"Do Not Track" – Update

Some Background Notes on Do Not Track – in  Advance of the Future of Privacy Panel and the Energy and Commerce Hearing

Today’s Wall Street Journal article by Julia Angwin focuses on the upcoming “Do Not Track” events taking place this week, including the FPF program on Wednesday, and provides some background on recent developments.  To further brief those of you attending in person or by phone, we thought it would be useful to provide an overview that captures the incredible flurry of advances in this area.  Although there are improvements that are still critically needed, there has been tremendous progress in this area and a host of innovations are just beginning to emerge.  We hope the attention from the FTC, the Hill, the media, and the advocacy community will encourage the next steps needed to advance meaningful consumer controls and will support responsible advertising data uses.

Industry Efforts

Every behavioral targeting company already offers web surfers the option to opt-out of the tracking cookie used to tailor advertising across web sites.  This opt-out relies on the web surfer clicking to accept an opt-out cookie which is generic and ensures a profile isn’t built based on the web sites that are visited.  The Network Advertising Initiative and now the joint coalition of industry groups now known as the Digital Advertising Association provide a central location where web surfers can go to opt-out of most ad networks.  Shortly, companies involved with behavioral advertising will be providing an icon alongside targeted ads, leading users to www.aboutads.info, the DAA’s central opt-out location.  However, the opt-out cookie is deleted when users clear their cookies, tossing them unknowingly back into the ad targeting pool.

When Google launched its behavioral advertising network, it created a browser plug-in that users could download to “protect” their opt-out cookie from deletion.  Chris Soghoian created TACO, a Firefox plug-in which would opt-out a user out of most ad networks by collecting the needed opt-out cookies and protecting them.  Lotame began offering users TACO, in addition to the standard cookie opt-out. Online privacy company Abine has purchased TACO and incorporated it into a free suite of comprehensive consumer privacy tools.  The NAI now offers a download that will protect the opt-out cookies set by its members. Better Advertising is providing a program and process for managing and ensuring opt-outs and overall behavioral policy compliance for the Digital Advertising Association and its Ghostery browser download offers users transparency and detailed controls over cookies plus other tracking methods. TRUSTe offers enhanced an enhanced opt-outs via its program and PrivacyChoice offers an option that can be implemented via a toolbar bookmarklet.  PreferenceCentral offers a centralized opt-out manager tool which also allows users to centrally manage multiple profiles that are created by ad networks.

Advocacy Efforts

In November 2007, a number of advocacy groups led by the World Privacy Forum propose that the FTC create a do not track list by requiring any advertising entity that sets a persistent identifier to provide the domain names of their servers to the FTC.  Consumers would then download this list and use browser plug-ins to ensure those domains did not track them.

Progress

In 2010, the Center for Democracy and Technology and the Future of Privacy Forum held a number of meetings with companies, trade groups, browser companies and advocates focused on improving the opt-out process.  Ideas discussed include plug-ins and the use of an opt-out header that could replace the opt-out cookie.

Policymakers

In 2010, policymakers began expressing support for the general concept of a Do Not track mechanism.  The FTC is expected to advance support for Do Not track in its upcoming privacy report, while the Department of Commerce takes a broader approach in calling for a general Fair Information Practices privacy law.

On Wednesday, FPF convenes a panel of key stakeholders to examine what the different concepts of “Do Not Track”actually are and to discuss questions such as:

                Does government need to play a role or can industry and technology address the concerns?

                Is an Opt-Out or Do Not Track header a feasible replacement for the opt-out cookie?

                Are browser plug-ins or other opt-out managers a potential solution?

                Are there options that continue to enable ad supported content, but give users more control?

At the panel, audience marketing platform provider Lotame Solutions will discuss the improved transparency and consumer choice options afforded by the host of new privacy management tools being introduced by industry groups and independent players, and the risks for consumers and businesses in trying to construct a government-sponsored “Do Not Track” mechanism.  Mozilla  will address future plans for privacy in the Firefox browser.  Technologists, experts and advocates including CDT, Consumer Action, ITIF, Chris Soghoian and Arvind Narayanan will discuss technical and legal paths forward.

Most importantly, kick-off speaker Danny Weitzner of the Department of Commerce/NTIA will help us focus on the bigger picture privacy issues that need to be the lead focus for those who want to see progress in the upcoming year!

 In person seating at the event is filled, but email [email protected] for dial in details.

On Thursday the Energy and Commerce Committee will hold a hearing on Do Not Track and is expected to hear from witnesses including FTC Consumer Chief David Vladeck, TimeWarner Cable, Symantec, Prof Eben Moglen, Susan Grant, Dan Castro of ITIF and others.

FPF Do Not Track Resource Page

http://fpf.org/2010/11/17/do-not-track-resources/

Jules Polonetsky/ChristopherWolf views

A government created Do Not Track list is not a practical solution for advancing online consumer controls.  Recent progress by companies in providing users with access to profiles and the ability to edit  or delete their ad preferences is a far more useful path and should be encouraged.  Companies and technologists can deliver on the goals of “Do Not Track” by improving the current imperfect cookie based opt-out process.  Moreover, certain existing laws can bolster the effectiveness of new technologies designed to empower consumers.  Once consumers choose not to be tracked, companies that ignore those wishes do so at their legal risk. Note: Other panelists at the FPF event will present a range of diverse views.  The opinions of Chris and Jules are not necessarily representative of the position of supporters or advisory board members of the FPF.

Hiding Online Footprints

FPF was featured in The Wall Street Journal article, “Hiding Online Footprints.”

Read the full story here.

FPF to host event, "Do Not Track" Demystified

FPF will host an expert event entitled, “Do Not Track” Demystified. The discussion comes on the eve of a Congressional hearing to examine the need and feasibility of a federal law to control the tracking of consumers’ online activity for marketing and analytic purposes. This program will examine the role of technology in empowering consumers to control online tracking and whether there is a need for a new legal framework.

When: Wednesday, Dec. 1

Time: 2 p.m. until 4 p.m. EST

Panelists:

Daniel Weitzner, Associate Administrator, NTIA, Dept of Commerce

Jules Polonetsky, Future of Privacy Forum Co-Chair

Christopher Wolf, Future of Privacy Forum Co-Chair

Chris Soghoian, Indiana University

Erica Newland, Center for Democracy & Technology

Sid Stamm, Mozilla (Firefox)

Arvind Narayanan, Stanford University

Adam Lehman, Lotame Solutions

Michelle De Mooy, Consumer Action

Daniel Castro, ITIF

Future of Privacy Forum Do Not Track Resource Page

Space is limited. Please RSVP to [email protected] to request location information and to reserve your spot.

World Privacy Forum: FTC, Not Commerce, Should Take Lead On Privacy

FPF was featured in MediaPost.com article, “World Privacy Forum: FTC, Not Commerce, Should Take Lead On Privacy.”

Read full story here, and see FPF quote below.

Meantime, the think tank Future of Privacy Forum is taking the position that two heads are better than one. “We need the FTC and Commerce working together — pushing and pulling and a combination of both law and serious but flexible and business practical self-regulation,” the group says in a new blog post. “Creating a false sense of competition or conflict will result in inaction and lack of progress.”

We Need an Official To Guard Our Privacy

Gordon Crovitz is wrong to equate the idea of a senior U.S. privacy official (as he provocatively put it, a “privacy czar to regulate the Internet”) with the proposal in the European Union of a “right to be forgotten.” (“Forget Any ‘Right to Be Forgotten,‘” Information Age, Nov. 15). It is precisely because of international proposals that may impact U.S. principles that the U.S. needs a senior governmental official to participate in the global debates over the regulation of personal information.

Read Chris’ and Jules’ full Wall Street Journal letter to the editor here.

Topsy Turvy World of Privacy

Topsy Turvy World of Privacy: World Privacy Forum blasts FTC  for not taking action against companies who falsely claim they are in Safe Harbor or who don’t live up to Safe Harbor committments. Advocates critique FTC for not taking enforcement action on numerous complaints they file and argue the FTC support for self-regulation is misguided, only a law will do. Upcoming FTC report likely to continue to call for self-regulation. Department of Commerce report calls for an expanded Fair Information Practices based privacy law – first time ever for the US government -if the White House agrees with the report’s proposals. Commerce calls for additional enforcement authority and rulemaking for FTC – efforts the Commission has sought but failed to receive from a privacy friendly Congress this past term. World Privacy Forum and other advocates tell the Dept of Commerce to step back from privacy leadership and leave field to only the FTC.

Reality check: We need the FTC and Commerce working together – pushing and pulling and a combination of both law and serious but flexible and business practical self-regulation. Creating a false sense of competition or conflict will result in inaction and lack of progress – perhaps a satisfactory solution for the most aggressive data mongers and for privacy martyrs who aspire for the most profound restrictions on data. But the rest of us – ordinary internet users, reasonable businesses and practical advocates – are hoping for progress that recognizes that everyone gains when smart privacy and online trust advances.

Do Not Track Resources

Proposal from the advocates

http://www.worldprivacyforum.org/pdf/ConsumerProtections_FTC_ConsensusDoc_Final_s.pdf

Comments of the FTC Chairman

http://techdailydose.nationaljournal.com/2010/07/ftc-weighs-do-not-track-list.php

Commissioner Brill

http://www.lexology.com/library/detail.aspx?g=ddba4e6e-ba99-409a-ac48-2e822776e32a

Senator Pryor

http://www.nextgov.com/nextgov/ng_20101001_6529.php

PrivacyChoice

http://privacychoice.wordpress.com/2010/11/17/do-not-track-in-browser-headers-six-concerns/

Arvind Narayanan and Jonathan Mayer, Stanford

http://donottrack.us/

Harlan Yu, Princeton

http://www.freedom-to-tinker.com/blog/harlanyu/do-not-track-not-simple-it-sounds

ITIF

http://www.itif.org/files/2010-do-not-track.pdf

Please let us know if we are missing anything else useful!

Summary of Draft Department of Commerce Privacy Green Paper

Chris Wolf passes on details that have emerged about the upcoming Commerce Dept. privacy ‘green paper’. Interesting to note that Commerce is calling for a baseline privacy law supplanted by self-regulation – which sounds close to what the FTC is likely to call for. To read his post, click here: Summary of Draft Department of Commerce Green Paper.

A US Privacy Leader

Two weeks ago in Jerusalem at the annual conference of Data Protection Commissioners, Assistant Secretary of Commerce Larry Strickling announced that Commerce Department would be calling for the creation of a new US privacy office.

Here is how Strickling described the role:

” In the area of privacy, I believe that the U.S. Government should establish a Privacy Policy Office to serve as a center of information privacy expertise. This Office would complement, not supplant, the Federal Trade Commission or the other institutions in the Federal Government, such as the professional cadre of Chief Privacy Officers we now have in multiple agencies. A key role for the new Privacy Office would be to bring together the many different parties that are necessary to help develop privacy practices. This institutional commitment to engage on information privacy issues in a dynamic, multi-stakeholder manner over the long term would do more than just help voluntary industry codes to develop.  It would also be an important vehicle to help us better engage with all of you to address the privacy issues that we’re all confronting.”

We at the Future of Privacy Forum were delighted because we have been advocating for the Administration to do just this! Item number one on our “Agenda for the New Administration” was as follows:  Appoint a Chief Privacy Officer to Promote Fair Information Practices in the Public and Private Sectors.

Here is what we said: “We embrace the idea of government catching up to industry by creating the central role of a Chief Technology Officer, as has been announced. But we also point out the need — recognized by hundreds of privacy-sensitive companies — for a senior level Chief Privacy Officer, someone to ensure that data protection is a central consideration for technology, data and policy decisions. Although many federal agencies have privacy officers, the fact that data is increasingly available across government entities demonstrates the need for a central figure to lead U.S. efforts to respect citizen data. To ensure that the data needed to combat terror will be available while appropriate oversight is in place to protect essential freedoms, the Administration should have an accountable, executive-level figure to drive an agenda based on responsible data practices. And as behavioral targeting, correlation of data across platforms, cloud computing and the use of personal health records becomes widespread in the business world, the need for a senior figure who can drive a consumer-centric agenda based on Fair Information Practices becomes increasingly crucial.

As data flows have already become a global issue, an empowered central address for U.S. data protection will also more effectively allow the U.S. to engage with data authorities around the world.”

Strickling also noted the importance of international engagement at the Commissioner’s conference when he continued:

“This brings me to a third major issue: our desire for robust engagement with the global privacy community. The Obama Administration realizes that the legal and policy framework surrounding the Internet, especially privacy, is complex both domestically and internationally.  While we understand that governments must act to protect their citizens, we also wish to avoid fragmented sets of inconsistent and unpredictable rules that frustrate innovation and the broad commercial success of the online environment.”

We are delighted to see this idea embraced by the leaders at Commerce and hope it will be supported by the White House!

We also provided a number of more detailed ideas to the Department of Commerce on public panels, informal meetings and in response to their request for formal submissions.  Have a look at our filing for details! We hope some of these ideas will show up in the upcoming Commerce Department “Green Paper” .

As both the value to consumers of data use and the risks that follow increase exponentially, we are at a point where enhancing privacy and trust online is essential. We are glad to see Commerce joining the fray!

Privacy Showdown? Not! The US is finally "in the game"!

It was very disappointing to read today’s NYTimes story which raised the idea that the Department of Commerce was focusing on privacy in order to somehow head off the FTC’s upcoming report on a privacy framework.  We at FPF and many others have been urging the Administration to step into the privacy efforts in the private sector and internationally and to provide leadership in advancing a serious data protection agenda. We  issued a privacy agenda for the White House in its first days and we have provided detailed measures that would advance consumer privacy protections. We are very optimistic that some of these ideas will show up in the soon-to-be-released Department of Commerce ‘green paper’ on privacy.  At the OECD meeting on privacy in Jerusalem,  we were thrilled to hear Assistant Secretary Strickland announce support for our idea of a new position of a central appointed US leader to advance privacy at home and abroad.

For years, the US has had a minimal voice in the international privacy debates that have been raging.  The FTC is present at international meetings to discuss their agenda and important enforcement activity, but as an independent agency, they do not speak for the Administration. The Department of Homeland Security is active, but the only on the topic of national security concerns.  It was therefore very encouraging to see Administration leaders like Cameron Kerry, Larry Strickling and Danny Weitzner taking active roles at the recent OECD and Data Commissioner Conferences in Jerusalem.

We understand the knee jerk assumption that the Department of Commerce is supposed to support ‘commerce.’  But anyone with perspective should recognize that US business interests around the world and free flows of data that are needed for commerce will not advance unless the US shows that it is serious about privacy.  We think the team in place at Commerce gets that quite well.  Whether the Commerce report or the new cross agency privacy committee calls for legislation, self regulation or something in between, the plan seems to be to at long last move the privacy agenda forward.