FTC/FDA Need to Protect Health Privacy Online–Look at what personal medical info one health site asks

The online marketing of health and medical related services requires urgent and serious scrutiny–from regulators, the Congress and the Obama Administration.  CDD’s recent complaint on digital pharma marketing and advertising addresses this issue.  But action is required.  Take, for example, an email we received today from Quality Health/Allergies, promoting a “guide to help you sleep.”  In order to get the guide, you are asked to provide information.  Look at this one example and ask yourself: aren’t safeguards required to govern the collection and use of such information?  The newsletter features the TRUSTe seal, which should raise questions about how effective that group’s work is at protecting privacy.

Even more questions, including ones about specific drug brands, were asked than what we have below.  Here’s an excerpt from the questionnaire:

Simply respond to the questions below to continue.
1.     Are you (or someone in your household) going to the doctor in the next 30 days to discuss any of the following conditions below?
Alzheimer’s Disease (Moderate-to-Severe)
Bipolar Disorder
Child with Asthma
Chronic Dry Eyes
Diabetes
Osteoarthritis
Parkinson’s Disease
Rheumatoid Arthritis (Moderate-to-Severe)
Sjögren’s Syndrome
Other Condition
No appointment scheduled
Are you the Alzheimer’s Disease patient or the caregiver?
Patient
Caregiver
Can QualityHealth send you a FREE email series with important questions to ask the doctor to properly manage the Bipolar Disorder condition?
Look for this short email series over the next few weeks – check your inbox.
Yes
No
Can QualityHealth send you a FREE email series with important questions to ask the doctor to properly manage the Asthma condition?
Look for this short email series over the next few weeks – check your inbox.
Yes
No
Can QualityHealth email you a FREE email series with important questions to ask the doctor to properly manage the Dry Eyes condition?
Look for this short series over the next few weeks – check your inbox.
Yes
No
Does this person also have any of the following symptoms?
Chronic fatigue
Depression
Lack of energy
Excessive Sleepiness
Snoring
Poor concentration
Yes
No
Can QualityHealth send you a FREE email series with important questions to ask the doctor to properly manage the Osteoarthritis condition?
Look for this short email series over the next few weeks – check your inbox.
Yes
No
Can QualityHealth send you a FREE email series with important questions to ask the doctor to properly manage the Parkinson’s Disease?
Look for this short email series over the next few weeks – check your inbox.
Yes
No
Can QualityHealth send you a FREE email series with important questions to ask the doctor to properly manage the Sjögren’s Syndrome?
Look for this short email series over the next few weeks – check your inbox.
Yes
No
2.     Do you or a loved one feel tired or sleepy because of: (Check all that apply)
A non-traditional work schedule (includes working nights, evenings, rotating or split shifts or anything other than a normal day shift)
Shift Work Disorder
Obstructive Sleep Apnea, which is treated with a breathing device
Narcolepsy (sudden uncontrollable urge to sleep)
None of the above
3.     Have you or someone you love been diagnosed with Atrial Fibrillation, or AFib?
Yes, I have
Yes, a loved one has
No
4.     Do you or someone in your household have Diabetes?
Yes, myself
Yes, someone in my household
No
5.     Do you have any of the following conditions?
(Please check all that apply)
Diabetes
High Blood Pressure
High Cholesterol
Heart Attack
Stroke
Unstable Angina
Smoking or Used to Smoke
PAD (Peripheral Artery Disease)
None of the above
6.     Do you or someone you care for have Psoriasis?
Yes, myself
Yes, someone I care for
No
7.     Do you have any of the following conditions?
Major Depressive Disorder (MDD)
Generalized Anxiety Disorder (GAD)
Social Anxiety Disorder (SAD)
Panic Disorder (PD)
None of the above
8.     Have you or someone you care for been diagnosed with Cancer?
Yes
No
9.     Do you have a child (under 18) who has been diagnosed with Attention Deficit Hyperactivity Disorder (ADHD)?
Yes
No
10.     Have you or someone you care for had a “mini-stroke” (transient ischemic attack or TIA) or stroke due to a blood clot?
Yes, myself
Yes, someone I care for
No

Marketing Industry Leader dismisses new self-reg program for online behavioral targeting. Merely a “stop-gap” and “partial solution” measure

Jack Myers is a long-time leader in the marketing and ad industry.  Writing today on the new FTC report, Myers explains that “The recently implemented Forward i logo, while ambitious and well-intentioned, is a stop-gap measure intended to demonstrate to federal regulators and Congress that the industry can police itself.  Ultimately, the solution is likely to evolve to a universal opt-out model combined with a requirement that consumers proactively override their opt-out choice on a one-by-one basis – essentially a reversal of existing self-regulation…the industry cannot continue to assume that partial solutions will meet the requirements of regulators.”

Consumers Union Supports our call for FTC action on digital pharma & health marketing

My CDD is very pleased to have received a copy of this letter sent to the FTC and FDA by Consumers Union.  It underscores how the issues around sensitive data and sensitive users are a critical part of consumer protection online.  We are also pleased about the positive coverage our complaint has received from the press, including the New York Times, CBS/Moneywatch, and other publications.

December 1, 2010

Chairman Jon Leibowitz

Federal Trade Commission

600 Pennsylvania Avenue NW

Washington, DC  20580

Dear Mr. Chairman:

Consumers Union, the independent, non-profit publisher of Consumer Reports, urges the Federal Trade Commission to accept the request of November 23, 2010 from several petitioners “to investigate unfair and deceptive advertising practices that consumers face as they seek health information and services online.”

The very detailed 144-page filing is by the Center for Digital Democracy, U.S. PIRG, Consumer Watchdog, and the World Privacy Forum. Among the companies named in the complaint are Google, Yahoo, Microsoft, AOL, WebMD, Quality Health, Everyday Health, and Health Central. The complaint explains how non-traditional pharmaceutical advertising on the internet and elsewhere uses a wide range of tools and disguises to convince consumers to use various drug products. These advertisements frequently hide the fact that they are funded by the drug manufacturer and they often fail to give any hint of side effects or possible adverse events from use of the drugs.

We have not independently examined each of the documents cited in the complaint or the context in which they were used. But the documents are overwhelmingly explicit in their description of how to take information consumers would consider very private (the decision to type in a health-related word or phrase on a website) and consciously and unconsciously manipulate those consumers into the use of specific prescription drug products.

The mass of documents in the complaint are shocking in their totality and their implication for privacy and the use of pharmaceuticals with potentially dangerous side effects or questionable efficacies.

We urge the Commission to begin an immediate investigation pursuant to the requests in the complaint. Thank you for your consideration.

Sincerely,

William Vaughan

Health Policy Analyst

Google’s Privacy Challenge: Face up to your online advertising culture of data collection

Google keeps making new announcements about how it will–finally, this time!–protect consumer privacy.  This latest PR salvo–after the Canadian Privacy Commissioner ruled that Google had “contravened Canadian privacy law when it inappropriately collected personal information from unsecured wireless networks in neighbourhoods across the country”–is designed to help quell EU and US policymakers enacting safeguards that would rein in some of the company’s data collection practices.  Yesterday’s announcement illustrates one of Google’s greatest problems: it can’t admit that its entire business model is based on collecting infinite amounts of information on individual consumers.  Google’s most recent acquisitions–Admob, Invite Media, and Teracent, for example–are designed to generate new data-mining based revenues.  Google is trapped in its own success: it can’t step off the digital data collection treadmill with Facebook and others in hot pursuit.  But consumers and citizens should expect more honesty coming from the “don’t do evil” web giant–not just new promises to better behave.

Google has named Alma Whitten to head a team designed to better address privacy issues.  During her recent testimony before the Senate Commerce Committee, Dr. Whitten didn’t provide the kind of critical analysis required on the impact of Google’s online ad business and privacy.  Doing so now–and honestly addressing and redressing the problem–will be a key test.

Five Ways to Protect Privacy

[a version we wrote of this ran in Multichannel News]
Five Ways for Digital Marketers to Protect Consumer Privacy

If George Orwell were writing today, 1984’s Winston Smith would be working as a “Doublespeak” specialist crafting privacy policies and creating self-regulatory regimes.  That’s not what consumers and citizens need in the interactive marketing era.   All Americans should have their privacy respected and protected when they go online—including when they use mobile phones.

1.     Tell your users what you actually say to your advertisers—about how the profiling and targeting process really works.  There is a disconnect that is unfair and deceptive between what companies say in their privacy policies and pitch to their clients and potential partners.   Be honest about the “360 degree” ways you engage in online marketing.

2.     Don’t collect information and target consumers based on their interests in finance and health.  These two most “sensitive” categories should be opt-in only.  When consumers go online for loans, credit, mortgages, and health concerns they require the utmost privacy.  Although online financial, health and so-called lead-generation advertising is big business, consumers should not be forced to have their online financial and health behavior stealthily tracked and compiled.  The risks to consumers are great if we don’t develop special rules for this data.

3.     Racial and ethnic profiling data should also be opt-in.  Hispanics, African-Americans, Asian-Americans and other minorities are increasingly the focus of a growing behavioral targeting and online marketing apparatus.  In the “offline” world, we have witnessed a disturbing use of racial profiling practices to discriminate against individuals.  In today’s online environment, users are being identified as being a member of a racial or ethnic group without either their awareness or consent.  While we all want to see the growth of diversely owned online publishing, it should not be done at the expense of civil liberties in the digital era.  We must prevent the growth of online racial profiling, which, when tied to income, geography and other data, can be used to create 21st Century forms of discrimination.

4.     Don’t use neuromarketing and other subliminal and subconscious-based advertising.  Fortune 1000 advertisers and online marketers such as Microsoft, Yahoo and Google are using new forms of ad testing and development involving the latest tools of neuroscience, such as fMRIs and EEGs.  Neuromarketing’s goal is to directly influence a consumer’s subconscious, and when combined with the power of online data targeting, it offers powerful—and frightening—new forms of manipulation.

5.     Users need to consent to having their profiles be bought and sold on so-called online ad exchanges.  Selling off the right to target a consumer online, via real-time auctions that happen in milliseconds, is dehumanizing.  Nor should we permit the growing combination of offline and online databases to be used for targeting, including via these new digital auction houses.

Interactive marketing is now a fundamental operating principle for the cross-platform media economy throughout the world.   But right now, it’s a digital “wild west” that doesn’t serve the interests of consumers, citizens and most marketers.

Behavioral Targeting is About Tracking an “Individual,” Explains Online Marketer

The online ad industry and lobby better stop saying that cookies and other forms of data collection aren’t personally identifiable–so-called PII [personally identifiable information].  As we know, behavioral targeting (BT) identifies, profiles, tracks and targets an individual.  Here’s just one example of how online marketers discuss what BT really is when they are talking among themselves and to clients (our emphasis):

What is behavioral targeting?
Behavioral targeting is a technique used by online advertisers to improve the effectiveness of their campaigns by increasing the relevance of product offers and promotions on a visitor-by-visitor basis.

Behavioral targeting uses information collected on an individual’s web-browsing behavior, such as the pages they have visited or the searches they have made, to select and deliver online ads to the users who are most likely to be interested…As the effective mixing and mining of audience data has become increasingly important to online advertisers, the role of behavioral targeting and retargeting have grown more central…The typical approach to behavioral targeting starts by using web analytics to group visitors into discrete channels. Each channel is analyzed and a virtual profile is created for each channel…
Most platforms identify visitors by assigning a unique id cookie to each and every visitor to the site, allowing them to be tracked throughout their web journey.  An example is a user who visits content about auto insurance, clicks on an insurance advertiser button or banner, and then searches for “auto insurance.” This user would be assigned to the insurance prospect channel and the next time that user goes to Yahoo they will see an ad for insurance…

What AOL Should Have Told Reps. Barton & Markey


AOL also describes to Reps. Barton and Markey the way it uses cookies in terms that don’t reflect what it says to clients, such as “Target users based on attributes from user registration or third-party data (e.g. age, gender, income, kids)… Retarget users who visit your website… Target users within households using Experian’s statistical modeling based on hundreds of offline data elements that are most predictive for defining the specific audience of consumers.”  For question 1, they refer to their privacy policy—something few consumers would read or understand.  Nor does the privacy policy spell out how AOL collects and targets users, as they do for potential clients.  See and compare to privacy policy. See how they offer targeting based on political information.

Question 2:  They didn’t answer completely.  They should have included information from here. And what their partners collect.

Question 3.  They should have said they urge advertisers to use pixels, beacons and other tracking tools:   “Place pixels on all high-traffic pages… Target broadly… Most networks, including Advertising.com, look at IP or cookie data to determine if a user is part of a specific demographic or has demonstrated a particular online behavior, such as shopping for a car, browsing cooking sites, and so on. With user targeting, you reach those consumers directly, regardless of the sites they happen to be visiting.”

And they say that the third party cookies don’t identify the “specific user.”  But that’s what AOL says it can target:  “Target users within households… Retarget users who visit your website… Target users within households that demonstrate the highest propensity to buy certain products…”

Question 7.  They don’t say what they do.  It’s monetizing all the data:  “We monetize nearly 1.5 billion impressions per day on average.”

Question 10.  They should have said how they target based on financial and health info.  They didn’t.  See its targeting for health, finance, teens, Hispanics, African-Americans.


Question 14.  Users don’t have enough information on the process to really determine whether they should opt-out.  Nor is AOL’s opt-out really visible.

What News Corp/MySpace Should Have Told Reps. Markey and Barton


Yahoo isn’t alone in not being candid to Congress.  Here’s what News Corp should have also said to the Congress about its data collection, profiling and targeting system. 

It should have informed Congress how its Fox Interactive Media (FIM) data-mines its users daily.  From its data-mining company: “FIM operates some of the highest-traffic websites in the world, including MySpace, and serves over 5 billion online ads across its sites per day.  Each of these ads is optimized and targeted to specific audiences based on analysis of web traffic, user behavior and click patterns.  As part of our targeted ad serving platform, we analyze nearly 2,000 identifying variables for each of the millions of visitors to our sites every day (tracking and analyzing, for example, whether a visitor likes jazz, but also whether they respond more to car ads than to pizza ads).  While our targeting process was already one of the most advanced in the industry, we were eager to improve ad click-through rates further by fine-tuning targeting.  To get to this next level of targeting precision, we needed to analyze massive volumes of data to discover patterns and identify relevant targeting criteria across segments and demographics.  FIM implemented Greenplum for its parallel, multi-core architecture that could scale to support our massive data volumes, but also because the Greenplum data warehouse allows data analysis to be performed directly within the warehouse – instead of having to extract it first…our team can execute lightning-fast queries against a matrix that is 4 billion rows tall and 1 million rows wide, running tests against thousands of variables for each for the 5 billion ads FIM serves to visitors each day. What’s more, we can now complete 10,000 experiments against 20 million site visitors in just three hours. Previously, it took an entire day just to extract the data – and then another whole day to run the tests.  The result has been faster and more efficient data analysis, which has in turn enabled more precise ad targeting, delivering up to 200% higher click-through rates for the 5 billion ads served daily across the FIM network…our research analytics team uses Greenplum Database to conduct tens of thousands of real-time tests against millions of users every day, analyzing each visitor’s reaction to ads against over with an absolute deluge of data.”

Online Ad Biz to Reps. Markey/Barton: We Really Don’t Have to Tell You the Facts! The case of Yahoo!




If George Orwell were writing today, 1984’s Winston Smith would be working as a “Doublespeak” specialist crafting privacy policies and creating self-regulatory regimes for the online ad industry.  None of the replies provided to Reps. Markey and Barton answered the basic charge posed by the WSJ in its series and previously raised by privacy advocates:  that “[O]ne of the fastest-growing businesses on the Internet is the business of spying on Internet users.”  All the companies hide behind an “it’s a business as we created it and good for everyone” facade.  Many use a scare tactic, claiming that the data collection model they developed is responsible for funding online content/publishing and that without it much, if not all, of the Internet would vanish (as if you can’t have both robust e-commerce and privacy!).  Many of the answers to Congress also say that their privacy policies and membership in self-regulatory groups (such as the NAI) reflect best practices (as if they automatically vanish the problems!).  The companies don’t take responsibility for the problem or acknowledge that there are privacy concerns outstanding.

The responses reflect the Orwellian recasting of industry terms on the data collection practices it created and operates.  Behavioral targeting (with $1.13 billion this year in spending for this type of ad) has been transformed into “preference,” “relevant,” or “interest” targeting.  Online profiling and targeting is now called “customization.”  The industry is running away from the precise definitions it created and uses because they are honest terms showing consumers are being tracked, profiled and targeted based on our behaviors and actions.  Finally, several of the companies submitted their privacy policies.  In order to fully understand them, a consumer (in between taking their children to school or a soccer game, working, shopping, cooking) would simultaneously also have to be a technologist, lawyer, and investigator, to understand and control all the cookies, etc.

Also, the companies resort to a now out-of-date definition of what’s considered so-called personally identifiable information (PII).  Cookies, IP addresses, pixels and web bugs, they claim, are “non-PII” and hence fail to raise privacy concerns.  Yet both the EU and FTC have said that in today’s online data collection world, the old definition of what’s identifiable no longer really works.  The FTC explained last year that “[S]taff believes that, in the context of online behavioral advertising, the traditional notion of what constitutes PII versus non-PII is becoming less and less meaningful and should not, by itself, determine the protections provided for consumer data.  Indeed, in this context, the Commission and other stakeholders have long recognized that both PII and non-PII raise privacy issues…”

Companies such as Yahoo, AOL, About.com (NYTimes Co), News Corp/MySpace and others are disingenuous in their responses—failing to inform the Congress what they tell their clients and prospective advertisers.  Among the most cynically self-serving is Yahoo.  First, Yahoo did not describe all the ways it collects data on users when it answered question 1.  For example, examine Yahoo’s Advertising Blog, where you can find a discussion of far-ranging techniques used in the data collection process, most of which are not spelled out or really explained in the privacy policy.  See also Yahoo’s “smart ad” technology that changes the copy in real time based on the data it collects.  Its privacy policy really doesn’t explain it in the same way it pitches itself to clients.  Yahoo says in its Hill letter that it “may” acquire data from external sources and gives the link to that section of its privacy policy.  Not even a multi-tasking genius could opt out of all of that.  Nor does Yahoo tell you about the tons of data on consumers their partners collect.  Also, they say in question 3 how they collect data, but tell potential clients a more informed story:  “Yahoo! gets to know its visitors to give them what they’re looking for, even when they’re not actively looking. In part, Yahoo! does this by using an industry practice called behavioral targeting (BT)… Yahoo! BT goes beyond common rules-based segmentation or grouping of consumers by the sites they’ve visited. The tool is powered by sophisticated modeling technology based on extensive online interactions that include searches, page views, and ad interactions. With these models, Yahoo! identifies what consumers are interested in and predicts where they are in the buying process, thereby determining which consumers may respond best to your ad placements.”  In questions 4-5, Yahoo claims its users have all the information they require via the privacy policy.
But Yahoo’s information for prospective clients tells a more complete and different story:  “With rich media, you benefit from deep reporting that goes way beyond the click. Track time spent watching video, mouse-over interactions, poll results, average number of panels interacted with and much more.  If you design it, we can track it… Partner with Yahoo! to produce unique, immersive consumer experiences that integrate your brand…”  Question 9: again, they call it “customized experience” to Congress—and “smart ads” that track and learn about you when they explain it to advertisers.  Question 10.  Health and finance.  Yahoo failed to tell Congress they track and target consumers’ health and financial info.  And they target teens.  For health; finance.


Danah Boyd, COPPA, Online Marketing Targeting Youth, the role of Microsoft

Danah Boyd, like many other digital media researchers, fails to examine the business practices which shape and construct most of contemporary online media.  Ms. Boyd is quoted in last week’s Boston Globe about the Children’s Online Privacy Protection Act saying “[I]t’s well-intentioned, but this legislation has failed on every level.”  Ms. Boyd is incorrect.   A whole range of interactive ad practices and techniques commonly found on most digital sites has not been embraced by the under-13 online advertising market.  The goal of COPPA was to help structure the commercial online data collection and targeting practices aimed at young people–and it’s done so (just see what kind of data collection and targeting practices occur the minute anyone reaches 13.  From that age onwards, everyone is fair game for a wide range of very disturbing practices, most of which collect and use our information). Ms. Boyd and the Globe article are also incorrect claiming that “Congress is considering renewing” COPPA.   The FTC is currently conducting a periodic review of COPPA’s rules and the Congress has held hearings on the law.  But Congress doesn’t have to “renew” COPPA.

Finally, a challenge to Ms. Boyd.  She is working for Microsoft–which is targeting youth across the globe via its advertising division.  Microsoft Advertising is collecting data and targeting teens for junk food and other products.  See Microsoft’s “How to Target Young People Online” and other materials, for example.  Ms. Boyd needs to analyze what her employer–and other financial backers from the online ad industry supporting Berkman–are doing regarding youth–and hold them and herself accountable.