Feb. 22, 2010 – Google Buzz Fallout Could Hurt Future Cloud Prospects, Sci-tech-today

 

 

WMACCA Tech & IP Forum: Behavioral Advertising – How to Protect Your Brand While Taking Advantage of Advanced Advertising Techniques

Tuesday, February 23, 2010

12:00 PM – 2:00 PM

LIVE at the offices of Morrison & Foerster LLP

1650 Tysons Boulevard

Suite 400

McLean, Virginia

OR by WEBCAST

Overview

The online collection of information over time, used to create profiles for targeted advertising campaigns (better known as behavioral advertising), creates more effective advertising and helps web publishers support their sites. However, behavioral advertising has also raised privacy issues among legislators, regulators, and consumer advocates. This program will include a discussion of the current regulatory, self-regulatory, legislative, and policy environment around behavioral advertising, how to take all of those factors into account when deciding to engage in behavioral advertising, and a look forward to what the business community can expect in 2010.

Speakers

Presented by Reed Freeman of Morrison & Foerster LLP;

Michelle Rosenthal, Division of Privacy and Identity Protection, Federal Trade Commission;

C. Lee Peeler, President & CEO, National Advertising Review Council and Executive Vice President, Council of Better Business Bureaus;

Jules Polonetsky, Co-chair and Director, Future of Privacy Forum.

Power vs. Privacy: Smart Grid Could Turn Appliances Into Spies, Experts Say

CBC News Canada

By Paul Gallant

February 18, 2010

Do you want your fridge talking about you behind your back?

With the rapid adoption of a North American “smart grid” aimed at helping consumers conserve electricity, it’s also possible that smart appliances will be able to transmit information about their activities (and yours) through the power lines. Your electricity utility may not yet be able to determine when you snack, do laundry or shower, but privacy advocates are sounding the alarm that systems need to be put in place to guard details about a household’s electricity usage from prying eyes.

A paper released last November by the Office of the Information and Privacy Commissioner of Ontario and the U.S.-based Future of Privacy Forum proposes building privacy controls right into the smart grid before the system is fully rolled out.

Although different utilities define the smart grid in different ways, the key feature is a two-way communication system between a household’s meter and the electricity utility so that energy consumption can be tracked with incredible — sometimes even minute-by-minute — detail.

“The Smart Grid will enable third parties to peer into your home,” says commissioner Ann Cavoukian. “You can imagine how tempting the marketing opportunities will be.”

Christopher Wolf quoted:

“There always needs to be a policy to provide levels of protection, or at least transparency, about how the data will be used,” says Christopher Wolf of the Future of Privacy Forum. “It’s not the technology that’s bad, it’s the use of the technology.”

Smart Privacy For the Grid

Gridwise Alliance & Future of Privacy Forum Present

“Smart Privacy For the Grid”

Tuesday, March 2, 2010

Embassy of Canada

Theatre Room

501 Pennsylvania Avenue, NW

Washington, DC 20001

Featured Speakers:

Dr. Ann Cavoukian, Information & Privacy Commissioner of Ontario

Andrew McLaughlin, United States Deputy CTO

More Speakers:

Mike Oldak, Utilities Telecom Council, VP & General Counsel

Nuala O’Connor Kelly, GE, Senior Counsel, Information Governance & Privacy

Lillie Coney, Electronic Privacy Information Center, Associate Director

Jennifer Urban, Samuelson Law, Technology & Public Policy Clinic, UC Berkeley, Director

Ari Schwartz, Center for Democracy & Technology, Vice President & Chief Operating Officer

Michael Winters, Hydro One, CIO

Nick Sinai, Federal Communications Commission

For any questions or comments regarding the event please contact Rich O’Neill at [email protected]

New Article 29 Working Party Chair Jacob Kohnstamm

We are pleased to congratulate Jacob Kohnstamm, Chair of the Dutch Data Protection Authority, for being elected the new chairman of the Article 29 Working Party. Mr. Kohnstamm visited the Future of Privacy Forum offices during his last visit to the U.S. and we enjoyed greatly the chance to discuss with him the issues on our agenda. By chance, the House Energy and Commerce Committee was holding a privacy hearing the next day, and so we arranged for Mr. Kohnstamm and his staff to attend the hearing and observe the action as Congressman Boucher questioned online companies about behavioral advertising practices.

We look forward to working with Mr. Kohnstamm and his staff on efforts to advance responsible and practical data practices.

Online Behavioral Advertising "Icon" Study

Executive Summary:

In May 2009, the Future of Privacy Forum launched a research initiative to examine new methods for communicating with users about online advertising and privacy. This study assessed the communication efficacy of behavioral advertising disclosures based on icons and short disclosures placed near webpage advertisements as an alternative to providing transparency and choice via traditional online privacy notices.

The study employed an internet panel to assess the communication efficacy of behavioral advertising disclosures on the web. Disclosures were tested at 2 levels: (1) a level-1 disclosure comprising a symbol and a short (2-3 word) phrase that was placed above an ad on the webpage (e.g., “interest based ads” or “ad choice”), and (2) a longer (18-20 word) level-2 disclosure that was revealed when surfers moved their cursor over the level-1 disclosure. This level-2 disclosure was intended (a) to inform people that information about their visit to this site is used to select ads they see here and elsewhere, and (b) to provide a link to “opt out” of this type of advertising.

The study involved five phases or sections:

• Part A: Exposure to webpage with level-1 disclosure. Measure recall of level-1 disclosure;

• Part B: Re-exposure to webpage with level-1 disclosure. Measure comprehension of level-1 disclosure;

• Part C: Re-exposure to webpage with level-2 disclosure. Measure comprehension of level-2 disclosure;

• Parts D & E: Participation in 13 online activities and attitudes toward online behavioral advertising and privacy.

The sample size was 2,604 U.S. adults. The majority of the study participants were active internet users. The average respondent participated in 9 of 13 online activities, with approximately half or more of the sample participating in 12 activities. Only 2% had not participated in any activities. More than half of the sample spent at least 15 hours online/week.

Concern for privacy was measured by nine items using a 5-point scale (5=strongly agree). Average for this scale was 3.88. We also asked whether people had taken any of eight steps to protect their privacy online. The average was 4 steps, with approximately 40% of the participants engaging in 7 of 8 activities. Only 8% had never taken any of these steps.

We measured comfort with OBA with and without two key fair information practices (transparency and choice). Without transparency and choice, only 24% are comfortable with OBA. When transparency and choice are offered, 40% are comfortable with OBA. Approximately 30% are neutral about OBA with or without transparency and choice. Transparency and choice increase comfort for people who are most active online and engage in more privacy protective behaviors.

We tested 14 level-1 disclosures: 2 symbols (“Power I” and “Asterisk Man”) combined with seven phrases (Interest based ads, Custom ads, AdChoice, Your choice, Your info and ads, Why did I get this ad?, and a control phrase, Sponsor ads). We tested one level-2 disclosure which provided transparency and choice.

We measured comprehension of the level-1 disclosure with two multiple-part questions (Q8 and Q9). Comprehension of the level-2 disclosure was measured with one multiple-part question (Q11). Results show that for the level-1 disclosures, two of the seven tested phrases (“Why did I get this ad?,” and “Interest based ads”) generally do the best on comprehension. The remaining four phrases don’t do as well as the top two, but still outperform the control phrase (“Sponsor ads”). Also, while the phrase “Adchoice” did not perform as well as the top two on comprehension, it was in some cases less likely to generate agreement with decoy statements (that were unrelated to key communication objectives) than the top phrases. It is important to note, however, that while there were differences in the communication effectiveness of the six different level-1 phrases we tested, in an absolute sense it is not clear that they communicate well enough without additional support. Thus, consumer education will be needed to improve their communication effectiveness over time.

The testing also showed a very slight advantage for the asterisk man icon on some of the comprehension measures (specifically, Q8). Finally, the level-2 disclosure appears to communicate the key issues effectively.

FTC Chairman Leibowitz’s Requests from Congress

What does the FTC need to be more effective? Read what Chairman Leibowitz is seeking from Congress.

Ubiquitous Biometrics

Guest Post from privacy expert Kathy Harman-Stokes

Speakers at the National Defense Industrial Association (NDIA) 2010 Biometrics Conference emphasized the value of “ubiquitous biometrics.” For biometrics to become ubiquitous, one speaker said biometrics should be widely used for facilities access, by employers for time and attendance recording of employees, and customer identification for various transactions, such as financial transactions. One goal of this NDIA Conference was to address government progress on implementation of U.S. Homeland Security Presidential Directive 24, which calls for interoperability of government biometric systems to aid the fight against terrorism. Speakers at the conference spoke of the promise for biometrics to minimize terrorist activities and also improve our everyday lives.

In my presentation I addressed the ways that biometrics are rapidly expanding in the private sector. Over 100 companies in the UK and Middle East are using a particular facial recognition system for their employees – for access to construction sites and airports, and time-keeping of employees and contractors. This system links into the attendance and payroll systems, reducing paperwork. One company found a 4% reduction in wage payments after implementing the system, stopping its wage fraud in its tracks. Colleges are using the same system to track class attendance. Iris recognition systems now capture an iris from three feet away, with people in motion walking toward the scanner. One system can capture the iris of 50 people/minute as they clock in for work at construction and other job sites. To comply with HIPAA, medical centers are using biometrics increasingly for staff access to patient records, and to confirm the identity of patients before dispensing medication.

Admission tests have been using biometrics for years. The GMAT is using a system worldwide that scans the vein pattern of the palm of a test-taker’s hand with infrared light (a “palm-vein” system). The LSAT and some others use fingerprints, all to minimize exam fraud, which results in fraud in the admission process. A bank in Australia is using voice authentication biometrics for some phone banking and banks in Japan are using palm vein systems at ATMs. One system, BioLock, offers a fingerprint system that can literally protect every mouse click on a computer. An employee scans a fingerprint to log on, then must scan again for each attempt to access a sensitive transaction, such as authorizing a wire transfer. Every attempt is logged and anyone with fingerprints in the system is identified, catching an attempt by John to initiate a transaction only authorized for Jane. This would certainly put a dent in data breaches caused by insiders.

A company in the Netherlands offers fingerprint biometrics for customer access to fitness centers, swimming pools and similar facilities. It denies access if you haven’t made your monthly payment. It can be used by hotels instead of a room key; you and your children could use your fingerprints for room access and room charges. This system is also being used in lieu of “loyalty cards,” as your purchases are tracked via fingerprint rather than a card. I wouldn’t need to carry around my 20 loyalty cards or remember which of my four phone numbers I used at a store.

Apple® iPhoto® and other photo-sharing sites are using biometric facial recognition to group users’ photos together by person. Of my 4000 photos, one site has grouped together all the photos of my daughter, my son, my mother, my friends, my children’s friends, etc. I just add the names and voila – an album ready to upload to the web and share. This simplifies holiday gift-giving.

I don’t doubt that biometrics will become ubiquitous one day. Personally I find that they can be efficient and offer conveniences, and they offer more accuracy in identifying people. Yet, there are well-known risks. For example, where is the data and how is it secured? After all, if my biometric data is breached, I have no real recourse – I can’t change my fingerprint. Who has access to the data? With how many of the “partners and affiliates” vaguely listed in a privacy policy does a company share the biometric data? How is the data being used – will it be used in an automated way to deny me rights with no recourse, for example, preventing me from entering my fitness center or job site? Despite some claims, biometric accuracy is not perfect; how stable is an iris over a lifetime?

In the European Union, there are stringent laws around the use of biometrics. Systems there are being designed to comply with the law, i.e., they are being designed with privacy protections built in. The company in the Netherlands, EasySecure, doesn’t keep the image of the fingerprint collected. It only retains an encrypted string of numbers, the “template.” This eliminates the risk of someone else misusing the image for other purposes, from identity theft, to a government agency trying to apply their own algorithms to match my fingerprint one-to-many against others in their databases.

It’s different in the United States. Some in the U.S. fear the government’s use of biometric data. Yet, the U.S. Government is subject to the Privacy Act of 1974, which limits its data collection, requires published privacy impact assessments and systems of records notices. Freedom of Information Act requests are another check on government data use. No such rules apply to the private sector’s collection of biometrics. Illinois has a law that prohibits private companies from collecting biometric data, unless requirements such as notice and explicit consent are met. It also forbids retention beyond three years. Biometric Information Privacy Act, 740 ILCS 14/1 (2008). To my knowledge, however, no other states have passed similar laws and no Federal law specifically addresses private sector use of biometrics.

My concern is not necessarily the ubiquity of biometrics, but the measures in place to ensure proper use and protection of biometric data. We are entering a world where we need such protections. I would feel much better about using a fingerprint at my grocery store if I knew that the image was not being stored for any later use by anyone, at any time in the future. I would feel better knowing that only an encrypted string of numbers was sitting in the cloud on a server somewhere.

Kathy is an attorney, consultant and CIPP in Washington DC, advising clients on US and international data privacy laws, including biometric laws. She was the Associate GC for the company that owns the GMAT, where she oversaw the data privacy compliance program for collection of biometrics in 110 countries. In a novel decision, after her discussions, the French data protection authority (the “CNIL”) approved the GMAT’s use of palm vein biometric data.

National Association of Regulatory Commissioners: Winter Committee Meeting

February 12, 2010

Renaissance Hotel

Washington, DC

Jules Polonetsky will be participating in the Staff Subcommittee on Telecommunications at 1:00pm.

Flash Cookie

We have done multiple blog posts warning about misuse of flash cookies, so we are not going to harp on the issue again. And although it is flattering to be called a watchdog, we are just a small consumer privacy and technology focused think tank focused on advancing responsible data use practices. So if you have flagged our criticisms on this issue to your business partners who use flash cookies for targeting and they haven’t cooperated, you may want to point them to the words yesterday of a watchdog with real teeth.