So turns out that we don’t yet have a draft cookie policy to react to, but today we have a more formal request for comment that lays out the framework OMB is looking at and guidance on the more specific input OMB is seeking. See Open Government Blog.
Here are the details:
Under the framework we’re looking at, any Federal agency using web tracking technologies on a Federal Government website would be subject to basic principles governing the use of such technologies and would be required to:
Adhere to all existing laws and policies (including those designed to protect privacy) governing the collection, use, retention, and safeguarding of any data gathered from users;
Post clear and conspicuous notice on the website of the use of web tracking technologies;
Provide a clear and understandable means for a user to opt-out of being tracked; and
Not discriminate against those users who decide to opt-out, in terms of their access to information.
OMB is considering a three-tiered approach to the use of web tracking technologies on Federal Government websites:
1st – Single-session technologies, which track users over a single session and do not maintain tracking data over multiple sessions or visits;
2nd – Multi-session technologies for use in analytics, which track users over multiple sessions purely to gather data to analyze web traffic statistics; and
3rd – Multi-session technologies for use as persistent identifiers, which track users over multiple visits with the intent of remembering data, settings, or preferences unique to that visitor for purposes beyond what is needed for web analytics.
We expect that there would be more stringent restrictions or review of the technologies within the tiers that might have higher privacy risks.
To share your comments on this approach, you can post a comment here, submit comments directly in response to the Federal Register notice mentioned above, or email them to: [email protected]. Comments submitted by August 10, 2009 in one of these three ways, will be taken into consideration though we strongly encourage you to comment here so that others can respond. Comments submitted via email will also be republished here. We’re hoping to hear your thoughts on:
The basic principles governing the use of such technologies;
The appropriate tiers;
The acceptable use and restrictions of each tier;
The degree of clear and conspicuous notice on each website that web tracking technologies are being used;
The applicability and scope of such a framework on Federal agency use of third-party applications or websites;
The choice between an opt-in versus opt-out approach for users;
Unintended or non-obvious privacy implications; and
Any other general comments with respect to this issue.
The White House is hosting a call we are joining later today with stakeholders to discuss this further, so we will update if there is anything more to report.
New White House Policy on Cookies On the Way
Look out today for a Federal Register request for comment and a post at the White House Open Government site about ways to revise the current prohibition on persistent cookies. The goal is to continue to protect the privacy of people who visit Federal Government websites while at the same time making these websites more user-friendly, providing better customer service, and allowing for enhanced web analytics. We have commented extensively on this issue at this site and in submissions to the Administration, and CDT and EFF have produced a useful report here as well (search “cookies” at this site to find earlier links and posts). Check back here later for an update.
Borrow this Privacy Policy, Please
Ad-targeting network Lookery includes the following language in its privacy policy:
“Thank you to TACODA, from whose privacy policy this one was derived.”
First time we have seen a company give credit like this!
When is it Acceptable for Pharma Marketers to Use Behavioral Targeting? | Pharma Marketer
Our readers may be very interested in this article about creating profiles of people who search or read about topics ranging from Viagra to asthma. Take the survey at the end to see the results so far.
Zittrain and Cloud Computing
Our friend Jonathan Zittrain’s piece in today’s New York Times, entitled “Lost in the Cloud”, raises pertinent and important privacy and competition issues about cloud computing. His main focus is on the concerns for individuals and the ability of companies to innovate if they are subject to the guidelines of the cloud operators. The great irony may be that guidelines for privacy and security enforced by cloud operators may be exactly what is needed to provide individuals with a trusting experience. But, as Zittrain discusses in his book The Future of the Internet and How to Stop It, navigating the decisions that help protect users without stopping innovation is key to the future of the internet. Last week’s action by the Privacy Commissioner of Canada against Facebook for not doing enough to enforce rules over the application developers that use its platform is an example of how government will be seeking to play a role in these decisions.
We would add to Professor Zittrain’s analysis a discussion of how business-to-business cloud computing has the real potential to enable innovation that would otherwise be impossible because of how it can reduce costs for many businesses, improve service delivery and promote innovation because of the economies of scale. Countless business models and services will exist only if they have the capability to make use of sophisticated programs and infrastructure that can serve millions of users at low cost.
The contracts that sophisticated businesses are putting in place with major providers of cloud computing services, like IBM, address many of the concerns about privacy, security and intellectual property rights, as well as the location of services (so as to reduce the risk of foreign government tampering with private information). But as Zittrain has been advocating, and as remarks from Julius Genachowski reported today make clear, the success of the interaction between the innovators at the edge and the providers of the platforms of the future will be essential to the future of privacy, security and the vitality of the internet.
Overall this is a very well informed and thoughtful decision. The majority of the issues raised by CIPPIC (Canadian Internet Policy and Public Interest Clinic) are either denied or found to have been successfully addressed by many of the privacy enhancements introduced by Facebook over the past year. The most significant unresolved issue as identified by the Commissioner is probably around the many thousands of third party applications that have become so popular with Facebook users. Although Facebook has contractual policies restricting the access and retention of user data by the “apps”, and has enforced these rules by kicking various apps off of Facebook, concerns by the Commissioner still exist about whether Facebook should be able to implement some sort of technical monitoring of these programs. Although Facebook has launched a “Verified Apps” program, where apps can sign up for more intensive review of their practices and receive a label informing users, this program is voluntary. We agree that this is an area where users are right to have concerns about the identities and practices of third party app developers, many of whom are individual developers or start-ups operating anywhere in the world. But we also think that a mandatory approval and review program for apps controlled by Facebook would be subject to criticism in the policy debate over the openness of the platform and would create a huge bottleneck for the developers of the apps. The role of “policing” these apps may be better suited for third parties or seal organizations, which can independently set trust guidelines and devote time and resources to the auditing and technical monitoring of apps.
Two other issues flagged by our northern neighbors are also intriguing. The Commissioner would like Facebook to spell out in its privacy policy what it does with user accounts after users die. Although companies in the US often do have policies around how to handle user accounts after death, the controlling practices are usually trust and estate laws and they are dependent on the ability of a next of kin to establish ownership of the account. Rarely, if ever, is information about this spelled out in a privacy policy and we wonder whether the Commissioner would require this of all blogs, Web sites, email providers or the like. Although we think transparency is key to ensuring users’ trust in the companies they deal with, we aren’t sure that most users want to discuss death when they sign up for a social network. What do our readers think? Do you want your Facebook profile or your blog to stay up after you die? Do you want to decide this when you create an account? Should estate planners start advising clients to leave online account passwords and orders with their executors?
Also relevant to all sites that allow users to post content is the request that Facebook implement methods to ensure that users who post images or provide emails of non-Facebook users can show that they have the consent of those non-users. Although the Commissioner recognizes that personal use by individuals is ordinarily exempted from PIPEDA (Personal Information Protection and Electronic Documents Act), the fact that Facebook makes additional use of this information is held to be the basis to cover it under PIPEDA. In addition to the free speech concerns of users that might be raised under US law, practical application of this principle to user Web sites in general seems practically impossible. On the other hand, Facebook more strictly limiting retention of certain non-user data supplied by users, for example email addresses used to invite friends, seems practical, required by PIPEDA and likely to be a very good idea and an effective way to deal with this concern.
The Commissioner also makes a strong case that the option to completely delete a user’s profile needs to be easier to do. We firmly agree. At a time when users are first becoming aware of the many ways the data they post can later be used against them or out of context, the safety valve that can help ensure users have more control over their data trail is a firm ability to easily delete their profile information. And de-activated profiles, which are maintained for the long term, are quite likely forgotten by their owners and should also be deleted on a published schedule.
Here is the response from Facebook: “Facebook will soon be introducing a number of new additional privacy features to its service that we believe will keep the site at the forefront of user privacy and address any remaining concerns the Commission may have. In the meantime, we will also continue our efforts to work with the Canadian Federal Privacy Commissioner to address the outstanding areas highlighted in the report and will continue our efforts to raise awareness of the privacy controls on Facebook.”
Kudos to Assistant Commissioner Liz Denham, author of the report, for producing one of the best pieces of work we have seen from a data protection agency anywhere. The document demonstrates an understanding of the Facebook platform and how users interact with it. In the many cases where complaints were raised but where Facebook was already in compliance or where practical changes were made, the report takes a pragmatic and user-focused view towards application of the law and recognizes those measures. We agree with leading Canadian privacy scholar Michael Geist, who commented as follows:
“The finding is one of the longest and most detailed in memory as it chronicles not only the complaint and findings but the negotiations with Facebook in addressing the concerns. In doing so, it represents the most exhaustive official investigation of Facebook privacy practices anywhere in the world.”
Yahoo launches a mobile behavioral opt-out
Kudos to Yahoo for being among the first to offer a mobile behavioral advertising opt-out. Check out http://www.ypolicyblog.com/
The FTC was clear in its behavioral advertising guidance that consumers should be entitled to opt-out of behavioral ads, regardless of the platform involved. It is great to see Yahoo take the lead here on behalf of mobile users, as they have done on the Web by adopting standards to quickly anonymize user data. I am aware of only two other mobile ad companies offering any sort of mobile opt-out – what are folks waiting for? We are putting together a list of companies doing mobile behavioral advertising, so that interested observers can be aware of developments in this area and can urge others on. If you are aware of companies offering a mobile opt-out, please comment below.
This Thursday, the Future of Privacy Forum and the Center for Democracy and Technology are hosting a working meeting with companies, industry groups, ad networks and browser companies to seek to advance efforts to improve the general opt-out process. Email [email protected] if you are a provider interested in this issue.
How close to your actual home is the geo-info companies have about your IP address?
The debate around IP addresses as personal information hinges primarily around the fact that an ISP will usually have the identity of the subscriber assigned an IP address. So the real issue isn’t really about IP addresses, but rather how to handle information which may be non-personal to one party, but which is linked to personal information in the hands of others. IP address is one of the more prominent examples of this issue, because it is often the “clue” left behind by someone visiting a Web site, searching, or creating an email account. But account identifiers that are personal to one company are often shared with others, for example Web analytics companies or ad networks who use this ID to help correlate web log data. The analytics company or ad network cannot identify the user, but the data is handed back to the client who may be able to.
DoubleClick’s ad-serving and search products utilize non-PII. Some of our clients may associate PII that you have given them (for example, a customer number, if you have registered at or purchased from their websites), with their advertising campaigns. Although this customer number may be passed from the client to DoubleClick’s ad servers during the ad delivery process, DoubleClick cannot recognize this information as PII and cannot link it to any person.
Let’s get back to IP addresses. We have posted previously about how most companies do not currently use IP to track users, relying on cookies for this. IP addresses are also needed for auditing, fraud and security purposes and we will post more on that in the future. But one of the most common uses is to estimate a user’s location for reporting and analytics or for ad targeting. How well does that work?
Here is a test from one IP geo-look-up site, WhatisMyIPAddress.com. My home is 60 miles or so away from the location identified. Not sure what service they are using for the data; some may be better than this one, which claims as follows: “Country accuracy is estimated at about 99%. For IP addresses in the United States, 90% accurate on the state level, and 81% accurate within a 25 mile radius. World-wide users indicate 60% accurate within 25 miles.”
I would add to his set of reasons the fact that cookies are unstable, imperfect and thus a less intrusive and permanent method than other ways a company might use. For example, a browser can only hold cookies of a limited size and number, and after that they are overwritten.