Swire Cybersecurity Op-Ed in The Hill

FPF Senior Fellow Peter Swire just published an op-ed in The Hill titled “Moving Too Fast on Cybersecurity.” In the piece, Swire cautioned against rushing cybersecurity legislation through Congress. To see the full op-ed, click here.

Tracking Progress on Do Not Track

The Tracking Protection Working Group of the World Wide Web Consortium (W3C) met last week in Washington, D.C. to further its efforts in developing industry standards for Do Not Track (DNT) measures. As deadlines for public release of the specifications near, the pressure is on for the group to come to agreement on critical policy questions around Do Not Track. The group has made a lot of progress on some issues such as reaching general agreement that DNT is primarily aimed at third parties who collect data at sites. However, substantial debate continues around the definition of a third party and what those third parties can do with data when the DNT header is “on.”

Some stakeholder participants maintain that DNT should give consumers the ability to block most data collection by third parties, and only allow collection and retention for limited specified purposes, such as fraud and security. Other participants maintain that they need to be able to collect more data under DNT in order to perform business functions such as frequency capping, auditing, financial logging, and market research.

FTC Commissioner Julie Brill made a guest appearance to show the FTC’s support for the W3C’s efforts, identifying it as one of three major DNT processes underway; the other accompanying processes are the advertising trade groups’ self-regulatory program and popular browsers that have implemented Do Not Track mechanisms. The FTC set the stage for a future DNT framework in its Final Privacy Report released last month. The report called for a Do Not Track standard to mean more than just “Do Not Target” and to have elements of “Do Not Collect.” Failing the inclusion of this, the FTC indicated it would support DNT legislation. However, Commissioner Brill stated that she, along with FTC Chairman Jon Leibowitz, is confident that there will be an effective DNT framework by the end of the year.

Why is tracking so important for companies, if they have already agreed to allow users to opt-out of behavioral advertising? Tiny banner ads are a poor way to influence users compared to the richness of TV, radio, and magazines. But banner ads and their effectiveness can be precisely measured in ways that the other media cannot be (yet!). Advertisers still spend the bulk of their dollars offline, even though users increasingly spend large chunks of their day on the web. The big value add for many web publishers is their ability to report which ads on which sites were successful in causing users to transact on other sites and later in time.

For some, allowing the logging of data needed for such cross-site tracking creates too many risks. They worry the government might seek the data or they do not trust companies to refrain from using it for profiling or for discriminatory purposes. Others argue that consumers who are promised that they will not be tracked expect not to be tracked at all.

We believe that the potential compromise solution will need to allow for the basics of analytics and ad reporting, while relying on de-identification and retention limits as well as contractual and policy commitments to minimize privacy risks.

We were surprised to see Yahoo called out yesterday by the WSJ as “leading the charge” against DNT. If a DNT compromise is reached, no individual on the industry side will be more deserving of credit than Yahoo’s Shane Wiley. He and his team at Yahoo have spent countless hours on proposals seeking to bridge the differences among companies and other stakeholders. The volume of emails in our inbox and on the W3C listserv is a testament to that.

There is still much work to be done and the next weeks will be critical.

For a detailed analysis of the Do Not Track debate, read Jules Polonetsky and Omer Tene’s paper, “To Track or Do Not Track.”

 

-Lia Sheena

Apr. 19, 2012 – Banjo hits 1 million users, signaling mainstream interest in social location apps, ComputerWorld

Smart Security and Privacy for the Smart Grid

Last week, security researcher Brian Krebs reported on an FBI bulletin warning that criminals are hacking smart meters. In the bulletin, the FBI warns that former employees of smart meter manufacturers and utilities have been reprogramming residential and commercial smart meters to lower power bills. The FBI identifies one particular instance where a utility may have lost hundreds of millions of dollars due to this type of hacking.

While it is unfortunate that hacking of smart meters has taken place, it is not surprising. Where there is data and money, criminals will find a way to hack and steal. Indeed, criminals have been stealing from analog meters for decades as well.

However, criminal activity should not impede our adoption of important new technologies. For example, ATMs and online banking accounts are hacked today, but nobody is suggesting we should forgo the benefits provided by banks and retail websites. Similarly, smart meters offer consumers and society significant benefits, namely increased reliability, potentially smaller electric bills, and lower carbon emissions. These benefits should not be surrendered simply because digital progress comes with a risk of digital misuse.

Rather, the appropriate response is to focus on improving security and protecting privacy. With good policies and safety measures, we can minimize the risk and protect against loss. We need to recognize that absolute security is not possible. If the bar for technology adoption were set at 100% perfect, we would still be in the Dark Ages. We should take the FBI warning seriously and examine the research needed to minimize intrusions. By instituting reasonable security and privacy measures and building privacy and security into the design process, we can ensure that consumers reap the benefits of progress.

Google Glasses and the Do Not See List?

Release of new details about the Google Glass project deservedly is getting great attention from a range of tech and privacy writers.  The idea of smart glasses is familiar to fans of Vernor Vinge’s book Rainbows End, which won the 2007 Hugo Award for best science fiction novel of the year.  It’s safe to say that most people, however, have not deeply imagined what it will be like to have the equivalent of a computer screen super-imposed on their vision as they go through daily life.

Reporters have been asking whether to foresee advertisements on the smart glasses of the near future.  My assumption is that we will see ads.  Ads exist on television, radio, magazines, smartphones, and the Internet, so they will almost certainly exist on smart glasses.

Will there also be privacy debates about those advertisements?  Yes, of course.  Marketing companies will emphasize that the ads are incredibly useful – you look at the restaurant when walking down the street and a coupon pops up.  Privacy advocates will emphasize the intrusiveness of seeing the world through a series of distracting and perhaps-unwanted ads.  Advocates are also likely to express concern about the power of advertising to literally shape a person’s “world view” – to alter what a person sees moment-by-moment when traveling through life.

As the privacy debates commence, I think we can even announce a likely title for a regulatory debate about smart glasses – the “Do Not See List.”  We have had “Do Not Call” for phones and “Do Not Track” for web surfing.  Should individuals have the right to opt out of targeted ads on their glasses?  It will be overwhelmingly tempting to call the privacy debate about smart glasses the “Do Not See” debate. I hereby give in to the temptation early.

For me, it is unbelievably exciting to imagine the range of new applications that will emerge to see the world differently.  It is hard to predict the killer apps for this space, except to predict that there will be many of them.  (As a professor, I immediately think how wonderful it would be to get prompts of student names when I forget them.)  It is easy to predict, though, that privacy and other tech experts will debate long and hard about who gets to affect what I see, as I look out through my new pair of smart glasses.

 

-Peter Swire

Apr. 3, 2012 – What the FTC's Privacy Recommendations Mean for Consumers & Business, Web Pro News

FPF Asks NTIA to Focus on "App Privacy"

The Future of Privacy Forum (FPF) today filed its suggestion with the NTIA that a first area that the Multi-Stakeholder Process should address is mobile device applications. In February, the White House announced a privacy initiative through which enforceable industry codes of conduct would emerge from a Multi-Stakeholder Process, and it requested input from interested parties on which privacy issues should be addressed through the process.

In a submission filed with the National Telecommunications and Information Administration (NTIA), FPF observed:  “The continued proliferation and use of mobile devices by consumers for a multitude of communication and computing purposes, with a corresponding increase in downloads and use of mobile apps, makes app privacy a priority.  Reports of privacy issues with mobile apps abound, making the issue timely and urgent.”  The mobile app issue was addressed by FPF co-chairs Jules Polonetsky and Christopher Wolf in an opinion piece recently published by the San Jose Mercury News.

FPF strongly supports the Administration’s efforts to enhance data privacy protections and promote consumer trust in a networked society.  FPF also supports NTIA’s efforts to facilitate the development of enforceable codes of conduct through a Multi-Stakeholder Process.  With the rapid evolution of technology, an approach in lieu of technology-specific and prescriptive legislation and one that allows affected parties to participate is prudent.

In proposing mobile apps as a first area of focus for the MSHP process, FPF noted the important work that has already been done in the area and urged the integration of the foundational work already done and the continuation of parallel activities.

It noted that app best practices guidelines and model app privacy policies already have been produced by the GSMA (representing mobile operators), the Electronic Frontier Foundation (“EFF”), the Center for Democracy and Technology (“CDT”), the Future of Privacy Forum and the Mobile Marketing Association (“MMA”), which provide a substantive starting point for consideration of binding Codes of Conduct.  And it observed that further progress is expected from efforts such as the April 25, 2012 App Developer Privacy Summit convened by the Future of Privacy Forum, the Application Developers Alliance and the Stanford Center for Information and Society.

Polonetsky Interviews with Capital Insider

On Monday, March 5th, Jules Polonetsky was interviewed on the NewsChannel 8 program “Capital Insider.” Viewers in Maryland, Virginia and Washington, DC watched Jules speak about mobile app privacy issues and Google’s privacy policy. To watch the interview, please click here.

Yahoo Launches Global Support for Do Not Track

Kudos to Yahoo for once again being an industry leader in advancing online privacy measures. We were pleased to work with Yahoo on both the first implementation of an industry symbol labeling behavioral ads and their Ad Preference manager. As the FTC continues to urge successful Do Not Track implementation as an alternative to a Do Not Track law, it is critical that companies show progress by offering users actionable tools. Although there are details still to be worked out in fleshing out the parameters of Do Not Track between industry, browsers, and the W3C, real progress through major Do Not Track implementations demonstrates that business-practical, privacy-enhancing steps are truly feasible. To see Yahoo’s post on the news, please click here.

 

FPF to Speak at Event about the Latest Privacy Developments

Tomorrow morning from 8:30 am – 10:30 am, Jules and Chris will participate in “The Latest Developments in Internet Privacy,” a panel hosted by ISOC-DC TV at SRI International (1100 Wilson Blvd., Suite 2800, Arlington, VA). Justin Brookman, Director of the Project on Consumer Privacy at the Center for Democracy and Technology, will also participate on the panel. Free registration and more information about the event can be found here. The event will also be livestreamed here.