Games Microsoft Plays: “consumer online behavior” tracked on its video gaming service [a “massive” invasion of privacy!]

Microsoft’s just announced a new consumer tracking and profiling tool for advertisers using its Massive video gaming platform service. Calling it a “breakthrough” in its press release, the new Microsoft/comScore research tool enables advertisers:

“… to see the direct impact that in-game advertisements have on consumer online behavior…, advertisers will get an inside look at the degree to which in-game ads motivate gamers to visit Web sites, conduct brand-related search queries and engage in other online actions, something that previously had gone unmeasured…Through this collaboration with comScore, we will also now be able to measure those consumer actions that result from in-game ads. We think this has the potential to literally ‘change the game’ for both advertisers and publishers who want to improve the effectiveness of their in-game ad efforts.”

AdEffx Action Lift for Gaming matches in-game console ad serving data from Massive with comScore’s third-party, post-campaign panel data to track and measure in-game advertising effectiveness. By combining Microsoft’s proprietary, non-personally identifying Anonymous ID data, which is common across Xbox LIVE and Microsoft Web properties (known as Windows Live ID), with user data from comScore’s panel of 2 million Internet users worldwide, comScore can determine if panelists who saw in-game advertising subsequently visited a brand’s Web site, searched brand-related terms or engaged in other online behaviors important to advertisers.”

“Cookie Wars, Real-Time Targeting, and Proprietary Self Learning Algorithms: Why the FTC Must Act Swiftly to Protect Consumer Privacy”

That’s the title of comments filed at the U.S. Federal Trade Commission by my Center for Digital Democracy and U.S. PIRG.  I also just gave a presentation with the same name at last week’s meeting of data protection commissioners in Madrid, Spain.   It’s available here.

Here’s an excerpt:   Today, consumers online face the rapid growth and ever-increasing sophistication of the various techniques advertisers employ for data collection, profiling, and targeting across all online platforms. The growth of ad and other optimization services for targeting, involving real-time bidding on ad exchanges; the expansion of data collection capabilities from the largest advertising agencies (with the participation of leading digital media content and marketing companies); the increasing capabilities of mobile marketers to target users via enhanced data collection; and a disturbing growth of social media surveillance practices for targeted marketing are just a few of the developments the commission must address. But despite technical innovation and what may appear to be dramatic changes in the online data collection/profiling/targeting market, the commission must recognize that the underlying paradigm threatening consumer privacy online has been constant since the early 1990’s. So-called “one-to-one marketing,” where advertisers collect as much as possible on individual consumers so they can be targeted online, remains the fundamental approach.

Online Consumers Require Real Privacy Safeguards, Not the Digital Fox [AAAA, ANA, BBB, DMA & IAB] in Charge of the Data Hen House

The self-regulatory proposals released today [2 July 2009]  by five marketing industry trade and lobby groups are way too little and far too late. This move by the online ad industry is an attempt, of course, to quell the growing bi-partisan calls in Congress to enact meaningful digital privacy and consumer protection laws. It’s also designed to assuage a reawakened Federal Trade Commission–whose new chair, Jon Leibowitz, recently appointed one the country’s most distinguished consumer advocates and legal scholars to direct its Bureau of Consumer Protection (David Vladeck). The principles are inadequate, even beyond their self-regulatory approach that condones, in effect, the “corporate fox guarding the digital data henhouse.” Effective government regulation is required to protect consumers. We should have learned a painful lesson by now with the failure of the financial industry to oversee itself. The reckless activities of the financial sector—made possible by a deregulatory, hands-off government policy–directly led to the current financial catastrophe. As more of our transactions and daily activities are conducted online, including those involving financial and health issues–through PCs, mobile phones, social networks, and the like–it is critical that the first principle be to ensure the basic protection of consumer privacy. Self-dealing “principles” concocted by online marketers simply won’t provide the level of protection consumers really require.

The industry appears to have embraced a definition of behavioral targeting and profiling that is at odds with how the practice actually works. Before any data is collected from consumers, they need to be candidly informed about the process–such as the creation and evolution of their profile; how tracking and data gathering occurs site to site; what data can be added to their profile from outside databases; the role that data targeting plays on so-called first-party websites, etc. In addition, the highest possible consumer safeguards are necessary when financial and health data are involved. Under the loosey-goosey trade industry principles, however, only “certain health and financial data” are to be treated as a “sensitive” category. This would permit widespread data collection involving personal information regarding our health and financial concerns. The new principles, moreover, fail to protect the privacy of teenagers; nor do they seriously address children’s privacy. (I was one of the two people that led the campaign to enact the Children’s Online Privacy Protection Act).

The failure to develop adequate safeguards for sensitive consumer information illustrates, I believe, the inability of the ad marketing groups to seriously address online privacy. The so-called “notice and choice” approach embraced by the industry has failed. More links to better-written privacy statements don’t address the central problem: the collection of more and more user data for profiling and targeting purposes. There needs to be quick Congressional action placing limits on the collection, use and retention of consumer data; opt-in control over profile information; and the creation of a meaningful sensitive data category. Consumer and privacy groups intend to work with Congress to ensure that individuals don’t face additional losses due to unfair online marketing practices.

[press statement by the Center for Digital Democracy]

Tales of Behavioral Targeting: Barry Diller’s IAC Can “tap into rich behavioral….information” of users

The IAC Network includes sites such as Citysearch, Evite and Match.com  From Ad Age, Page C46.  April 20, 2009 [excerpt]:

“…we can tap into rich behavioral and declared information about our users.  Translation:  We know a lot more.  For example, we know if a user exercises regularly, searches for expensive restaurants in New York, is looking for a new home to purchase, has dogs or attended a bachelor party.  Analysis of these multiple dimensions of attributes (literally millions) delivers an unmatched level of insight into our users and what’s important to them.  And we’re making that intelligence work for you.”

Center for Democracy & Technology Goes for the “Gold” as it Raises $ for its “Gala” from AT&T, eBay, Microsoft, Google (and many other corporations)

CDT is having a “Gala Celebration” next month, supported by “Gold, Silver, and Bronze” sponsors.  AT&T, eBay, Microsoft and Google are listed at the $15,000 “Gold” level [“Two tables in Premium Location-Two tickets to the VIP Reception”]; Among the “Silver” sponsors [“One table-One ticket to the VIP Reception”] at the $7,500 tab include Time Warner (AOL), Dow Lohnes, Qorvis Communications (repping Sun, Cisco, etc), American Express, Verizon, Intel, US Chamber of Commerce, ID Analytics, Yahoo!, Arnold & Porter, IAC/Interactive Corp, Thompson LexisNexis, Hogan & Hartson (reps News Corp’s MySpace, among others), Comcast, and Sonnenschein Nath  & Rosenthal, LLP.   There are also a number of “Bronze” sponsor at the $1000 level [“One seat at a table”]. (CDT has a Facebook page on the event.)

CDT’s 2007 Gala, which honored Bill Gates, had “more than 900″ supporters” in attendance.

Facebook, Advertising, Third-Party $Apps, Terms of Service, Data Collection & Privacy

The role that third party developers play accessing user data on social networks such as Facebook has long been a privacy concern for us.  The business practices, including data collection, profiling and targeting that form the basis of social networking “monetization” strategies are hidden from public view.  My CDD and USPIRG, in our various privacy complaints to the FTC, asked the agency to examine this area.  Maybe the new Obama FTC will do so.  But for now, here’s some excerpts from Facebook’s advice “on common business models” to application developers, as well as from its list of “third party developers” involved in social media marketing:

“As you think about building your app on Facebook, we want to help by highlighting some keys ways of thinking about your app as a business… Apps that are meaningful, trustworthy and well designed have real staying – and monetizing – power… we host a Platform with instant access to more than 175 million active users… Once you’ve created a sustainable, engaging social application, there are many different ways to help monetize it… Advertising: We at Facebook have had success serving targeted advertisements to our users based on information we know about them. By leveraging the data we give you access to (as detailed in our Developer Terms of Service) and data users share with you directly as a part of your application experience, you can serve highly relevant ads… Virtual Credits / Virtual Goods:… instead of accepting payments directly from users for subscriptions or virtual goods, some applications instead allow users to complete affiliate offers by filling out surveys or agreeing to try new products. There are a number of providers who consolidate these types of offers…
Third Party Providers to Help You Monetize:

Advertising:
AdParlor:  “Over 500 Million users worldwide are on a social networking site. These users are comfortable sharing their age, gender, and location, and can be reached through targeted advertising.”…
Shopitmedia: “you can target based on:
1. Location
2. Gender
3. Age
4. Application Category”…
Affiliate marketing…
Analytics…

Payments

Baby Steps for Online Privacy: Why the FTC Self-Regulatory Principles For Online Behavioral Advertising Fails to Protect the Public

Statement of Jeff Chester, Exec. Director, Center for Digital Democracy:

The Federal Trade Commission is supposed to serve as the nation’s leading consumer protection agency.  But for too long it has buried its mandate in the `digital’ sand, as far as ensuring U.S. consumer privacy is protected online.    The commission embraced a narrow intellectual framework as it examined online marketing and data collection for this proceeding.  Since 2001, the Bush FTC has made industry self-regulation for privacy and online marketing the only acceptable approach when considering any policy safeguards (although the Clinton FTC was also inadequate in this regard as well).  Consequently, FTC staff—placed in a sort of intellectual straitjacket—was hampered in their efforts to propose meaningful safeguards.

Advertisers and marketers have developed an array of sophisticated and ever-evolving data collection and profiling applications, honed from the latest developments in such fields as semantics, artificial intelligence, auction theory, social network analysis, data-mining, and statistical modeling.  Unknown to many members of the public, a vast commercial surveillance system is at the core of most search engines, online video channels, videogames, mobile services and social networks.  We are being digitally shadowed across the online medium, our actions monitored and analyzed.

Behavioral targeting (BT), the online marketing technique that analyzes how an individual user acts online so they can be sent more precise marketing messages, is just one tool in the interactive advertisers’ arsenal.  Today, we are witnessing a dramatic growth in the capabilities of marketers to track and assess our activities and communication habits on the Internet.  Social media monitoring, so-called “rich-media” immersive marketing, new forms of viral and virtual advertising and product placement, and a renewed interest (and growing investment in) neuromarketing, all contribute to the panoply of approaches that also includes BT.  Behavioral targeting itself has also grown more complex.  That modest little “cookie” data file on our browsers, which created the potential for behavioral ads, now permits a more diverse set of approaches for delivering targeted advertising.

We don’t believe that the FTC has sufficiently analyzed the current state of interactive marketing and data collection.  Otherwise, it would have been able to articulate a better definition of behavioral targeting that would illustrate why legislative safeguards are now required.  It should have not exempted “First Party” sites from the Principles; users need to know and approve what kinds of data collection for targeting are being done at that specific online location.

The commission should have created specific policies for so-called sensitive data, especially in the financial, health, and children/adolescent area.  By urging a conversation between industry and consumer groups to “develop more specific standards,” the commission has effectively and needlessly delayed the enactment of meaningful safeguards.

On the positive side, the FTC has finally recognized that given today’s contemporary marketing practices, the distinction between so-called personally identifiable information (PII) and non-PII is no longer relevant.  The commission is finally catching up with the work of the Article 29 Working Party in the EU (the organization of privacy commissioners from member states), which has made significant advances in this area.

We acknowledge that many on the FTC staff worked diligently to develop these principles.  We personally thank them for their commitment to the public interest.  Both Commissioners Leibowitz and Harbour played especially critical roles by supporting a serious examination of these issues.  We urge everyone to review their separate statements issued today.  Today’s release of the privacy principles continues the conversation.  But meaningful action is required.  We cannot leave the American public—now pressed by all manner of financial and other pressures—to remain vulnerable to the data collection and targeting lures of interactive marketing.

Ad Industry Lawyer Spins in Ad Age that Privacy Will Be on “Back Burner.” Not Only Incorrect–but self-serving

This week’s Advertising Age has a “Legal Issues to Watch in 2009” column.  Written by Douglas J. Wood of Reed Smith, it claims that: “PRIVACY TO THE BACK BURNER- Congress and regulators are in a Catch-22: While under constant pressure from constituents and consumerists to curtail the use of personal information or behavioral targeting, they recognize that advertising is the backbone of the internet. So while there will be occasional skirmishes, the war on privacy will continue in its stalemate. Regulators will also see browser makers offering more control to consumers to block ads and the collection of personal information as adequate progress.”

Mr. Wood, it turns out is “a member of Reed Smith’s Executive Committee and the firm’s Advertising Technology & Media Group…and is General Counsel to both the Association of National Advertisers and the Advertising Research Foundation.

Perhaps Mr. Wood is too busy to really follow Hill and FTC developments, because he is wrong.  There will be considerable activity on the Hill and elsewhere.   His column should have been labeled as written by the lawyer for the ad industry lobby group.  But it does reflect a lack of insight about the online ad industry’s problems related to privacy and consumer protection.

Interactive Ad Bureau to Congress and Public: If Your Privacy is Protected, The Internet Will Fail Like Wall Street!

It’s too disquieting a time in the U.S. to dismiss what a lobbyist for the Interactive Advertising Bureau said as merely silly. The IAB lobbyist is quoted in today’s Washington Post saying: “If Congress required ‘opt in’ today, Congress would be back in tomorrow writing an Internet bailout bill. Every advertising platform and business model would be put at risk.” [reg. required]

Why is the IAB afraid of honest consumer disclosure and consumer control? If online ad leaders can’t imagine a world where the industry still makes lots of money–while simultaneously respecting consumer privacy–perhaps they should choose another profession (say investment banking!).

Seriously, online ad leaders need to acknowledge that reasonable federal rules are required that safeguard consumers (with meaningful policies especially protecting children and adolescents, as well as adult financial, health, and political data). The industry doesn’t need a bail-out. But its leaders should `opt-in’ to a responsible position for online consumer privacy protection.

Behavioral Targeters Use Our Online Data to Track Our Actions and, They Say, to “Automate Serendipity.” Attention: FTC, Congress, EU, State AG’s, and Everyone Else Who Cares About Consumer Welfare (let alone issues related to public health and ethics!)

NPR’s On the Media co-host and Ad Age columnist Bob Garfield provides policymakers and advocates with an arsenal of new material that support the passage of digital age consumer protection laws. In his Ad Age essay [“Your Data With Destiny.” sub required], Garfield has this incredibly revealing–and disturbing–quote from behavioral targeting industry leader Dave Morgan (Tacoda) [our emphasis]:

“Now we have the ability to automate serendipity,” says Dave Morgan, founder of Tacoda, the behavioral-marketing firm sold to AOL in 2007 for a reported $275 million. “Consumers may know things they think they want, but they don’t know for sure what they might want.”

Garfield writes that “In 2006 Tacoda did a project for Panasonic in which it scrutinized the online behavior of millions of internet users — not a sample of 1,200 subjects to project a result against the whole population within a statistical margin of error; this was actual millions. Then it broke down that population’s surfing behavior according to 400-some criteria: media choices, last site visited, search terms, etc. It then ranked all of those behaviors according to correlation with flat-screen-TV purchase…“We no longer have to rely on old cultural prophecies as to who is the right consumer for the right message,” Morgan says. “It no longer has to be microsample-based [à la Nielsen or Simmons]. We now have [total-population] data, and that changes everything. With [those] data, you can know essentially everything. You can find out all the things that are nonintuitive or counterintuitive that are excellent predictors. … There’s a lot of power in that.”

There’s more in the piece, including what eBay is doing. As the annual Advertising Week fest begins in New York, we hope the leaders of the ad industry will take time to reflect on what they are creating. You cannot have a largely invisible system which tracks and analyzes our online and interactive behaviors and relationships, and then engages in all manner of stealth efforts to get individuals (including adolescents and kids) to act, think or feel in some desired way. Such a system requires rules which make the transaction entirely transparent and controlled by the individual. The ad industry must show some responsibility here.