Study Weighs Privacy Concerns Against Relevant Offers for Mobile Shoppers, Reports MediaPost
Yesterday, MediaPost reported a study by IDC that provided an interesting insight on how smartphone users value their privacy in retail environments. According to MediaPost:
“Smartphone owners were asked which was more important: retailers respecting their privacy or retailers presenting them with relevant offers.
The results were essentially split, with slightly more than half (53%) saying retailers respecting their privacy was more important and almost half (47%) saying presenting relevant offers matters more.”
This almost even split demonstrates the importance of transparency and choice when it comes to retailers using their customer’s smartphone data. We’ve been testing our mobile location analytics opt-out mechanism for precisely this reason: so that customers can decide for themselves whether they wish to opt out of tracking, or avail themselves of the valuable offers and discounts that individual shopper targeting allows.
Privacy a Big Priority for Mobile Location Analytics Companies at "Retail's BIG Show"
This week, over 30,000 attendees and 500 companies swarmed the Javits Center in New York City for the 2014 National Retail Federation Big Show. The massive expo showcased the latest in retail technology, with mobile location analytics companies making a particularly strong showing. Ten of these companies (Aislelabs, Brickstream, Euclid, iInside, Measurence, Mexia Interactive, Radius Networks, ReadMe Systems, SOLOMO Technology, and Turnstyle Solutions) have already made a significant commitment to protecting privacy by signing on to our Code of Conduct. However, as companies continue to find exciting new ways to improve the retail experience using consumer data, privacy and security are hardly foregone conclusions. [link] Square CEO Jack Dorsey put it nicely in his keynote on Wednesday morning, when he remarked:
“Privacy and security is not an end point. There’s no one solution. It’s always changing. You have to constantly be refreshing your technology. You have to give simple, intuitive tools to people so they can control their own privacy and make their own decisions. Otherwise, they will feel like there is all this big data out there and then ‘there’s me.’ If you give them simple controls, tools to glean insights from their own data, then you have something really powerful.”
Here at FPF — particularly as we work hard on building a central site for opting out of mobile location analytics — we continue to look for ways to give consumers choices and control in how they share their data in the retail space.
A “Cutting-Edge” Guide to Privacy For Not-So-“Cutting-Edge” Phones
Now that the New Year is upon us, California’s Do Not Track transparency bill AB 370 is officially in effect. As websites start to disclose in their privacy policies how they respond to Do Not Track signals, it’s helpful to explain a little more about Do Not Track, as well as other options consumers can use to limit how they are tracked online. FPF’s site AllAboutDNT is designed to serve as a tool for educating consumers about what DNT does and how to turn it on for a variety of devices.
In previous posts, we have reviewed the new privacy features for the most up-to-date versions of both Apple’s iPhone (running iOS 7) and Android (link Expired) (running 4.4 KitKat). But what if you’re using a slightly older phone that doesn’t run the new operating systems? In that case, this guide is for you.
iPhone (or iPad)
Check which version of the iOS you’re running by tapping Settings > General > About. Under “Version” you can see your version of iOS. The most up-to-date version of iOS is iOS 3.1.3 for the first generation iPhone, iOS 4.2.1 for the iPhone 3G, and iOS 6.1.3 for the iPhone 3GS. If your phone’s OS is out of date, connect it to your computer and follow the prompts to update it through iTunes.
The now-unsupported iPhone 3GS running iOS 6 has many of the same privacy controls as its newer counterparts, but some of the controls are located in unusual and hard-to-find places.
Private Browsing/Do Not Track
iOS 5.1 and newer have a feature called “Private Browsing.” When Private Browsing is on, webpages you visited are not added to the history list, the names of downloads are removed from the Downloads window, AutoFill information isn’t saved, and searches are not added to the search field’s pop-up menu. Enabling Private Browsing also sets Safari to include a “Do Not Track” signal with all web traffic, which communicates to websites that you do not wish to be tracked.
To turn it on, go to Settings > Safari > Private Browsing.
Note that while Private Browsing is on, websites can’t modify information stored on your computer, so services normally available at such sites may work differently until you turn off Private Browsing. Any changes made to cookies are discarded when you turn off Private Browsing. While older versions of the iOS cannot activate this feature, they can still navigate to the Safari Settings menu to clear their history and cookies.
Limit Ad Tracking (iOS 6 and newer)
In iOS 6, you can turn on “Limit Ad Tracking” by navigating to Settings > General > About > Advertising > Limit Ad Tracking and turning the feature on. (On iOS 7, the control is located at Settings > Privacy > Advertising.)
If you choose to limit ad tracking, advertising networks using Apple’s unique Advertising Identifier are prohibited from serving you targeted ads. You will still get ads, but they should not be based on tracking your activity across the different apps you use.
Permissions For Apps (Sorted By Data Type)
You might want to have more control over which apps can access your location,* contacts, calendars, reminders, photos, Bluetooth connection, or Twitter and Facebook accounts. To adjust these permissions go to Settings > Privacy – make sure that no unwanted or unfamiliar apps have access to your sensitive data.
*In iOS 4 and 5, Location Services is found in the General Settings menu, below “Notifications.”
Permissions For “System Services” With Access To Location
At the bottom of the menu within Settings > Privacy > Location Services, you’ll see another box labeled “System Services.” In this menu, you’ll see a number of options for “Cell Network Search, Compass Calibration, Diagnostics & Usage,” etc. While each option corresponds to a different service, they only affect whether this data is sent to Apple – they do not affect the device’s functionality. In other words, you can disable every single feature in that section and your iPhone or iPad will continue to function exactly the same way it always has.
The only exception is “Setting Time Zone” – if you turn this function off, then you won’t be able to set your time zone automatically when no cell tower is within range. If you frequently travel places where there are no cell towers, then consider leaving this on.
Android Phones
Google sends updates through its Google Play Store without the need for a full update of the phone’s operating system. As a result, you don’t need to run 4.4 KitKat to control many of your Android phone’s new privacy features.
Ad Tracking Controls
We discussed in our previous Android blog how ad networks used to track users through the device’s “Android ID.” The Android ID could only be reset by wiping the entire device, and opting out required the user to visit the third-party ad network’s site and enter in his or her device’s (lengthy) ID. Now, Users running Android 2.3 or later can use the new “Advertising ID” controls. In Google Settings (not to be confused with the regular Settings menu), select “Ads” and you will see your Advertising ID. On this screen you can select the option to “Reset Advertising ID.” Tap the box labeled “Opt Out of interest-based ads” to opt out. On the opt-out page, you can also reset your Advertising ID or follow the “Ads settings” link to a page that allows you to adjust your Ads Settings more granularly.
According to Google, when a user activates the Opt-Out feature, app developers are required to no longer use the advertising identifier for creating user profiles for advertising purposes or for targeting users with interest-based advertising. They may only use your Advertising ID for contextual advertising (i.e., advertisements that relate to the content on the page on which the ad is displayed), frequency capping, conversion tracking, reporting and security and fraud detection. (Enforcement of this policy will begin in August.)
App Permissions For Location Data
On older versions of Android (including 4.3 JellyBean), you can control whether apps can use your location information by going to the general Settings menu and selecting Location Services. Note that disabling this option makes apps such as Google Maps unable to detect your location for the purpose of finding directions.
Google Search Privacy Options
You can also adjust a myriad of other privacy settings within the Google Settings menu, found within the app list. On Google Settings, select Search> Accounts & Privacy. On this menu are a number of privacy options:
Commute Sharing lets your friends and family know when you’re heading home from work. You can use the controls here to enable or disable this feature.
Google Location Settings allows you to control whether Google apps can access your phone’s location at any time the device is on. Here you can set different controls for different accounts on the phone as well.
You can control whether Google retains your search history (note that this may disable some features).
You can control whether you get personal results in searches.
You can control whether Google can use your contact list.
You can control how much data is stored by your search application (typically Google Search).
CONCLUSION
Just because you haven’t paid for the newest phone doesn’t mean you can’t protect your privacy. Newer phones (sometimes) have more accessible privacy controls and options, but even your old phones can be made more private and more secure with a little knowledge of their inner workings. If you know of other privacy tips for old phones, share them in the comments!
Commerce Privacy Specialist Josh Harris Joins Future of Privacy Forum as Policy Director
Commerce Privacy Specialist Josh Harris Joins Future of Privacy Forum as Policy Director
Washington, DC, January 14, 2014 — The Future of Privacy Forum (FPF), a Washington, DC-based think tank advancing responsible data use and consumer privacy, today announced that former Department of Commerce staffer Josh Harris has joined FPF as its Policy Director. In this role, Mr. Harris will be coordinating FPF’s focus on cutting-edge privacy issues. Mr. Harris will report to FPF Executive Director Jules Polonetsky.
Mr. Harris brings to FPF his seven years of experience in the International Trade Administration’s Office of Technology and Electronic Commerce. In this capacity, Mr. Harris worked to develop and implement the Asia Pacific Economic Cooperation’s (APEC) Cross Border Privacy Rules (CBPR) System. In 2012, Mr. Harris received the United States Department of Commerce Gold Medal – the highest award offered by the Department – for his work in this area. In 2004, he was selected to the White House’s Presidential Management Fellowship program. Previously, Mr. Harris served as the Vice-Chair of the American Bar Association’s Privacy and Information Security Committee.
FPF Founder and Co-Chair Christopher Wolf commented on Mr. Harris’s new role as Policy Director by saying “Josh’s experience developing and implementing privacy-based codes of conduct is an extremely valuable asset to FPF’s mission to develop best practices for the responsible use of data.”
FPF’s Executive Director and Co-Chair, Jules Polonetsky said, “Josh has the kind of practical, hands-on experience in the privacy field that will make a great addition to our FPF Team. We’re very glad to have him onboard.”
Commenting on his new appointment, Josh Harris said: “I am honored to have the opportunity to help advance FPF’s important privacy work, along with Jules and Chris, Senior Fellows Mary Culnan, Peter Swire, Omer Tene, and the Junior Fellows.”
If you are interested in learning more about Future of Privacy Forum, please email [email protected] or call 202-642-9142.
The Future of Privacy Forum (FPF) is a Washington, DC based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups.
Additional Comments to the FTC about the Internet of Things
On Friday, the Future of Privacy Forum provided an additional set of comments to the FTC in the wake of the Commission’s workshop on the Internet of Things (IoT) last November. The comments expand on FPF’s recent white paper, An Updated Privacy Paradigm for the “Internet of Things”, and address two important themes from the FTC’s workshop: (1) the importance of data security and (2) the privacy issues raised by the comprehensive collection of information.
FPF’s whitepaper explores why IoT is not well-suited to a one-size-fits all approach to consumer privacy. The myriad types of connected devices and the varied contexts in which those devices will operate will require the implementation of flexible frameworks designed to address evolving privacy issues and consumer preferences. The imposition of rigid or universal standards to promote privacy within IoT may harm innovation and, moreover, be ill-suited to the privacy risks and consumer preferences that ultimately emerge.
Our comments note that data security may have been the most frequently raised concern at the FTC’s workshop. Inadequate security presents the biggest risk of actual consumer harm within IoT. With it, bad actors will have access to all manner of connected devices, and will be able to pry into intimate spaces or perpetrate fraud or identity theft. Company must devote adequate resources to security before and after their products reach the market. Fortunately, companies large and small are aware of this concern and are taking steps to address it.
Another concern posed by the IoT is the ubiquitous data collection of “deeply personal” information. Still, it must be recognized that not all connected devices will facilitate the large-scale collection of personally identifiable information. And this issue is neither new nor unique to IoT.
FPF’s comments urge the FTC to continue its advocacy of the high-level principles of privacy by design, simplified consumer choice, and transparency while being mindful of the need for flexibility described above. High-level principles are particularly well-suited for the Internet of Things as they allow policies and procedures to be tailored to the nature of connected devices, the environments in which they are used, the purposes for which the information is used, and the evolution of consumer preferences. Simplified consumer choice and increased transparency by industry should also be encouraged. Industry must ensure that consumers understand how they will benefit from IoT and see that measures are in place to promote consumer privacy and security.
Jules Polonetsky to Discuss the State of the World on Data Privacy
Tomorrow at 2 PM ET, Jules Polonetsky will be joining Christina Peters, IBM’s Chief Privacy Officer, for a live videochat to discuss data privacy. Specifically, the two will address challenges managing cross-border data issues as different countries pursue different approaches and regulations for emerging technologies, mobile, and the Internet of Things.
The conversation will be streaming for IBM’s Big Data and Analytics Hub, and you can following the conversation on Twitter at #BigDataBytes.
GAO Looks at Privacy Practices for Connected Car Location Data
Yesterday, the Government Accountability Office released its study on in-car location-based services, and its survey generally concludes that players in the connected car space are thinking seriously about driver privacy. Companies reported that they neither share nor sell personal location data to marketing companies or data brokers, and the GAO found that all parties are taking steps to address privacy challenges.
The report, requested by Sen. Al Franken, evaluated (1) how selected companies use in-car location data and (2) whether these companies’ policies align with industry-recommended privacy practices. For its survey, the GAO interviewed six automobile manufacturers, which together constitute 75% of new car sales in the United States, along with several makers of portable navigation devices and developers of mapping and navigation apps. Though the report generally reflects the positive steps taken by companies to address the privacy risks posed by increased access to information about drivers’ locations, the GAO cautions that current privacy practices are in some cases “unclear” and “could make it difficult for consumers to understand the privacy risks that may exist.”
The GAO looked at how company practices comported with the Fair Information Practice Principles generally and then compared them to industry-developed privacy practices that the GAO believed were applicable to location data. Specifically, the GAO evaluated company practices with regards to (1) disclosures, (2) consumer consent and control, (3) data safeguards and retention policies, and (4) company accountability.
First, the report noted that every surveyed company disclosed to drivers that they collect and share location data, but warned that some of these consumer disclosures could sometimes be unclear. In particular, the GAO appeared to be concerned about whether consumers were receiving clear disclosures about the purposes for which their location information was being collected, used, or shared. Current policies were “broadly worded and potentially allow for unlimited data collection and use,” the GAO reported.
While the report recognizes that connected car companies are offering consumers a variety of ways both to consent to the collection of location data and to control their information, the GAO was concerned that none of the surveyed companies permit consumers to delete their location data once it has been collected. Certainly it may not be possible for individuals to delete location data that has been scrubbed of personal identifiers or aggregated with other data, but the GAO found that some companies were keeping “location data in a format that is associated with an individual vehicle” without providing drivers with the option to request the deletion of this information.
Every company was found to be taking positive steps to safeguard location information. However, familiar privacy challenges such as the use of different de-identification methods and different data retention periods were discovered across the companies the GAO surveyed. Further, no company disclosed how long location data were being retained, though the GAO noted that several companies responded that they retained location data no “longer than necessary.”
Finally, the GAO noted that while every company it spoke with is taking steps to be accountable for the location data it collects, this fact and any steps involved are not being disclosed to drivers themselves. The GAO cautioned that consumers would have difficulty even being aware that companies were working to appropriately protect their data.
The Future of Privacy Forum was one of a handful of privacy organizations that met with the GAO in advance of this report. FPF supports the development of flexible notice and choice mechanisms in connected cars, and has launched a Connected Cars Project to promote best practices in privacy and data security for connected cars. This report by the GAO should be taken as an opportunity to advance a dialogue among players in the connected car space that works to protect consumer privacy and promote the beneficial uses of in-car location data.
Privacy Ins and Outs for 2014
Happy New Year!
Happy New Year from the Future of Privacy Forum! Here is our 2014 List of Ins and Outs for your enjoyment. On behalf of the entire team at FPF we wish you a fulfilling New Year.
Chris and Jules
1. Privacy Notices for Websites
1. Privacy Notices for Sensors
2. Smith v. Maryland
2. Fourth Amendment
3. “The face is familiar, but I can’t pull in the name…”
3. Facial Recognition
4. One-stop shop for EU DPAs
4. One-stop shop derails EU Privacy Law
5. “Big Data”
5. “Internet of Things”
6. Letters from Congressman Markey
6. Letters from Senator Markey
7. “What They Know” Stories
7. What the NSA Knows Stories
8. Connected Teens
8. Connected Cars
9. Edward Snowden
9. Edward Snowden
10. Twitter “Twits”
10. Google “Glassholes”
11. Minority Report
11. The Circle
12. Viviane Reding
12. ?
The LIBE Committee Wants To “Suspend” The Safe Harbor… Along With Thousands of EU Employee Salaries
The Committee on Civil Liberties, Justice and Home Affairs (LIBE) released a draft report yesterday calling for the European Commission to suspend the US-EU Safe Harbor. FPF has written an in-depth report analyzing the effectiveness of the current Safe Harbor regime and cautioning the European Commission not to revoke the agreement, which has been largely successful in safeguarding user privacy while promoting international data transfers. We’ve yet to see the Committee’s actual draft, but we are nonetheless concerned that the Commission is so willing to suspend the framework, especially when it will mean that thousands of EU employees risk experiencing delays in getting their paychecks.
The Safe Harbor is a well-established mechanism for the transfer of data between the US and EU and is designed to streamline compliance requirements for US small businesses. One of the most common types of data transferred from the EU to the US is human resources data – this is because many EU data subjects work for US companies in Europe. In fact, FPF has searched through the Safe Harbor List and found that over 1,695 companies listed as “current” members use the Safe Harbor to process their human resources data. That’s over 50% of all companies currently in the program.
If the Safe Harbor framework were suspended, EU citizens whose HR data is stored or handled in the US would be heavily burdened. US companies who hire EU citizens would need to revert to model contracts, which are strict and expensive to implement (particularly for small businesses). Inhibiting the flow of HR data between the US and EU could mean delays for EU citizens receiving their paychecks, or a decline in global hiring by US companies.
FPF urges the LIBE committee to consider our recommendations to improve the Safe Harbor framework rather than create additional burdens and expense for companies that employ EU residents. These recommendations, which include Chris Connolly’s suggestion of appointing a “Safe Harbor Master,” adequately address EU concerns about user privacy while allowing US and EU businesses to continue growing.
Study Suggests Broad-Based Consumer Concerns about Privacy
An October study published by McGraw Hill Financial Global Institute cautions that consumers believe they are losing control of their online privacy. The report from authors at J.D. Power suggests that a majority of consumers feel they have lost control over how their personal information is collected and used, suggesting a lack of consumer trust will be a critical issue for companies to manage.
The study also provides further evidence debunking the old canard that young people do not care about their privacy. On the contrary, if young people’s concerns about privacy are lessened, this may be due to evidence to that younger consumers are taking direct actions to reduce their privacy risk. According to the report, younger generational groups more frequently take advantage of social media settings and set their social networking to private than older consumers. Additionally, nearly 30% of younger consumers “openly admit to providing false information on websites and apps.”
Worries about privacy and personal data management exist worldwide. While over 80% of consumers in the U.S. say they have lost control over how personal information is collected and used, the study found that similarly high numbers of people in emerging economies like China and India are concerned about their privacy.
