Feb. 9, 2011 – Most Google, Facebook users fret over privacy, USA Today

Some companies are doing what they can. “I’m heartened by the attention to mobile privacy issues,” says privacy attorney Chris Wolf of Hogan Lovells. New services revolve around “ways to empower people to protect their information.”

 

Guest Post: A Busy Time For Privacy and Security

The following is a guest post by David Hoffman, Director of Security Policy and Global Privacy Officer at Intel and FPF advisory board member.

Check out A Busy Time For Privacy and Security and other posts by David on the Intel Policy Blog.

A Busy Time For Privacy and Security

The past two weeks have included a number of important events for privacy and security. At the top of my mind have been the protests in Egypt, as I worry about the welfare of the Egyptian people and the many non-Egyptians in the country. One of the more disturbing aspects of the developments in Egypt, was the Egyptian government’s actions to require local internet service providers to disconnect from the global internet. The internet has become an integral component of individuals’ lives. Disconnecting a country from the global internet is an extreme and unfortunate reaction.

The Egyptian government had a solid record of assisting the private sector in making the internet available to its citizens. That record made the government’s decision to take down the connections more impactful, as local internet infrastructure suppliers appear not to have had plans to deal with the government decision.

In an interesting coincidence, the Egyptian government’s actions took place while many around the world were recognizing Data Privacy Day. Intel has been one of the core supporters of Data Privacy Day since its inception. Intel embraces Data Privacy Day’s goal of educating individuals on how they can use technology to provide benefits for their lives, while still having their personal date protected. Intel has been working in several areas to provide recommendations on how we can continue to foster technology innovation, while improving cybersecurity and privacy.

The Egyptian government’s actions call attention to the need of providing strong protections for individuals and companies so they can depend upon technology. Efforts to allow government access to, or control over, private components of the global digital infrastructure have been finding their way to light in many countries. These government attempts to control technology, include providing government the right to take down all, or a portion of, a private network. Any such government ability to impact technology in such a manner, creates substantial privacy concerns for individuals and industry. National security and law enforcement are fundamental obligations of government, but reasonable due process is necessary before government should take steps to access communications or take down private networks.

Several organizations have proposed alternative mechanisms to address government concerns. One example of these efforts are the Cybersecurity Principles authored by the Information Technology Industry Council, which were finalized on January 31st. The ITI Principles focus on building off of existing public-private partnerships and fostering the development of standards, best practices and international assurance programs.

Also distributed on January 31st, was the Center for Strategic and International Studies (CSIS) Cybersecurity Commission report “Cybersecurity Two Years Later.”    I have been honored to sit on the Commission and to take part in some of the discussion that led to this report. The Commission operates as a body to provide input to the Project Director and Co-chairs. By its nature and size the Commission does not endeavor to create a report that all Commission members agree with fully. Not surprisingly, there are elements of the report with which I disagree. However, the document is an important piece of work assembled by some of the best minds in cybersecurity policy.

The report aptly calls for investment in cybersecurity education, more focus on the international implications of a patchwork of differing national regulations of the global digital infrastructure, improvements in the area of authentication and the fundamental importance of meeting the privacy expectations of individuals. Conversely, I do have concern about extending cybersecurity regulations to the private sector component of the “critical infrastructure”, when the report does not define the term. I also find the report too critical of existing public-private partnerships, as many of these activities have focused on building needed trust, while still providing transparency of operation. The Egyptian government’s actions highlight the danger of moving away from structures which create trust between government and industry.

Many companies, like Intel, are investing significantly in privacy and security to make certain individuals will be able to reasonably trust their use of technology. This busy time for privacy and security policy both brings some of these issues to the forefront, and provides useful fodder for debate on how we should move forward.

Department of Commerce Comments

FPF filed comments with the Department of Commerce on the Privacy Green Paper. To view the comments, click here.

Jan. 30, 2011 – Privacy advocates don’t ‘like’ Facebooks ad plans, USA Today

“Any time they make a change, people react, especially if there is a commercial element,” says Jules Polonetsky, director of Future of Privacy Forum, an industry-funded think tank. “But … these are things you’re actively sharing with friends.”

 

Jan. 27, 2011 – Trade Groups Announce the Selection of the Working and Link/Icon that will be used to Indicate Adherence to Industry Self-Regulatory Principles for Online Behavioral Advertising, DMA

The icon is the result of a collaborative effort between WPP and the Future of Privacy Forum (“FPF”) based on consumer research and testing.  FPF, a think tank focused on advancing responsible data practices, worked with leading academics and coalition member companies to conduct consumer research to ensure the creative symbol and language successfully delivered on the goal of informing users about behavioral advertising practices.

 

Today is Data Privacy Day and YOU are the CEO of Facebook

For those that don’t know, January 28 is Data Privacy Day.  And although you may not have the title of  CEO at Facebook, we would like to pretend that you are in charge of it for the day.

So what would you do if you were CEO of Facebook and you had to make some important decisions today? There’s a plethora of issues you need to address, such as hiring more employees to work on new innovations and additional features, and building new data centers that can host the additional servers that will be needed to store the billions of photos and videos users are uploading every month. And you will obviously need more revenue to keep the company growing and see it succeed.  Supporting half a billion users and being ready for many millions more is an expensive proposition.

So how exactly can you increase the revenue, when it seems clear that most users would prefer not to pay for the service and enjoy using it for free? Advertising is likely part of the answer, but the most common business model for free web sites involves allowing ad networks to track users’ activity to sell ads on other web sites, something you have refrained from doing. You do yourself use information that users post or share to tailor ads. Some users seem to find those ads relevant, because they do click on them more than ads that aren’t targeted. But others complain that it sometimes feels discomfiting.

So how can you solve this riddle as the CEO of facebook? Some people say you could make the current ads on the site bigger.  Or you could allow pop-ups or could make people click through a full page ad to get into the site. Lots of sites do that for the additional revenue it brings in. Users might not like that, but what are the other options?

Is increasing user control and innovations around the advertising experience the solution? Can information that users share be used in a way that actually makes the ads more useful to users (and valuable to advertisers) because they really are relevant, without feeling intrusive? How can we be sure to tell users how the system works so they can see  the data that is being used ? How can users be assured the information will only be used to benefit them?  Can we give them control of the experience?  If you were the CEO of facebook, how would you design a privacy friendly and trustworthy advertising system that would earn the funds to buy those servers and pay the employees, while still keeping users happy? How can you explain this system to users and show them how to use the controls, without making them read trough a long privacy policy? Do you, our reader, have innovative ideas that can support privacy, profits and personalization?

As a think tank focused on advancing responsible data practices, those are the questions that the Future of Privacy Forum is asking our readers to answer on Data Privacy Day. We are social media enthusiasts who value connecting and sharing, but also recognize that online data use requires responsible practices by companies and by users.  So help us celebrate this special day by sharing your ideas on our Facebook page. We will make sure to pass the best ideas on to our community of privacy advocates, academics and senior privacy leaders at the companies we work with.

On Data Privacy Day, you can’t be the CEO of Facebook, but you can help us think through the privacy challenges and opportunities that online companies grapple with every day. Find us on Facebook to be part of the Future of Privacy and to share your thoughts about user control,  innovation and privacy.

Jules Polonetsky and Christopher Wolf

Jan. 25, 2011 – Google, Mozilla Try to Preempt Regulation, AdWeek News

“There’s no doubt legislators will hold hearings and introduce bills. The question is whether they see leading practices as the ones they want to enshrine,” said Jules Polonetsky, director of the Future of Privacy Forum. “Legislators aren’t going to drop the notion of legislating. On both sides of the aisle, there is a desire to propose legislation.”

 

Screen Shot of the new Firefox Do Not track option

Tip to Chris Soghoian for flagging the screenshot of the Do Not track consumer preference in the browser settings. Check it out here.

Breaking News: Firefox 'Do Not Track' Advances

Future of Privacy Forum comments on Firefox’s plans to implement a Do Not track feature in Firefox 4:

“Firefox is advancing the “Do Not Track” concept by providing a simpler and more effective way to opt-out of behavioral ads, but in a way that is likely to allow most ad networks to continue to deliver relevant ads.  Businesses would be well advised to agree  respect the preference expressed by users who select this new option, as it could be also useful for mobile users and for apps.  This is a prime opportunity for a multi-stakeholder group, such as the Commerce Department has proposed, to work out details like whether the preference could also result in collection or retention of less data about privacy sensitive users.”

Mozilla’s discussions of its plans are spread over a series of blogs.

https://firstpersoncookie.wordpress.com/2011/01/23/more-choice-and-control-over-online-tracking/

 http://blog.sidstamm.com/2011/01/opting-out-of-behavioral-ads.html

 http://www.open-mike.org/entry/thoughts-on-do-not-track

As so often is the case, Julia Angwin is the first media reporter  to break the story.  And props to Chris Soghoian for his long leadership on this issue. 

Background Information

The amorphous concept but catchy terminology  of Do Not Track (“DNT”) has dominated much of the public discussion about what should be done about online privacy in recent months.  Much of this discussion has been unproductive, with some in industry suggesting that DNT would bring an end to ad- supported online content, and some privacy advocates viewing it as a silver bullet solution for online privacY.  Very little constructive dialogue has occurred across stakeholder groups.  Browser companies, online businesses and advocates have by and large formulated their views without collaboration.

In 2009, the Future of Privacy Forum, in cooperation with the Center for Democracy and Technology, launched an effort to improve the current cookie based opt-out mechanism offered by many online behavioral advertising companies.  Aware of the fact that many opt-out cookies are deleted by consumers or their anti-spyware programs, we convened companies, trade groups, advocates and technologists for a number of discussions aimed at formulating a more reliable process for providing consumers with options to limit the web tracking taking place for behavioral advertising purposes.  At the meeting, technologist Chris Soghoian made the case for a Do Not Track browser header that he had coded, but few were open to the idea at this time.

In December 2010,   FPF responded to the FTC’s formal DNT proposal by convening a panel which included representatives from browser companies, consumer and privacy organizations, technologists, ad networks, supporters of a DNT browser header and policy groups. Although no consensus emerged, we were convinced that a properly tailored and practically designed DNT browser header proposal was feasible.  At the panel we suggested that if companies treated an opt-out header like a more permanent version of a behavioral advertising opt-out cookie, consumers would gain a new privacy control that would be easy to use.  And since ad networks and trade associations have already agreed to provide consumers with the ability to opt-out of behavioral ads with one click  (via the Network Advertising opt-out pages or the new Digital Advertising Association opt-out page), the policy choice was one that had already been made.

As a result, we are delighted that Firefox has just announced that in the new version of its browser,  consumers will have  an option in the preferences panel of the browser that would enable a special  Do Not Track browser HTTP header. 

Ad Networks:

Servers that are sent this header should recognize that the consumer has indicated that they do not want their activity online used to tailor advertising to them across unrelated web sites.  We hope that services that offer consumers a cookie based opt-out should treat consumers presenting the header in the same manner they treated consumers relaying an opt-out cookie.  Since opt-out cookies are often deleted inadvertently by consumers, this header will provide greater stability and a more reliable means of recognizing consumer choices.

For users who present the header, we think that companies should recognize the header to indicate “no targeting” based on previous unrelated activity, whether tracked via cookies, device fingerprinting, local shared objects, or other identifiers. Such header shall not affect tailoring of advertising for a user based on inferences made about a user based on the presentation of browser information or activity during a consumers visit to a particular web site.  Thus geo-targeting based on IP address or tailoring of ads based on a consumers previous visit to the same web site shall be permitted.

Consumers:

Consumers today can technically prevent tracking by using cookie settings or browser based options or third party browser plug-ins which limit the data that is shared by their browsing activity.  But these options are unable to provide high degrees of nuance tha can distinguish between the various types of uses of data by sites.  These tools either underblock, overblock or prevent the delivery of any third party content or ads. Although P3P in theory could provide greater nuance, the manner in which it has been implemented in browsers and the  distinctions between types of data use it provides often don’t map easily to the prevalent business models in use.  Many consumers who today take steps to block cookies are likely expressing their opposition to behavioral advertising.  An opt-out/DNT header provides those consumers with a more nuanced opportunity to express their choice.

 Government:

What data should not be collected when a consumer has selected the opt-out header? Just the behavioral tracking cookie? Any unique tracking cookie? Other data? The most productive way to reach consensus on a proposal such as this is to convene a multi-stakeholder group that can work through the necessary cooperation between browser companies, ad networks, consumer representatives, government and policy groups. No system requiring nuanced cooperation and technology development across business models and government policy will spring into existing without interactions which can address the concerns of the key stakeholders.  We suggest that Firefox convene such a multi-stakeholder group, including representatives from the FTC, Commerce and international stakeholders, in a process much as the Department of Commerce has called for in its report.

Kudos to the Firefox team and good luck to Alex Fowler, Mozilla’s new global privacy and policy who has just come on board.  And huge credit to Chris Soghoian (who coded the first proof of concept of a DNT header and Arvind Narayanan of www.donottrack.us) along with Sid Stamm and others of the Mozilla team. We look forward to working with you on advancing consumer trust online.

Check out Chris Soghoian’s detailed history of the inception of the opt-out header concept and how it has developed.


Privacy Insiders Weigh In on FTC and Commerce Reports

Over the past few weeks, the Future of Privacy Forum (FPF) has been taking an informal poll from many of its advisory board members, blog readers and Facebook fans to gauge their thoughts on the recent privacy reports released by the Federal Trade Commission (FTC) and Department of Commerce.  The FTC report was entitled, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” while the Department of Commerce’s Internet Safety Task Force privacy Green Paper was entitled, “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.”  

As our readers know, both reports were released this past December and FPF began taking our privacy insiders’ thoughts over the past month.  Among the highlights, a large majority of respondents believed consumers need to be better educated to protect personal information online, but they do not believe a “Do Not Track” measure will be passed in 2011.  Below are some of the key results provided by the respondents, and what these reports may mean for the future of privacy:

  1.  “They don’t need it. They are much more powerful without it.”
  2.  “It would surely be useful but I doubt it will happen while recommendations and self-regulation are offset   by patchy enforcement and disjunctive legislation.”
  3. “The Republican House will resist new federal regs.”
  1. “It will impede their business plans and decrease revenue; if it’s voluntary, most won’t comply unless it’s tied to a safe harbor.”
  2. “It won’t enhance the corporate bottom line.”
  3. “FIPPS would undermine their ad business model.”