Facebook is expanding what brands and other marketers can do to target its users. As InsideFacebook explains, “Facebook has just launched a new way to draw more people to your Facebook Page or application, called “Friends of connections†targeting. Here’s how it works: before today, advertisers could already target any of their “connections,†where connections are defined as:
Fans of any of your Pages
Users of any of your Applications
Members of any of your Groups
Attendees of any of your Events
Now, advertisers can target ads specifically to friends of any of these connections as well. When this option is selected, friends of connections who see the ad will also see a message about which of their friends is connected to the advertiser…This feature should lead to increased conversion on Facebook Ads…this is the first time it has allowed advertisers to specifically target just friends of connections…We also spoke directly to Tim Kendall, Facebook’s director of monetization…In many ways we view Social Ads as less surreptitious than many types of behavioral targeting technologies.”
Here’s what we included in our recent filing at the FTC.
The Failure of Industry Self-regulation
It should be evident to all that self-regulation to protect consumer privacy online has been a dismal failure, and the FTC must have the courage to admit this. After all, it wasn’t until CDD/USPIRG and other consumer groups filed well-publicized complaints (and helped create a public outcry over the privacy implications of the Google/DoubleClick deal) that the FTC finally issued its privacy principles in 2007.[183] And it took such pressure to awaken the National Advertising Initiative (NAI) and its members from the deep freeze of inaction, belatedly scrambling to “enhance†their “Self-Regulatory Code of Conduct, a set of binding Principles that has governed members since 2001.â€[184] Since its inception, the NAI had been asleep at the digital self-regulatory “switch.†Otherwise we would not have had the ever-growing personalized data collection, profiling, and targeting apparatus that NAI’s members so enthusiastically embraced. The NAI, it should not be forgotten, was only created to head off serious action by the FTC back in 2000 as a result of the growing concern with online profiling.[185]
The revised NAI principles reveal how the group remains incapable of ensuring the protection of consumer privacy. They also demonstrate how the NAI cannot be relied on to offer the FTC—or the public—independent and honest proposals that would protect consumers from contemporary online data collection practices. For example, its revised principles—sadly—define sensitive information is the narrowest of terms: “Social Security Numbers or other Government-issued identifiers; Insurance plan numbers; Financial account numbers; Information that describes the precise real-time geographic location of an individual derived through location-based services such as through GPS-enabled devices; Precise information about past, present, or potential future health or medical conditions or treatments, including genetic, genomic, and family medical history.â€[186]
The NAI and its members know full well that copious amounts of data relating to the financial and health status of consumers is currently being collected. Indeed expenditures for online financial marketing alone was $3 billion in 2008. The collection of consumer information resulting from online lead generation—which saw some $1.7 billion in spending last year—is deeply connected to data about a person’s interest in loans or credit.[187] A growing business in online pharmaceutical marketing is also actively harvesting consumer data, for purposes that include behavioral targeting. If the NAI were a serious independent entity capable of protecting consumers, it would have effectively articulated how sensitive information should be protected.
NAI’s narrow definition of personally identifiable information (PII) is out of touch with online marketing reality: “PII includes name, address, telephone number, email address, financial account number, government-issued identifier, and any other data used or intended to be used to identify, contact or precisely locate a person.â€[188] We urge the commission to examine NAI members’ sites so it can view for itself the stark discrepancies between what is promised advertisers in terms of personalized consumer targeting and the NAI’s purposefully narrow and inaccurate definition of PII.
Finally, we find it absurd that all the NAI could do in serving the privacy interests of young people is to conform to the legal standards of the Children’s Online Privacy Protection Act. (COPPA is a law CDD’s executive director played a key leadership role in helping pass in 1998.) It is unfortunate that the NAI could not offer new safeguards for children, including policies to protect adolescent privacy.
Unfortunately, the “Self-Regulatory Principles for Online Behavioral Advertising,†released in July 2009 by the American Association of Advertising Agencies, Association of National Advertisers, Council of Better Business Bureaus, Direct Marketing Association, and the Interactive Advertising Bureau, are equally inadequate.[189] While an improvement over the stance embraced by the IAB in 2008, when it claimed there were no privacy concerns related to behavioral advertising, the new principles cannot be relied on to protect consumers.[190] Its “Sensitive Data†principle in particular, much like the NAI’s, is so inadequate that the FTC should consider bringing an Unfair and Deceptive Complaint against its authors. There are only two categories of information listed under the sensitive principle: Children and “Health and Financial Data.†Under the latter, AAAA et al’s principle is simply that “Entities should not collect and use financial account numbers, Social Security numbers, pharmaceutical prescriptions, or medical records about a specific individual for Online Behavioral Advertising without Consent.â€[191] Again, this flies in the face of what the members of these groups actually do when collecting health and financial data for online advertising. As for protecting children, the AAAA and its associates—like the NAI—simply endorse the legal framework already required by COPPA. But by failing to address adolescent privacy, the AAAA et al. reveal that they are really concerned only with maintaining the data collection/profiling/targeting status quo.
As the history of self-regulation of the media in the U.S. makes clear, we need strong baseline laws and regulations to ensure serious industry compliance. That’s why this new proceeding must lead to FTC action that will ensure that consumer privacy online is finally safeguarded.
The Federal Trade Commission should examine the privacy issues connected to the Google/AdMob deal. As we informed the FTC yesterday, AdMob says it can target via “age, gender, HHI, ethnicity, education & context.”
The CDD/USPIRG complaint on mobile advertising provides useful analysis. Here’s an excerpt on its discussion about AdMob:
AdMob: “Mining All the Data We’ve Capturedâ€
AdMob is a “mobile advertising network†seeking to “target mobile users and monetize mobile traffic.†There is inadequate notice and little opportunity to opt-out of this data- gathering. Few mobile users realize that their communications and actions are monitored and recorded in order to create intimate profiles for marketing purposes.
AdMob also targets the youth demographic. It segments “market audiences†into several categories, including a “Digital Natives†category, which include boys and girls as young as 13. AdMob also focuses on social networking sites, claiming it “enables developers to monetize Facebook mobile applications by integrating AdMob’s industry-leading mobile publishing solutions into any Facebook mobile application. Developers building mobile web applications for the Facebook community using the Facebook Platform for Mobile can easily integrate the AdMob code to start serving ads….â€
And AdMob is continually seeking to mine and monetize the data gathered on unsuspecting youths and other mobile users. AdMob’s CEO Omar Hamoui admitted, “We are investing a fair amount of development resources into mining all the data we’ve captured over the last 12 months of ad serving and targeting.â€
AdMob gathers this data (and targets youths) without adequate notice to the consumer, making it difficult for a mobile user to weigh the costs and benefits and choose whether to opt out of this profiling. This constitutes unfair and deceptive practices, and the Federal Trade Commission should scrutinize these actions.
Last week, NGO’s and activists from across the world met in Madrid Spain to discuss threats to privacy and human rights. It was part of the Public Voice’s excellent work to ensure that civil society is well represented in the debates over privacy and other digital media issues. Over 100 NGO’s, including my own CDD, were initial endorsers of the “Global Privacy Standards for a Global World” Madrid Declaration. It was well received by policy makers, including the data protection commissioner community. The all day meeting and related efforts was organized by the remarkable Katitza Rodriquez. Bravo to her and everyone involved.
The Declaration and related work at the Data Protection conference provided a much needed counter-balance to the failure of leading online companies to seriously address their data collection practices and plans.
That’s the title of comments filed at the U.S. Federal Trade Commission by my Center for Digital Democracy and U.S. PIRG. I also just gave a presentation with the same name at last week’s meeting of data protection commissioners in Madrid, Spain.  It’s available here.
Here’s an excerpt:  Today, consumers online face the rapid growth and ever-increasing sophistication of the various techniques advertisers employ for data collection, profiling, and targeting across all online platforms. The growth of ad and other optimization services for targeting, involving real-time bidding on ad exchanges; the expansion of data collection capabilities from the largest advertising agencies (with the participation of leading digital media content and marketing companies); the increasing capabilities of mobile marketers to target users via enhanced data collection; and a disturbing growth of social media surveillance practices for targeted marketing are just a few of the developments the commission must address. But despite technical innovation and what may appear to be dramatic changes in the online data collection/profiling/targeting market, the commission must recognize that the underlying paradigm threatening consumer privacy online has been constant since the early 1990’s. So-called “one-to-one marketing,†where advertisers collect as much as possible on individual consumers so they can be targeted online, remains the fundamental approach.
The advertising lobby has been working to undermine the FTC’s ability to serve the public interest. Advertisers are fearful that the FTC–finally awakened from a long digital slumber–will actually investigate the numerous problems linked especially to marketing (think prescription drugs, financial marketing of subprime loans, etc.). They are especially concerned that the FTC will effectively address privacy and consumer protection problems related to privacy, interactive advertising, children and adolescents, and “green” marketing. Here’s the letter which was sent late yesterday to Chairman Waxman and Ranking Member Barton:
October 28, 2009
Chairman Henry Waxman
Rep. Joe Barton, Ranking Member
Energy and Commerce Committee
(via email)
Dear Chairman Waxman and Rep. Barton:
We write to support the provisions in H.R. 3126, the “Consumer Financial Protection Agency Act of 2009†(CFPA Act), designed to ensure that the Federal Trade Commission has the resources and authority to protect consumers from unfair and deceptive practices.
We believe that the FTC must play a more proactive role addressing critical consumer concerns, including privacy, online marketing, and food advertising to young people. Therefore, we fully support the legislative language in H.R.3126 that would enable the commission to conduct consumer protection rulemaking under the provisions of the Administrative Procedures Act (APA); provide it with aiding and abetting liability for violations of the Section 5 of the FTC Act involving unfair or deceptive practices; and enable it to seek civil penalty liability for unfair and deceptive practices found to violate Section 5. We also support providing the FTC independent litigating authority in civil penalty cases.
As you know, the FTC’s ability to serve consumers has been hamstrung because of its “Magnuson-Moss†rulemaking procedure. As a result, the FTC has not been able to effectively engage in a timely and effective rulemaking process. By providing the FTC with the same APA rulemaking authority enjoyed by other federal agencies, it will enable the commission to engage in consumer protection activities in a timely manner.
Respectfully,
American Academy of Child and Adolescent Psychiatry
Campaign for Commercial Free Childhood
Center for Democracy and Technology
Center for Digital Democracy
Center for Science in the Public Interest
Children Now
Consumer Federation of America
Consumer Action
Consumers Union
Consumer Watchdog
Free Press
Electronic Frontier Foundation
Media Access Project
Privacy Rights Clearinghouse
Privacy Times
Public Citizen
Public Knowledge
Public Health Institute
U.S. PIRG
World Privacy Forum
David Britt, CEO (retired) Sesame Workshop
Prof. Kelly Brownell, Yale University
Prof. Robert McChesney, University of Illinois at Urbana-Champaign
File this under “we aren’t concerned about the public interest when it may affect our bottom line.” At yesterday’s Web 2.0 Summit conference, a panel on the future of news included representatives from HuffPo, Google, the NYT and others. When a question was asked from the audience about behavioral targeting, here’s what Huffington Post CEO Eric Hippeau said [according to the WSJ]:
“it’s much ado about nothing. “I’d much rather see an ad I’m interested in,†he says. Efforts at regulation are made by people who “don’t get it.â€
Shame on Mr. Hippeau.  Perhaps he opposes protecting consumer privacy because it would be inconvenient while his company expands its online ad targeting business. HuffPost uses a range of online data collection and targeting tools, including Pubmatic for ad optimization, and Admeld. It uses Time Warner’s behavioral targeting subsidiary Tacoda [advertising.com] and also Google’s DoubleClick service. Here’s an excerpt from HuffPost’s privacy policy:
“The more we know about you, the better we are able to customize our web site to suit your personal preferences and interests… We may also from time to time send you messages about our marketing partners’ products. To maintain a site that is free of charge and does not require registration, we display advertisements on our web site. We also use the information you give us to help our advertisers target the audience they want to reach…the ads appearing on HuffingtonPost.com are delivered to you by DoubleClick, our Web advertising serving partner. Information about your visit to this site, such as number of times you have viewed an ad (but not your name, address, or other personal information), is used to serve ads to you on this site. And, in the course of serving advertisements to this site, third party advertisers may place or recognize a unique cookie on your browser.”
As we have said, we can both protect privacy and also foster the growth of the online ad market. Mr. Hippeau revealed a starkly uninformed–and crass–dimension to the HuffPo’s corporate leadership.
The Facebook economy—built on allowing marketers to harness what’s called the “social graph”–is big business (and will grow as consumers also buy more virtual goods). AllFacebook reports that:
“When the Facebook platform launched two and a half years ago a massive cost per install economy sprouted up. Whether it was individual developers looking for more users or large brands looking to expand the user base of their branded applications, money was flowing…There are entire ad networks still supported by the cost per install economy…So how much do fans sell for? There’s a wide range but I’ve heard Facebook is selling fans between $4 and $10. That adds up to substantial revenue for Facebook. For example, let’s assume that the top 100 advertisers each want to purchase 100,000 fans. Theoretically Facebook could generate $100 million just from the top 100 advertisers. As you move down the long tail the numbers begin to add up quickly.”
source: If Brands Want Fans, Facebook Will Sell Them Fans. Nick O’Neill. AllFacebook. Oct. 20, 2009.
Steve Lohr of the New York Times reports in Bits that “Murthy Nukala, the chief executive of Adchemy, calls his company’s technology “statistical personalization.†It doesn’t really identify a person, he said. But by probing vast data sets, from click streams to marketing information from firms like Acxiom, Adchemy can identify the sorts of people -– by age, gender and interests -– that advertisers want to pinpoint.“We don’t hold any data. We just connect to 30 or 40 data sources,†Mr. Nukala said.”
Adchemy is a good example of the growing data collection apparatus that fine-tunes the pitch by using “customized marketing content” along with its real-time analysis. Here’s an excerpt from its website:
Highly customized marketing based on visitor context. All prospects – even anonymous ones – can be described by multiple attributes, including publisher, placement, search query, ad displayed, ad element clicked, geography, demographics, time of day/week/month and other marketer-defined attributes. Adchemy calls the sum total of all these attributes “visitor context.” At every level of the Customer Acquisition Funnel, the Adchemy Digital Marketing Platform dynamically generates the most customized marketing content for the prospect based on the visitor context.
Continuously optimized, real-time content delivery. Based on the user’s visitor context, the best content is served to each visitor in real time without any manual, human involvement. The learning engines proactively synthesize advertising performance and respond automatically to each customer with appropriate content based on powerful patent-pending statistical techniques. Adchemy’s patent-pending statistical techniques speed up the traditionally slow process of gathering statistically significant marketing insights.
The 4A’S advertising trade and lobby organization sent a letter to the Department of Justice yesterday supporting the Microsoft/Yahoo search merger deal. Among the five signatories from some of the biggest and most powerful ad companies was the head of the Publicis Groupe. But missing from the `approve this deal’ letter was any acknowledgment that Publicis is a partner of Microsoft–something we and other consumer groups have asked the DoJ to investigate as part of its review.
The recent deal between Microsoft and Publicis includes the sale of Razorfish, combined online ad activities and also data sharing.  In addition, Microsoft is expected to own 3% of Publicis after the deal closes, according to the Wall Street Journal.
The letter to the DoJ should have disclosed this and other conflicts of interest.