Data Security Breach Laws Remain the Province of the States
With 44 states and the District of Columbia having breach notification laws on the books, California — the first state in the nation to enact such a law — is proposing to amend its law (SB. 20) to require notification of breaches to the attorney general (a requirement contained in many other states’ laws), and to require “plain language” in the notices sent to consumers. Missouri is considering a law that would make the state the 45th with a breach notice law and the first to have criminal penalties for a failure to notify individuals of a data security breach involving their personal information. Other states are considering new breach liability provisions. For example, a New Jersey bill (A. 2270) would establish retailer liability to banks for breaches of payment card data and also subject every entity covered by the state’s existing data breach notification law to liability to banks for breaches of any protected personal information. Thus, the legal regime to protect consumers from identity theft when their personal information is exposed through a breach of data security remains the province of the states, with Congress considering but yet to enact a nationwide law for consumer notification. Reg S-P, the SEC’s implementation of Gramm-Lech-Bliley, was widely expected to be finally amended by year-end 2008 to provide clearer guidance on when entities supervised by the SEC needed to provide notification of data breaches, but the amended reg is still pending.
Flash Cookies and Privacy
We are glad to read that Adobe is working with browser companies to incorporate Flash cookie controls into the current browser cookie controls. This is long overdue! Given that most consumers have no idea that Flash cookie controls exist or where to find them, companies should be very wary of using this type of cookie for robust tracking purposes. Using them as they were initially intended, to store a user’s expressed preference for their convenience, such as storing favorite channels on a flash media player — is cool. But using them for behavioral targeting without a user understanding how to control these cookies — not cool.
Check here to explore the privacy controls that do exist for your Adobe Flash cookies.
FPF Commends Yahoo Privacy Announcement
The Future of Privacy Forum (FPF) applauds the Yahoo! announcement today that the company has sharpened its privacy practices with a new global data retention policy. FPF Co-chair Jules Polonetsky called for such steps last week in his blog posting. We are delighted to see a great example of advancing privacy in a business practical manner. Thanks to Tech Policy Central for noting our advocacy in this area. The new Yahoo! policy will truncate IP addresses and cookies for search and, very importantly, for adserving logfiles. Most will be deleted at three months, with a subset of data remaining 6 months for security and fraud purposes. Google has previously enhanced practices in this area by announcing a 9 month time frame for search data, and per our earlier post, Microsoft is considering 6 months. Whether the sweet spot is 6 months or 9 months, the engineers are finding the minimum time needed to use data to create and improve a great service. We see this as an important step towards a common set of privacy principles that can apply to everyone in the internet space – which will be of benefit to all businesses and consumers.
Marty Abrams
Congrats to Marty Abrams for being presented with the IAPP Vanguard Privacy Award. Marty has been an advisor to most of us in the privacy area and is a true thought leader. When I set up my first privacy advisory board about 9 years ago at DoubleClick, Marty was one of the people I turned to for guidance. Today he and his colleagues at the Center for Information Policy Leadership are doing some of the most important work in the global privacy arena. Kudo’s, Marty, on a well-deserved honor.
Search Log Files – Ad Server Log Files
Microsoft has agreed with the Article 29 Working Party of EU data regulators that they will remove cookies and IP addresses from search data after 6 months, but only if Google and Yahoo also go along. We will comment further about this, but are already thinking about the next issue – ad server log file retention.
Companies didn’t adopt search data retention practices until pressed by the European regulators and then were “ordered” to adopt a 6 month term. This time frame seemed to be a political compromise period agreed to by the group of regulators without any documentation of why 6 months is the model balance of improving search vs. user privacy. We propose a better process for ad server log files, based on examining the minimum period needed for the functions of serving and accounting for ad delivery and related auditing and analysis. We have some more work to do here and will be discussing this with ad serving and behavioral targeting companies, many of whom currently keep ad serving log data long term without any clear need to do so. We understand the value of having a year’s worth of data in order to understand seasonal or year to year trends and believe that retention periods of 9-13 months could easily be put in place at many companies with zero business impact whatsoever. Why wait until the next crisis hits or the Europeans decide to press this issue? Let’s figure out how to implement a more responsible practice in this area in order to improved user privacy in a business practical manner.
Please contact us via this site if you would like to be part of this discussion.
Pew on FaceBook Connect
Amanda Lenhart of Pew thinks FaceBook is off-base with plans for FaceBook Connect because of the complexity that will be added to the average user’s identity management desires. Perhaps we are extroverts, but we are optimistic that FaceBook will have done the work needed to make use of this extension of FaceBook into the rest of our web life intuitive to use so that we can share what we want with who we want. And, of course, we hope we can NOT share all of our data with a new site, just because we want to use our FB credentials and friend network on the site. Eagerly awaiting a look and this implementation – will need to ping our busy friend FaceBook CPO Chris Kelly to seek a preview!
Online Shoppers Carry Web Retailers' Baggage
Online Shoppers Carry Web Retailers’ Baggage
San Francisco Chronicle
By Deborah Gage
November 28, 2008
Online shoppers bring to the hunt a lot of baggage from retailers.
People who shop online share lots of information about themselves, even when they’re not buying anything, said Jules Polonetsky, the former chief privacy officer at AOL who now heads the Future of Privacy Forum.
Jules Polonetsky quoted:
“Simply visiting a Web site leads to an explosion of data to dozens of other companies,” he said. “You (may) think you’re shopping alone when you sit there at home, (but) you’ve got as many folks along with you as if you were in a crowd at the mall.”
The first, a story by John Markoff, explores the advances in “reality mining”, a term coined to capture the risks and opportunities of data-mining a full range of data about users, from location, to shopping, to online. It is hard to read this article, without understanding the need for leaders who appreciate the opportunities and risks of data to beginning setting down the parameters for ethical progress. At some point, the solution will clearly need to be a combination of technological standards, industry rules and legislation.
Without such guidance, the projects move forward subject to the personal and sometimes conflicting views of project leaders. Here’s is an example from the article:
Pentland says there are ways to avoid surveillance-society pitfalls that lurk in the technology. For the commercial use of such information, he has proposed a set of principles derived from English common law to guarantee that people have ownership rights to data about their behavior. The idea revolves around three principles: that you have a right to possess your own data, that you control the data that is collected about you, and that you can destroy, remove or redeploy your data as you wish.
At the same time, he argued that individual privacy rights must also be weighed against the public good.
Citing the epidemic involving severe acute respiratory syndrome, or SARS, in recent years, he said technology would have helped health officials watch the movement of infected people, providing an opportunity to limit the spread of the disease.
“If I could have looked at the cell phone records, it could have been stopped that morning rather than a couple of weeks later,” he said. “I’m sorry, that trumps minute concerns about privacy.”
Indeed, some researchers argue that strong concerns about privacy rights are a relatively recent phenomenon in human history.
“For most of human history, people have lived in small tribes where everything they did was known by everyone they knew,” said Thomas Malone, director of the MIT Center for Collective Intelligence. “In some sense we’re becoming a global village. Privacy may turn out to have become an anomaly.”
The second article is from the NY Times Magazine, by our friend Jeffrey Rosen, the leading legal and privacy scholar, who takes a look at the critical decisions about censorship, legal compliance, and often privacy made by the legal and policy team at Google. Having sometimes sat in smaller versions of that seat of responsibility (Jules while at AOL and Chris in his leadership role dealing with online hate speech at the ADL and at INACH), we understand the challenge of making private sector decisions that impact the public commons. The folks at Google recognize this challenge and do call for governments themselves to play more of a definitive role in establishing the legal guidelines in each jurisdiction. Given this isnt the case yet and may never be, how Google and how many others who are also juggling competing legal and policy obligations handle these conflicts is one of the critical issues for the future of the internet.
Where does your data go … before you even click
Who’s watching you while you’re shopping? This holiday season you may be getting more of a mouthful of cookies then expected. You may not be aware that when you visit a site you’re actually a part of a complex advertising and marketing mechanism. Very few things on the Internet are completely anonymous. Data collection is inevitable due to the architecture of the internet and much of the data collected is simply used to help sites analyze which offers are popular, but many users would be surprised at the multiple companies involved with nearly every Web site visit and the breadth of the data collected. The good news is there are tips to help control your privacy:
Most online tracking relies on little bits of data left on your computer called cookies. Use your browser privacy settings to delete those cookies after browsing, or visit the consumer tools page at fpf.org to find the opt-out links offered by the largest ad networks.
Download the new version of Microsoft’s Internet Explorer 8, which includes a powerful safety setting that will prevent your computer from silently loading many of the tracking tools.
Alternative browsers Firefox and Google’s Chrome also have settings that let users block or delete cookies.
Check out Ask Eraser, a useful privacy feature unique to Ask.com’s search engine which allows users to permanently eliminate their searches from Ask’s log files.
Avoid using the same company for your searches and for your email account, so that linking your searches and your email identity is not possible.
Additional useful resources for online privacy can be found at the TRUSTe and Federal Trade Commission sites.
Why do we think that right now, as 2009 approaches, there can be real progress on privacy? Because some of the most senior marketers in the industry are starting to sound like privacy advocates. Read this comment about advertising on social networks and then click here to see who said it!
“I have a reaction to that as a consumer advocate and an advertiser,” he said. “What in heaven’s name made you think you could monetize the real estate in which somebody is breaking up with their girlfriend?”
Of course his point, as a large global advertiser, isn’t that ads don’t belong on social networks, but rather that engaging users is more effective than using data simply to “target at” them. We couldn’t agree more. We certainly expect that FaceBook will continue to develop in this direction and that it will succeed in collecting ad dollars by increasingly serving the desires of its users. We never click on banner ads offering us a local date with a hottie in our area, but we do enjoy someone using a FaceBook application to buy us our favorite brand of scotch, even if virtual!
