Friday, December 19, 2008

Yahoo Slashes Data Retention to Three Months

In a move to one-up its search-engine rivals, Yahoo on Wednesday announced a new global data-retention policy that far surpasses what Google and Microsoft have proposed.

Indeed, Yahoo is setting the industry standard for data retention with its promise to anonymize user log data within 90 days -- with limited exceptions for fraud, security and legal obligations. Yahoo is also expanding its policy to apply not only to search-log data but also page views, page clicks, ad views, and ad clicks.

"In our world of customized online services, responsible use of data is critical to establishing and maintaining user trust," said Anne Toth, Yahoo's vice president of policy. "We know that our users expect relevant and compelling content and advertising when they visit Yahoo, but they also want assurances that we are focused on protecting their privacy."

Yahoo Gets Aggressive

Privacy advocates, including European Union regulators, have put pressure on search engines to slash data-storage times. The current industry standard is 18 months. Microsoft last week told European regulators it's ready to cut the time it holds users' search data from 18 months to six months -- if other search-engine companies do the same.

"What we've done since April is evaluate the multiple uses of search data to ascertain if we can, in time, move to a six-month time frame," said Peter Cullen, Microsoft's chief privacy strategist. "Our answer is yes, we can, but we don't believe it makes sense for us to make this change until our competitors also commit to meeting this higher standard with respect to both the method and time frame for anonymization."

Yahoo isn't waiting for other search engines to cooperate. Instead, the heads of the business and engineering units at Yahoo worked with the privacy and data-governance teams to review data needs. Their goal was to ensure that Yahoo retains data only long enough to serve its business and user-experience needs while maintaining the ability to fight fraud, secure systems, and meet legal obligations.

"This policy represents Yahoo's assessment of the minimum amount of time we need to retain data in order to respond to the needs of our business while deepening our trusted relationship with users," Toth said. "We're proud this new policy sets a new benchmark for the industry."

What Will Google Do?

Yahoo said users won't see a difference in their experience with Yahoo products or services, and advertisers will continue to leverage its interest-based advertising systems to deliver the most relevant ads. That revelation begs the question: Do users really care how long search engines retain their search data?

"I question to what extent consumers have any awareness of data-retention issues," said Greg Sterling, principal analyst at Sterling Market Intelligence. "They do have awareness that their behavior is tracked online, and there is considerable discomfort with that, but in terms of specific issues as to how long data is kept, I think there is total ignorance on the part of regular consumers."

Yahoo's move also begs questions about what Microsoft, Google and others will do in response to this aggressive policy. Sterling said it puts pressure on the search-engine industry to at least shave time off their data-retention policies. The European Union has pushed for a six-month limit.

"We might see Microsoft quickly come out and say it will cut its policy to six months, or maybe match Yahoo," Sterling said. "If that happens, certainly Google will have to follow suit. Google may not come down to three months, but they may come down to six months. If Google were to be isolated in this, it would not only incur the wrath of the EU regulators but it would also suffer in the press as the other two key players stepped up to the requested standard."

Wednesday, December 17, 2008

Privacy Proponents Prompt President-Elect To Police

Privacy advocates met Tuesday with members of President-elect Barack Obama's Federal Trade Commission transition team to urge that the government more aggressively regulate the online advertising industry.

"The overall message was that the Bush FTC gets an 'F' on privacy," said Jeff Chester, executive director of the Center for Digital Democracy. "We're expecting the Obama team to take a better approach."

Chester, who two years ago filed a complaint with the FTC about online behavioral targeting, is pressing for new laws that would require marketers to seek Web users' permission before tracking them for ad purposes.

Other groups at the one-hour meeting Tuesday with FTC transition team heads Susan Ness and Phil Weiser included the ACLU, Consumer Federation of America, Electronic Frontier Foundation, and World Privacy Forum.

Online ad executives and the Interactive Advertising Bureau have argued that the FTC should not restrict behavioral targeting because the practice does not harm consumers. Ad companies also say that behavioral targeting is often anonymous because they don't collect names, addresses or other so-called personally identifiable information. Instead, companies track users anonymously via cookies as they go from site to site, compile profiles, and then serve ads to users based on their presumed interests.

But privacy advocates have questioned just how anonymous this type of targeting really is. They say that in some circumstances, it might be possible to identify specific individuals from detailed profile information.

In addition, some consumer advocates say behavioral targeting is inherently problematic.

"Behavioral tracking and targeting is actually deceptive on its face because consumers' information is being collected by entities with whom they have no relationship, to whom they didn't give their information, and for purposes of which they're unaware," said Susan Grant, director of consumer protection at the Consumer Federation of America.

Grant added that her organization was concerned that some consumers could face tangible consequences due to behavioral targeting. For instance, she said, companies could potentially use information gleaned from tracking people online to make different offers to different people.

Some of the advocates also criticized the Network Advertising Initiative's new privacy guidelines to the transition team. Pam Dixon, executive director of the World Privacy Forum, said those standards don't adequately protect the privacy of people's medical information.

"To say they're non-starters is an understatement," Dixon said.

The new NAI guidelines call for ad companies to refrain from collecting data about sensitive medical information or serving ads related to such information, unless consumers expressly consent. The prior guidelines said marketers should never collect such data if it was personally identifiable, but allowed them to do so if the information was anonymous and people could opt out.

Google Wants Its Own Fast Track on the Web

The celebrated openness of the Internet -- network providers are not supposed to give preferential treatment to any traffic -- is quietly losing powerful defenders.

Google Inc. has approached major cable and phone companies that carry Internet traffic with a proposal to create a fast lane for its own content, according to documents reviewed by The Wall Street Journal. Google has traditionally been one of the loudest advocates of equal network access for all content providers.

At risk is a principle known as network neutrality: Cable and phone companies that operate the data pipelines are supposed to treat all traffic the same -- nobody is supposed to jump the line.

But phone and cable companies argue that Internet content providers should share in their network costs, particularly with Internet traffic growing by more than 50% annually, according to estimates. Carriers say that to keep up with surging traffic, driven mainly by the proliferation of online video, they need to boost revenue to upgrade their networks. Charging companies for fast lanes is one option.

One major cable operator in talks with Google says it has been reluctant so far to strike a deal because of concern it might violate Federal Communications Commission guidelines on network neutrality.

"If we did this, Washington would be on fire," says one executive at the cable company who is familiar with the talks, referring to the likely reaction of regulators and lawmakers.

Separately, Microsoft Corp. and Yahoo Inc. have withdrawn quietly from a coalition formed two years ago to protect network neutrality. Each company has forged partnerships with the phone and cable companies. In addition, prominent Internet scholars, some of whom have advised President-elect Barack Obama on technology issues, have softened their views on the subject.

The contentious issue has wide ramifications for the Internet as a platform for new businesses. If companies like Google succeed in negotiating preferential treatment, the Internet could become a place where wealthy companies get faster and easier access to the Web than less affluent ones, according to advocates of network neutrality. That could choke off competition, they say.

For computer users, it could mean that Web sites by companies not able to strike fast-lane deals will respond more slowly than those by companies able to pay. In the worst-case scenario, the Internet could become a medium where large companies, such as Comcast Corp. in cable television, would control both distribution and content -- and much of what users can access, according to neutrality advocates.

The developments could test Mr. Obama's professed commitment to network neutrality. "The Internet is perhaps the most open network in history, and we have to keep it that way," he told Google employees a year ago at the company's Mountain View, Calif., campus. "I will take a back seat to no one in my commitment to network neutrality."

But Lawrence Lessig, an Internet law professor at Stanford University and an influential proponent of network neutrality, recently shifted gears by saying at a conference that content providers should be able to pay for faster service. Mr. Lessig, who has known President-elect Barack Obama since their days teaching law at the University of Chicago, has been mentioned as a candidate to head the Federal Communications Commission, which regulates the telecommunications industry.

The shifting positions concern some purists. "What they're talking about is selling you the right to skip ahead in the line," says Ben Scott, policy director of Free Press, a Washington-based advocacy group. "It would mean the first part of your business plan would be a deal with AT&T to get into their super-tier -- that is anathema to a culture of innovation."

Advocates of network neutrality believe it has helped the Internet drive the technology revolution of the past two decades, creating hundreds of thousands of jobs.

The concept of network neutrality originated with the phone business. The nation's longtime telephone monopoly, nicknamed Ma Bell, and its regional successors were prohibited from giving any public phone call preference in how quickly it was connected. When the Internet first boomed in the 1990s, content largely traveled via telephone line, and the rule survived by default.

'Dumbpipes'

The carriers picked up the unflattering nickname "dumbpipes," underscoring their strict noninterference in the Internet traffic surging over their networks. The name heightened resentment among the carriers toward the soaring wealth of the content providers, such as Amazon.com Inc., that couldn't exist without the networks of the telecom and cable companies.

In August 2005, amid a deregulatory environment, the FCC weakened network neutrality to a set of four "guiding principles." The step had the effect of making the FCC's power to enforce network neutrality subject to interpretation, emboldening those looking for ways around it.

Stirring the waters further, major phone companies including AT&T and Verizon announced they intended to create new fast lanes on the Internet -- and would charge content companies a toll to use it. They claimed Internet companies had been getting a free ride.

That unleashed a firestorm of criticism. A diverse group including Internet companies Google, Microsoft and Amazon joined the likes of the Christian Coalition, the National Rifle Association and the pop singer Moby in what they characterized as a fight to "save the Internet." The coalition claimed such steps could endanger freedom of speech.

Advocates of network neutrality also claimed that dismantling the rule would be the first step toward distributors gaining control over content, since they could dictate traffic according to fees charged to content providers. The fortunes of a certain Web site, in other words, might depend on how much it could pay network providers, rather than on its popularity.

That concern would grow if the carriers themselves offer content, which some have tried, with mixed success. AT&T, the country's largest broadband provider, recently launched its own online video service, called VideoCrawler, to compete with YouTube and others.

"One way AT&T can win that competition is to give their own video service preferential treatment on their network," says Robert Topolski, a networking engineer based in Portland, Ore. An AT&T spokesman says the company has no plans to give VideoCrawler preferential treatment on its network.

Mr. Topolski discovered that Comcast was slowing a video file-sharing service called BitTorrent. That discovery eventually led to sanctions against Comcast by the FCC. Comcast has appealed the decision, arguing the FCC did not have the authority to make such a ruling.

In 2006, Microsoft felt strongly enough about the issue that it wrote Congress to declare that saving network neutrality "could dictate whether the U.S. will continue to lead the world in Internet-related technologies."

The debate eventually reached a stalemate. Legislation to codify network neutrality failed to pass, and carriers backed off their plans for a tiered Internet.

During his presidential campaign, Mr. Obama spoke frequently about the Internet, which was a critical tool in his grass-roots effort to reach new voters, and the importance of network neutrality. "Once providers start to give privilege to some Web sites and applications over others, then the smaller voices get squeezed out," he told Google employees a year ago when he campaigned at the company. "And then we all lose."

Obama Advisers

But some of those who advise the new president on technology have changed their view on network neutrality. Stanford's Mr. Lessig, for one, has softened his opposition to variable service tiers. At a conference, he argued that carriers won't become kingmakers so long as the faster service at a higher price is available to anyone willing to pay it.

"There are good reasons to be able to prioritize traffic," Mr. Lessig said later in an interview. "If everyone had to pay the same rates for postal service, then you wouldn't be able to differentiate between sending a greeting card to your grandma versus sending an overnight letter to your lawyer."

Some telecom experts say that broadband is the most profitable service offered by phone and cable companies, and they are simply trying to offset declining revenue from their traditional phone business.

In the two years since Google, Microsoft, Amazon and other Internet companies lined up in favor of network neutrality, the landscape has changed. The Internet companies have formed partnerships with phone and cable companies, making them more dependent on one another.

Microsoft, which appealed to Congress to save network neutrality just two years ago, has changed its position completely. "Network neutrality is a policy avenue the company is no longer pursuing," Microsoft said in a statement. The Redmond, Wash., software giant now favors legislation to allow network operators to offer different tiers of service to content companies.

Microsoft has a deal to provide software for AT&T's Internet television service. A Microsoft spokesman declined to comment whether this arrangement affected the company's position on network neutrality.

Amazon's popular digital-reading device, called the Kindle, offers a dedicated, faster download service, an arrangement Amazon has with Sprint. That has prompted questions in the blogosphere about whether the service violates network neutrality.

"Amazon continues to support adoption of net neutrality rules to protect the longstanding, fundamental openness of the Internet," Amazon said in a statement. It declined to elaborate on its Kindle arrangement.

Amazon had withdrawn from the coalition of companies supporting net neutrality, but it recently was listed once again on the group's Web site. It declined to comment on whether carriers should be allowed to prioritize traffic.

Yahoo now has a digital subscriber-line partnership with AT&T. Some have speculated that the deal has caused Yahoo to go silent on the network-neutrality issue.

An AT&T spokesman said the company should be able to strike any deal it sees fit with content companies. Yahoo said in a statement that carriers and content companies "should find a consensus on how best to ensure that Americans have access to a world-class Internet."

Google Connections

Google, with its dominant market position and its perceived ties to the Obama team, may hold the most sway. One of President-elect Obama's most visible supporters during the campaign was Eric Schmidt, Google's chief executive officer. Mr. Schmidt remains an adviser during the transition.


Google's proposed arrangement with network providers, internally called OpenEdge, would place Google servers directly within the network of the service providers, according to documents reviewed by the Journal. The setup would accelerate Google's service for users. Google has asked the providers it has approached not to talk about the idea, according to people familiar with the plans.

Asked about OpenEdge, Google said only that other companies such as Yahoo and Microsoft could strike similar deals if they desired. But Google's move, if successful, would give it an advantage available to very few.

The matter could come to a head quickly. In approving AT&T's 2006 acquisition of BellSouth, the FCC made AT&T agree to shelve plans for a fast lane for 30 months. That moratorium expires in the middle of next year. A Democratic lawmaker has already promised new network-neutrality legislation early in 2009. And a new chairman of the FCC could take a stricter position on forcing companies to comply with network neutrality.

Richard Whitt, Google's head of public affairs, denies the company's proposal would violate network neutrality. Nevertheless, he says he's unsure how committed President-elect Obama will remain to the principle.

"If you look at his plans," says Mr. Whitt, "they are much less specific than they were before."

Thursday, December 11, 2008

Center For Democracy Calls For New Privacy Laws

The Center for Democracy & Technology has issued its wish list for the Obama administration and, high on the agenda, is a call for new privacy laws.

"President Obama should work with Congress to enact a comprehensive, technology-neutral consumer privacy law establishing meaningful safeguards for the personal information that companies collect from consumers," the document states. "Such a law should be broad enough to protect American consumers both online and in the 'brick and mortar' world."

The Center for Democracy & Technology's document is quite broad -- deliberately so, to leave room for interested parties to weigh in on the specifics.

Even so, the organization begs the critical question of what, exactly, constitutes "personal information." For years, many online ad executives involved in behavioral targeting or analytics have said they don't deal in "personally identifiable information" because they aren't collecting users' names, addresses, email addresses or telephone numbers. Therefore, Web execs argue, behavioral targeting and/or analytics companies don't need to obtain people's explicit consent before collecting data.

But the reality is that people can be identified even without so-called "personally identifiable information." For instance, it's possible to deduce a computer user's identity by looking at all of the searches originating at that computer -- as the world learned when AOL released search queries of 650,000 "anonymous" users. Within days of the data breach, The New York Times identified one AOL user based on her search history and ran a front-page story about her.

If there's going to be new legislation addressing privacy, one of the first orders of business should be shedding old definitions of "personally identifiable information" and coming up with new standards setting out what types of personal information will be protected.

Tuesday, December 2, 2008

Delete Cookies, Says New Privacy Forum

The AT&T-backed think tank Future of Privacy Forum has launched its first initiative: a campaign warning consumers how search engines store their queries and marketers use online cookies.

"You may not be aware that when you visit a site you're actually a part of a complex advertising and marketing mechanism," the group cautions. "Very few things on the Internet are completely anonymous."

The group goes on to instruct people about options to enhance privacy. The advice includes directives to delete cookies and use Microsoft's Internet Explorer 8 browser -- which includes a feature that can block the cookies that track users across sites for ad-serving purposes. The organization also suggests that searchers use IAC's Ask Eraser, which deletes some log files tying search queries to IP addresses.

With these recommendations, the group appears to be setting itself up as close to the polar opposite of industry organizations like Safecount or the Network Advertising Initiative. Safecount, founded in 2005 in response to reports that users routinely deleted cookies, touted their benefits. "Cookies help advertisers understand if their ads are working, and they help researchers make accurate counts through the surveys they invite you and other consumers to participate in. ... In most cases, it's this advertising that enables us all to visit and access our favorite websites for free," Safecount says on its site.

Additionally, AT&T has gone on record as favoring an opt-in model to behavioral advertising, or serving ads to people based on their Web-surfing activity. The company not only says it intends to require opt-in consent for behavioral targeting, but also believes all companies should obtain users' explicit consent before tracking them online. This stance is at odds with groups like the Network Advertising Initiative or Interactive Advertising Bureau, which typically call on companies to notify users about tracking and allow them to opt out.

Separately, while the Future of Privacy Forum hasn't mentioned Google by name, it's becoming increasingly clear that the think tank is no fan of the world's largest search engine. This stance isn't a huge surprise when you consider the group is backed by AT&T -- which, like other ISPs, has been at odds with Google about both net neutrality and privacy.

In general, network operators say they should be able to decide how to manage traffic, while Google is one of the biggest advocates of net neutrality, or the principle that ISPs should treat all traffic equally. Some ISPs, like Verizon, have made it clear they specifically resent Google profiting off of Web visits they enable.

Privacy advocates in general have criticized Google for its decision to store IP logs tying search queries to specific IP addresses. Among other reasons, there's a concern that Google would combine records about search activity with information gleaned from other sources about which Web sites people visit to create profiles that would be used for marketing purposes.

The Future of Privacy Forum's suggestion that searchers use Ask.com's Ask Eraser indicates that it, too, isn't happy about the sheer quantity of data that Google has on hand about Web users. If nothing else, the recommendation seems designed to intensify scrutiny of the company and its data collection practices.

Tuesday, November 11, 2008

NebuAd Faces Suit Alleging Privacy Violations

A group of 15 Web users filed a lawsuit Monday against behavioral targeting company NebuAd and six Internet service providers that tested the company's platform.

The lawsuit, brought in federal district court in San Jose, Calif., alleges that NebuAd's platform violated Web users' privacy. NebuAd purchased information about subscribers' Web activity from Internet service providers and used that data to send people targeted ads.

"The collection of data by the NebuAd device was wholesale and all-encompassing," the lawsuit alleges. "Like a vacuum cleaner, everything passing through the pipe of the consumer's internet connection was sucked up, copied, and forwarded to the California processing center. Regardless of any representations to the contrary--all data--whether sensitive, financial, personal, private, complete with all identifying information, and all personally identifying information, was recorded and transmitted to the California NebuAd facility."

Several months ago, the Redwood City, Calif.-based company said it was going to retreat from behavioral targeting based on data provided by Internet service providers. But before making that decision, the company tested its platform with at least six broadband service providers--Bresnan Communications, Cable One, CenturyTel, Embarq, Knology and WOW, all of which were named as defendants in the lawsuit.

NebuAd said that all data collected was anonymous, in that the company did not know users' names or phone numbers and did not retain copies of the IP address associated with users. NebuAd also said that it did not collect sensitive data, and that users would be able to opt out of the platform.

But privacy advocates and other critics were skeptical. Among other concerns, advocates said it might be possible to figure out people's identities from the massive clickstream information that NebuAd was collecting.

Consumer advocates also were alarmed by the sheer scope of information available to NebuAd. Unlike older behavioral targeting companies that only collected data from a network of publishers, Internet service providers have access to everything--including activity at search engines and at non-commercial sites, such as sites operated by religious groups.

Congress held hearings this summer after learning of NebuAd's platform. As part of its investigation, the House Energy and Commerce Committee sent letters to 29 Internet service providers, asking if they had worked with the company.

The six Internet service providers named in the lawsuit all answered that they had tested NebuAd's platform. One of the companies, the Washington Post Company's Cable One, acknowledged that it did not notify customers about the NebuAd test or allow them to opt out.

The plaintiffs, who are seeking class-action status, allege that NebuAd violated a federal wiretap law, California privacy law and computer fraud law, among others. They are asking for damages as well as an injunction ordering the company to delete any data about them.

The lawyers who brought the case--Alan Himmelfarb and Scott Kamber of the firm Kamber Edelson, based in Vernon, Calif. and New York, and Joseph Malley of Dallas--recently sued Facebook for violating members' privacy with the Beacon ad program. That program, launched last November, initially informed users about their friends' purchases, unless they opted out. Facebook later made the program opt-in only.

Friday, November 7, 2008

Ringleader's Privacy Problem: No Opt-Out Of Tracking

NebuAd might think it had problems with privacy advocates, but that's nothing compared to what's in store for nascent mobile ad networks.

One such network, Ringleader Digital, has unveiled its new "media stamp" -- a cookie-like item that creates and stores profiles about cell users based on the mobile sites they visit. Unlike online advertising cookies, however, the media stamps are stored on Ringleader Digital's servers and not browsers, which means users can't delete them.

Ringleader Digital collects information based on characteristics of the device, but says it can gather enough data this way to create unique, "anonymous" stamps for every mobile phone user.

"We track devices, not individuals," the company said in a privacy statement issued today. Ringleader Digital adds that it doesn't collect mobile phone numbers, names, addresses or other so-called "personally identifiable information."

But the notion that anything other than name, address or phone number is "anonymous" has been discredited for a long time now. Consider: nearly every privacy organization, not to mention U.S. courts and lawmakers, holds that people have a privacy interest in their IP addresses -- even though they weren't traditionally considered personally identifiable. One reason is that examining enough activity associated with the same IP address can reveal that user's identity -- as famously happened when AOL released search histories for 650,000 "anonymized" IP addresses.

Thelma Arnold, formerly known as AOL User 4417749, was identified by The New York Times within days of the breach.

Cell phones are even more likely to be tied to a specific individual than an IP address. After all, one person sometimes connects to the Web from different IP addresses (at home and at work, for instance), just as family members might share the same IP address. But many users just have one cell phone, and they keep it with them all the time.

Unlike the doomed ISP-based behavioral targeting company NebuAd, the media stamp only collects information about users when they visit sites of participating publishers. That makes the company seem more similar to a Web-based behavioral targeting company like Tacoda or Revenue Science, and possibly more palatable to privacy advocates.

But, unlike the case with Tacoda, Revenue Science or other behavioral targeting companies, there is no way for consumers to avoid being tracked by Ringleader Digital. The company says people will be able to opt out of receiving targeted ads, but not out of the profile creation and storage. There's little chance that this kind of opt-out will satisfy privacy advocates.

For now, Ringleader Digital has signed up four publishers, including local search company go2 Media and mobile entertainment company Thumbplay. The mobile ad network plans to test the platform early next year.

Tuesday, October 28, 2008

The PPC Buying Cycle: Buyer Beware!

How often have you heard that keyword-level performance data can be misleading? That PPC managers need to consider the phases of the buying cycle when evaluating terms? That specific keywords tend to steal conversions from the more general keywords that started the customer's consideration, and that you should keep spending money on the general terms even though the efficiency looks awful?

It's pretty obvious why the engines might want to trumpet this story: it makes them money. By convincing advertisers that they should spend money on general search terms regardless of the observed efficiency, the engines encourage advertisers to spend without the moorings associated with ROI goals.

Real data about the buying cycle

Google and Compete Inc. presented a study of the buying cycle that managed to answer none of the salient questions.

We presented a study almost three years ago at SES that challenged the notion of the buying cycle, but decided it was time to revisit the topic.

First, we grabbed data from a number of retail clients representing different verticals and different business models (such as pure plays, catalogers, brick and mortar retail). We then sought to answer the questions:

1. How often do potential customers see multiple ads before placing an order?

2. Does the interaction happen the way search engines say it does?

3. Did we find that the first ad, the last ad, or a combination of ads a potential customer saw led to a purchase?

4. Do the different types of retail businesses witness different behaviors?

Impact of cookie window length

First, let's talk about cookie windows. Longer windows show greater impact by multiple ads. But for a retailer, unless your Average Order Value (AOV) is huge, you need to place some "make sense" limits on how long to give credit to an ad. Most of our clients have windows of 14 to 30 days, with some shorter and some longer depending on what the data suggests. Out of respect for the argument that there is this long consideration cycle, I went ahead and looked at a 45-day window for these clients.

Impact of non-branded searches

We looked at the complete list of searches that someone did before purchasing, and for the purposes of the study, only looked at data for buyers who did at least two non-branded searches. We define "brand" as the retailer's trademark and variants exclusively, hence "Sony Cybershot" is a non-brand phrase for Best Buy, but a brand phrase for Sony.com. For well-known retailers there is a 4% - 8% impact of non-brand clicks being followed by brand clicks as customers remember that they found the perfect ring at Zales. We count these as non-brand orders, and they were not used for our study unless there was more than one non-brand keyword involved. With those parameters understood, we found that interesting cases of multiple non-brand keyword touches occurred in between 10% and 15% of the orders for the vast majority of retailers. A few higher, a few lower. That's not zero, but it's not earth-shattering either.

More interesting: when we spent some time studying the impacted orders, we found that in only about 35% of the cases did the story play out as advertised, with general searches being followed by more specific searches; in about 15% of the cases the other keywords were simply slight variations on the initial search (e.g., "VCR sales" and "Buy VCR", or "Nikon lens" and "Nikon lenses"); and in 50% of the cases the initial keyword had no relationship whatsoever to the last keyword prior to the order (e.g., "loveseat slipcovers" and "gold earrings").

The more we extend the cookie window, the greater the propensity for the keywords to be unrelated, indicating that in fact these were separate shopping events, and that the person looking for loveseat slipcovers bought from someone else :-( Our research on what the person actually purchased was anecdotal; we just tested 15 or 20 samples and found that in each case the order related to the last keyword, not the first.

Those sites that appeal to hobby enthusiasts see more customer interactions from views of multiple ads than general retailers. Indeed, the impacts of AOV, business type and vertical were all quite interesting.

What this means about the buying cycle

To our thinking this confirms several tenets of search marketing strategy:

  • The engines are not evil, but neither should they be expected to look out for your interests
  • Cookie windows matter and should be carefully considered. I'll publish our methodology for helping retailers determine their window over on the RKG Blog in the next week or so.
  • Within paid search, "last click" credit allocation schemes seem to be a better proxy for the truth than either "first click" or "shared credit"
  • If keyword-level performance data suggests a keyword is underperforming, it probably is.

Researching your own search data is a valuable exercise. It may help you determine whether the Buying Cycle should impact your keyword efficiency targets, or whether, for you, it's much ado about nothing.

Monday, October 27, 2008

Report: Big Three Agree To Code Of Conduct For Repressive Regimes

In 2004, Chinese journalist Shi Tao used what he believed was an anonymous account from Yahoo to tell an overseas organization that the Chinese government had warned his newspaper against covering the 15th anniversary of the Tiananmen Square crackdown. Another Chinese dissident, Wang Xiaoning, had posted a message calling for political reform to a Yahoo Group.

Both were arrested and sentenced to 10 years in prison after Yahoo revealed their names to the Chinese authorities. Since then, the company has taken a lot of flak for that decision, including a public condemnation by Congress. The families of the dissidents also filed a lawsuit, which Yahoo settled last year.

Additionally, shareholder Andrew Knopf sued the company this summer for breaching its fiduciary duty by cooperating with the Chinese authorities -- a move that he said harmed the company's "goodwill and reputation."

Now, Yahoo, along with frenemies Microsoft and Google, has agreed to a voluntary code of conduct for dealing with repressive regimes, according to the San Francisco Chronicle. That paper reports that the guidelines call on companies like Yahoo to push back, somewhat, by interpreting governmental requests for information narrowly.

But these types of voluntary agreements only go so far.

Yahoo -- which sold its China division to Alibaba Group and became a minority stakeholder in 2005 -- has always said it had no realistic choice other than to honor the Chinese government's request for information.

U.S. companies like Yahoo tend to argue that they must follow the laws in other countries where they do business -- even if that means disclosing names of users whose only crime was to criticize their leaders.

But if Yahoo and other U.S. businesses want to protect their users, they're going to have to consider flat-out defying foreign governments. Yes, it's possible that this course of action could result in companies shuttering abroad. Even so, there's a long-term benefit to standing up for human rights.

Friday, October 17, 2008

Wednesday, October 15, 2008

Verizon: Trust Us, We Won't Sell Data!

Verizon recently told lawmakers that it had no plans to provide data about subscribers' Web activity to behavioral targeting companies like Phorm or NebuAd unless consumers specifically consented.

Verizon, along with Time Warner and AT&T, also indicated they believe that all behavioral targeting companies should only track Web users that had affirmatively opted in. While none of the companies went on record as supporting new laws requiring opt-in consent, the remarks certainly suggested that they might favor new regulations.

"The largely invisible practices of ad networks and search engines raise at least the same privacy concerns as do the online behavioral advertising techniques that ISPs could employ," Dorothy Attwood, chief privacy officer at AT&T, testified. "A policy regime that applies only to one set of actors will arbitrarily favor one business model or technology over another."

Now, however, Verizon appears to oppose new privacy laws. A recent post on the company's policy blog (first reported by GigaOm) concludes that self-regulation will suffice to protect people's privacy, because companies know they will face bad publicity if they violate users' trust.

To some limited extent, that might be true. No ISPs are currently testing NebuAd's platform, and that's probably at least in part because they weren't prepared for the bad PR. But it also seems likely that Congressional pressure, including the threat of new regulation, made them back down.

With or without Verizon's support, new legislation might be coming. House member Ed Markey, a Democrat from Massachusetts, has said ISPs should not sell information about subscribers' Web histories unless users have given opt-in consent, and some observers think he might introduce legislation to that effect next year.

Meanwhile, NebuAd rival Phorm is still facing pressure abroad. While U.K. authorities cleared the company recently, E.U. officials aren't happy about the secret tests that were conducted two years ago. Last week, a regulator sent a second letter to the U.K. government, demanding to know how the country intended to enforce European privacy laws that restrict companies' ability to collect personal data about individuals.

Monday, October 13, 2008

Study: Quadruple the Number of Visitors Rejecting Third-Party Cookies

Users have apparently been adding insult (rejection) to injury (deletion) when it comes to the cookie-deletion controversy. The percentage of website visitors rejecting third-party cookies quadrupled last year, from roughly 3 percent in January to 12 percent in December and has hovered at that rate up to this month, according to WebTrends, MediaPost writes. The analytics company looked at records of some five billion visitor sessions, during 16 months, on thousands of its clients' websites.

The WebTrends research showed that third-party rejections occurred most frequently in retail, with 16.7 percent of visitors declining third-party cookies; other high-rejection-rate categories are telecom (15.4 percent), healthcare (14.7 percent), manufacturing (13.3 percent), transportation (13 percent) and media (12 percent).

iMedia writes that WebTrends has launched version 7.5 of its analytics tool, which will better deal with the cookie-deletion controversy. The new features will allow the company, and publishers, to "bypass the third party cookies and leverage the first party cookies that the customers are already setting," according to a WebTrends spokesperson.

Burst Cookie Survey: Consumers 'Don't Understand, Say Maybe Useful, But Some Delete Anyhow'

Burst Media has weighed in on the internet cookie controversy with its own survey, slicing and dicing the responses (see below) of over 10,000 web users (14 and older) about their knowledge and perception of internet cookies - and the extent of and reasons for cookie deletion. "Privacy and security issues taint online users' overall perception of Internet cookies," said Burst Research Manager Chuck Moran. But he adds, "Only one out of four say they want internet cookies eliminated…[so] there is significant opportunity for the interactive industry…to build user understanding and trust."

Nearly one-third (30.4 percent) of respondents say they know "Nothing/Never Heard of" cookies. Only one in five (21.6 percent) say they know "A lot" about Internet cookies; 28.1 percent say they know "Some information, but not a lot," and 19.9 percent say they know "A little." Survey respondents were also asked what should be done about cookies - near equal proportions agree (26.5 percent) as disagree (25.8 percent) with "Internet cookies should be eliminated"; and nearly half (47.7 percent) say they are unsure.

Some 38.4 percent of all respondents say they delete cookies at least once a month. This number increases to 42.1 percent among 25-54 year-old adults. Also, 60.6 percent of respondents who delete cookies say they delete "all Internet cookies." More than one-quarter (28.2 percent) say they keep some cookies they "know they need or want," and 11.2 percent say they delete cookies only from unfamiliar websites.

Less than half (48.1 percent) of all respondents say they have deleted cookies from their computer. Men are more likely than women to say so: 54.5 percent versus 41.8 percent. Within the core adult (25-54 years) segment, nearly three out of five (58.4 percent) men and 47.4 percent of women report deleting cookies.

Over half (58.2 percent) who said they know "a little" about cookies said cookies "Keep them from having to refill personal information" when visiting a shopping or commercial website. Similarly, 55.6 percent of that respondent group agree that cookies "Allow [them] to enter sites they have registered with" without reentering a username/password each time they visit. Few of them disagree with these statements; for both statements about one-third of respondents are unsure. The "a little" respondents rejected the statement "Internet cookies can keep me from seeing the same online advertisement over and over again". Only one out of five (23.6 percent) respondents agree with this statement - and one-third (34.9 percent) disagree.

Making Cookies Digestible for Users

The Wall Street Journal takes its turn at laying out marketers' palliative attempts to make sure that cookies don't continue to cause computer users heartburn (via paidcontent). With a significant proportion of users misunderstanding - and deleting - cookies, marketers and publishers are scrambling, according to the WSJ piece, which refers to the recently founded industry group Safecount, formed in part to counter the efforts of antispyware makers that sometimes lump legitimate cookies with actual threats found in computers. Others want to lobby Congress. And some have apparently moved on and are experimenting with creative, probably controversial, approaches that let sites serve up targeted ads even if a user has deleted cookies.

One company has begun marketing a technology known as a persistent identification element, or PIE, which uses Flash to secretly make backup copies of cookies before they are deleted. Apparently a handful of publishers and advertising companies are using the technology to track users.

Jupiter: Wealthy, Web-Experienced Users Delete Cookies Most

Those who have more experience with the web and are wealthier are the most likely to delete cookies, according to a Jupiter Research report, "Profile of the Cookie Deleter," a follow-up of the cookie study from earlier this year that spread conflicting shockwaves through the world of online advertising with the claim that 40 percent of web users delete cookies monthly. Citing the new report, MediaPost reports that 60 percent of consumers online for more than five years report deleting cookies, compared with 34 percent of those online for less than one year. Those from households with annual incomes over $60,000 were also more likely to delete cookies than those less affluent.

Among cookie deleters, a high percentage said they do so manually: 56 percent of male respondents and 47 percent of female respondents. And 30 percent of men, along with 24 percent of women, say they use cookie-deleting applications. Furthermore, 31 percent of men and 20 percent of women say they actively block new cookies.

Cookie deletion, usually prompted by privacy and security concerns, may not be as much of a concern for younger users of the web. Only 33 percent of respondents between the ages of 18 and 24 say they pay attention to stories and articles about internet privacy and security, compared with 62 percent of those age 45 and older.

Marketers May Not Recognize Click Fraud

Research released this week on click fraud from Ben Edelman, attorney and assistant professor at the Harvard Business School in the Negotiation, Organizations & Markets unit, suggests online marketers lack the technical expertise to tell when they're being robbed.

Edelman finds online advertising fraud can happen without sophisticated spyware, even to cost-per-action advertisers. At first glance, conversion-contingent advertising (cost-per-action/CPA, affiliate marketing) seems the perfect way to prevent online advertising fraud. By paying partners only when a sale actually occurs, advertisers often expect to substantially eliminate fraud. Unfortunately, he says, this view is overly simplistic and optimistic.

Edelman notes in his report that banner ads from Allebrands invisibly load affiliate links, which is the simplest example to understand. Other affiliates load affiliate links and drop affiliate cookies as users merely view a banner ad. By viewing a banner ad on a third-party Web page, he explains, "the affiliate can drop its cookies and obtain a commission on purchases users make from the targeted merchants within the return-days period."

What are cookies video

Wednesday, September 10, 2008

Google Reacts to EU Scrutiny, Cuts Data Retention Period

Google announced today it will cut the amount of time it stores users' IP addresses from 18 months to nine, in response to scrutiny from European regulatory bodies.

A statement posted on the company blog today reads, "We're significantly shortening our previous 18-month retention policy to address regulatory concerns and to take another step to improve privacy for our users."

The move could also serve to placate privacy advocates concerned with Google's increasing dominance of the advertising market, and in particular its proposed tie-up with Yahoo.

The Article 29 Working Party, an EU regulatory body, has repeatedly expressed concerns about the use of data collected by search engines, and the potential for such data to be used illegally.

In response, Google agreed to limit the amount of time it kept users' search data to 18 months in June 2007.

Speaking with ClickZ news in February, Google's Policy Communications Manager for Europe, the Middle East and Asia, Jon Steinback, said that 18 months represented "the right balance between user privacy, and maintaining the security and innovation of [Google's] underlying systems."

Today's blog post says much the same, and argues that a further reduction in the retention period will limit Google's ability to use the data for future innovation. It adds, however, that Google engineers have developed methods for "preserving more of the data's utility" while also anonymizing IP addresses sooner. "[Google is] glad that this will bring some additional improvement in privacy," the blog post adds.

Under its new policy, the search giant will also make adjustments to its Google Suggest system, which recommends search terms based on what users have already typed into the search engine. Any data collected from these searches will now be erased after 24 hours.

The new data retention policies should be in place by the end of the month.

Thursday, August 28, 2008

Microsoft's Privacy Features Can't Outwit ISP-Based Tracking

Privacy advocates and lawmakers have increasingly turned their attention to behavioral targeting companies that track users across the Web and serve ads based on their activity. Now, Microsoft is throwing itself into the debate with a new product that could foil some forms of behavioral targeting.

The company has just said its new version of the Internet Explorer browser will help people keep their Web-surfing activity confidential. The browser will come with two new privacy-friendly features: InPrivate Browsing and InPrivate Blocking. When turned on, InPrivate Browsing will automatically clear users' Web history while InPrivate Blocking will prevent companies from setting tracking cookies or otherwise tracking users across a variety of sites.

Privacy advocates are cheering the programs for giving consumers more control over who can view their Web behavior. While InPrivate Browsing seems somewhat overhyped -- users could previously delete their cache files or cookies manually -- InPrivate Blocking appears to make it much easier for users to automatically block tracking.

Still, before anyone gets lulled into a false sense of privacy, keep in mind that InPrivate Blocking won't necessarily prevent the newest and most controversial type of program to hit the Web -- ISP-based tracking.

That's because Microsoft's program only affects what's stored on users' own computers. ISPs still know all Web sites visited and can still sell that information to companies like NebuAd and Phorm.

NebuAd also stores information about users on cookies, so InPrivate Blocking might theoretically have an impact on the platform, but it's not clear that it would render it useless. Phorm relies on a different type of platform -- one that doesn't appear likely to be affected by Microsoft's new privacy features.

Which means that Microsoft's new program won't moot the policy debate underway in Washington. If anything, the program highlights just how difficult it is for users to control ISP-based targeting.

Friday, August 15, 2008

Latest YouTube Fuss Shows Tech Limits In Piracy Screens

As of this morning, a two-minute clip showing a protest in New York by Students For A Free Tibet can once again be seen on YouTube. But earlier this week, the clip disappeared after the International Olympic Committee sent YouTube a takedown notice.

The video, "Beijing Olympics Opening Ceremony," included some images related to the Olympics, but clearly doesn't violate the IOC's copyright. Even the IOC now realizes this. When YouTube questioned the Olympics committee about the takedown, the IOC withdrew it.

The IOC sent the takedown notice because it was relying on a computer program to flag videos that violate its copyright, according to the Guardian. But, as such programs are wont to do, it wrongly identified a non-infringing video.

While the video is back up now, the incident highlights one of the problems with attempting to use technology to screen out pirated material: Such technology is notoriously unreliable. It results in the preemptive ban of some legitimate material while also failing to catch some pirated material.

Those flaws are one justification for the current copyright scheme laid out in the Digital Millennium Copyright Act, which allows companies to host user-generated clips without first vetting them for copyright infringement. The DMCA provides that as long as Web companies take down such clips when the copyright holder complains, they're generally immune from liability.

Companies like Viacom would like to see that change. Viacom, which sued YouTube for $1 billion for copyright infringement, argues that YouTube should proactively install filters to screen out Viacom content.

As this latest IOC takedown snafu shows, there are good reasons why YouTube is fighting the notion that it's legally required to engage in such preemptive screening.

Wednesday, August 13, 2008

Cable One's Privacy Gaffe

When privacy advocates first said that ISPs might be violating federal wiretap laws by selling information about users' Web activity to behavioral targeting company NebuAd, the company said it always obtained users' consent to the tracking.

Or, more precisely, NebuAd said it allows users to opt out of receiving targeted ads. Many advocates questioned whether deploying tracking technology by default and putting the burden on users to opt out really satisfied the requirement that users consent, but at least NebuAd could say with something of a straight face that people had some choice in the matter.

But now it's come out that at least one ISP, The Washington Post Company's Cable One, didn't even give subscribers that option. In response to a Congressional inquiry, Cable One said it didn't allow users to decline to participate in a recent test of NebuAd's platform. Letting users opt out of tests of new technology "would stifle our ability to test new technologies that have the potential to offer significant benefits to our customers," the company told Congress. Instead, Cable One went ahead and allowed NebuAd to deploy its technology to track the Web activity of 14,000 cable modem subscribers in Anniston, Ala. for six months.

Cable One justified the failure to let users opt out by saying that subscribers knew the company might spy on their Web activity when they signed up for broadband because the acceptable use policy mentions that the company may occasionally monitor "bandwidth, usage, and content." Of course, even if it's true that subscribers read the fine print in the acceptable use agreement and knew that Cable One might be watching them online, they still didn't know that Cable One would sell their clickstream data to NebuAd. And, even more important, they had no way to opt out of it.

NebuAd didn't collect names, addresses or other personal information, but industry observers ranging from privacy advocates to the FTC still say that people should have some say over whether they're tracked for ad-serving purposes.

Other companies to test NebuAd didn't do much better. CenturyTel, Embarq and Knology are among those who buried news of the test in obscure language in their privacy policies, but at least subscribers had the chance -- remote though it was -- to learn about NebuAd and opt out.

The companies might, arguably, have followed the letter of privacy principles, if not the spirit.

But Cable One didn't follow either the letter or spirit of well-established online privacy principles. And it arguably violated federal wiretap laws. It wouldn't be at all surprising if lawyers soon descended on Anniston, Ala. in search of plaintiffs for what might become the first lawsuit triggered by NebuAd.

Tuesday, August 12, 2008

Google, Yahoo Cut Cookies For Search Ad Deal

Google and Yahoo promise to let users opt out of cookies online after they, Microsoft and ISPs are challenged by lawmakers in the House Committee on Energy and Commerce. Though the cookie cutting is positioned as a way to help protect users' privacy interests, the real reason for it is that Google and Yahoo want to clean their plates as they prepare to argue the merits of their joint search ad deal to the DOJ.


The media and bloggers rushed Aug. 8 to cover the fact that Yahoo said it will let its users opt out of custom ads on its Web site, while Google said that it will let its own users opt out of a single cookie for both DoubleClick ad serving and the Google content network.

Yahoo's and Google's cookie-cutting moves, as I like to call them, were announced as a measured response to a Congressional inquiry about ad customization sent to 33 companies from the House Committee on Energy and Commerce the previous week.

Appeasing the committee is important; the committee wants to determine whether the way that search engines and ISPs track Web searches is legal.

While Google and Yahoo moved to soothe the committee, the more crucial questions are why Yahoo and Google didn't do this sooner, and why they did do this so quickly while the other 31 companies are weighing the request.

They didn't do it sooner because nothing was weighing on them. No group had leverage to make Google and Yahoo let users opt out of cookies, and frankly, not enough users are savvy enough or care enough to force the companies' hands.

I know plenty of people who use Google and Yahoo and don't realize that their Web-surfing habits dictate ad dispersal.

But the government is a bit more savvy, and there is one big reason why Google and Yahoo practically fell prostrate in answering the House so fast.

Google and Yahoo have a pretty significant search advertising pact in the works. The only reason it isn't in effect now is that they vowed to wait three and a half months to let the Department of Justice review it for approval.

They announced the deal June 12, and if all goes well, they could begin their agreement by the end of September. But the deal faces opposition from Microsoft, privacy advocates and others scared to death that Google is gaining too much power in the market.

By answering the House Committee on Energy and Commerce's requests for information about how their advertising works, both Google and Yahoo want to make sure those issues don't delay their search ad deal any further. The Senate subcommittee is already looking at this search ad deal.

So, what exactly did the companies announce? Yahoo Aug. 8 said in a letter to the House Committee on Energy and Commerce that it will offer opt-out of customized advertising on Yahoo.com, expanding its existing opt-out program for customized ads served by Yahoo on third-party networks.

"We understand that there are some users who prefer not to receive customized advertising, and this opt-out will offer them even greater choice," said Anne Toth, Yahoo's head of privacy and vice president for policy.

This new opt-out capability will be available for consumers by the end of August. The tool will be accessible through a link in Yahoo's privacy center, which is linked on the home page and nearly every page on the Yahoo network.

Google went a little further in its letter to the committee, specifically telling the members that it does not do so-called "deep-packet" inspection to derive information about users to better target them with ads.

However, Google did acknowledge in its letter that it does believe that behavioral advertising, if done carefully, can be a valuable tool for the company to leverage. Google noted in its letter:

"Though it is not the focus of our business today, we also believe that behavioral advertising can be done in ways that are responsible and protective of consumer privacy and the security of consumers' information."

The key question that Google has yet to answer is how. How will it institute viable behavioral advertising without using cookies and Web-surfing behavior to know what its users are doing online?

This will continue to be a crucial issue as Google, Yahoo, Microsoft and other companies that depend on online ads as a revenue stream leverage behavioral targeted ad capabilities to place the right ad in front of the most appropriate Web consumer.

These companies will have to strike a balance between leveraging information about users' Web-surfing habits to create more appropriate ads, and respecting users' privacy.

The latest cookie cutting from Google and Yahoo is being positioned as a move toward the latter, but again, I just think the vendors felt compelled to make these moves to keep their plates as clean as possible as they attempt to sway the DOJ on the legitimacy of their search ad deal.

Thursday, July 31, 2008

Comcast Faces Sanctions But Still Gains Subscribers

Comcast gained 278,000 new broadband customers last quarter, with more than two-thirds migrating from DSL service, the company said today.

The report comes on the heels of reports that Verizon lost 100,000 DSL subscribers (though many of those replaced their DSL service with Verizon's FIOS) and that AT&T added only 46,000 new DSL customers.

So, even though DSL connections aren't as appealing as they once were, the good news is that broadband use is still growing. But the bad news is that demand is outpacing capacity, especially as more and more people turn to the Web for bandwidth-intensive video.

In fact, it's questionable how many of those new Comcast subscribers will be any happier with their broadband service than they were when they used DSL connections. DSL and cable modems are both considered broadband, but cable modems -- at least theoretically -- sometimes have higher top speeds than DSL lines.

In reality, cable providers aren't able to offer as much bandwidth as people currently want. Comcast has already admitted it slowed peer-to-peer traffic to manage congestion on its network -- actions that spurred net neutrality groups to complain to the FCC that Comcast violated net neutrality principles. The FCC is expected to officially rule against the cable company on Friday.

Comcast's peer-to-peer throttling might be the most high-profile example of the consequences of network congestion, but it's not the only one. A recent study by the Max Planck Institute for Software Systems in Germany showed that Cox also was blocking users from file-sharing sites.

At the same time, demand for bandwidth is only going to grow in the future. A new Integrated Media Measurement Inc. study shows that more than 20% of viewers now watch prime-time television online, up from 6% last fall.

While Comcast should be glad that people are signing up for its Internet service, the company, like other service providers, still must figure out how to make sure those subscribers can use the bandwidth they're paying for.

Monday, July 28, 2008

Cuil Touts User Privacy

A group of Google vets is taking on their former employer with the launch of a new search engine, Cuil.

The engine, unveiled today, boasts it indexes 120 billion pages -- or three times Google's 40 billion. But these raw numbers aren't all that useful when determining whether a search engine can return pages related to users' queries. Index size also isn't an especially reliable metric, because different companies sometimes use different tallying methods.

Regardless, Cuil certainly isn't the first would-be Google rival. The search giant's success has spawned a host of entrants into search, but none have come close to putting a dent in Google's commanding market share.

Cuil also had some crashes this morning, but that's not necessarily a bad sign; sites often need to get some bugs ironed out when they launch.

In some ways, what's most notable about Cuil is that the company is touting itself as privacy-friendly. The home page contains just two links -- "About Cuil" and "Your Privacy." Users who click on the privacy link land on a page that states, "We do not collect any personally identifiable information, period. We have no idea who sends queries: not by name, not by IP address, and not by cookies." Cuil also states it doesn't store logs of users' activity on the site.

If nothing else, Cuil's move shows that privacy considerations are top of mind in Silicon Valley these days. Companies might disagree about the wisdom of storing IP addresses, but there's no real question that query logs can reveal users' identities, as the world learned two years ago when AOL released three months' worth of query data for 650,000 anonymized users. One such user, Thelma Arnold, was identified in a matter of days by The New York Times.

Google insists that it needs to store query logs to improve its search results and to guard against click fraud. But the emergence of companies like Cuil calls into question whether Google needs this information as much as it says it does.

Friday, July 25, 2008

A new deal between the U.K. record labels' group and six British Internet service providers calls for the ISPs to start taking action against subscribers who allegedly download pirated material. Under the arrangement, the ISPs will send warning letters to users suspected of sharing copyrighted material.

After a set number of warnings, it's possible that ISPs will start throttling traffic, but there's no agreement yet on this point. One ISP, Carphone Warehouse, has gone on record as saying it won't implement any sort of "three strikes" rule that would cut off subscribers' connections after several warnings, according to PC Pro.

The U.K. record labels' organization, BPI, seems happy with this deal, calling it "a groundbreaking agreement.... on measures to help significantly reduce illegal filesharing."

But the reality is that this plan is likely to do nothing other than highlight how hard it is to detect online piracy. An April study showed that filters are routinely stymied by encryption techniques.

And three University of Washington computer scientists reported last month that they received hundreds of takedown notices wrongly accusing them of infringing copyright. "Our results show that potentially any Internet user is at risk for receiving DMCA takedown notices today," they wrote in the report "Challenges and Directions for Monitoring P2P File Sharing Networks -- or -- Why My Printer Received a DMCA Takedown Notice."

When innocent users start getting notices that they're suspected of piracy -- and it's inevitable that they will -- the record labels will face an even bigger public relations problem than at present. And users who are infringing copyright might learn that they need to use encryption technology, but there's no reason to think they will stop trading files. If anything, this deal just escalates a brewing battle between Web users and the record labels, while doing nothing to encourage people to pay for music.

Markey 'Still Troubled' By NebuAd Test

Only 15 Embarq subscribers out of 26,000 asked the company to refrain from selling information about their Web surfing history to behavioral targeting company NebuAd.

That was one of the additional details Embarq revealed late Wednesday in a second letter responding to a Congressional inquiry about its test of NebuAd's platform.

If the proportion of opt-outs sounds low, consider that the vast majority of Embarq subscribers probably had no idea that the company was conducting such a test. That's because Embarq chose to inform subscribers of the test, conducted in Gardner, Kan., by revising its privacy policy about two weeks before embarking on the experiment.

The company posted the revision online, on its own corporate site -- a type of notice that seems designed to ensure as few people as possible read it. After all, subscribers who use the Web in typical ways -- to read newspapers, check e-mail, watch TV, read blogs or otherwise consume media -- could easily do so for months, if not years, without ever thinking to visit their ISP's home page to investigate whether the company had decided to start selling their data.

Rep. Ed Markey, who held a hearing last week about NebuAd, isn't satisfied. "I am still troubled by the company's failure to directly inform their consumers of the consumer data gathering test and the notion that an 'opt-out' option is a sufficient standard for such sweeping data gathering."

Privacy advocates say that ISP-based behavioral targeting violates wiretap laws unless subscribers consent. Some states additionally require that both parties to a conversation consent -- meaning that publishers seemingly also need to give permission to share the information. Advocates also are concerned because ISPs have access to users' entire clickstream histories, from every search conducted to every Web site visited. NebuAd says it doesn't collect "sensitive" information or store names, addresses or other information that could be used to identify individual users, but advocates are skeptical. After all, even without names or IP addresses, a detailed clickstream history can in itself provide clues to users' identities -- especially if people conduct searches on, say, their own names, hometowns, employers, and the like.

If NebuAd wants to convince lawmakers its program is legitimate, it needs to do a better job of making sure that subscribers know about it and can make a decision about whether to participate.

Wednesday, July 23, 2008

The Case Of The Too-Private Privacy Notice

To defend itself from charges that it sold subscribers' Web-surfing data without their consent, Internet service provider Embarq has issued the absurd defense that it notified subscribers by posting a revision to its privacy policy online.

Even more ludicrous, Embarq attempts to argue that such a procedure is consistent with the Federal Trade Commission's proposed voluntary guidelines for behavioral advertising.

Embarq earlier this year tested NebuAd's behavioral targeting platform. NebuAd, unlike network-based behavioral targeting companies, works with ISPs to collect data about Web sites users visit and then send them targeted ads.

Digital rights advocates say this program violates federal wiretap laws, and some lawmakers have said that it should require users' explicit consent. NebuAd says that users can always opt out of the program -- but, of course, that's only an option for users who are aware of it.

Embarq, like most companies that have tested NebuAd's platform, "notified" subscribers by quietly changing its privacy policy. When lawmakers learned of this test and demanded answers, Embarq justified its procedure as consistent with FTC proposed guidelines and with the way ad networks notify users about behavioral targeting. Embarq is wrong on both counts.

Yes, many Web publishers that participate in ad networks inform visitors about that via privacy policies. Whether anyone reads those policies is open to debate, but at least they're posted at the sites where the data is being collected.

Embarq simply revised the privacy policy on its own site -- a site that it's hard to imagine Embarq customers have much reason to frequently visit. Even if some subscribers go to Embarq's site to pay their Internet access bills online, it's not likely that this happens more than once a month. But Embarq only revised its policy around two weeks before conducting the test.

Additionally, the FTC's proposed voluntary guidelines call for notice at "every website where data is collected for behavioral advertising." Embarq wasn't collecting data on its own sites. It was collecting data at sites like Google, Yahoo and NYTimes.com. It's safe to assume that few, if any, Embarq subscribers who visited those sites had any inkling that Embarq was selling that information. Clearly Embarq wanted it that way.

Congress member Ed Markey has already made it clear he's not happy with how the NebuAd tests were conducted. "We need to have remedial legal courses for some corporate general counsels," he said at a hearing last week. Embarq's response to Markey isn't likely to change his mind about that.

Monday, July 21, 2008

Find Evidence on Your Opponent's Web Site

One of the best places on the Internet to find information about a company -- such as a litigation adversary -- is the company's own Web site. But while a visitor researches a company, the company may be researching the visitor, revealing more than the researcher would like. In addition, the company may at any time change or remove information on its Web site that may be most valuable to the researcher. This article discusses the information that Web site owners can learn about visitors to their site, and shows ways to see older versions of Web pages that may have been changed or removed.

Web sites routinely collect certain information from visitors to maintain statistics and to enhance the visitor's experience on the Web site. Much of this information may be sent from the visitor's computer to the Web site without the visitor's knowledge, and may reveal more than the visitor expects. A Web site owner can learn many things about visitors through "cookies" and environment variables such as the IP address.

A "cookie" is a small piece of information written on a visitor's computer by a Web site. A cookie might contain the visitor's Web site user name and password, display preferences or even name and address. When a Web site offers to "remember" a visitor, it is offering to write cookies. Cookies stay on the visitor's computer after the visitor has left the Web site, closed the Web browser, disconnected from the Internet and even turned off the computer. If a visitor provides his name and e-mail address to a Web site, that information might be stored in a cookie, and would be available to the Web site on the next visit, which could be months later.

Cookies have received a great deal of attention in the media because privacy advocates are concerned about the way advertisers use cookies. However, cookies are probably not a significant concern for those performing covert research on an opposing party's Web site. As a general rule, cookies contain only information that the visitor has provided to the Web site or information that the Web site could have obtained without cookies.

If a visitor is concerned about information that might be stored in cookies, cookies can be erased. In the Internet Explorer Web browser, for example, the visitor can pick Tools menu, Internet Options, General, Delete Cookies. This can be done at any time -- before, during or after the visit to a Web site -- and will immediately delete all cookies. Unfortunately, this will also delete desirable cookies, such as Westlaw or Lexis logins. For those who wish to preserve desirable cookies while deleting undesirable cookies, there is privacy software that provides enhanced cookie management.

A greater concern for those performing covert research is environment variables, particularly the Internet Protocol address. The IP address is a unique identifying set of numbers used to direct communications through a network or the Internet. A Web site always has access to every visitor's IP address: Without that information, the Web site and visitor would not be able to communicate. However, the IP address may reveal more than the visitor realizes.

Most larger businesses, including large law firms, have "static" IP addresses, permanent IP addresses that specifically identify the company. For example, the static IP address 67.200.59.2 can easily be identified as the Young Conaway law firm. Most smaller businesses and residential connections to the Internet use "dynamic" IP addresses, temporary addresses that are assigned when the person connects to the Internet and may be different every time. The dynamic IP address 141.158.235.41 can be identified as a customer of the Verizon Internet service in the Philadelphia area, but cannot be connected to a specific individual or company.

The Web site Broadband Reports has a useful tool to show what can be learned from a person's IP address. When a person visits www.dslreports.com/whois, the page displays the visitor's current IP address. That IP address can then be entered in the WhoIs box to learn what is readily known about that IP address. Another site, www.IP-adress.com, displays the IP address of the current visitor with a map showing the locality associated with the IP address.

Web sites routinely store IP addresses for statistical purposes, but Web site owners do not ordinarily analyze the IP address of every visitor to a Web site, so there is little concern in casually browsing public areas of an opponent's Web site. However, Web site owners are likely to check the IP address when there is suspicious behavior. For example, they might check the IP address of a person who tries to view a confidential, blocked or hidden page. They might check the source of an e-mail requesting information about the company or its products. Users should be aware that the e-mail sender's identity cannot be concealed by using Web e-mail services such as Hotmail, Gmail or Yahoo Mail -- these services embed the sender's IP address in the e-mail. The only way to effectively conceal the sender's identity is to send the e-mail from some other location, such as a home computer, a public library or an Internet cafe.

Web site owners may also track the IP addresses of messages posted on the Web site's message boards or chats conducted through online chat services, and are likely to check the address if the post or chat is suspicious in nature. For example, if a visitor posts a message on a customer support message board asking if any other customers have had a particular problem with the company's product, the site owner might be inclined to check the poster's IP address.

Environment variables can also reveal the last page that the visitor saw before coming to the current page, the page where the visitor clicked a link to come to the current page. Like IP addresses, this is not the sort of thing that a Web site owner normally checks in the absence of suspicious activity. However, if a page on one site links to a page on another site that is supposed to be confidential or hidden, the host of the latter site might look into the former site and into the visitors who clicked that link.

Other information found in environment variables is generally less of a concern for covert research. For example, environment variables reveal the visitor's browser (Internet Explorer, Firefox, Opera, etc.), which is not especially confidential. Hypothetically, environment variables could reveal a visitor's network login, but as a practical matter that information is rarely revealed.
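The site owner's side of the checks described above, as an added example that is not part of the original article: it reads Web server log lines and, for requests to a restricted area, reports the visitor's IP address, the referring site and the browser. The log layout (the common "combined" access log format), the host names, the `/internal/` path and the log lines themselves are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# "Combined" access log layout (assumed here):
#   ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines; the addresses come from documentation-only ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Jul/2008:09:14:02 -0400] "GET /products.html HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.7 - - [21/Jul/2008:09:15:40 -0400] "GET /internal/pricing-draft.html HTTP/1.1" 403 312 "http://forum.example.net/thread/88" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"
198.51.100.7 - - [21/Jul/2008:09:15:52 -0400] "GET /internal/ HTTP/1.1" 403 312 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"
203.0.113.25 - - [21/Jul/2008:09:20:11 -0400] "GET /about.html HTTP/1.1" 200 2048 "-" "Opera/9.50 (Windows NT 5.1; U; en)"
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    record = match.groupdict()
    record["status"] = int(record["status"])
    if record["referer"] == "-":      # "-" means the browser sent no referrer
        record["referer"] = ""
    return record


def restricted_hits(log_text, restricted_prefixes, own_host):
    """List requests whose path falls under one of the restricted prefixes.

    For each hit, record what the article says a site owner can see: the IP
    address, the browser, and the host of the page that linked to the
    restricted page when that page is on some other site.
    """
    hits = []
    prefixes = tuple(restricted_prefixes)
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None or not record["path"].startswith(prefixes):
            continue
        ref_host = urlsplit(record["referer"]).hostname if record["referer"] else None
        hits.append({
            "ip": record["ip"],
            "time": record["time"],
            "path": record["path"],
            "status": record["status"],
            "agent": record["agent"],
            "external_referer": ref_host if ref_host and ref_host != own_host else None,
        })
    return hits


def summarize_by_ip(hits):
    """Group hits by IP address: request count and the outside sites that linked in."""
    summary = defaultdict(lambda: {"requests": 0, "external_referers": set()})
    for hit in hits:
        entry = summary[hit["ip"]]
        entry["requests"] += 1
        if hit["external_referer"]:
            entry["external_referers"].add(hit["external_referer"])
    return dict(summary)


if __name__ == "__main__":
    found = restricted_hits(SAMPLE_LOG, ["/internal/"], own_host="www.example.com")
    for ip, info in summarize_by_ip(found).items():
        print(ip, info["requests"], sorted(info["external_referers"]))
```
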

THE WAYBACK MACHINE

Browsing a party's Web site will only show the information that the Web site owner currently wants visitors to see. Sometimes, the most valuable information about an opposing party is the information that has been changed or removed. Fortunately, there are ways to see older versions of Web pages. Pages that were changed recently can be viewed through Google's cache feature. Pages that were changed months or years ago may be available through the Internet Archive, also known as the Wayback Machine. Viewing these older versions of Web pages avoids the privacy risks discussed above: The copied pages are not on the company's Web site, so the company has no record of the researcher's activities.

When Google indexes Web pages, it stores a copy, referred to as a "cached" page. Google provides a link labeled "Cached" that allows researchers to view this copy. This cached version may be a day, a week or a month old, depending on how recently Google indexed the page.

Google's cache is most useful when the page found in a search doesn't fit the search performed. The mismatch occurs because the page has changed since it was indexed. The cached version will show the page as it appeared when it was indexed, with the search terms highlighted. The cache can also be useful when seeking information that is known to have been recently removed. If a researcher recently saw useful information on a Web site but that information is no longer there, a Google search for the missing information could turn up a cached version of the page that would contain the desired information. Google discusses its cache feature in detail in the Google Guide at Cached Pages.

If older versions of Web pages are desired, they may be found in the Internet Archive, better known as the Wayback Machine, a reference to the "Peabody's Improbable History" segment on the classic "Rocky and Bullwinkle" cartoons. The Wayback Machine crawls the Internet and makes copies of Web pages, storing them as they existed at some time in the past. It currently stores more than 85 billion Web pages, comprising two petabytes of information, archived since 1996.

The Wayback Machine does not allow visitors to search the archive's content; it simply retrieves older versions of a page with a known Web address. The page may not look precisely the way it did at that time: Images, formatting or code may be missing from the page. However, the text of the page is as it was on the day it was archived. Links on the page will function, and will take the visitor to archived versions of the linked page, allowing visitors to browse through an older version of the site. This is very useful if the precise address of the desired old page is unknown. Users should be aware, however, that the linked page may not be from precisely the same date as the linking page. It is important to watch the URL (Web address), which indicates the date in a year-month-day format. For example, the Wayback Machine contains a version of the Young Conaway home page archived on Aug. 11, 2007, with this URL: http://web.archive.org/web/20070811170145/http://ycst.com/. The page links to an article about the firm's support for the South Asian Bar Association that was archived on June 29, 2007, with this URL: http://web.archive.org/web/20070629214521/ycst.com/newsart.htm?a=179.
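The date check described above, as an added example that is not part of the original article: it reads the capture date out of a Wayback Machine URL and measures how far apart a page and the pages it links to were archived. The function names and the 30-day tolerance are assumptions; the two URLs are the ones quoted in the paragraph, and the timestamps are treated as UTC.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional, Tuple

# Capture URLs have the form
#   http://web.archive.org/web/<timestamp>[flag]/<original address>
# <timestamp> is YYYYMMDDhhmmss; an optional flag such as "id_" may follow it.
_CAPTURE_RE = re.compile(
    r"^https?://web\.archive\.org/web/"
    r"(?P<ts>\d{4,14})(?P<flag>[a-z]{2}_)?/"
    r"(?P<orig>.+)$",
    re.IGNORECASE,
)

# A URL with fewer than 14 digits does not name one specific capture, so the
# precision of the date is reported alongside it.
_TS_FORMATS = {
    4: ("%Y", "year"),
    6: ("%Y%m", "month"),
    8: ("%Y%m%d", "day"),
    10: ("%Y%m%d%H", "hour"),
    12: ("%Y%m%d%H%M", "minute"),
    14: ("%Y%m%d%H%M%S", "second"),
}


class Capture(NamedTuple):
    captured_at: datetime      # timezone-aware, UTC
    precision: str             # "second" for a full 14-digit timestamp
    original_url: str          # the archived page's own address
    flag: Optional[str]        # e.g. "id_", or None


def parse_capture_url(url: str) -> Capture:
    """Split a Wayback Machine URL into capture date and original address."""
    match = _CAPTURE_RE.match(url.strip())
    if match is None:
        raise ValueError("not a Wayback Machine capture URL: %r" % url)
    ts = match.group("ts")
    if len(ts) not in _TS_FORMATS:
        raise ValueError("unexpected timestamp length in %r" % url)
    fmt, precision = _TS_FORMATS[len(ts)]
    # strptime rejects impossible dates such as month 13.
    captured_at = datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
    original = match.group("orig")
    # The archive accepts original addresses with or without a scheme.
    if not re.match(r"^[a-z][a-z0-9+.-]*://", original, re.IGNORECASE):
        original = "http://" + original
    return Capture(captured_at, precision, original, match.group("flag"))


def capture_gap(url_a: str, url_b: str) -> timedelta:
    """Absolute time between the captures named by two Wayback URLs."""
    a = parse_capture_url(url_a).captured_at
    b = parse_capture_url(url_b).captured_at
    return abs(a - b)


def captures_outside_window(
    page_url: str, linked_urls: List[str], max_gap_days: int = 30
) -> List[Tuple[str, timedelta]]:
    """Return the linked captures archived more than max_gap_days from the page."""
    limit = timedelta(days=max_gap_days)
    flagged = []
    for linked in linked_urls:
        gap = capture_gap(page_url, linked)
        if gap > limit:
            flagged.append((linked, gap))
    return flagged


HOME = "http://web.archive.org/web/20070811170145/http://ycst.com/"
ARTICLE = "http://web.archive.org/web/20070629214521/ycst.com/newsart.htm?a=179"

if __name__ == "__main__":
    for url in (HOME, ARTICLE):
        cap = parse_capture_url(url)
        print(cap.captured_at.isoformat(), cap.original_url)
    for url, gap in captures_outside_window(HOME, [ARTICLE]):
        print("linked capture is", gap.days, "days from the linking page:", url)
```
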

The Wayback Machine can be used to find older versions of guidelines, policies or procedures of an organization that have since been changed. It may contain claims that the company made about its products, services or business prospects that it may now deny. It may show when a company possessed particular information. It may hold older versions of manuals or documentation that are no longer available.

USE AS EVIDENCE IN LITIGATION

The Wayback Machine has been used several times as evidence in trade secret and copyright infringement cases. See Syncsort Inc. v. Innovative Routines International Inc., No. 04-3623, 2008 U.S. Dist. Lexis 35364 (D.N.J. April 30, 2008) (to prove that information was not a trade secret because it was publicly available on the Internet at one time); Allen v. The Ghoulish Gallery, No. 06cv371, 2007 U.S. Dist. Lexis 86224 (S.D. Calif. Nov. 20, 2007) (to prove validity of copyright claim); Telewizja Polska USA Inc. v. Echostar Satellite Corp., No. 02 C 3293, 2004 U.S. Dist. Lexis 20845 (N.D. Ill. Oct. 14, 2004) (to demonstrate inaccurate claims made in opposing party's past advertising).

However, use of the Wayback Machine as evidence has been questioned as hearsay under Fed. R. Evid. 801 and as lacking authentication under Fed. R. Evid. 901. See, e.g., Novak v. Tucows Inc., No. 06-CV-1909, 2007 U.S. Dist. Lexis 21269 (E.D.N.Y. March 26, 2007); Chamilia LLC v. Pandora Jewelry LLC, No. 04-CV-6017, 2007 U.S. Dist. Lexis 71246 (S.D.N.Y. Sept. 24, 2007); and St. Luke's Cataract & Laser Inst. P.A. v. Sanderson, No. 8:06-CV-223, 2006 U.S. Dist. Lexis 28873 (M.D. Fla. May 12, 2006), though one court has permitted its use over such objections. See Telewizja Polska USA, 2004 U.S. Dist. Lexis 20845, at *6 (finding an affidavit to be sufficient authentication, and the information not hearsay as an admission by a party-opponent). Nevertheless, the Wayback Machine remains a valuable research tool, even if its contents cannot be used for evidence.

Researching an opposing party's Web site, both past and present content, can be a valuable source of information. But researchers must remember that if they are looking at their opponent's current Web site, rather than an older copy, the Web site owner may be aware of who they are and what they are doing.

Thursday, July 17, 2008

rpath.org Privacy Policy

Preface: We intend this policy to be a common-sense policy supporting minimal use and storage of private information. Our goal for this site is to store as little private personal information as is technically and legally feasible.

The term "The Service" as used in this document means the Conary repository hosting service accessible via http://www.rpath.com/rbuilder/ and all software development projects created via http://www.rpath.com/rbuilder/, hosted in the rpath.org domain.

We will never sell, rent, or otherwise transfer your private information that you give to us unless required by law or regulation; we will not use your information for unsolicited commercial email without your express permission (opt-in); you may request to be removed from our lists and we will use our best efforts to honor your request within 30 days.

We may send you automated email messages that are not unsolicited commercial email. By way of example and not limitation:

We may send periodic emails purely to verify that the email data that you have provided to us is still valid. We may, from time to time, inform you of any changes to this privacy policy or our terms of service by email.

Private information may include the following information in your user profile:

email address
full name
passwords and other authentication information such as hints
other contact information, such as phone number and address

You may be given the option whether to mark some such information as private or public. The profile information may also include other information we collect, as required by law.

All other information on the site is to be considered public information, and storing private information on this service, except for personal account information, is prohibited by the terms of service.

Some use of this site may intrinsically disclose personal information.

When you commit to a Conary archive, the name and contact information you provide will be permanently recorded in the Conary archive. When you send mail to a mailing list, the email address you use will be provided in the email that is sent, and will be stored in the permanent archives on our site. Any information at all that you commit to a Conary archive will be publicly visible.

These examples are by way of example and not limitation.

We may collect, analyze, and store detailed and aggregate network information, including domain names, in order to monitor trends. We may share or publish this information only in aggregate form.

The full functionality of this site may, at our discretion, require the use of "cookies", which store data on your hard drive or in memory on your computer.

This privacy policy applies only to The Service, and not to any other services provided by rPath, Inc. Links on this site to URLs not part of The Service are not covered by this privacy policy.

In order to enhance security and guard the privacy of your information, we may take any actions necessary, such as security audits by persons or automated tools. Access to your private information will be limited to individuals who have a non-disclosure agreement.

If site security has been compromised in any way, we reserve the right to notify and cooperate fully with appropriate law enforcement officials, and to take other measures that we believe to be appropriate. If we are aware that your private information has been disclosed, we will attempt to notify you by email, as soon as possible and permitted by law or regulation, of the information we possess related to the disclosure of your private information.

We may change this policy from time to time. Any such changes will not make previously private personal information public, unless required by law. A change to this privacy policy will be posted at the following URL http://www.rpath.com/permanent/rbo-privacy.html, and we will send email to active users notifying them of the change 15 days prior to change, unless otherwise required by law or regulation.

This document expresses our policy for maintaining your privacy. We do not guarantee any specific performance under these terms. In particular, circumstances over which we have no control may cause your information to be disclosed. We will not be liable if your information is disclosed.

Your use of any services provided as part of The Service signifies your acceptance of these terms.

Wednesday, July 16, 2008

Google Cookies

Google cookies - When you visit Google, they send one or more cookies - a small file containing a string of characters - to your computer that uniquely identifies your browser.

Google then uses cookies to improve the quality of service by storing user preferences and tracking user trends, such as how people search.

Most browsers are initially set up to accept cookies, but you can reset your browser to refuse all cookies or to indicate when a cookie is being sent.

Some Google features and services may not function properly if your cookies are disabled.

Wednesday, July 9, 2008

Skeptics Question NebuAd's Privacy Claims

To hear NebuAd CEO Bob Dykes tell it, the controversial company is the best thing to come along for online privacy in a very long time.

"NebuAd's systems are designed so that no one, not even the government, can determine the identity of our users," Dykes told the Senate commerce committee today at a hearing in Washington.

NebuAd partners with ISPs to gather data that's used to send consumers targeted ads. Its platform riles privacy advocates because ISPs have access to users' entire Web-surfing history, ranging from every search made to every Web site visited.

Dykes insists that any information that isn't relevant to particular marketing segments is immediately discarded and that the company doesn't store users' names, identifying information or IP addresses. NebuAd converts IP addresses into other, random, identifiers via a supposedly irreversible and uncrackable formula, Dykes said.

He added that the company developed its platform in 2006, shortly after AOL posted search histories of 650,000 Web users online -- a blunder still considered among the worst privacy breaches to date. Even though AOL had "anonymized" the IP addresses, it proved possible to identify users simply by examining their search histories. Dykes said the company aimed to design a platform that would make a similar breach impossible.

Privacy advocates, meanwhile, weren't convinced. Leslie Harris, president and CEO of the digital rights group Center for Democracy & Technology, argued that NebuAd's platform seems to violate federal wiretap laws.

Byron Dorgan, the Senator who chaired today's hearing, also seemed unpersuaded. He questioned NebuAd's decision to let users opt out of the service, as opposed to asking them to affirmatively consent to it. Dorgan said if his ISP approached him to ask if he would allow another company to view every site he visited, his answer would be an unequivocal no. "Of course it's not okay. Are you kidding me? N-O. No."

One topic didn't come up at today's hearing: adware.

Recent media reports have highlighted the fact that several veterans of adware company Claria (formerly Gator) are now executives at NebuAd. Additionally, NebuAd rival Phorm used to be an adware company.

Certainly, there are some superficial similarities. Adware companies target ads to Web users based on the sites they visit. But then again, so do all behavioral targeting companies. It's true that older behavioral targeting companies only collect data from a limited number of sites, while adware companies, as well as Phorm and NebuAd, have access to all sites users visit.

But adware companies -- at least in theory -- look somewhat different from a privacy point of view than Phorm and NebuAd. Consider, adware companies are theoretically opt-in, in that consumers must affirmatively download the ad-serving software. (Admittedly, that isn't always the case, given rogue installers' ingenuity in hijacking people's computers and loading them with software.) But NebuAd and Phorm are both opt-out, meaning that consumers who don't read the notifications will automatically be included in the program.

NebuAd and Phorm's business model is different from adware in at least one other key respect. Adware companies traditionally served pop-ups that competed with publishers' own ads. NebuAd and Phorm only serve ads on Web sites of publishers they have deals with.

That's not to say that publishers by and large will embrace NebuAd and Phorm. Both companies harvest information from Web sites they have no relationship with -- activities that may well lead to lawsuits. In fact, the Center for Democracy & Technology this week pointed out that at least 12 states require that both parties to a conversation consent to it being recorded. Even if Web users agree to participate in NebuAd or Phorm's programs, the Web sites they visit might not likewise agree.