New Article 29 Working Party Chair Jacob Kohnstamm
We are pleased to congratulate Jacob Kohnstamm, Chair of the Dutch Data Protection Authority, for being elected the new chairman of the Article 29 Working Party. Mr. Kohnstamm visited the Future of Privacy Forum offices during his last visit to the U.S. and we enjoyed greatly the chance to discuss with him the issues on our agenda. By chance, the House Energy and Commerce Committee was holding a privacy hearing the next day, and so we arranged for Mr. Kohnstamm and his staff to attend the hearing and observe the action as Congressman Boucher questioned online companies about behavioral advertising practices.
We look forward to working with Mr. Kohnstamm and his staff on efforts to advance responsible and practical data practices.
Online Behavioral Advertising "Icon" Study
Executive Summary:
In May 2009, the Future of Privacy Forum launched a research initiative to examine new methods for communicating with users about online advertising and privacy. This study assessed the communication efficacy of behavioral advertising disclosures based on icons and short disclosures placed near webpage advertisements as an alternative to providing transparency and choice via traditional online privacy notices.
The study employed an internet panel to assess the communication efficacy of behavioral advertising disclosures on the web. Disclosures were tested at 2 levels: (1) a level-1 disclosure comprising a symbol and a short (2-3 word) phrase that was placed above an ad on the webpage (e.g., “interest based ads” or “ad choice”), and (2) a longer (18-20 word) level-2 disclosure that was revealed when surfers moved their cursor over the level-1 disclosure. This level-2 disclosure was intended to inform people that (a) information about their visit to this site is used to select ads they see here and elsewhere, and (b) to provide a link to “opt out” of this type of advertising.
The study involved five phases or sections:
• Part A: Exposure to webpage with level-1 disclosure. Measure recall of level-1 disclosure;
• Part B: Re-exposure to webpage with level-1 disclosure. Measure comprehension of level-1 disclosure;
• Part C: Re-exposure to webpage with level-2 disclosure. Measure comprehension of level-2 disclosure;
• Parts D & E: Participation in 13 online activities and attitudes toward online behavioral advertising and privacy.
The sample size was 2,604 U.S. adults. The majority of the study participants were active internet users. The average respondent participated in 9 of 13 online activities, with approximately half or more of the sample participating in 12 activities. Only 2% had not participated in any activities. More than half of the sample spent at least 15 hours online/week.
Concern for privacy was measured by nine items using a 5-point scale (5=strongly agree). Average for this scale was 3.88. We also asked whether people had taken any of eight steps to protect their privacy online. The average was 4 steps, with approximately 40% of the participants engaging in 7 of 8 activities. Only 8% had never taken any of these steps.
We measured comfort with OBA with and without two key fair information practices (transparency and choice). Without transparency and choice, only 24% are comfortable with OBA. When transparency and choice are offered, 40% are comfortable with OBA. Approximately 30% are neutral about OBA with or without transparency and choice. Transparency and choice increase comfort for people who are most active online and engage in more privacy protective behaviors.
We tested 14 level-1 disclosures: 2 symbols (“Power I” and “Asterisk Man”) combined with seven phrases (Interest based ads, Custom ads, AdChoice, Your choice, Your info and ads, Why did I get this ad?, and a control phrase, Sponsor ads). We tested one level-2 disclosure which provided transparency and choice.
We measured comprehension of the level-1 disclosure with two multiple-part questions (Q8 and Q9). Comprehension of the level-2 disclosure was measured with one multiple-part question (Q11). Results show that for the level-1 disclosures, two of the seven tested phrases (“Why did I get this ad?” and “Interest based ads”) generally do the best on comprehension. The remaining four phrases don’t do as well as the top two, but still outperform the control phrase (“Sponsor ads”). Also, while the phrase “AdChoice” did not perform as well as the top two on comprehension, it was in some cases less likely to generate agreement with decoy statements (that were unrelated to key communication objectives) than the top phrases. It is important to note, however, that while there were differences in the communication effectiveness of the six different level-1 phrases we tested, in an absolute sense it is not clear that they communicate well enough without additional support. Thus, consumer education will be needed to improve their communication effectiveness over time.
The testing also showed a very slight advantage for the asterisk man icon on some of the comprehension measures (specifically, Q8). Finally, the level-2 disclosure appears to communicate the key issues effectively.
What does the FTC need to be more effective? Read what Chairman Leibowitz is seeking from Congress.
Ubiquitous Biometrics
Guest Post from privacy expert Kathy Harman-Stokes
Speakers at the National Defense Industrial Association (NDIA) 2010 Biometrics Conference emphasized the value of “ubiquitous biometrics.” For biometrics to become ubiquitous, one speaker said biometrics should be widely used for facilities access, by employers for time and attendance recording of employees, and customer identification for various transactions, such as financial transactions. One goal of this NDIA Conference was to address government progress on implementation of U.S. Homeland Security Presidential Directive 24, which calls for interoperability of government biometric systems to aid the fight against terrorism. Speakers at the conference spoke of the promise for biometrics to minimize terrorist activities and also improve our everyday lives.
In my presentation I addressed the ways that biometrics are rapidly expanding in the private sector. Over 100 companies in the UK and Middle East are using a particular facial recognition system for their employees – for access to construction sites and airports, and time-keeping of employees and contractors. This system links into the attendance and payroll systems, reducing paperwork. One company found a 4% reduction in wage payments after implementing the system, stopping its wage fraud in its tracks. Colleges are using the same system to track class attendance. Iris recognition systems now capture an iris from three feet away, with people in motion walking toward the scanner. One system can capture the iris of 50 people/minute as they clock in for work at construction and other job sites. To comply with HIPAA, medical centers are using biometrics increasingly for staff access to patient records, and to confirm the identity of patients before dispensing medication.
Admission tests have been using biometrics for years. The GMAT is using a system worldwide that scans the vein pattern of the palm of a test-taker’s hand with infrared light (a “palm-vein” system). The LSAT and some others use fingerprints, all to minimize exam fraud, which results in fraud in the admission process. A bank in Australia is using voice authentication biometrics for some phone banking and banks in Japan are using palm vein systems at ATMs. One system, BioLock, offers a fingerprint system that can literally protect every mouse click on a computer. An employee scans a fingerprint to log on, then must scan again for each attempt to access a sensitive transaction, such as authorizing a wire transfer. Every attempt is logged and anyone with fingerprints in the system is identified, catching an attempt by John to initiate a transaction only authorized for Jane. This would certainly put a dent in data breaches caused by insiders.
A company in the Netherlands offers fingerprint biometrics for customer access to fitness centers, swimming pools and similar facilities. It denies access if you haven’t made your monthly payment. It can be used by hotels instead of a room key; you and your children could use your fingerprints for room access and room charges. This system is also being used in lieu of “loyalty cards,” as your purchases are tracked via fingerprint rather than a card. I wouldn’t need to carry around my 20 loyalty cards or remember which of my four phone numbers I used at a store.
Apple® iPhoto® and other photo-sharing sites are using biometric facial recognition to group users’ photos together by person. Of my 4000 photos, one site has grouped together all the photos of my daughter, my son, my mother, my friends, my children’s friends, etc. I just add the names and voila – an album ready to upload to the web and share. This simplifies holiday gift-giving.
I don’t doubt that biometrics will become ubiquitous one day. Personally I find that they can be efficient and offer conveniences, and they offer more accuracy in identifying people. Yet, there are well-known risks. For example, where is the data and how is it secured? After all, if my biometric data is breached, I have no real recourse – I can’t change my fingerprint. Who has access to the data? With how many of the “partners and affiliates” vaguely listed in a privacy policy does a company share the biometric data? How is the data being used – will it be used in an automated way to deny me rights with no recourse, for example, preventing me from entering my fitness center or job site? Despite some claims, biometric accuracy is not perfect; how stable is an iris over a lifetime?
In the European Union, there are stringent laws around the use of biometrics. Systems there are being designed to comply with the law, i.e., they are being designed with privacy protections built in. The company in the Netherlands, EasySecure, doesn’t keep the image of the fingerprint collected. It only retains an encrypted string of numbers, the “template.” This eliminates the risk of someone else misusing the image for other purposes, from identity theft, to a government agency trying to apply their own algorithms to match my fingerprint one-to-many against others in their databases.
It’s different in the United States. Some in the U.S. fear the government’s use of biometric data. Yet, the U.S. Government is subject to the Privacy Act of 1974, which limits its data collection, requires published privacy impact assessments and systems of records notices. Freedom of Information Act requests are another check on government data use. No such rules apply to the private sector’s collection of biometrics. Illinois has a law that prohibits private companies from collecting biometric data, unless requirements such as notice and explicit consent are met. It also forbids retention beyond three years. Biometric Information Privacy Act, 740 ILCS 14/1 (2008). To my knowledge, however, no other states have passed similar laws and no Federal law specifically addresses private sector use of biometrics.
My concern is not necessarily the ubiquity of biometrics, but the measures in place to ensure proper use and protection of biometric data. We are entering a world where we need such protections. I would feel much better about using a fingerprint at my grocery store if I knew that the image was not being stored for any later use by anyone, at any time in the future. I would feel better knowing that only an encrypted string of numbers was sitting in the cloud on a server somewhere.
Kathy is an attorney, consultant and CIPP in Washington DC, advising clients on US and international data privacy laws, including biometric laws. She was the Associate GC for the company that owns the GMAT, where she oversaw the data privacy compliance program for collection of biometrics in 110 countries. In a novel decision, after her discussions, the French data protection authority (the “CNIL”) approved the GMAT’s use of palm vein biometric data.
National Association of Regulatory Commissioners: Winter Committee Meeting
February 12, 2010
Renaissance Hotel
Washington, DC
Jules Polonetsky will be participating in the Staff Subcommittee on Telecommunications at 1:00pm.
For more information about the event please click here.
Flash Cookie
We have done multiple blog posts warning about misuse of flash cookies, so we are not going to harp on the issue again. And although it is flattering to be called a watchdog, we are just a small consumer privacy and technology focused think tank focused on advancing responsible data use practices. So if you have flagged our criticisms on this issue to your business partners who use flash cookies for targeting and they haven’t cooperated, you may want to point them to the words yesterday of a watchdog with real teeth.
Information Governance and Cloud Computing
Our friends at Nymity have published a thoughtful interview with FPF Advisory Board member Michelle Dennedy. Have a look!
Future of Privacy Forum Releases Behavioral Notices Study
Today, the Future of Privacy Forum (FPF) released the results of a research study which tested the effectiveness of using new icons and key phrases to provide web surfers with more transparency and choice about behavioral advertising practices. FPF launched the notices initiative in May 2009 and partnered with a number of divisions at WPP, the global marketing communications company, to launch a consumer focused effort that would rely on the skill of advertising and communications professionals to engage users about efforts to provide relevant banner advertising. In February 2009, the Federal Trade Commission had expressed concern that privacy policies were not being read or understood, and urged the industry to develop new methods of providing notice to users about behavioral advertising practices.
The two phrases that performed significantly better than others in the 2600 internet user panel were, “Why did I get this ad?” and “Interest based ads.” “AdChoice,” a phrase which is currently being used by eBay in its notice program, was a favorite of earlier focus group participants, particularly with less experienced internet users. Overall the notices research showed which phrases and icons were more effective than others, but it also indicated that an educational effort will be necessary to fully ensure that users comprehend behavioral advertising practices.
Two new icons that had emerged as leaders from earlier focus groups and were tested in the survey included an “asterisk man” and a “Power I” image. Focus group participants, who were previously presented with choices of icons, associated the lowercase “i” with “Information” links, interest-based ads, a power on/off switch alluding to the opt-out option, and the Internet in general. “Asterisk Man” was associated with personalization or a person “watching”. In the internet user panel, without further education or branding, neither had a major advantage over the other and each was dependent on being linked to key phrases, which effectively communicate to users about behavioral advertising.
As Jules Polonetsky, co-chair and director of FPF noted, “We think the icons and phrases, plus an education campaign can play an important role in educating consumers about behavioral advertising, but this needs to be done in concert with serious self regulatory efforts and continued technology and policy advances.”
FPF founder and co-chair Christopher Wolf applauded the results, “When FPF started this initiative, we challenged our partners at WPP to find a creative way to help companies communicate with consumers about behavioral advertising in terms consumers could understand. The research we have released today shows that we have achieved our goal.”
George V. Pappachen, Chief Privacy Officer at WPP’s Kantar Group said, “From the onset of this project, we believed there were innovative ways to engage and inform consumers about behavioral advertising. By using consumer research to guide us and enlisting communication experts to create these new notices, we believe we have reached an effective tactic to help explain behavioral advertising to consumers.”
The study also measured comfort with behavioral advertising with and without transparency and choice. Among the findings, applying transparency and choice increased the percentage of those who were comfortable with behavioral advertising from 24% to 40%, a 37% change. The same study also found that approximately 30% are neutral about behavioral ads with or without transparency and choice.
The final research report was authored by leading academics Mary Culnan and Manoj Hastak, who worked with Polonetsky to structure and design the consumer testing. With GroupM and Kantar coordination, a creative team from Ogilvy designed a collection of symbols, Greenfield Consulting conducted focus groups to test the symbols that showed the most promise, and teams from Kantar Group and Lightspeed were responsible for the online quantitative study.
Members of FPF’s advisory board provided input into the research, including valuable assistance from privacy leaders at AT&T, AOL, eBay, Verizon, TRUSTe and Yahoo as well as Ari Schwartz from the Center for Democracy & Technology and Professor Lorrie Cranor from Carnegie Mellon.
To see the power point presentation of Manoj Hastak click here.
To see the power point presentation of Mary Culnan click here.
A Little ‘i’ to Teach About Online Privacy
New York Times
By Stephanie Clifford
January 26, 2010
A LITTLE blue symbol is carrying big implications.
Trying to ward off regulators, the advertising industry has agreed on a standard icon — a little “i” — that it will add to most online ads that use demographics and behavioral data to tell consumers what is happening.
Jules Polonetsky, the co-chairman and director of the Future of Privacy Forum, an advocacy group that helped create the symbol, compared it to the triangle made up of three arrows that tells consumers that something is recyclable.
Jules Polonetsky quoted:
The idea was “to come up with a recycling symbol — people will look at it, and once they know what it is, they’ll get it, and always get it,” Mr. Polonetsky said.
“We said, let’s turn to creative people whose job it is to sell things, to communicate, instead of to lawyers whose job is to create highly accurate things that mean only what they mean and can be highly complex,” Mr. Polonetsky said.
Future of Privacy Forum Releases Behavioral Notices Study
Research Shows Transparency and Choice Significantly Increase Acceptance of Behavioral Ads
WASHINGTON – Today, the Future of Privacy Forum (FPF) released the results of a research study which tested the effectiveness of using new icons and key phrases to provide web surfers with more transparency and choice about behavioral advertising practices. FPF launched the notices initiative in May 2009 and partnered with a number of divisions at WPP, the global marketing communications company, to launch a consumer focused effort that would rely on the skill of advertising and communications professionals to engage users about efforts to provide relevant banner advertising. In February 2009, the Federal Trade Commission had expressed concern that privacy policies were not being read or understood, and urged the industry to develop new methods of providing notice to users about behavioral advertising practices.
To see the full research report and examples of the icons visit FPF’s website at: fpf.org.
The Future of Privacy Forum is a Washington, DC based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups. FPF was launched in November 2008, and is supported by AOL, AT&T, The Better Advertising Project, Deloitte, eBay, Facebook, Intel, Lockheed Martin, Microsoft, The Nielsen Company, Verizon and Yahoo.