understand how users succeed or fail in accessing content, and refining steps to “surface” this content, is a valuable public benefit of cookie use. Although this function and some others can be achieved with the use of session cookies, persistent cookies provide a more comprehensive view of activity over time that adds to the web manager’s understanding of site usage. Other uses are significantly dependent on the use of persistent cookies specifically. For example, providing an assessment of the number of unique users of a web site and usage growth over time is reliant on the use of an identifier that will persist over the relevant time period.

These functions are currently limited by various approval requirements, including the need that a “compelling purpose standard” be met. As a result, agencies may end up either forgoing the use altogether, or seeking approval without establishing the additional controls needed to ensure these technologies are used in the most privacy friendly manner.

We provide below practical guidelines that could enable the use of cookies to better serve the public as desired by many government web managers. Some of these concepts are already in place at some of the most progressive private sector companies, and government leadership in this area would spur wider adoption of these practices that both optimize the user experience and ensure privacy and transparency in data use.

We are deeply cognizant of the privacy issues raised by the use of cookies when the public sector is involved. We note that the most significant issue often raised – will government be able to identify users who believe they are anonymous – is one tied not to cookie use, but rather to the retention of user IP addresses in log files.

Although cookies may assist in correlating various IP addresses logged over time, the essential link to an identifiable individual (in the hands of a government enforcement agency or via other legal process to force such identification) is the logging of the user’s IP address. We believe that implementing narrow retention terms for such data, as we propose below, is essential for addressing this concern.

The secondary privacy issue of concern when the public sector uses cookies is related to the ability of cookies to be used to aggregate data about one browser’s activity at a government site in order to analyze that user’s activity over time or to treat that user differently than others. We propose that, other than in circumstances where a user expressly consents, public sector web managers should only make end use of cookie related data in the aggregate. For example, using unique persistent cookies over time will allow individual logging and correlation of site usage, but commonly used reporting tools provide web managers the needed aggregated reporting information for their use. Other than for limited technical troubleshooting purposes, access to log-file level information should be restricted to uses that provide aggregate reports, as opposed to individual profiles.

Similarly, other than with a user’s express consent (for example asking a user whether certain content should always be presented to the user first upon return visits, or a user’s preference for a certain language or format), a user’s passive interaction with a government site should not be used to treat individual users differently than others. It would be appropriate to conduct an analysis of individual cookie/log file data in order to produce a summary report indicating that users entering a government site after clicking through via a search result provided by a search engine end up navigating through content that isn’t what they are seeking, before they are able to find the relevant content they want elsewhere at the web site. An effective web manager might use this information to optimize web pages containing the content of interest so that links to it appear to users seeking this material at search engines, or they might make this content easier to access from the homepage. But using cookies to store profiles of individual users to analyze their interests and tailor the content they are shown should not be permitted without express user consent. (Contextually providing links to other content, for example offering a user “additional articles relevant to this article”, should be appropriate. Providing “additional articles relevant based on articles you have viewed today and on prior visits” should be allowed only with prior express consent.)

We propose that the current restrictions on cookies and similar technologies be revised. In their place should be requirements that establish leading practices for the use of such technologies.

Ensuring that Interactive Tools used by Government Provide Users with Enhanced Transparency and Controls for Data Collection and Retention

Analytics, Research or Others Using Cookies, Tracking Pixels or Other Tools

Restrictions that should always apply:

1. Delete log-files after a defined limited period of time. It may be useful to note here that industry in this area has increasingly been sensitive to the risks of long term retention of log file level data. Just several years ago, not a single major search engine, ad network or analytics company had a formal retention policy in place. Today, despite the commercial desire to maximize product features and profits, many have recognized the privacy and data breach risks and have established practices which delete or minimize data after certain periods. See, for example, the policies of Yahoo and Google which require data anonymization of some degree at 3 months and 9 months, respectively.

2. Cookies should have limited expiration periods and should not be used to store personal information unprotected or without user consent.

3. IP addresses logged by vendors should be obscured or deleted as soon as possible.

4. The use of the tools and user options should be transparent and prominently explained.

5. Only “first party” domains should be used, rather than “third party” domains, to avoid potential for unwanted correlation across unrelated Web sites.

6. Domains used for cookie setting should be obvious, so that users examining their browser cookies files can understand who set the cookie and its uses. For example, analytics.whitehouse.gov is transparent to users, but 306fn.whitehouse.gov is not. Additionally, information should be posted at analytics.exampleagency.gov which describes the particular agency’s use and privacy practices related to the cookie and other log information of such a sub-domain.

7. Due to the fact that privacy enhancing choice mechanisms for non-cookie tracking mechanisms are so limited and are practically unknown by most users, Flash cookies and other tracking methods should not be used until web browsers are able to provide users the means to block or delete these from within the browser.

8. Contracts with vendors should include representations that bar the use of data for purposes other than the contracted services and aggregate reporting.

Restrictions applicable for non-unique cookie identifiers:

No additional restrictions need to be applied when the cookie ID used doesn’t indicate an individual user. Examples include both passive setting of such an ID and active selection by the user.

Restrictions applicable for unique identifiers that expire at the end of a session:

No additional restrictions need to be applied when the cookie ID used doesn’t indicate an individual user. Examples include both passive setting of such an ID and active selection by the user.

Restrictions applicable for unique identifiers that are persistent:

If the user actively chooses to accept the cookie after a description of the permitted use and a clear expression of consent, no additional restrictions apply.

If passively set, the following additional restrictions apply:

a) Home Page: Notice should be provided via a home page notice such as: “Cookies and other technologies are used to analyze how users navigate this site. Click here for options.”

b) Opt-out: Users should be able to maintain their current browser settings and select a one click option to prevent the setting of a unique persistent identifier. As former and current FPF Advisory Board members Professor Peter Swire and Professor Annie Anton and others have written, available tools supported by web browsers are inadequate for this purpose.

c) Priority should be given to implementations that improve on the current opt-out options. Opt-outs should be set to persist for a minimum of 5 years or longer so that they do not expire during the expected lifetime of a user’s computer.

i. Standard browser handling of the opt-out cookie – today opt-out cookies are regularly deleted by users who aren’t aware that doing so reverts their opt-out choice, and they are often removed by anti-spyware tools.

ii. Browser plug-in handling of the opt-out cookie – enhanced options available today include “TACO”, the Google opt-out browser plug-in and other downloads under development that assist in maintaining opt-outs. Yahoo and Microsoft have options that enable authenticated users to maintain opt-outs from those companies. Although these options are an advance over the prevailing practices, they depend on users taking additional actions to download additional programs or to authenticate.

iii. Potential “opt-out header” development – The Future of Privacy Forum has coordinated discussions among advocacy groups, browser developers and companies about easy to use browser supported options that would be more stable than the current options. Although TACO already includes, or will soon include, a basic version of an “opt-out header” in its Firefox plug-in, consensus among browser companies, developers, industry and advocates about how such a feature would best be presented or interpreted does not yet exist.

Government support in this area, by including a contracting preference for vendor proposals that include improvements for opt-outs, could spur privacy technology developments for both public and private sector users.

Tracking across government domains – there may be some limited circumstances where government domains interact in a manner that calls for analysis across certain domains. For example, it may be useful to understand which government domains are succeeding in bringing users who go on to provide comments at the Open Government blog. Such use should require additional approval and may warrant more limited retention periods to avoid the potential for collection and aggregation of a wider range of user interaction with government.

We conclude by noting that although some of these proposals may be useful for the private sector, we raise these specifically for the public sector because of the much greater privacy implications of data collection and use by government. Many private sector uses of cookies are intended to support functionality, analysis and the data use needed for the advertising revenue that supports the services. We highlight many of the leading practices of the private sector at the Leading Practices Gallery at fpf.org and we urge other companies to seek to implement those advances where relevant.
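As an added example (not FPF’s own tooling and not part of the comments), the following Python audits Set-Cookie headers and access-log lines against restrictions 2, 3, 5 and 6 above and the 5-year opt-out persistence requirement in c). Assumptions not stated in the comments: the opt-out cookie is named `optout`, a passively set unique ID is capped at two years (a figure chosen for the example), an “obvious” sub-domain is a plain-word label, and IP obscuring means zeroing the last IPv4 octet.

```python
"""Audit Set-Cookie headers and access-log lines against the cookie practices
proposed above. Added example, not FPF's tooling; thresholds and names marked
'assumed' are choices made for illustration."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

FIVE_YEARS = 5 * 365 * 24 * 3600      # opt-out persistence floor stated in c)
ID_COOKIE_CAP = 2 * 365 * 24 * 3600   # assumed lifetime cap for a passively set unique ID
OPT_OUT_NAME = "optout"               # assumed name of the one-click opt-out cookie
PLAIN_LABEL = re.compile(r"^[a-z]+(?:-[a-z]+)*$")     # "analytics" passes, "306fn" does not
EMAIL_LIKE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)
LEADING_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.\d{1,3}\b")


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def registrable(host: str) -> str:
    """Last two labels of a host; fine for .gov names (assumes no multi-label suffixes)."""
    return ".".join(host.lower().lstrip(".").split(".")[-2:])


def lifetime_seconds(cookie: Cookie, now: datetime) -> Optional[int]:
    """Seconds until expiry, or None for a session cookie. Max-Age wins over Expires."""
    if "max-age" in cookie.attrs:
        return int(cookie.attrs["max-age"])
    if "expires" in cookie.attrs:
        expires = parsedate_to_datetime(cookie.attrs["expires"])  # tz-aware for "GMT"
        return int((expires - now).total_seconds())
    return None


def check_cookie(cookie: Cookie, served_from: str, now: Optional[datetime] = None) -> List[str]:
    """Return one finding per restriction the cookie breaks; empty list if clean."""
    now = now or datetime.now(timezone.utc)
    findings = []
    # Restriction 5: only first-party domains
    domain = cookie.attrs.get("domain", served_from)
    if registrable(domain) != registrable(served_from):
        findings.append(f"{cookie.name}: set for third-party domain {domain}")
    # Restriction 6: the setting sub-domain should say what it is
    label = served_from.split(".")[0].lower()
    if not PLAIN_LABEL.match(label):
        findings.append(f"{cookie.name}: opaque sub-domain label {label!r}")
    # Restriction 2: no unprotected personal information in the value
    if EMAIL_LIKE.search(cookie.value):
        findings.append(f"{cookie.name}: value looks like personal information")
    # Restriction 2 and c): limited expiry for IDs, long persistence for the opt-out
    life = lifetime_seconds(cookie, now)
    if cookie.name == OPT_OUT_NAME:
        if life is None or life < FIVE_YEARS:
            findings.append(f"{cookie.name}: opt-out must persist at least 5 years")
    elif life is not None and life > ID_COOKIE_CAP:
        findings.append(f"{cookie.name}: lifetime {life}s exceeds the {ID_COOKIE_CAP}s cap")
    return findings


def obscure_ip(log_line: str) -> str:
    """Restriction 3: zero the last octet of the leading IPv4 address in a Common
    Log Format line. IPv6 lines are returned unchanged by this example."""
    return LEADING_IPV4.sub(r"\1.\2.\3.0", log_line, count=1)


# Constructed sample headers (host the cookie was served from, Set-Cookie value).
SAMPLE = [
    ("analytics.exampleagency.gov",
     "_uid=7f3a9c; Domain=.exampleagency.gov; Path=/; Max-Age=63072000; Secure; HttpOnly"),
    ("analytics.exampleagency.gov", "optout=1; Path=/; Max-Age=157680000"),
    ("306fn.exampleagency.gov",
     "track=user@example.org; Domain=adnetwork.example; Max-Age=315360000"),
    ("www.exampleagency.gov", "lang=en; Path=/"),
]


def audit(samples=SAMPLE, now: Optional[datetime] = None) -> Dict[str, List[str]]:
    """Map each sample cookie name to its findings."""
    return {parse_set_cookie(h).name: check_cookie(parse_set_cookie(h), host, now)
            for host, h in samples}
```

Running `audit()` on the constructed samples flags only the `track` cookie (third-party domain, opaque sub-domain, e-mail in the value, ten-year lifetime); the two-year `_uid`, the five-year `optout` and the session `lang` cookie pass.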

Jules Polonetsky

Christopher Wolf

Future of Privacy Forum

fpf.org


Address Consumer Concerns about Behavioral Ads or the Browser Developers May Do It For You, Real Soon.

To support our point that businesses should worry about the consumer view of behavioral advertising as much as they worry about legislative activity, have a look at CDT’s update on the current browser privacy controls available to users. Healthy browser competition over the last few years has made privacy an increasingly prominent feature for browser developers. Although the options are still a bit too much trouble for many average users, they are becoming increasingly visible and easier to use. If businesses don’t succeed in satisfying consumer concerns about behavioral ads, the browser companies may just decide to solve it for them. Some assume that because some of the companies developing browsers are also in the advertising business, these privacy features will never become too effective. Yet others can easily imagine circumstances where being a privacy leader and ensuring success in being the leading platform for web based applications could trump behavioral ad interests. What do you think? Before answering, have a look at the “block list” of third party ad servers and analytics companies ready to be activated on your Internet Explorer 8 browser. If you don’t remember creating a list of servers that you didn’t want your browser to contact, be aware that IE 8 has conveniently assembled this for you as you were browsing in the normal default mode. Click to turn it on and no more behavioral ads for you.


Time to go – iTunes is nagging that it needs an update. Oh, look at that, the update includes a copy of the Safari browser for our Windows PC, automatically set by Apple to block third party cookies by default.

Future of Privacy Forum Reply Comments on the Report to NIST on the Smart Grid

Comments on the Report to NIST on the Smart Grid Interoperability Standards Roadmap

Time Will Tell…

What a difference six months makes! Six months ago, the staff of the Federal Trade Commission released a set of proposed principles to guide the development of self-regulation in online behavioral advertising, which it described as an “evolving area”. Industry groups reacted by agreeing to a set of principles focused around ensuring that all behaviorally targeted ads carry a label leading to a behavioral advertising notice and a link to allow users to opt out. Many privacy advocates responded by renewing their call for national privacy legislation. At the Future of Privacy Forum, we felt strongly that regardless of self-regulation or legislation, work needed to be done to figure out how companies that wanted to be transparent about behavioral ads could do so in a way meaningful to users. Together with WPP and a number of other leading companies, we launched an initiative to develop effective messages to communicate with users about online data use and hope to be able to provide an update on our work before too long.

When announcing the principles, the FTC referenced years of study and workshops and said “The purpose of this proposal is to encourage more meaningful and enforceable self-regulation to address the privacy concerns raised with respect to behavioral advertising.” In developing the principles, FTC said its staff was “mindful of the need to maintain vigorous competition in online advertising as well as the importance of accommodating the wide variety of business models that exist in this area.” The FTC explained: “The proposed principles acknowledged that behavioral advertising provides benefits to consumers in the form of free content and personalized advertising but noted that this practice is largely invisible and unknown to consumers.”

A piece in today’s New York Times reports that the new head of the Bureau of Consumer Protection at the Federal Trade Commission, David Vladeck, has embarked on a “broad mission to redefine how the Commission look[s] at online privacy” and that he has “outlined plans that could upset the online advertising ecosystem”. At the same time, the article reports Mr. Vladeck as saying “We’re not committing ourselves to imposing regulation. What we would like is to figure out useful tools and a more comprehensive way of looking at privacy protections that may obviate the need for rules.” Still, he observed that “Privacy policies have become useless, the commission’s standards for the cases it reviews are too narrow, and some online tracking is ‘Orwellian.’” And he is reported to have said he would consider “requiring sites collecting personal data to get consumers’ assent whenever they visit the site (an “opt-in”).” He continued: “Let people vote with their feet. If the marketers are right, and the consumers like behavioral advertising, then it should be no big deal.”

Recall that in the February report, the FTC staff was careful not to suggest that opt-in is the new paradigm, writing “Every Web site where data is collected for behavioral advertising should provide a clear, consumer-friendly, and prominent statement that data is being collected to provide ads targeted to the consumer and give consumers the ability to choose whether or not to have their information collected for such purpose” (emphasis supplied). Thus, the door was open to effective opt-outs as well as opt-in.

But, six months later, based on the New York Times report of its interview with Mr. Vladeck, online advertisers may be dealing with a regulator that believes that “opt-in” is the new required default. Time will tell. But we continue to believe that the regulatory and legislative environment should not be the only reason that companies should be seeking to innovate around the ways they communicate to consumers about how data is used. As more and more information is used, across platforms and devices, we are heading for a day when behavioral advertising will either feel incredibly intrusive to users – or it will be valued and appreciated as a relevant and personalized experience. If industry focuses on meaningfully engaging users and ensuring that the experience is transparent, profits and personalization are surely possible. If behavioral advertising continues to be largely invisible to most users, regulatory stress is certain to continue and soon we will see consumers voting with their feet.