CDD Asks Facebook to Address Digital Marketing & Data Mining in Principles–including for outside developers

We have significant questions about the proposed Principles and Statement and how they will affect individual privacy.  CDD has submitted comments.  Here’s an excerpt:  “Ultimately, users must have full knowledge of and control over any and all user data collected by Facebook or by any third party using Facebook’s platform. Facebook must change its Principles and Statement to give users this knowledge and control. 

We urge Facebook to use this wording:

2. Ownership and Control of Information

People own their information. They have the freedom to share it with anyone they want and take it with them anywhere they want, including removing it from the Facebook Service. People have the freedom to decide with whom they will share their information, and to set privacy controls to protect those choices. As part of user control of their data, every Facebook user has the right to know and fully control if and how data is collected from them, especially if the data is to be used in advertising. Facebook will be transparent in how it collects and analyzes data for advertising, including profiling and targeting of users. Facebook also will detail to users what particular data collecting and mining will be done for advertising purposes. Facebook will ensure that every company that works with it, via third-party applications or otherwise, also details to users if their data is collected or mined, how this data will be collected or mined and for what the data that is collected or mined will be used. Those controls, however, are not capable of limiting how those who have received information may use it, particularly outside the Facebook Service…

Users need to know how third-party developers use the data accessed or collected, including how the data is used for advertising and marketing. For example, if games and widgets and other third-party applications base their business model on capturing user data for lead generation, the users must be clearly told the details of this data capture and lead generation, and users must give their explicit approval first.  Users have the right to control third-party use, access to, collection or sharing of user data, and Facebook needs to make this clear in its Principles.”

“…distinctions between government services and political campaigning are being blurred as politicians use Internet technology”–National Journal

excerpts:  In general, federal laws bar the use of government assets for political campaigning. But the much-lawyered distinctions between government services and political campaigning are being blurred as politicians use Internet technology to extend their advocacy…White House officials declined to be interviewed on the rules governing the separation of campaign and state data.

“There are indications that the administration wants to revise some of these laws, particularly with respect to the Internet, and we’re waiting to see if we can play a role,” said Peter Greenberger, a former regional campaign manager for Al Gore’s presidential bid who now heads Google’s Elections and Issues Advocacy team. “The real question that people are trying to answer is what can the White House do now that they’re the White House as opposed to a [political] campaign.”

Finding that line will mean answering questions about rules that bar the use of government assets for political campaigning, contracting rules that limit the ability of officials to hire one company rather than another and laws that bar government officials from favoring contractors, said Google officials. Also, added Greenberger, “There would be issues providing some services to an elected official that is not provided to somebody else,” such as a political opponent. But, he added, “in some cases, you know, incumbency is a powerful thing.”

source:  Google Stands To Gain From Capital Connections.  Neil Munro.  National Journal.  March 17, 2009.

Online Ad Privacy Watch: Those “Pixels” Are Tracking You [Annals of Behavioral Targeting]

In bringing the issue of what is considered personally-identifiable information more up-to-date, the FTC has finally begun to acknowledge the ever-expanding techniques used to collect information about our online experiences.   Case in point, the modest “pixel,” an invisible piece of data placed on your browser–in the words of one online ad marketer, a digital “mole.”  It’s worth reading the entire article “What a Pixel and Cookie Can Reveal,” by Brian Massey (ClickZ.  Feb. 4, 2009).  Here’s an excerpt:

The pixel delivers a list of basic attributes… These basic attributes include:

  • IP address, character set, and encoding
  • Language, connection, and host
  • Referrer, browser, and portal

The pixel can also pass along just about any information that the browser knows:

  • URL, server name, and posting method
  • Search keyword, keyword phrase, or search engine term
  • Time and date, time of day, day of the week, and week of the year

The URL provides the entire content of the page visited by the surfer:

  • Text, images, headings, and navigation
  • Parameters and values
  • Were they home or just landing?

The IP address can be used to look up more information:

  • Country, state, and city
  • ISP, cable, DSL, or dial-up
  • Bot, crawler, or spider

By adding a cookie, surfer data can be aggregated over time, and more can be inferred about visitor behaviors…

Once we get ZAG [Zip code, age, gender], we can start to segment visitors more accurately:

  • Where do they live?
  • What do they make?…
  • What is their profession, race, marital status; do they have kids; and other census data

And when we integrate this information with other non-PII databases, we can learn even more: What they buy, how often, how recently…
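What a single pixel fetch discloses can be read straight off the HTTP request. The sketch below is an added example, not part of the ClickZ article or of this post; the hosts (tracker.example, shop.example), the `uid` cookie and the sample request are constructed for illustration.

```javascript
// Constructed sample: the request a browser sends for a 1x1 image embedded in
// a page on shop.example. Hosts, cookie and values are hypothetical.
const SAMPLE_REQUEST = [
  'GET /p.gif?site=shop-123 HTTP/1.1',
  'Host: tracker.example',
  'User-Agent: Mozilla/5.0 (Windows NT 6.0; en-US) Firefox/3.0.6',
  'Accept-Language: en-US,en;q=0.8',
  'Accept-Charset: ISO-8859-1,utf-8;q=0.7',
  'Referer: http://shop.example/results?q=hybrid+cars&zip=20009',
  'Cookie: uid=c0ffee1234; seen=3',
  '', '',
].join('\r\n');

// Split the request head into a request line and a lower-cased header map.
function parseRequest(raw) {
  const lines = raw.split('\r\n\r\n')[0].split('\r\n');
  const [method, target] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, target, headers };
}

// Parse "a=1; b=2" into an object.
function parseCookieHeader(value = '') {
  const jar = {};
  for (const part of value.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// Everything the pixel's host learns from one image fetch. peerIp and
// receivedAt come from the TCP connection and server clock, not the request.
function disclosedByPixel(raw, peerIp, receivedAt) {
  const { headers } = parseRequest(raw);
  const out = {
    ip: peerIp,
    time: receivedAt.toISOString(),
    browser: headers['user-agent'] || null,
    language: (headers['accept-language'] || '').split(',')[0] || null,
    charset: (headers['accept-charset'] || '').split(',')[0] || null,
    visitorId: parseCookieHeader(headers.cookie).uid || null, // links visits over time
    page: null,
  };
  if (headers.referer) {
    const url = new URL(headers.referer);
    out.page = {
      host: url.hostname,
      path: url.pathname,
      params: Object.fromEntries(url.searchParams), // search terms, zip code, ...
    };
  }
  return out;
}

console.log(disclosedByPixel(SAMPLE_REQUEST, '203.0.113.7', new Date('2009-02-04T15:30:00Z')));
```

The `Referer` and `Cookie` headers carry most of the exposure: the first reveals the page and its query parameters, the second ties this visit to earlier ones.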

Baby Steps for Online Privacy: Why the FTC Self-Regulatory Principles For Online Behavioral Advertising Fails to Protect the Public

Statement of Jeff Chester, Exec. Director, Center for Digital Democracy:

The Federal Trade Commission is supposed to serve as the nation’s leading consumer protection agency.  But for too long it has buried its mandate in the ‘digital’ sand, as far as ensuring U.S. consumer privacy is protected online.    The commission embraced a narrow intellectual framework as it examined online marketing and data collection for this proceeding.  Since 2001, the Bush FTC has made industry self-regulation for privacy and online marketing the only acceptable approach when considering any policy safeguards (although the Clinton FTC was also inadequate in this regard as well).  Consequently, FTC staff—placed in a sort of intellectual straitjacket—was hampered in their efforts to propose meaningful safeguards.

Advertisers and marketers have developed an array of sophisticated and ever-evolving data collection and profiling applications, honed from the latest developments in such fields as semantics, artificial intelligence, auction theory, social network analysis, data-mining, and statistical modeling.  Unknown to many members of the public, a vast commercial surveillance system is at the core of most search engines, online video channels, videogames, mobile services and social networks.  We are being digitally shadowed across the online medium, our actions monitored and analyzed.

Behavioral targeting (BT), the online marketing technique that analyzes how an individual user acts online so they can be sent more precise marketing messages, is just one tool in the interactive advertisers’ arsenal.  Today, we are witnessing a dramatic growth in the capabilities of marketers to track and assess our activities and communication habits on the Internet.  Social media monitoring, so-called “rich-media” immersive marketing, new forms of viral and virtual advertising and product placement, and a renewed interest (and growing investment in) neuromarketing, all contribute to the panoply of approaches that also includes BT.  Behavioral targeting itself has also grown more complex.  That modest little “cookie” data file on our browsers, which created the potential for behavioral ads, now permits a more diverse set of approaches for delivering targeted advertising.

We don’t believe that the FTC has sufficiently analyzed the current state of interactive marketing and data collection.  Otherwise, it would have been able to articulate a better definition of behavioral targeting that would illustrate why legislative safeguards are now required.  It should not have exempted “First Party” sites from the Principles; users need to know and approve what kinds of data collection for targeting are being done at that specific online location.

The commission should have created specific policies for so-called sensitive data, especially in the financial, health, and children/adolescent area.  By urging a conversation between industry and consumer groups to “develop more specific standards,” the commission has effectively and needlessly delayed the enactment of meaningful safeguards.

On the positive side, the FTC has finally recognized that given today’s contemporary marketing practices, the distinction between so-called personally identifiable information (PII) and non-PII is no longer relevant.  The commission is finally catching up with the work of the Article 29 Working Party in the EU (the organization of privacy commissioners from member states), which has made significant advances in this area.

We acknowledge that many on the FTC staff worked diligently to develop these principles.  We personally thank them for their commitment to the public interest.  Both Commissioners Leibowitz and Harbour played especially critical roles by supporting a serious examination of these issues.  We urge everyone to review their separate statements issued today.  Today’s release of the privacy principles continues the conversation.  But meaningful action is required.  We cannot leave the American public—now pressed by all manner of financial and other pressures—to remain vulnerable to the data collection and targeting lures of interactive marketing.

Facebook researching “sentiment” engine: “looking to figure out if people are having a good day or bad day”

Via scobleizer.com [excerpt from interview with Facebook CEO Mark Zuckerberg.  My bold]:
Facebook is, he told me, studying “sentiment” behavior. It hasn’t yet used that research in its public service yet, but is looking to figure out if people are having a good day or bad day. He said that already his teams are able to sense when nasty news, like stock prices are headed down, is underway. He also told me that the sentiment engine notices a lot of “going out” kinds of messages on Friday afternoon and then notices a lot of “hungover” messages on Saturday morning. He’s not sure where that research will lead. We talked about how sentiment analysis might lead to a new kind of news display in Facebook. Knowing whether a story is positive or negative would let Facebook pick a good selection of both kinds of news, or maybe even let you choose whether you want to see only “happy” news.” 

source: Zuckerberg: Facebook’s “intense” year.  scobleizer.com

International Privacy Day: Privacy Policy Also Means Protecting Consumers [Think Financial Products/Mortgages, Health Products, the Marketing of Obesity-linked Foods, etc]

My group, the Center for Digital Democracy, joins with our colleagues throughout the world to acknowledge International Privacy Day.  The day is to help mark what is a growing debate about the role that data collection on citizens and consumers plays in our lives.  Both governments and many corporations are harvesting a tremendous amount of information on us, to monitor our activities and influence our behavior.

But protecting our privacy is more than just data protection and the Big Brother/Sister-like surveillance system now available.  It’s also about linking the use of data collection to the vast interactive marketing apparatus which is designed to help direct our thinking about products, brands, and ideas (including political leaders).  Protecting privacy is just one part of the problem; the other half relates to ensuring protection for consumers.  Interactive marketing has created a range of unfair, deceptive and potentially harmful practices across a broad range of product categories.  These practices are fueled by the data collection, analysis and targeting system which has been put in place.  So here’s to those who care about privacy; to those who also care about the public welfare; and to the public whose future will be affected by the outcomes of these debates and policies.

Is the White House Collecting Data on the Public via YouTube?

According to CNET, the White House has again changed its privacy policy regarding persistent cookies and online videos.  Now all video providers, it appears–not just YouTube–have received a formal exemption from the federal prohibition on persistent cookies.

But beyond the cookie issue–which shouldn’t be placed at all when the public watches a government video–are questions regarding statistical and tracking data.  Is Google/YouTube providing the White House with any analytics and user information [such as through YouTube Insight]?  For example, YouTube allows “brand channels” to know “the gender and age” of viewers; “identify the ways…users find your videos;” “Hot spots viewing information, which identifies viewing trends  for each moment in a video.” YouTube also permits brand channel video providers to track users via a “one 1px by 1px third-party tracking tag, which lets the channel owners use view-through tracking to better understand a user’s behavior after the user leaves the channel page.”

We assume the White House will answer such questions (such as whether they receive brand channel-like services), respond favorably to the FOIA request from Chris Soghoian, and ensure that the site reflects the highest possible consumer privacy standards.

Commercial Domestic Surveillance: The new White House Website, YouTube & Privacy

In a post for CNET yesterday, privacy expert Chris Soghoian revealed that President Obama’s White House “has quietly exempted YouTube from strict rules relating to the use of cookies on federal agency Web sites.”   Federal rules prohibit the use of what are called “persistent cookies,” which can track an online user’s activities and behavior.  Soghoian cites the new White House privacy policy that states, “A waiver has been issued by the White House Counsel’s office to allow for the use of this persistent cookie.”  Google’s YouTube received this exemption, notes the White House site, “to help maintain the integrity of video statistics.”

Now the White House has made a quick change, according to a post written today by Soghoian.  “Obama’s web team rolled out a technical fix that severely limits YouTube’s ability to track most visitors to the White House website,” he writes. “By late Thursday evening, each embedded YouTube video had been replaced with an image of a video player, which a user must click on before the real YouTube player will be loaded. The result of this change is that YouTube is now only able to use cookies to track users who click on the “play” button on an embedded YouTube video — the majority of people who scroll through a page without clicking play will not be tracked.”  But he also describes the new approach as a “band-aid. Those users who do click the play button will be secretly tracked as they navigate the White House website — and if those users have visited YouTube or any other Google run website in the past, the fact that they watched an Obama video will be added to the existing massive pile of data the company has compiled on each web surfer.”

But those White House web site visitors who do click on the YouTube videos will likely become part of the data analysis which could be generated via Google’s YouTube Insight.  That’s a video analytics tool providing “detailed statistics” on video use.  One Google executive offered a commercial example of the tool’s features: “YouTube’s geographical insights could help marketers determine ad effectiveness and campaign optimization. For instance, he said, different versions of a movie trailer might perform better in different regions.”  Other YouTube analytical data available includes a “demographics tab that displays view count information broken down by age group (such as ages 18-24), gender, or a combination of the two, to help you get a better understanding of the makeup of your YouTube audience. We show you general information about your viewers in anonymous and aggregate form, based on the birth date and gender information that users share with us when they create YouTube accounts.”  (Google says “individual users can’t be personally identified.”  But the company has embraced a narrow definition of what privacy protections users should expect, the so-called APEC standard).

Persistent cookies, explains U.S. Military Academy computer science professor Greg Conti, “can exist for many years…repeatedly identifying the user to the issuing web site…persistent cookies are specifically designed to uniquely identify users on return visits to web sites…In terms of anonymity, this is bad.  Advertisers have found innovative ways to exploit cookies to track users as they visit web sites that contain ads or other content.”  [source is Professor Conti’s terrific book, Googling Security:  How Much Does Google Know About You?  Addison-Wesley.  2009.  Page 73]

Of course, Google/YouTube’s cookie placed via a White House visit sets the stage for the company to further track and analyze citizens/ users.  Given YouTube’s ever-growing expansion as a commercial video advertising service, its ability to harness the White House data cookie will undoubtedly prove useful for the company.

The revised White House privacy policy does offer users a way to view the videos “without the use of persistent cookies” through the extra step of clicking the “link to download the video file… provided just below the video.” But we think opt-out is the incorrect approach.

The Obama White House should set the standard for protecting privacy in the digital era.  They should maintain the prohibition on persistent tracking cookies.  Nor should they permit any commercial operator, including Google’s YouTube, to engage in federally-sanctioned data collection.  We know the new Obama Administration has many important issues to address.  But they also need to develop a sophisticated critique of the online advertising industry, ensuring privacy and consumer protection.  The Obama Administration should be able to articulate a balanced perspective–one that can take advantage of and foster the democratic potential of digital media, while also meaningfully addressing the harms.

Google, YouTube, and DoubleClick Cookies Placed on Users of YouTube’s new Congress Channels, Says Computer Scientist

Columbia U computer professor Steven M. Bellovin has an important post on the privacy issues raised by YouTube’s new House and Senate channels.  He writes [excerpt, our emphasis] that:

“I opened a fresh web browser, with no cookies stored, and went directly to the House site. Just from that page, I ended up with cookies from YouTube, Google, and DoubleClick, another Google subsidiary. Why should Google know which members of Congress I’m interested in? Do they plan to correlate political viewing preferences with, say, searches I do on guns, hybrid cars, religion, privacy, etc.?

The incoming executive branch has made the same mistake: President-Elect Obama’s videos on Change.gov are also hosted on (among others) YouTube. Nor does the privacy policy say anything at all about 3rd-party cookies.”

Video channels providing the public access to members of Congress and the new Administration should be in the forefront of privacy protection, and not serve as a data collection shill for any company.  Nor should one company be permitted to shape broadband video access to federal officials.
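The fresh-browser test Professor Bellovin describes, and the federal rule against persistent cookies discussed in the White House posts above, can be turned into a repeatable audit. The following is an added example, not code from any of the sources quoted here; the hosts, cookie names and capture data are constructed, and "same site" is approximated by the last two DNS labels (a real audit should use the Public Suffix List).

```javascript
// Constructed capture: the Set-Cookie headers seen while loading one page in
// a browser with no stored cookies. All hosts and cookie names are hypothetical.
const PAGE_HOST = 'www.agency.example';
const CAPTURED_AT = new Date('2009-01-23T12:00:00Z');
const CAPTURE = [
  { host: 'www.agency.example', setCookie: ['session=abc; Path=/'] },
  { host: 'www.video.example', setCookie: [
    'viewer=9f3a; Domain=.video.example; Expires=Wed, 23 Jan 2019 12:00:00 GMT; Path=/',
    'prefs=f1; Path=/',
  ] },
  { host: 'ad.adnet.example', setCookie: ['id=77aa; Domain=.adnet.example; Max-Age=63072000'] },
  { host: 'static.agency.example', setCookie: ['old=1; Max-Age=0'] },
];

// Assumption: the "site" is the last two DNS labels of the host.
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header into a name plus a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf('=')), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    cookie.attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Seconds the cookie outlives the capture, or null for a session cookie.
// Max-Age takes precedence over Expires (RFC 6265).
function lifetimeSeconds(cookie, now) {
  if ('max-age' in cookie.attrs) {
    const n = parseInt(cookie.attrs['max-age'], 10);
    return Number.isNaN(n) ? null : n;
  }
  if ('expires' in cookie.attrs) {
    const t = Date.parse(cookie.attrs.expires);
    return Number.isNaN(t) ? null : Math.round((t - now.getTime()) / 1000);
  }
  return null;
}

// Classify every cookie set during the page load.
function auditCookies(pageHost, capture, now) {
  const findings = [];
  for (const { host, setCookie } of capture) {
    for (const header of setCookie) {
      const cookie = parseSetCookie(header);
      const life = lifetimeSeconds(cookie, now);
      const persistent = life !== null && life > 0;
      findings.push({
        name: cookie.name,
        setBy: host,
        thirdParty: site(host) !== site(pageHost),
        persistent,
        days: persistent ? Math.round(life / 86400) : 0,
      });
    }
  }
  return findings;
}

// The cookies at issue in these posts: persistent and set by another site.
const flagged = (findings) => findings.filter((f) => f.thirdParty && f.persistent);

console.log(flagged(auditCookies(PAGE_HOST, CAPTURE, CAPTURED_AT)));
```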

The “Revised” Network Advertising Initiative Principles: Ghost-written by Bernard Madoff?

That was really what we felt reading the “NAI Response to Public Comments” released yesterday.  It accompanied the 2008 principles announcement by the self-regulatory online marketing trade group.  The “response” is worth reading, because it really reveals the inability of the group to meaningfully address how to protect consumers online.  You would think that an organization which has Microsoft, Google, Yahoo, Time Warner and many others as paying members could at least clearly state what happens to our data in the online marketing process.  But the real goal of the NAI is to prevent the enactment of serious state and federal privacy policies that would protect consumers. My group put out a statement yesterday discussing the new principles.

The credibility of Google, Microsoft, Yahoo and Time Warner is at stake.  They should be able to ensure that their own organization can honestly address the implications of online advertising.  But it’s time to abandon any call for self-regulation.  That has been a failure.  It’s clear that a growing number of consumer and privacy groups are calling for a legislative solution, as well as a more effective FTC.  Responsible online ad companies will support such regulation.