Wednesday, March 31, 2010

Industry Coalition Urges Congress To Update 24-Year-Old Electronic Privacy Act

A coalition of Web companies including Google, AOL and Microsoft, along with digital rights groups like the Electronic Frontier Foundation, is calling on Congress to enact new online privacy protections.

The organizations have formed the group, Digital Due Process, which is urging lawmakers to protect information that is not generally accessible by the public, including emails, some photos and videos, cell phone location data, and even search queries. Specifically, the coalition argues that such information should remain private unless courts issue search warrants for it.

The Electronic Communications Privacy Act already says that Internet service providers can't disclose some data without search warrants, including many emails that are less than 180 days old. But the 1986 statute does not appear to cover much of the data that users currently store online.

In some circumstances, the government can obtain access to material uploaded by users simply by issuing subpoenas -- which are easier to obtain than search warrants. In general, courts require that officials have probable cause of criminal activity to obtain a search warrant, but will issue subpoenas as long as the information requested is considered "relevant" to an investigation.

Google's Richard Salgado, senior counsel for law enforcement and information security, says that updating the law will provide some needed clarity in the space. "It will be much easier to keep our users informed about how their data is protected from disclosure to the government," he says.

Although the Electronic Communications Privacy Act is somewhat dated, its provisions banning ISPs from disclosing some data have been used by consumers in lawsuits alleging privacy violations by online companies. Currently, social networking sites Classmates.com and Facebook are facing lawsuits alleging violations of the ECPA.

In addition, when consumers filed a potential class-action privacy lawsuit against behavioral targeting company NebuAd and its Internet service provider partners, the consumers alleged that the companies had violated the law by using data about users' Web-surfing activity to serve them ads.

Tuesday, March 30, 2010

Privacy Rules Only Apply to New Products

by Kaila Colbin


Let's face it: Facebook is a privacy disaster. From the Beacon disaster to Zuckerberg brazenly declaring that nobody wants privacy anymore (and that's why we're now supplying all your data to search engines), FB has led the pack in consistently compromising the integrity of our data. The company's latest move, announced last week, involves Facebook's occasional "need to provide General Information about you to pre-approved third party websites and applications that use Platform at the time you visit" -- again using Facebook's signature move of making changes opt-out rather than opt-in.

Oddly, nobody seems to care. User numbers continue to skyrocket -- the more than 400 million members dwarfing the mere 73,000 folks who have signed on to the "Facebook, stop invading my privacy!" petition. The masses continue to share billions of photos, blog posts, notes and events with each other every month.

Back in January, Zuckerberg explained that the company's ever-decreasing privacy protection was in recognition of its need to "always keep a beginner's mind and what would we do if we were starting the company now and we decided that these would be the social norms now and we just went for it."

A couple of people cried foul. The ACLU is taking note. But we'll continue to use Facebook, no matter how badly its purveyors treat us, because that's where everyone else is. Nobody wants to be the first to try to start a new party in an empty room.

So does this mean actual beginners -- companies that don't yet have hundreds of millions of active users -- can have the same kind of mind, one that doesn't care about flouting people's privacy? Don't bet on it. When it comes to new products, we're hypocrites who will gladly take the moral high ground.

Take Buzz. Google's ill-fated offering was never going to get traction, attempting as it did to skip straight to the early majority and circumvent the normal laws of consumer uptake. We haven't collectively invested trillions of hours in it; we haven't collectively recorded the past six years of our lives on it. Although we might, in a fit of irony, join a Facebook group to protest Facebook's disrespectful behavior, we'll out and out sue Google for Buzz.

And that's Google. Buzz is still on my Gmail (although David Berkowitz is singlehandedly filling the feed) and the impact of the failure is insignificant in the grander scheme of the search giant. Remember Phorm? Two years ago, that company's behavioral targeting platform got shut down before it ever got off the ground. Sure, the offering infringed on privacy -- but I doubt it would come out worse than Facebook in a blind comparison. Last week, Phorm CEO Ken Ertegrul announced that it's launching commercial operations in Brazil. Although Ertegrul speaks of "the many lessons learnt from experiences in other markets," the announcement doesn't clarify whether the Brazilian service will be opt-out or opt-in, which is of course the crux of the problem.

If it's opt-out, watch out, Phorm. You can be cut loose at the drop of a hat. 73,000 complaining members might not be much to Facebook, but they'd likely be enough to dissolve the tenuous bonds of a nascent partnership in Brazil.

What's the lesson? You can get away with whatever egregious privacy violations you like -- as long as you're already entrenched in the market. If you're a newbie, though, tread softly or you'll never get off the ground.

What are your thoughts on privacy, and, more importantly, do you change your behavior accordingly?

Friday, March 26, 2010

FCC Must Stop Telecom Carriers From Acting Like 'Medieval Barons,' Says Digital Rights Group

The digital rights groups Free Press and Public Knowledge have reiterated a request that the Federal Communications Commission establish new regulations governing text messaging.

"Rather than impose a rule of law to govern text messaging, the Commission has allowed carriers to act like medieval barons exercising high and low justice over their serfs -- exacting whatever fees they desire and expecting businesses and non-profits to beg for the privilege to innovate as an act of grace rather than expect to make plans as a matter of right," the groups wrote in a letter filed on Thursday.

The letter came on the heels of a report in The New York Times alleging that Sprint had threatened to cut off a short code used by the charity Catholic Relief Services to raise funds for Haiti.

Catholic Relief Services uses the short code aggregator Mobile Commons as an intermediary. Jed Alpert, a founder of Mobile Commons, said in a declaration that he learned in January that Sprint intended to discontinue Catholic Relief Services' short code unless the charity stopped its text-to-call program -- which offers to connect people who send in text messages to a call center. He also alleged that Sprint said it would cut off the short code on March 29.

A Sprint spokesperson said Thursday that the company has no plans to cut off the charity's short code. "Sprint has not blocked the short codes in question, has not threatened to block the short code in question, and does not have any intention to suspend the short code in question," says Public Affairs Manager John Taylor.

Taylor also says that Sprint merely requested that Mobile Commons provide additional information, including certifications that all of the charities it works with are entitled to nonprofit status under the tax code. "Vetting charities is not our core competency," Taylor says.

Public Knowledge and Free Press first asked the FCC to prohibit wireless companies from censoring text messages more than two years ago, shortly after reports surfaced that Verizon barred the abortion rights group NARAL Pro-Choice America from sending messages to supporters. The company reversed its decision after an article about the situation ran in The New York Times. Earlier in 2007, several carriers refused to run text messages from a rival, Rebtel, that offers Voice over Internet Protocol service.

The digital rights groups are asking the FCC to either classify text messages as "Title 2" services -- which would mean that common carrier rules apply to them -- or to use some other legal theory to ban discrimination. "In the absence of even the threat of regulatory oversight, carriers have continued to impose new fees, new requirements, and new restrictions on both nonprofits and commercial enterprises attempting to utilize this increasingly popular means of communication," they argue.

Thursday, March 25, 2010

FTC To Consider New Restrictions On Collecting Data From Children

The Federal Trade Commission said Wednesday that it's seeking input from the public about whether to broaden regulations aimed at preserving children's privacy online.

The last time the FTC issued regulations regarding the federal Children's Online Privacy Protection Act was in 2000. The commission said it's now considering revamping the regulations due to "changes to the online environment ... including children's increasing use of mobile technology to access the Internet."

The 12-year-old Children's Online Privacy Protection Act prohibits companies from collecting personal information from children younger than 13 without their parents' consent. In a notice published in the Federal Register, the FTC specifically asks how the regulations regarding that law should apply to new platforms, including mobile, interactive TV and interactive gaming.

The commission also says it's considering whether the definition of "personal information" should be expanded to include "persistent IP addresses, mobile geolocation information or information collected in connection with online behavioral advertising."

That language is yet another sign that the FTC is concerned that even supposedly non-personally identifiable information -- that is, data other than name, address, phone numbers, etc. -- could be used to identify specific users. Last year, the FTC said in suggested guidelines for behavioral targeting that clickstream data potentially could be tied back to particular users.

Privacy advocate Jeff Chester, executive director of the Center for Digital Democracy, says he supports a ban on the use of behavioral targeting techniques on commercial sites geared toward children. "The agency must bring its regulations on COPPA up to date, including specifically prohibiting the use of cookies and other techniques that track, profile and target kids on children's commercial sites," he said.

Chester also said that advocates have asked the FTC to specifically address efforts to collect data from TV viewers.

Monday, March 22, 2010

FTC Patrolling Bad Behavior

Patrolling Bad Behavior
New FTC powers, Boucher bill could crimp Web $$
March 21, 2010

-By Mike Shields

The government may soon wield a great deal more power over the online advertising business, and that's quickly spreading fear across the entire ecosystem, including publishers, ad networks, agencies and even their clients.

Virginia Congressman Rick Boucher is set to introduce a consumer privacy bill over the next few weeks that will likely impact the entire $25 billion online ad market, according to sources. And while that's got many worried, another seemingly unrelated piece of legislation—the proposed financial reform bill aimed at cleaning up Wall Street—has industry insiders sweating. Baked into that bill is language that would grant expanded powers to the Federal Trade Commission, which could theoretically go after shady advertisers or data abusers faster, hit them harder and punish any other companies that enabled their illegitimate activities.

For their part, the feds believe some of the paranoia is misplaced. In fact, while many have feared that privacy legislation would require consumers to actively opt in to receive targeted ads, Rep. Boucher (a Democrat) told Mediaweek his bill would be less onerous. "Where I want to go with this is generally opt out," he said, meaning Web users would be able to opt out of receiving targeted ads. That's easier for publishers and advertisers to stomach, though Boucher's bill will likely require them to be far more upfront in how they use consumer data.

Boucher sees that as a positive. "If I were [a publisher or advertiser], I would want Internet users to have a sense that their experience is more secure, that they know what information is collected about them, and they be given much more control. They will be more trusting of electronic commerce...It's good for business."

Meanwhile, the FTC says it's only out to get the real bad guys. "We think the industry needs to do a better job of ensuring that consumers know what they are agreeing to with online advertising," said FTC Chairman Jon Leibowitz. "The new rule-making authority is really about hard-core fraud. It doesn't make sense to initiate rule making where business practices and consumer attitudes are still evolving like behavioral targeting...We prefer self-regulation. We would not be looking at rule making [in this area]."

The new rule-making power Leibowitz is referring to is known as APA (Administrative Procedure Act) Rulemaking, clout the agency had briefly in the 1970s until it was stripped away. More recently, the FTC has been faced with slow, byzantine procedures when it wants to establish new enforcement rules, which Leibowitz said hinders its efforts, especially in the fast-moving tech space.

Such unregulated power is what's worrying many ad execs. Even more fearsome is the idea that, under its new authority, the FTC would be able to impose financial penalties on violators running into the millions. Those penalties could apply to companies seen as aiding and abetting the guilty party. In theory, an ad network that does something wrong could implicate its site partner, as well as agency and advertiser. "That really scares you," said Mike Zaneis, the Interactive Advertising Bureau's vp, public policy. "That would definitely create a chilling effect throughout the industry."

Dan Jaffe, evp of the Association of National Advertisers, spoke out last week against what he sees as an FTC power grab, arguing the agency's primary reason for being—nailing "unfair" or "deceptive" commercial practices—is far too broad: "It is very possible that an honest advertiser trying to do its best is found to be doing something deceptive or unfair."

Leibowitz countered that the aiding and abetting aspect of the law is geared more for companies that are willing to facilitate crime, not unknowing publishers. Still, if the FTC gets the new power and is as aggressive as some are expecting, it could create a climate in which many traditional brands become ultracautious. "Clients are extremely sensitive about this," said Grace Liau, vp, group director, Digitas. "I think it would slow business, period."

Thursday, March 18, 2010

Obama Goes After Google: Google’s Buzz Launch Was ‘Irresponsible Conduct’

An outgoing FTC commissioner has slammed Google over the way it launched Google Buzz last month, calling the episode a case of “irresponsible conduct.” According to PC World, FTC Commissioner Pamela Jones Harbour also said Google and other online companies may face tougher penalties if they don’t do a better job of protecting consumer privacy.

The PC World article includes some strongly-worded criticisms about how Google launched its Buzz social networking service:

“Google consistently tells the public to ‘just trust us,’” she said. “But based on my observations, I do not believe consumer privacy played any significant role in the release of Buzz.”

A reasonable consumer would conclude that the launch of Buzz was a “material change” to their relationship with Google’s Gmail, she said. “When users created Gmail accounts, they signed up for e-mail services,” she said. “Their expectations did not include social networking.”

Negative reaction to Buzz was quick and widespread after its February 9th launch. Google immediately began changing how Buzz works, and eventually issued a public apology that said Google “failed to appreciate that users have differing privacy expectations.”

But Commissioner Harbour also took exception to that approach during today’s FTC privacy workshop.

“I would like to see the commission take the position of intolerance toward companies that push the privacy envelope, then backtrack and modify their offerings after facing consumer and regulator backlash.”

Harbour, who PC World says is leaving the FTC next month, also spoke critically of Facebook’s long-running privacy issues, and called for online companies to use encryption more often to protect their users' personal data.

Tuesday, March 16, 2010

FCC Broadband Plan Focuses on Privacy, Competition

The Federal Communications Commission's ambitious national broadband plan will include recommendations aimed at ensuring consumers' online privacy, according to an executive summary released on Monday.

While the six-page summary was short on details, the FCC said it intends to suggest measures to "clarify the relationship between users and their online profiles ... including the obligation of firms collecting personal information to allow consumers to know what information is being collected, consent to such collection, correct it if necessary, and control disclosure of such information to third parties."

The FCC in January asked for comments about online privacy in response to a proposed notice of inquiry submitted by the digital rights group Center for Democracy & Technology. But it wasn't clear until Monday whether the FCC intended to address the issue in its broadband plan.

The decision to address privacy at all could prove controversial. Earlier this year, the Interactive Advertising Bureau had asked the FCC to refrain from considering online privacy in the broadband plan. The IAB argued that Congress tasked the FCC to formulate a broadband plan as part of a stimulus bill that "makes no mention of privacy" and was aimed at "furthering the build out of a high-speed broadband infrastructure across the country."

Now that the FCC is issuing privacy recommendations, early indications are that the commission might have incorporated standards that are fast becoming outdated.

For instance, the summary released on Monday focused on a notice-and-choice regime for the collection of "personal information."

But Jules Polonetsky, co-chairman and director of the think tank Future of Privacy Forum, says that policymakers seem to be shifting away from the notice-and-choice framework -- at least when it involves providing notice and an opportunity to opt out of targeting in lengthy, legalese-filled privacy policies. "Progressive thinkers in government are laying the groundwork to evolve beyond that mode of thinking," he says.

A recent article in The New York Times quoted Daniel Weitzner, a policy official at the Commerce Department's National Telecommunications and Information Administration, as saying: "There are essentially no defenders anymore of the pure notice-and-choice model."

In addition, the FCC's executive summary focused on personal information, but there's currently a great deal of disagreement about what that term means.

Ad industry executives have often defined "personally identifiable information" as name, address, email address or phone number, but consumer advocates and policymakers have been pressuring for more expansive definitions. They argue that people can be identified based on even so-called anonymous data if enough of it is collected. Search queries alone can be used to identify people, as happened after AOL released three months' worth of such queries.

Last year, the Federal Trade Commission said that even non-personally identifiable information could be used to identify specific users.

The broadband plan also will include recommendations aimed at improving competition. Among other suggestions, the FCC will recommend "comprehensive review of wholesale competition rules to help ensure competition in fixed and mobile broadband services," as well as rules requiring increased transparency in performance. In addition, the FCC also will ask broadcasters to give back spectrum that can be used for wireless computing.

Friday, March 12, 2010

Who Owns The Privacy?

Online privacy has become an issue that finally has bled outside of the realm of behavioral targeting and it is quite rightly taking its place in discussions of ad spending, publishing and targeting of all kinds. We have been weaving it ever more deeply into the coverage at MediaPost's own OnlineMediaDaily (courtesy of specialist Wendy Davis) and the programming of the OMMA shows themselves.


At last month's OMMA Behavioral, the Interactive Advertising Bureau's point man on public policy, Mike Zaneis, walked us through the new effort to create standardized iconography and messaging around disclosure about data collection and tracking, opt-outs, etc. Zaneis says that the IAB and its partners in the cross-industry consortium working on the project will run over 1 billion ad impressions this year to get the word out.

While some may say that the campaign is too little too late, he argues that the regulatory and legislative groups he lobbies in Washington are appreciating the effort. According to the analytics on the ad campaign, 10% of the ads being delivered get moused over, which in many cases expands the ad to offer information about ad targeting. The next wave of the effort will involve standard icons and labels that will run with ads and on publisher Web sites. For the full presentation, you can access the video/audio of Zaneis' talk here.

While the industry initiative to implement and enforce self-regulation may be slower to market than many expected, it is dovetailing with rising concern that privacy matters to everyone's bottom line. Next week in San Francisco at OMMA Global, we are taking the privacy issue that usually sits in a track about ad nets or behavioral targeting, and instead moving it into the track for publishers. The panel on Wednesday -- "Can Publishers Take Ownership of Privacy?" -- will address the critical problem of how the privacy issue ultimately will have to be taken up by the place where consumers have a direct relationship, the publisher.

I think publishers are going to have to take a good deal of the ownership of privacy and be much more aware of the policies of the partners they use. For the last several weeks I have been using the latest iteration of the Ghostery plug-in for Firefox. This tool tracks the trackers. It shows the user which ad nets and other analytics programs are using unique identifiers with your browser.

What I find really interesting here is the new pop-up window that superimposes the identities of the trackers on every page on which you land. From Google Analytics to ad exchanges and data providers, the full list gets daunting quickly at some sites. Now a part of the experience of landing on any site is seeing very clearly from the outset which cookies and beacons are at play. The net effect of this process is fascinating, because it gives the user a peek at a publisher's business model and the aggressiveness of their data strategy.

Does such knowledge change my browsing habits? No, not yet. Does it change my relationship with the publisher? To a degree. I now have a stronger sense of how the publisher is leveraging and placing value on my presence. In an indirect way, greater transparency about user tracking reinforces the notion that consumer behaviors have a cash value in the media economy. In making the case that targeting is critical to the survival of online media, publishers and advertisers are also making the case with consumers that their attention has value and that the user herself may be able to barter some of this value more effectively. As a consumer, the publishers appear to own my privacy protection, because they are the ones most obviously profiting from my data.

I was speaking with a senior ad agency executive the other day about the trends in digital advertising this year. He was among the first on the buy side to make the strong case to me that spending and privacy are going to be linked. As agencies develop demand-side platforms that aggregate audiences and inventory on behalf of clients, then the now-familiar question "who owns the data" becomes more insistent among publishers, third-party data providers and ad networks.

"Privacy and who owns the data are opposite sides of the same coin," he told me. "Until we get to the solution of both those issues, it renders the value of online media as specious." In other words, until the advertisers (or even the publishers, for that matter) know what they can extract from the data they collect and how it can be used, then it is difficult to price advertising. "Resolving the privacy issue in turn informs who owns the data, which informs how online display media is priced," he argued.

Now privacy is inextricably entwined with the publisher's and advertiser's bottom line.

Thursday, March 11, 2010

FCC Commissioner Calls For Examination Of Broadband Price Hikes

Federal Communications Commission member Mignon Clyburn said Wednesday that recent broadband price hikes "should raise a red flag" for the commission. "When prices rise across the industry, and where there are only a limited number of players in the game, we have to ask ourselves whether there is any meaningful competition in the marketplace," she said.

Clyburn didn't mention any broadband companies by name, but her statement obviously referred to recent reports that Comcast and AT&T are rolling out rate hikes.

This week, it emerged that Comcast will raise rates for some services by $2 a month in the New Jersey area. Subscribers who purchase "economy" 1 Mbps downstream service, and don't bundle it with other features, will see prices increase to $40.95; subscribers to 12 Mbps "performance" will see unbundled rates rise to $59.95. News of Comcast's rate increases came shortly after a report that AT&T also is raising the price of broadband for some customers.

The reports also come days before the FCC is slated to present Congress with a national broadband plan aimed at improving high-speed Web service in the country. Among other factors, the FCC has already identified the cost of broadband as one impediment to wider adoption.

Earlier this year, the FCC released a study showing that 35% of Americans lack home broadband lines. A big chunk of that group -- 36% -- said that broadband cost too much. (That group includes people who find monthly subscription fees and installation prices too high, as well as those who say a computer itself is too costly.)

Clyburn's comments were cheered by broadband advocacy group Free Press, which earlier this week called on the FCC to "do something bold and decisive to promote meaningful competition."

"For too long, the FCC has avoided confronting the competition problem, leaving American consumers and business at the mercy of the phone and cable companies," Free Press policy director Ben Scott said in a statement. "Congress wants a plan for universal, affordable and robust broadband, and a meaningful competition policy is the key to achieving those goals."

Scott also stated that goals for increased broadband adoption "cannot be met with hope that wireless broadband might someday discipline prices."

That remark appeared to be directed at an FCC announcement earlier this week indicating that the national broadband plan would include plans to consider using spectrum for free or low-cost wireless broadband service.

Thursday, March 4, 2010

Leaked intelligence documents: Here's what Facebook and Comcast will tell the police about you

Wonder what information Facebook and Comcast will turn over to police and intelligence agencies about you? Cryptome, the site that last week posted the leaked Microsoft "spy" manual, has posted company documents that purport to describe what those companies will reveal about you. As with the Microsoft document, the information is eye-opening.

Keep in mind that what the companies turn over to police and intelligence agencies is not illegal. The companies are all, in their own ways, following the law. Still, it's disconcerting to see all that's available about you, if the documents are real and to be trusted. Here's the rundown on each.

Facebook

The "Facebook Subpoena/Search Warrant Guidelines" from the Cryptome site are dated 2008, so there's a chance they've been superseded. The document spells out how law enforcement and intelligence agencies should go about requesting information about Facebook users, and details what information is turned over.

Following is what Facebook will turn over about you, taken verbatim from the guide:

Types of Information Available

User Neoprint

The Neoprint is an expanded view of a given user profile. A request should specify that they are requesting a “Neoprint of user Id XXXXXX”.

User Photoprint

The Photoprint is a compilation of all photos uploaded by the user that have not been deleted, along with all photos uploaded by any user which have the requested user tagged in them. A request should specify that they are requesting a “Photoprint of user Id XXXXXX”.

User Contact Info

All user contact information input by the user and not subsequently deleted by the user is available, regardless of whether it is visible in their profile. This information may include the following:
Name
Birth date
Contact e-mail address(s)
Physical address
City
State
Zip
Phone
Cell
Work phone
Screen name (usually for AOL Messenger/iChat)
Website

With the exception of contact e-mail and activated mobile numbers, Facebook validates none of this information. A request should specify that they are requesting "Contact information of user specified by [some other piece of contact information]". No historical data is retained.

Group Contact Info

Where a group is known, we will provide a list of users currently registered in a group. We will also provide a PDF of the current status of the group profile page.

A request should specify that they are requesting "Contact information for group XXXXXX".

No historical data is retained.

IP Logs

IP logs can be produced for a given user ID or IP address. A request should specify that they are requesting the "IP log of user Id XXXXXX" or "IP log of IP address xxx.xxx.xxx.xxx".

The log contains the following information:

* Script – script executed. For instance, a profile view of the URL http://www.facebook.com/profile.php?id=29445421 would populate script with "profile.php"

* Scriptget – additional information passed to the script. In the above example, scriptget would contain "id=29445421"

* Userid – The Facebook user id of the account active for the request

* View time – date of execution in Pacific Time

* IP – source IP address

IP log data is generally retained for 90 days from present date. However, this data source is under active and major redevelopment and data may be retained for a longer or shorter period.

Special Requests

The Facebook Security Team may be able to retrieve specific information not addressed in the general categories above. Please contact Facebook if you have a specific investigative need prior to issuing a subpoena or warrant.

Comcast

The Comcast document is labeled "Comcast Cable Law Enforcement Handbook," and is dated 2007, so there's a possibility that it, too, has been superseded. As with the other documents, it explains how law enforcement agencies can get information, and details what information is available.

There's a great deal of detail in the 35-page document, which describes what Internet, phone, and television information will be turned over. For example, here's the IP information it will make available:

Comcast currently maintains Internet Protocol address log files for a period of 180 days. If Comcast is asked to respond for information relating to an incident that occurred beyond this period, we will not have responsive information and can not fulfill a legal request. (Comcast can process and respond to preservation requests as outlined below in this Handbook.)

As expected, Comcast will also turn over the emails, including attachments, of those who use Comcast's email service, but "In cases involving another entity’s email service or account, Comcast would not have any access to or ability to access customer email in response to a legal request."

Information Comcast turns over to law enforcement agencies varies according to the request. For example, a grand jury subpoena will yield more information than a judicial summons, as you can see in the excerpt below. Comcast notes, though, that this is just a sample, and that "Each request is evaluated and reviewed on a case by case basis in light of any special procedural or legal requirements and applicable laws." So the examples "are for illustration only."

Grand Jury, Trial, or Statutorily Authorized Administrative Subpoena

Law enforcement agencies are eligible to receive subscriber identification including items (1)-(6) without notice to the subscriber:

1) Subscriber's name

2) Subscriber's address

3) Length of service including start date

4) Subscriber's telephone number, instrument number or other subscriber number or identity, including a temporarily assigned network address

5) Subscriber's email account names;

6) Means and source of payment for such service (including any credit card or bank account number); and

7) In certain instances, email communications older than 180 days with notice.

For those who worry about privacy, though, all of this information is small potatoes. The real worry is about the use of what are called pen registers or trap-and-trace devices, which essentially capture all of your Internet activity --- the Web sites you visit, the emails you send and receive, IM traffic, downloads, and so on. Here's what the document says about them:


Pen Register / Trap and Trace Device

Title 18 U.S.C. § 3123 provides a mechanism for authorizing and approving the installation and use of a pen register or a trap and trace device pursuant to court order. All orders must be coordinated prior to submission to Comcast. Law enforcement will be asked to agree to reimburse Comcast's reasonable costs incurred to purchase and/or install and monitor necessary equipment. See "Reimbursement," below.

Comcast also details how law enforcement agencies can get details about subscribers on an emergency basis:


Emergency Disclosure

18 U.S.C. § 2702(b)(8) and § 2702(c)(4) contain provisions for the expedited release of subscriber information in situations where there is an immediate danger of death or an immediate risk of serious physical injury. Law enforcement agencies need only to adequately complete Comcast’s Emergency Situation Disclosure Request form (Reference Attachment #1) and they will receive accelerated subscriber identification.

As for your voice calls made via Comcast, here's what the company will turn over:


Call Detail Records

- Comcast maintains two years of historical call detail records (records of local and long distance connections) for our Comcast Digital Voice telephone service. This includes local, local toll, and long distance records. Comcast also currently provides traditional circuit-switched telephone service branded Comcast Digital Phone. Call detail records for this service are collected by AT&T and are available for approximately two years as well. To determine which type of service is involved, contact the Legal Demands Center—Voice and Video at 800-871-6298.

Account Records

- Account records are generally stored for approximately two years after the termination of an account. If the account has an outstanding balance due, records may be retained for a longer period of time.

As with Internet information, what phone information will be turned over depends on the specific kind of legal request, and the examples "are for information only." Here's an excerpt:


Grand Jury, Trial or Administrative Subpoena

Law enforcement agencies can receive subscriber identification including:

1) Subscriber's name

2) Subscriber's address

3) Length of service including start date

4) Subscriber's telephone number, instrument number or other subscriber number or identity, including a temporarily assigned network address

5) Subscriber's social security number (if requested)

6) Means and source of payment for such service (including any credit card or bank account number)

7) Call Detail (records of local and long distance connections)

And, as you would expect, there is the same pen register/trap-and-trace device language as in the section about the Internet.

Oddly enough, it appears that when it comes to information about your television viewing habits, you have more privacy rights than you do when it comes to information about your Internet and voice use, because it can only be turned over in response to a court order, not a subpoena. Here's what the document has to say about TV information:

Subscriber Account Identification and Related Records

For subscribers to our cable television service, the Cable Act requires Comcast as a cable operator to disclose personally identifiable information to a governmental entity solely in response to a court order (and not, for example, a subpoena) or with the subscriber's express written consent. The Cable Act requires that the cable subscriber be afforded the opportunity to appear and contest in a court proceeding relevant to the court order any claims made in support of the court order. At the proceeding, the Cable Act requires the governmental entity to offer clear and convincing evidence that the subject of the information is reasonably suspected of engaging in criminal activity and that the information sought would be material evidence in the case. See 47 U.S.C. § 551(h).

Why does the law give you more privacy protection over your television viewing habits than your Internet or phone use? I haven't a clue --- ask your congressman.

Watchdog Group Alleges Google Violates Own Privacy Policy With Buzz

A watchdog group that recently asked the Federal Trade Commission to investigate Google Buzz has supplemented its complaint with an allegation that the new service violates Google's own privacy policy.

"At the time that Google introduced Google Buzz, the personal information section of the Gmail privacy notice promised to its users that the company would only use their contact lists and other related data 'in order to provide the service to you,'" the Electronic Privacy Information Center alleges in new papers.

EPIC alleges that Google violated this policy by using contact lists for a purpose other than its email service. But one potential problem with this argument is that it isn't clear that Buzz is separate from email.

Google itself describes Buzz as "a new feature built into Gmail."

But EPIC attorney Jared Kaprove says that people don't expect email services to include the social networking elements that came with Buzz. "If Google was to make the argument that Buzz is part of Gmail, that would be fairly disingenuous," he says. "Users know what email is."

When Google rolled out Buzz last month, the service automatically transformed users' Gmail contacts into their followers -- and made that group public by default. Like Twitter and Facebook, Buzz enables users to broadcast their posts to a network of followers. Google clearly hoped to get a leg up on competitors by using Gmail data to create social networks, but critics say that the company didn't take into account that users don't necessarily want their email contacts to become publicized.

Google quickly revised Buzz in response to complaints. Among other changes, the company replaced a feature that automatically includes other users as followers with one that merely suggests followers.

But Kaprove says that the service shouldn't even automatically make suggestions unless people have affirmatively instructed Buzz to do so. "It should be an entirely separate service that you have to choose to activate," he says.

Google said in a statement that it intends to make more revisions to Buzz and is also open to suggestions about the service. "We've already made changes based on user feedback, and we have more improvements in the works," the company stated. "We also welcome dialogue with EPIC and appreciate hearing directly from them about their concerns."

Wednesday, March 3, 2010

AstraZeneca Suggests Message Guidelines To FDA

In response to the U.S. Food and Drug Administration's request for comments on new rules for online marketing and communications, AstraZeneca has outlined some ways that pharma company interactions with customers and potential customers might be governed.

The Wilmington, Del.-based drug maker suggests that certain online communications -- such as Facebook and Twitter posts -- should be judged not one by one, but as a group of individual comments. That would enable pharma companies to participate in those sorts of social-media sites without having to balance benefits and risks at every 140-character turn.

AstraZeneca also calls attention to the differences between content on Web sites a drug maker owns and controls, compared to sites where it provides content for sponsors to use as they see fit. Also figuring prominently in the discussion are social media sites, which would include real-time company communications. Different rules should apply in different contexts, the drug maker suggests.

The proposal is in response to the FDA's September 2009 Call for Comments on their public notice: Promotion of Food and Drug Administration-Regulated Medical Products Using the Internet and Social Media Tools.

"AstraZeneca understands the value of social media to engage key stakeholders in today's technology-driven world," says Bob Perkins, vice president, public policy and promotional affairs, in a statement. "While we have developed a corporate presence in the digital space, we believe it is increasingly important to participate in online channels to provide accurate and regulated information about our branded products in conversations with patients, caregivers, and health care providers."

AstraZeneca believes that five principles should be followed by any pharma company engaging in social media. First, companies should only present content that is accurate, balanced and not misleading. Second, companies must be respectful and encourage product sponsor participation that respects the interests of patients, caregivers and health care providers -- especially related to matters of privacy and the primacy of the patient/physician relationship.

Third, companies have a responsibility to protect and advance patient health by facilitating patient access to quality information for use with their physician to improve their health and protect patients through encouraging accurate and timely reporting on medicine safety. Fourth, companies should be transparent, meaning that any product sponsor participation should be accomplished in a manner that, at all times, is entirely transparent to other participants as to the role of product sponsors as participants in online discussion.

Finally, companies need to respect the views of others. They should acknowledge that patients, caregivers, clinicians and others who participate in social media have their own opinions and that when they differ from those of the product sponsor, it is not the role of a product sponsor to censor or limit these views, but to add the product sponsor's own views to the discussion.

In its comments to the FDA, AstraZeneca proposed a regulatory framework that is consistent with these principles and that defines, distinguishes, and distinctly regulates three types of communications on the Internet and in social media: company-controlled, hosted online communications; company-controlled communications; and real-time, social media participation communications.

"Without guidance, our activities are limited in a manner that we believe is not in the best interests of informed health care decision making," the company told the FDA. "In our absence, consumers will turn to information sources that are not regulated and not always well informed."

Tuesday, March 2, 2010

FDA Asked To Probe Drug Companies' Use Of Behavioral Targeting

The watchdog group Center for Digital Democracy has asked the Food and Drug Administration to investigate whether pharmaceutical companies are unfairly using behavioral targeting techniques to market drugs online.

"Digital marketing applications for selling cars, food, and financial products have already raised privacy and related concerns at the FTC. When applied to digital pharmaceutical and health marketing, such practices call for an even higher level of scrutiny and policy intervention," the advocacy group says in a new FDA filing.

The privacy organization is asking the FDA to take a host of steps, including examining data collection practices by pharmaceutical advertisers, reviewing privacy policies of such marketers as well as publishers, and requiring companies that use behavioral targeting to spell out their methods. "Consumers need to know whether and how they are being tracked and targeted -- including via 'condition-specific' channels," the filing states.

Jeff Chester, executive director of the CDD, adds that a "highly targeted, purposely immersive and subconsciously guided digital marketing apparatus" can be unfair to consumers when it comes to health marketing. "We want the FDA to make some policies related to pharmaceutical marketing that reflect the distinct nature of interactive marketing," he says.

Ad executives also say that behavioral targeting -- or serving ads to people who have already demonstrated an interest in particular medical conditions by reading about them -- benefits readers by providing them with relevant information. "Behavioral targeting is used across all verticals online, whether travel, banking or health," says Debrianna Obara, vice president of media at RazorfishHealth. "Pharmaceutical companies, or wellness clients, are not trying to do anything underhanded. They're really just trying to give hand-raisers the information that they're looking for."

Obara adds that pharmaceutical marketers don't use behavioral targeting for products related to "sensitive" categories, including oncology, depression and sexual dysfunction.

The CDD's filing listed several publisher sites that focus on health, including HealthCentral, which says that marketers can advertise on 35 condition-specific categories.

HealthCentral President and Chief Operating Officer Jeremy Shane says the company runs contextually targeted ads on HealthCentral sites -- that is, ads that relate to the content on its pages -- but doesn't directly offer behaviorally targeted ads on its own sites. HealthCentral also runs some Google AdSense ads, which can be targeted based on behavior; users can opt out of that cookie-based behavioral targeting by Google.

In addition, HealthCentral has a deal with Microsoft allowing the company to serve behaviorally targeted ads to some users who go to its sites after previously visiting HealthCentral. Users can opt out of those ads as well. That deal doesn't allow users to be targeted based on anything they have read at HealthCentral relating to mental health or sexual health.

Marketing and publishing executives also say that behavioral targeting doesn't violate people's privacy because such targeting is anonymous. While companies track Web users via cookies on their computers, the companies are not also collecting users' names, email addresses or other so-called personally identifiable information.

But the Federal Trade Commission, which has been investigating behavioral targeting and privacy, said in a recent report that even non-personally identifiable information could be used to identify specific users.

The FDA currently is examining pharmaceutical marketers' use of online marketing and social media. Last year, the agency told more than a dozen pharmaceutical companies that their pay-per-click search ads were misleading because the ad copy touted the benefits of drugs without also informing consumers about risks and contraindications.