Future of Privacy Forum Advisory Board News

FPF is delighted to welcome several new members to our Advisory Board

Paul Ohm, associate professor at the University of Colorado Law School. Prof. Ohm is an expert in information privacy, computer crime law, intellectual property, and criminal procedure. To access his most recent paper, “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization,” please click here.

Ryan Calo, residential fellow at the Center for Internet & Society at the Stanford Law School. Calo’s expertise is in the intersection of privacy and technology. A Dartmouth grad with a JD cum laude from the University of Michigan Law School, Ryan was a contributing editor to the Michigan Law Review. To read his most recent paper, “People Can Be So Fake: A New Dimension to Privacy and Technology Scholarship,” please click here.

Allen Brandt, corporate counsel, data privacy and protection, Graduate Management Admission Council (GMAC). Allen Brandt advises colleges on data retention and privacy.

Terry McQuay, president, Nymity. Nymity is a global privacy and data protection research firm whose products are used by more than 1,000 privacy professionals.

And A Fond Farewell

Two esteemed members of FPF’s Advisory Board have recently departed for higher callings. This summer, Peter Swire joined the Obama Administration as Special Assistant to the President for Economic Policy at the National Economic Council. A professor at Ohio State’s law school and an internationally recognized privacy expert, Peter had acted as the “White House Counselor for Privacy” during the Clinton Administration. His counsel to FPF has been invaluable.

Daniel Weitzner is now the Associate Administrator for the Office of Policy Analysis & Development at the Commerce Department’s National Telecommunications and Information Administration. As Director of the Decentralized Information Group at the MIT Computer Science and Artificial Intelligence Laboratory and Technology & Society Policy Director at the World Wide Web Consortium, Danny still found some time to help shape our thinking about privacy.

Both Peter and Daniel joined the FPF Advisory Board at our inception. Our nation is well-served by having these two luminaries join the Administration.

Jodie Bernstein, Lifetime Achiever

A richly deserved tip of the hat is due to FPF Advisory Board member Joan “Jodie” Bernstein. Citing her “brilliant legal skills,” American Lawyer last week bestowed upon her its prestigious “Lifetime Achiever” award. This award goes to a select group of attorneys who, in the opinion of the magazine, have transformed the practice of law through leadership in public service and private practice.

In our view, it’s a fitting tribute for someone whose six decades of legal service have made her one of the nation’s most respected voices for consumer rights and privacy.

FTC to Dig Deeper on Privacy Issues

Back in August, the new head of the Bureau of Consumer Protection at the Federal Trade Commission, David C. Vladeck, sent a strong message that the Commission continued to be troubled by the state of consumer privacy in the U.S. and the current enforcement model. At that time, Vladeck said, “The frameworks that we’ve been using historically for privacy are no longer sufficient.”

It is our understanding that the announcement yesterday by the FTC that it would be holding a series of “day-long public roundtable discussions to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data” is an outgrowth of those comments. The commission is apparently particularly interested in hearing about new ideas for privacy models. What would be a better model than the current focus on protecting against harm or deception? What could work better than privacy policies? How can the government or industry play a role in assuring the “dignity” of online citizens?

As many are probably aware, the first of these meetings will take place on December 7th in Washington. We look forward to the Commission’s additional exploration of these issues…

Flash Cookie Confession?

I was pretty stunned to read this piece posted on MediaPost today. It usually takes a subpoena to obtain documents with comments like this:

“When Tatto began to develop its core behavioral frameworks and algorithms, it believed Flash cookies would remain the best way to slow the ability of consumers to delete cookies from their computers. Flash cookies are no different than regular cookies in terms of user privacy, but on average remain on a person’s computer for more than three months.”

Huh? Mr. Miao, please talk to a privacy professional ASAP. And read our previous post advising companies against misuse of flash cookies!

Behavioral Economics

Michael Sanserino’s column on behavioral economics in yesterday’s Wall Street Journal is a timely reminder about the benefits and the risks of new kinds of personal data uses. Take the Sacramento Municipal Utility District, which since April 2008, according to Sanserino, has sent monthly notices to 35,000 customers showing how their usage compares with their neighbors and with the area’s most-efficient customers:

“Customers who received the additional information cut their energy use by 2%, compared with a similar group of users who didn’t get comparison data.”

The behavioral economic theory which shows the powerful effect of information about others on influencing individual behavior is popular among many economists and in 2002, proponents Daniel Kahneman and Vernon Smith won the Nobel Prize for their work in this area. Encouraging people to conserve energy is clearly a societal good. But from a privacy perspective, the use of this type of data raises many questions. Will my usage be shared publicly? Will it be analyzed by marketers? Can it be used against me?

The same article cites a start-up company that has created a prescription drug container with lights that glow when it’s time for a pill, and a radio chip that transmits information about how often the medicine is taken. Again, there is great value in such data when it is used to help people manage their medications, and for the families or guardians who help support those in need of assistance.

But the new risks of potential misuse of this and similar technologies highlight the challenges and need for responsible practices raised as new data uses move from laboratories to living rooms.

In the Chinese language, the characters for “challenge” and “opportunity” are remarkably similar. As Sanserino’s article makes clear, business decisions are increasingly guided by principles involving shared information. That’s a great opportunity – but from a privacy perspective, it’s also a tremendous challenge.

Behavioral Advertising in Europe

Some news just in from our friend Kirsten Bock of the data protection agency of Schleswig-Holstein in Germany. Schleswig-Holstein manages the EuroPriSe privacy seal, a privacy certification backed by many European data authorities. This week, the EuroPriSe seal was awarded to nugg.ad, a behavioral advertising company active throughout Europe. For our readers who, like us, are deep in the weeds of online ad policy, the public report is important reading. Note that the company does not have users opt-in, but rather is strict about not logging IP addresses, strictly limits health and other sensitive targeting and expires cookies after 26 weeks. Some lessons for the U.S.? We have just conducted a detailed interview with nugg.ad’s CEO, so stay tuned for a more detailed discussion of how one of the leading European online ad companies is succeeding at both personalization and privacy.

From our lips to the Senate's ears…Cass Sunstein receives confirmation

On Wednesday, we wrote on our blog that Congress could help ensure that privacy issues are given the utmost priority by confirming Cass Sunstein as the new administrator for the Office of Information and Regulatory Affairs. OIRA is the office at OMB that helps oversee government agency privacy issues. As luck would have it, we learned late yesterday that the Senate has confirmed Sunstein’s nomination. FPF believes this is a very important move in the Administration’s goal of protecting Americans’ privacy interests. As Peter Orszag, the Director of OMB, said on his blog, “Cass is the type of data-driven, creative thinker that we need in public life.” FPF congratulates him on this new position and we look forward to working with him in the days ahead on emerging privacy issues.

Too soon to judge Obama administration on privacy…

A number of the most fervent privacy groups today put out a report critiquing the Obama administration’s record to date on privacy issues. At only 9 months in, it seems a bit too soon to rate the Administration. As we have written previously, we do think there have been early indications of a commitment to ensuring that privacy issues are given high priority in the policy process. But clearly there are very high hopes in the advocacy community that this Administration will lean on its many tech savvy appointees to forge new paths that ensure the advances of technology are harnessed in a manner that advances both the needs of government and civil liberties. Likewise, we think that many of the more progressive companies in the business community are eager to see the government take steps to help increase the trust necessary for citizens to embrace the advances enabled by new technologies.

What about the privacy of our youth? Obama may be the first president to offer our children some personal privacy advice. Yesterday, when he was asked for some guidance on how to become president, he told several ninth graders, “Be careful what you post on Facebook.”

One thing that Congress can do to help is to confirm Cass Sunstein, the Administration’s nominee for the Office of Information and Regulatory Affairs, which is the office at OMB that helps oversee government agency privacy issues. Sunstein comes to the position with a close relationship with the President and a long history writing and thinking about the impact of technology and society. The sooner the administration can have a focal point for privacy issues, the sooner we can expect to see progress on many of the privacy issues at stake.

How We’re Losing Our Privacy Online

Christian Science Monitor

By Gregory Lamb

August 31, 2009

Gail Heyman didn’t go on Facebook often. In March Mrs. Heyman, who lives in the Atlanta area, opened an account just to keep up with a few friends. She found herself rarely checking the social-networking site, letting days or even weeks slip by between visits.

But in late June, she received a phone call from a cousin. He had responded to what he thought was her emergency plea for money on Facebook and wired her $2,000 – in London. As he thought about it more, he decided to call her just to double-check.

Heyman, who was still in Georgia, was astounded. Someone had figured out her password, taken over her account, and posted the fraudulent request. “They told my [Facebook] friends that I had been mugged, and that I was in a hotel and that I needed money,” she says.

Her cousin was able to quickly contact Western Union and cancel the transfer before the money was picked up by the imposter in London. Heyman, still a little shaken, hasn’t reopened her Facebook account but hopes to get back online in the future. “It’s made me think differently about doing things online,” she says.

Jules Polonetsky quoted:

“Let’s make it easier for folks to act in the way they want to act,” says Jules Polonetsky, co-chairman and director of the Future of Privacy Forum, a Washington, D.C.-based think tank underwritten by companies such as AT&T, AOL, Intel, eBay, and Facebook. “Yes, I can make a silly joke to my friend. It can be easily watched by my friends, but I can easily make it go away if I need to.”

Facebook agrees with Canada on privacy controls

Associated Press

By Charmaine Noronha

August 27, 2009

Facebook agreed Thursday to give users more control over the information they share with outside applications like games and quizzes in response to concerns raised by Canadian privacy officials.

Currently, people who wish to use such software have to agree to share all their data with the application. For example, when a user signs up to take a quiz, the software developer could tap the user’s biographical information, photos and hobbies, along with profiles and information on friends, even if such data aren’t needed to take the quiz.

Jules Polonetsky quoted:

Jules Polonetsky, co-chairman and director at the Future of Privacy Forum think tank in Washington, D.C., said that while users will be more aware that applications are accessing their data, they may still click through the notices without regard for what information they are ceding to the developers.

Facebook Addresses Canada's Privacy Commissioner Concerns

Several weeks ago the Office of the Privacy Commissioner of Canada issued a comprehensive report about Facebook’s privacy policies and asked the company to address several privacy concerns they laid out or face imminent legal action. In response, Facebook announced today a series of changes intended to address the concerns offered by the Commissioner.

Among the changes Facebook will be making:

• Updating its Privacy Policy to better describe a number of practices, including the reasons for the collection of date of birth, account memorialization for deceased users, the distinction between account deactivation and deletion, and how its advertising programs work.

• Encouraging users to review their privacy settings to make sure the defaults and selections reflect the user’s preferences.

• Increasing the understanding and control a user has over the information accessed by third-party applications. Specifically, Facebook will introduce a new permissions model that will require applications to specify the categories of information they wish to access and obtain express consent from the user before any data is shared. In addition, the user will also have to specifically approve any access to their friends’ information, which would still be subject to the friend’s privacy and application settings.

In my opinion, the most important change is related to applications. As I have previously discussed, the challenge of policing the activities of tens of thousands of independent developers around the world is a daunting but necessary task. The current process on Facebook allows users to opt in to giving applications permission, but allows apps to require users to provide access to all of their own data and all their friends’ data. Many users have no clue that by doing quizzes, they are providing a developer with access to all the information in their profile and access to their friends’ profiles and their information.

The new process will require applications to spell out in more detail the data they want from users, and users to more specifically approve access to categories of an individual’s data or their friends’ data.

For the first time, when users authorize an application, they will have the opportunity to opt out of giving certain pieces of information. Fields that are necessary for the application to function will still be mandatory. Facebook also said that it anticipated that users will need to opt in to giving applications access to their friends’ data.

These changes are absolutely a very positive step, and do lead the way for other platforms that support applications to step up to provide more transparency and control.

Unfortunately, I don’t see how Facebook can take on the job of policing hundreds of thousands of applications, without creating huge bottlenecks or hiring hundreds of reviewers. Who will decide what data is necessary for an application to function? Will users pay attention and exclude the sharing of data which isn’t required or will they just click through? Clearly, there is a desperate need for third parties such as seal companies or application rating sites to fill the void here so that users can look to trusted experts for help before deciding to share the details of their lives with unknown and unverified developers. Of course, this issue isn’t unique to Facebook as the focus tomorrow will be on the other social network platforms. And, it’s only a matter of time before open mobile platforms feel the heat as well.

The other important note here is that, once again, the international privacy regulators are driving the global privacy agenda and setting standards for US companies. In response to recent pressure from European authorities, search engines have all reduced the time they keep search queries. Although international regulators have for many years published opinions or made public declarations about their views that companies weren’t meeting local standards, they have begun to play a significantly more aggressive role in demanding actual changes from companies active in their jurisdictions. A review of the agenda of the November international conference of data commissioners makes it clear that social networking, kids’ privacy, and behavioral advertising will continue to be lead topics of discussion. Although the FTC cooperates with many of the international regulators and has observer status at some of the conferences, I reiterate the call for the Obama administration to appoint a Chief Privacy Officer who can ensure that the US is more visible and relevant on this increasingly global playing field.