If you are around DC today, join us for what I hope will be an exciting panel! Some advance thoughts — I suspect that I am personally far less allergic to legislation than some of my colleagues on today’s PFF Regulating Online Advertising Panel. I do think that effective legislation here will be very difficult, but I think that the Hill staff and FTC staff have done a great deal in the last 2 years to really get up to speed on the technologies, business models, consumer issues and the big picture of the economy and internet eco-system. I think industry claims that requiring greater control or transparency will break business models, eliminate free content and generally wreak havoc ring hollow. On the other hand, efforts (legislative or self-regulatory) that focus solely on behavioral ads, deep packet inspection, or specific technologies could easily miss the mark, as business models already use a much wider range of data. And a great deal of confusion continues to exist, even within the “expert” circles, about how the relevant technologies are used, and I do certainly worry about proposals that would do more harm than good.
Anyway, looking forward to participating with the wise heads listed below and continuing to think this issue through.
Today on Capitol Hill
Regulating Online Advertising:
What Will it Mean for Consumers, Culture & Journalism?
Berin Szoka (Moderator), Senior Fellow and Director of the Center for Internet Freedom, The Progress & Freedom Foundation
Howard Beales, Associate Professor, Department of Strategic Management and Public Policy, George Washington University
Thomas Lenard, President & Senior Fellow, Technology Policy Institute
Jules Polonetsky, Co-Chair & Director, Future of Privacy Forum
Mark Adams, Visiting Fellow, The Progress & Freedom Foundation
Proposals to regulate advertising and data collection on the Internet, mobile phones, and interactive television, hold the promise of enhancing consumer privacy. On the other hand, “smart advertising” allows more relevant advertising to be targeted directly to individual consumers, making markets more competitive, significantly increasing the funding available for creating free content and services, and increasing the effectiveness of all forms of free speech. So what would regulation cost consumers, and how will it impact journalism and other non-commercial content, which stands to gain the most from better targeting? What First Amendment questions would regulation raise about the future of culture and political discourse? These and other pressing questions will be discussed at “Regulating Online Advertising: What Will it Mean for Consumers, Culture & Journalism?,” a congressional seminar hosted by The Progress & Freedom Foundation.
Privacy Gourmet: Computers, Freedom and Privacy Tutorial on Online Advertising
Doug Miller, the privacy lead at AOL and one of the most genuine people I have ever met, joined me to give a tutorial on the nuts and bolts of online advertising at the Computers, Freedom and Privacy 2009 Conference. Doug has been kind enough to post the charts he and his team prepared. Check them out at AOL’s Privacy Gourmet blog.
A cookie is a cookie and an IP address is an IP address
Cookies, not IP addresses as claimed in the above article, are today used for behavioral tracking. IP addresses are used by ad networks for geo-targeting, for anti-fraud and auditing, and in some cases for presuming the type of company the user is coming from. They are not currently the basis for behavioral ad targeting at any major ad network or behavioral company. In fact, some behavioral ad companies in Europe very quickly delete IP addresses, or do not log them at all, in order to better comply with local law. Not saying there is no privacy issue with behavioral ads, as there certainly is – but it is the tasty http cookie that is at the center of this issue. Not saying there aren’t some new emerging business models focused on IP addresses, but this wasn’t the issue with PHORM. There has been plenty of ink already devoted to the privacy issues around the ISP behavioral model that PHORM championed, so I don’t intend to get into that here, but one of the points that the PHORM crew made in support of their model was that they didn’t keep IP addresses, while much of the rest of the industry did log and retain IPs.
Quite a muddle, so what is the lesson? Delete IP addresses quickly. Do so primarily because you don’t really need them long term and because they are a sensitive piece of data. Debate all day whether they are personal data or not, but clearly they are more of a hot potato than other data you hold because they can be linked to a user by law enforcement or a cooperating third party. Ask your ad network why they need to retain IP addresses of your visitors for the long term. Note that Yahoo deletes IP addresses after 6 months and some analytics vendors will eliminate the IP immediately – with no business impact.
The second reason to delete those IP addresses after a short term is that all sorts of people suspect you are doing funky things with them that you aren’t even doing!
It is Official! No one is in charge of my retinal scan!
Feds announce that Clear Pass data ain’t their problem.
One more reason the US needs a Chief Privacy Officer is that there is so much that falls within the cracks of jurisdiction. Data is the lifeblood of government and of commercial activity, but without someone “owning” the overall responsibility for a national strategy around respect for individual data, we will face a thousand nicks and cuts that weaken trust in the system. Peter Swire served admirably as White House Counselor for Privacy during the Clinton administration from his seat at OMB. A similar role today, chairing a CPO Council from the agencies as CDT and others have suggested, is critically needed if privacy battles are not going to overhang future efforts to move forward on dozens of areas that require robust but respectful use of data to succeed.
Geolocation API Specification
Excellent to see that Alissa Cooper, CDT Chief Scientist, is involved with the development of this important Geolocation API spec at the W3C.
If you really want to understand the FTC today, read this post by Rebecca Tushnet
Although coverage of the ABA Conference remarks of the new Consumer Protection Director at the FTC (raising the need for a new paradigm for privacy regulation) got my attention, I didn’t get a chance to catch up on full coverage of the panel until today. Check out Professor Rebecca Tushnet’s blog for great coverage of the insightful conversation about the FTC, its jurisdiction and activities.
Court: IP Addresses Are Not 'Personally Identifiable' Information
Media Post
By Wendy Davis
July 6, 2009
In a ruling that could fuel debate about online privacy, a federal judge in Seattle has held that IP addresses are not personal information.
“In order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer,” U.S. District Court Judge Richard Jones said in a written decision…
Jules Polonetsky quoted:
Jules Polonetsky, co-chair and director of the think tank Future of Privacy Forum, adds that many sites with older privacy policies maintain that they don’t collect personally identifiable information, but log IP addresses. “For many years, people just threw around the term ‘personal information,'” he says. “They didn’t pay attention to account IDs in the hands of third parties, IP addresses — other types of information that, with some effort, could become identifiable.”
Polonetsky says that companies today are rewriting privacy policies to more carefully define their terms, adding that many in the industry now view IP addresses as more sensitive than completely random data.
— Let’s quit debating whether IP addresses are PII. Let’s just agree that they are more significant than some less personal information and arrange to not log them when we don’t need to, or let’s obscure or delete IP addresses at an earlier date. For example, consider Yahoo’s example – they anonymize search and adserving logfiles, deleting IP addresses, after 6 months (and it doesn’t appear to have shut down their business). Others retain for 9 months or a year, but many don’t yet have public policies around such data retention. Time for everyone else to follow.
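One way to apply the "obscure or delete IP addresses at an earlier date" advice from this post and the earlier "Delete IP addresses quickly" post to a web server access log, as an added example that is not from the original posts or from any company named here. It assumes Common Log Format lines, a 30-day point after which the address is coarsened to its network prefix, and a 180-day point (roughly the 6 months cited above) after which it is removed; the function names and both thresholds are illustrative.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

MASK_AFTER = timedelta(days=30)    # assumed: coarsen the IP after 30 days
DROP_AFTER = timedelta(days=180)   # roughly the 6-month deletion point cited above
LINE_RE = re.compile(r"^(?P<ip>\S+)(?P<rest>\s.*)$")
TS_RE = re.compile(r"\[([^\]]+)\]")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"  # Common Log Format timestamp

def mask_ip(text):
    """Zero the host bits: keep a /24 for IPv4 and a /48 for IPv6."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return "-"  # not an IP literal (e.g. a hostname): drop it
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)

def entry_age(rest, now):
    """Age of a log entry, or None if its timestamp cannot be parsed."""
    m = TS_RE.search(rest)
    try:
        return now - datetime.strptime(m.group(1), TS_FORMAT) if m else None
    except ValueError:
        return None

def scrub_line(line, now, mask_after=MASK_AFTER, drop_after=DROP_AFTER):
    """Return the line with its client address kept, coarsened, or removed."""
    m = LINE_RE.match(line)
    if not m:
        return line  # no client field to scrub
    age = entry_age(m.group("rest"), now)
    if age is None or age >= drop_after:
        ip = "-"  # fail closed: undatable entries are treated as expired
    elif age >= mask_after:
        ip = mask_ip(m.group("ip"))
    else:
        ip = m.group("ip")
    return ip + m.group("rest")

def scrub_log(lines, now):
    return [scrub_line(line, now) for line in lines]

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.77 - - [01/Jul/2009:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.77 - - [01/May/2009:10:00:00 +0000] "GET /a HTTP/1.1" 200 99',
    '2001:db8:1234:5678::1 - - [01/Nov/2008:10:00:00 +0000] "GET /b HTTP/1.1" 200 7',
]
```

Run over rotated log files on a schedule, this keeps recent entries usable for anti-fraud and auditing while older entries lose the field that can be linked back to a user.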
Chris Soghoian’s TACO opt-out tool continues to pick up steam. Kudos to our friends at Lotame who include TACO in their opt-out offered to users, one of the only ad networks to do so.
The Ethicist – A Facebook Teaching Moment – Question – NYTimes.com
“Strictly speaking, when these students gave her access to their Facebook pages, they waived their right to privacy. But that’s not how many kids see it. To them, Facebook and the like occupy some weird twilight zone between public and private information, rather like a diary left on the kitchen table. That a photo of drunken antics might thwart a chance at a job or a scholarship is not something all kids seriously consider. This teacher can get them to think about that.
She might send e-mail messages to transgressing students, noting their misdeeds and reminding them of their vulnerability. Or she could address her entire class, citing (anonymous) examples of student escapades.”
— We read this smugly and think kids are silly, we know better, especially us responsible business people. But I am aware of some experts who do “anti-trust” training, and then follow up by having the company scan the stored emails of senior execs. They pull out all kinds of scandalous comments made on email by the execs – we will crush them in the market etc. Only then do the execs grok the fact that the emails they write, even casually, can and will be used against them if turned over in an anti-trust suit. Why do we expect teens to be savvier than smart tech businesspeople?