Behavioral Exchanges: Where Your Web Browser Cookies Are Bought And Sold

Who knew that when you opted into getting online ads from an advertising network that you were also agreeing to allow firms to sell the contents of your browser cookie file. From the New York Times:

"BlueKai and eXelate work in similar ways. They both track who is interested in what through a cookie, an invisible bit of code on a Web page. When someone does a search, for example, on Kayak.com for first-class flights to Paris in September, that information can be captured by a cookie, and Kayak.com can sell that cookie using eXelate or BlueKai."

How it works:

"Once the [corporate advertising] buyers log in to the exchange, they select the criteria they want, and the exchange tells them how many cookies are for sale. BlueKai has about three million cookies for in-market sedan buyers, for instance, and nine million for cellphones and P.D.A.’s. The advertisers specify how recent they want the cookie to be — they may want only people who have looked for their product in the last day — and bid on a price. The challenge for eXelate and BlueKai is to get publishers and commerce sites interested in selling information about their visitors."

It's unclear if this applies to Adobe Flash cookies, which also collect and share data about consumers.

Consumer notification, control, and opt-in (not opt-out) mechanisms need to be really clear about this. And, I believe behavioral exchanges should exclude medical information. It'd be great if the FTC actually did its job and set some guidelines for behavioral exchanges.

Targeted Advertising Programs Integrate Your Offline And Online Habits

Things are moving quickly in the behavioral advertising industry, and we consumers had better pay attention. In her Behavioral Insider blog, Laurie Sullivan summarized some important developments from the OMMA Behavioral conference in San Francisco:

"... the trend became apparent from the start of the show when Exelate provided a pre-conference presentation focusing on integrating shopping data. Later in the day, MediaPost Senior Writer Wendy Davis led a panel where Fran Maier, CEO at Truste, confirmed that all the information gathered from online and POS transactions can be aggregated to create a "very detailed profile." She said consumers do know they are being tracked online, but they are not given enough information about the information collected. Execs from the analytics firm Webtrends provided some further insight. Webtrends is working with Dotomi, which retargets ads to consumers, to integrate Analytics 9..."

How it works:

"Webtrends built a data collection applications programming interface that will allow marketers to integrate data into Webtrends's analysis engine. Marketers can feed the POS data from in-store cash registers into a central repository database. Marketers can extract part, or all, of the data and feed it into the analytic engine and correlate the data to transactions on the Web site. Analytics treats it as a conversion event -- just as if the customer bought the products or services online."

Want to learn more? Follow any of the above links, or read the Behavioral Advertising section of this blog.

The New York Times Interview of David Vladeck of the F.T.C.

If you follow this blog, then you know that I've covered the U.S. Federal Trade Commission (FTC), especially about behavioral advertising. My opinion of the FTC has been far less than stellar, due to the commission's tendency toward self-regulation and its support of wacky things like basing insurance rates on credit reports.

I worry that that the FTC will become the next Securities & Exchange Commission (SEC), where online advertising becomes so complicated that the FTC becomes unable to keep up -- as many argued that the SEC was unable to keep up with Wall Street's financial practices. One area where the FTC seems to be lagging is with RFID technologies.

With that in mind, I read the New York Times interview of David Vladeck, the new head of the Bureau of Consumer Protection at the FTC. Maybe this interview is damage-control by the FTC. Or maybe it's a frank discussion of some particularly gnarly issues:

"The infrastructure for doing work on privacy is in very good shape. It was time for the agency to reconceptualize its privacy mission and to look for a new framework to approach privacy issues in this incredibly dynamic environment. One thing that was needed was someone in a position of authority to basically say, the frameworks that we’ve been using historically for privacy are no longer sufficient in this incredibly dynamic marketing."

When asked how the FTC will keep up with the advertising industry's rapid pace of change, Vladeck's comments are disappointing:

"We’re hoping that if we have candid conversations with them they’ll be more forthcoming, and this is not our first option, but we can make people talk to us. I would like to think that just by force of my charm and personality they’ll do that but if not there are all sorts of other ways we can get information. We’d prefer to persuade industry it’s in their best interests to cooperate on these sorts of things. If not, we’ll be forced to imagine the worst, and that doesn’t help anybody."

Is he serious? Force of his charm? Behavioral advertising techniques to collect consumers' data are moving at light speed. There are browser cookie based approaches, deep-packet inspection approaches, and lately online behavioral advertising networks are moving towards integrating both  consumers' offline and online habits into the online ads served. There are even more ways to provide opt-out (or opt-in) mechanisms and policy statements online. I'm hoping for leadership from Vladeck, not consensus-building.

About today's online disclosures and privacy statements, Vladeck said:

"Disclosures are now written by lawyers, they’re 17 pages long. I don’t think they’re written principally to communicate information; they’re written defensively. I’m a lawyer, I’ve been practicing law for 33 years. I can’t figure out what the hell these consents mean anymore. And I don’t believe that most consumers either read them, or, if they read them, really understand it. Second of all, consent in the face of these kinds of quote disclosures, I’m not sure that consent really reflects a volitional, knowing act."

No kidding. It has become increasing difficult for consumers to effectively make choices, since so many advertising programs use opt-out instead of opt-in, many have made the opt-out mechanism difficult to find and to use, and few programs provide open, honestly and transparent information about how consumers' data is shared among specific third-party companies and partners. Sites like TOSBack are trying to hlp consumers keep up with the complicated and fast-changing online privacy and web site policies.

One of the more positive comments by Vladeck that shows that the FTC is paying attention to consumers' needs:

"The empirical evidence we’re seeing is that disclosures on their own don’t work, particularly disclosures that are long, they’re written by lawyers, and they’re written largely as a defense to liability cases. Maybe we’re moving into a post-disclosure environment. But there has to be greater transparency about what’s going on. Until I see evidence otherwise, we have to presume that most people don’t understand, and the burden is going to be on industry to persuade us that people really are well informed about this."

The Sears settlement with the FTC was a thread throughout the interview, but Vladeck seemed reluctant to use that case as the basis for future rule-making. When asked about whether privacy policies and/or web site terms and conditions statements alone constituted effect consent for consumers, Vladeck replied:

"You’re trying to get me to revert back to these frameworks. I’m going to resist doing that until we have a better sense of whether there are other ways of making sure consumers are adequately informed that when they go on the Times website all of these different transactions are either happening or possible. And it may be that bubble disclosures or pop-up disclosures or anti-cookie devices, there may be all sorts of way to do this, that substitute for the lengthy, form-written privacy policy disclosures that are written by risk-averse lawyers rather than communication experts."

That sounds like a non-answer to me. The FTC wants to leave it open about how companies' web sites provide consumers with consent and notice, but is reluctant to present specific guidelines or rules.

Yeah, the interview was probably an attempt at damage control. I hope (for all our sakes) that the FTC can and does keep up.

Documenting Opt-out Driven Ad Network Failures

Over at his blog, Christopher Soghoian has documented some major failures of advertising networks that employ the opt-out method. These are targeted advertising programs that automatically include consumers, and place the burden on consumers who don't want to be tracked to opt-out of the program. Some of Chris' findings:

"In the 100+ online advertising firms whose opt-outs I have requested, this is the only one that I've found that requires a CAPTCHA in order to opt-out. By itself, this would merely be an annoyance. However, the CAPTCHA code on their opt-out page is broken, and thus even correctly entered answers are rejected as invalid. Thus, it is impossible to ever successfully receive an opt-out cookie from their site."

And there is another gem:

"Their privacy page makes all kinds of bold promises, such as the fact that their cookies comply with the Platform for Privacy Preferences (P3P). The buttons to opt-in and opt-out are fairly easy to discover, and clearly labeled. Unfortunately, both the opt-in and opt-out buttons link to non-existent pages on their website. Anyone wishing to opt-out is thus met with a 404 error."

Excellent analysis Chris! He rightly concludes:

"... the industry is not doing a good job of policing itself, companies are not performing the most basic form of quality assurance and testing, and it is clear that they are not hiring outside auditors to independently verify that the opt-outs are working properly. This industry is big enough, and profitable enough to not need to depend upon a single motivated graduate student to discover and police its broken opt-outs."

The NAI Behavioral Advertising Opt-out Mechanism: Good or Bad?

Thanks to rcalo for alerting me to this site. If you have read this blog over the past year, then you know that I have written a lot about behavioral advertising (BA). My interest in BA is partly because some Internet Service Providers (ISPs) have attempt to use a form of BA with the Deep packet Inspection (DPI) technology, which goes far beyond the older tracking technologies, like Web browser cookies, which advertisers have traditionally used.

Congress and consumers are right to take a long, hard look at firms using DPI. And, however favorable the FTC's proposed behavioral advertising guidelines are for corporations, those guidelines are not finalized. My interest in BA is not just the consumer privacy concerns, but the data security concerns due to the fact that company data breaches soared in 2008 compared to prior years. Too many companies don't take data security seriously enough. DPI allows companies to collect a lot of inormation more quickly -- and lose it later in a data breach, regardless of their claims about anonymizing the data.

Plus, ISPs play a key role in providing consumers with trustworthy access to the Internet. Even though NebuAd closed last month, Phorm is part of a larger situation where ISPs rush for advertising revenues and abuse consumer privacy.

With all of that as a backdrop, I have mixed feelings about the Network Advertising Iniative (NAI) opt-out site below, since it is predicated on a business model where all consumers are, by default, included. This places the burden on consumers to become BA experts and track which sites they visit use BA with, in order to opt-out effectively. And, opting out is no guarantee since companies can easily include users back in BA with a change in web site privacy and terms of use policies. The whole model should be based with a default where consumers aren't included until they opt-in.

When you use the NAI site to opt-out of BA, it provides a status of the advertiser networks that have already placed a BA Web browser cookie on your computer. For me, I learned that I had active BA cookies from:

• Advertising.com
• Atlas
• AudienceScience
• BlueLithium
• Burst Media
• Collective Media
• Mindset Media
• Undertone Netowkrs
• Yahoo Ad Network, and
• TACODA Audience Networks

That was far more BA cookies than I thought I had. A thorough check would be to see if any of the sites I have visited regularly mentioned any of these advertiser networks in their privacy and terms policies. I doubt it.

The NAI's BA opt-out mechanism has limitations. First, it won't protect a consumer against DPI. Second, consumers will have to use the BA opt-out mechanism again if you delete the cookies on your computer, change Web browsers, or get a new computer. Given this, the NAI's BA opt-out mechanism is not a true opt-out. Too much burden is still on the consumer, and it is too easy for a consumer to get sucked back into BA again.

If you have used the NAI site below to opt-out of BA, I'd love to hear your experiences. How did you tell if the opt-out worked? Did you see a change in the online ads display at the sites you visited?

When I opted out of pre-screened credit offers and telemarketing calls, it was easy to see the change. The number of pre-screened credit card and loan offers I received via postal surface mail stopped -- period. So too for telemarketing calls; those dropped to zero, too.

So, it's easy for consumers to see and evaluate the effectiveness of opting out of postal surface mail offers. But what about BA? How can a consumer tell if this BA opt-out mechanism works?

Anyway, here's the NAI video:

Phorm Raises Money

I've written extensively about behavioral advertising. It is important to track the actions of companies that promote and enable behavioral advertising, particularly the Deep packet Inspection (DPI) technology. Revolution Magazine reported:

"Phorm has raised £15 million through a stock sale to fund expansion plans in Britain and Korea. The company said the capital will be used ‘to continue the implementation of its service in the UK and Korean markets, and for general working capital purposes, as it continues partnership discussions with ISPs both in the UK and internationally."

Phorm developed DPI technology that allows Internet Service Providers (ISPs) to track everything their customers do online. The data is sold to media companies and advertisers so ISPs can supposedly serve up more relevant ads and make more money.

"Last year Phorm sold 1.61 million shares for £20 each - more than four times the value of the latest offering... Kent Ertugrul, chief executive of Phorm said the 3.3 million shares sold for £4.50 each, account for 19.4 per cent of the company, and were bought up by existing shareholders and new financial institute investors."

DPI goes far beyond the older tracking technologies, like Web browser cookies, which advertisers have traditionally used. Congress and consumers are right to take a long, hard look at firms using DPI. And, however favorable the FTC's proposed behavioral advertising guidelines are for corporations, those guidelines are not finalized.

My interest in this is not just the consumer privacy concerns, but the data security concerns due to the fact that company data breaches soared in 2008 compared to prior years. Too many companies don't take data security seriously enough.

Plus, ISPs play a key role in providing consumers with trustworthy access to the Internet. Even though NebuAd closed last month, Phorm is part of a larger situation where ISPs rush for advertising revenues and abuse consumer privacy.

Sears Settles With The FTC About Consumer Privacy Abuses With Undisclosed Tracking Software

I've Been Mugged discussed consumer privacy abuses by Sears in 2008. On June 4, 2009, ComputerWorld reported Sears Holdings Management settled with the U.S. Federal Trade Commission about a complaint where Sears failed to inform "My SHC Community" customers about the large amount of sensitive personal data it collected with a downloadable software application:

"Sears Holdings, owner of the Sears and Kmart retail chains, invited some visitors of Sears.com and Kmart.com to become members of the "My SHC Community," paying them $10 if they agreed to download "research" software that would confidentially track their online browsing... the software not only tracked browsing, but also monitored customers' online secure sessions, including sessions on third-party Web sites... The Sears software collected the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size of Web-based e-mail messages... The software would also track some computer activities that were unrelated to the Internet..."

From now through July 6, interested consumers can submit comments to the FTC about this Sears settlement. Before submitting a comment, consumers should read:

• How To File Public Comments by the FTC
• FTC press release about the Sears settlement
• The FTC Complaint and proposed settlement agreement

Based on comments received, the FTC will decide whether or not to proceed with the proposed settlement agreement. I encourage readers to review the proposed settlement. You may feel it is not strong enough, especialy about the sensitive consumer data Sears already collected.

Exploring The Online Tracking Of Consumers: A Look At Equifax And Experian

Yesterday's post discussed research about how retailers extensively track consumers online. Today, I wanted to explore this further.

So, I secured my Microsoft Internet Explorer browser and its Privacy settings to prompt me every time a Web site or page attempted to place or edit a Web cookie on my computer. This prompt would allow me to note the site requesting the cookie, and either accept or reject that cookie request.

I am not a computer expert, and this is not a formal, academic test. And it doesn't cover Web Beacons. This informal test is limited in that it won't indicate the contents of each Web cookie request; only that a cookie request occurred. I am sure that there are plenty of computer experts that can design a sufficiently rigorous test. Regardless, I felt the need to start somewhere.

For test web sites, I chose two of the credit reporting agencies' sites (Equifax.com and Experian.com) since I use these sites, have discussed them previously, and since these sites contain sensitive personal data about consumers.

It didn't take long for the results to show. When trying to access the Equifax.com home page, I noticed that the site placed a multitude of Web cookies on my computer. The list of companies writing to my Web browser cookie file went far beyond just Equifax:

• 12 Web cookies requests by Equifax.com, plus
• Advertising.com
• Doubleclick.com (2 requests)
• Quantserve.com (2 requests)
• Atdmt.com (2 requests)
• Eloqua.com
• Hitbox.com (2 requests)

If you are counting, that was about 22 cookies requests before the home page fully loaded. To me, that seemed like a lot of Web cookie requests. And, who are these companies? Some of the names (e.g., HitBox, Doubleclick) I recognize since I work in the Internet industry. I know some of these are tracking services for advertisements.

I couldn't help but wonder what most consumers would think of this. I couldn't help but wonder what most consumers, who don't have the benefit of working in the Internet industry, would think of this -- if they took the time and knew how to configure their Web browser. This would probably make any consumer pause, and wonder what exactly is going on.

Now, I don't mean to imply that all Web cookies are bad. Some are good and useful. I use a few Web cookies to manage this blog. My first point is this: all of the above cookies requests happened before the Equifax.com home page loaded in my browser. So, consumers don't really have a choice because all of this tracking and data collection happens before consumers can read the home page, and read the Equifax Privacy Policy to make an informed decision about their online privacy.

Sure, we all want to be informed consumers, but things seem stacked against consumers. The online tracking at Web sites starts sooner than many consumer probably would expect.

Next, I read the Equifax.com Privacy Policy to see what it says about Web cookies and the company names I encountered:

"We use session and persistent cookie technology for several purposes. For example, cookies: Allow you to order more than once during a visit without your having to re-enter your information each time you place an order for a Personal Solutions product; Allow us to gather aggregated statistical data about the use of our website for research purposes; Help us improve your navigation of our web site(s); Enable us to store your preferences for certain kinds of information and marketing offers; Help us to provide features such as personalized greetings; If you're a Member of Personal Solutions, allow us to store your user name and encrypted customer identification number so that we recognize you when you return to our web site; Help us combat identity theft and fraud with more reliable identity verification and authentication data."

All of that sounds good, but it'd be more reliable if Equifax.com didn't perform this extensive tracking and collection data before the home page fully loaded and before consumers had a chance to read the Equifax.com Privacy Policy. There is more:

"Cookies set by us or our agents are not interpreted or shared with any other third party. We may combine cookie data with personally identifiable information or business organization identifiable information you provide to us... We may sometimes use outside technology companies to set cookies on our web site and collect cookie information for us. We use the cookie information collected by these companies in the same manner as stated above in this section. Those companies may not use these cookies for their own internal purposes or share the information collected with any party other than Equifax."

A, "sometimes use outside technology companies?" 22+ cookie reqests at the home page tells seems far beyond "sometimes use."

And, who are Equifax's "agents" and "outside technology companies?" Who are these "third parties" that are not agents? Are they the list of companies I encountered or some other companies?

The Privacy Policy clearly indicates that Equifax works with other companies, but the policy does not disclose the companies by name. Why the secrecy? If all of this cookie usage by Equifax is so good for consumers, why not disclose it?

This secrecy leaves consumers to guess about what is going on. If everything Equifax is doing is really that good, then it shouldn't be an issue to list the technology companies, agents, and third parties.

For transparency and full disclosure, the Equifax Privacy Policy should list these companies, but it doesn't. It would help so consumers could make an informed choice.

Given this, what choice do consumers really have? I say, not much of a choice really. If you decide to secure your Web browser and reject every cookie request, then the Equifax.com site seems to quickly becomes unusable. The Privacy Policy should but doesn't state exactly which site features or mechanisms become unusable when Web cookies are rejected.

The situation was little better at the Experian.com home page. I experienced fewer Web cookie requests from fewer companies:

• 11 cookie requests by Experian.com
• statse.webtrendslive.com (2 cookie requests)
• wa.marketingsolutions.yahoo.com

If this lack of transparency bothers you (and I sincerely hope that it does), learn more about targeted advertising (a/k/a behavioral targeting). Then, write to your favorite retailers and demand more disclosure in their Web site Terms of Service and Privacy policies. If that doesn't work, write to your elected officials in Congress and demand legislation for more disclosure.

Exposing The Online Tracking Of Consumers By Retailers

This MediaPost article really caught my attention. It seems that Cathy Dwyer, a professor at Pace University's Seidenberg School of Computer Science and Information Systems, sat students in front a computer and showed them all of the ways companies track their online usage. After witnessing this tracking the students' complacency turned to outrage:

"I do this with 18-, 19- and 20-year-olds, and once they find out this is going on they go ballistic. A few of them in one of my classes canceled their Facebook accounts..."

This online tracking includes a multitude of browser cookies and Web beacons which companies rarely or never disclose in their Web site Terms of Conditions and Privacy policies. To better understand this, Dwyer studied the Levis.com site:

"... Dwyer discovered, for instance, that a JavaScript downloaded to the browser came from Atlas and contained seven one by one image files from a range of behavioral networks. In all, Dwyer detected nine Web beacons dropped on the client machine, and one Omniture cookie that passed back a list of installed software on the machine."

This is important because, a) of the secrecy -- consumers are not informed of both the tracking activity and the wide range of companies involved, and b) it happens without the consumer's consent:

"None of the companies linked to these nine Web beacons are mentioned in Levi's privacy policy... The only third party mentioned is the digital advertising provider Avenue A, but none of these Web beacons link to Avenue A... this study shows the amount of data collected and shared with third parties is much higher than what is described in the Levi's privacy policy. Levi's customers are not asked to consent to these practices, and the partners that Levi's shares information with are not identified."

This secret targeted advertising without consent is also important because:

"...anonymity does not equal privacy. Privacy is not just a matter of controlling what information about oneself is disclosed to or by a third party. Dwyer and others contend that undisclosed behavioral tracking compromises our autonomy in the market."

In other words, consumers can't make informed choices about the products and services we buy, when our online experience is shaped and affected without our knowledge. Reportedly, Dwyer will present her research findings at the 15th Americas Conference on Information Systems in a paper titled, "Behavioral Targeting: a Case Study of Consumer Tracking on Levis.com."

If this bothers you (and I hope that it does), learn more about targeted advertising (a/k/a behavioral targeting). Then, write to your favorite retailers and demand more disclosure in their Web site Terms of Service and Privacy policies. If that doesn't work, write to your elected officials in Congress and demand legislation for more disclosure.

NebuAd Closes After Lost Clients And Lawsuit. The Full Story.

Previously, I wrote about the class-action lawsuit filed against NebuAd. From the Associated Press:

"In court filings this week, NebuAd said it has been winding down its business since last year. It laid off virtually all its employees in July and August, closing its office in Redwood City, Calif..."

NebuAd's clients had been phone companies and ISPs (Internet service providers) who wanted a larger share of advertising revenues. According to the same Associated Press report:

"Among the cable and phone operators that abandoned interest in NebuAd were Charter Communications Inc., Bresnan Communications LLC, The Washington Post Co.'s Cable One Inc. and Embarq Corp."

If you want to read a copy of NebuAd's dissolution filing, it is available at the Wall Street Journal Venture Capital Dispatch blog. That's part of the story. There's a lot more.

In his blog, John Linko wrote a good summary about the NebuAd situation. His post included a response from an executive at Bresnan:

"I think it is important to note that when Bresnan performed the limited test of the NebuAd platform in one market, we strictly adhered to the existing FTC rules whereby we notified all of our customers involved in that test and gave them a choice of opting in or out of the trial. With Congressional scrutiny however, the environment in which we began that trial changed and Bresnan quickly suspended the test."

That may be, but on both sides of the Atlantic Ocean consumers are starting to understand the nature and implications of of data collection by behavioral targeting programs. I think that it's important to remember that NebuAd was promoting a service that included Deep Packet Inspection (DPI) technology, that enables an Internet Service Provider (ISP) to collect everything its subscribers send (e.g., e-mail, web activity, search keywords, instant messages, tweets, etc.) through their ISP connection.

DPI goes far beyond the older tracking technologies, like Web browser cookies, which advertisers have traditionally used. Congress and consumers are right to take a long, hard look at firms using DPI. And, however favorable the FTC's proposed behavioral advertising guidelines are for corporations, those guidelines are not finalized.

My interest in this is not just the consumer privacy concerns, but the data security concerns due to the fact that company data breaches soared in 2008 compared to prior years. Too many companies don't take data security seriously enough.

Plus, ISPs play a key role in providing consumers with trustworthy access to the Internet. In the NebuAd and other instances, the ISPs never addressed to my satisfaction the data security concerns when using DPI to collect so much more consumer data. Last summer's Congressional hearings brought to light several behavioral advertising programs by ISPs who performed secret behavioral advertising programs; the ISPs didn't inform their customers and didn't provide consumers with opt-in choices.

The NebuAd closure is part of a larger situation where ISPs rushing for advertising revenues have trampled over and abuse consumer privacy. So, thanks are due to the U.S. Congress and to the Privacy Crusaders --  Alan Himmelfarb, Scott Kamber, and Joseph Malley -- for the pressure applied.

Companies beware! If you abuse consumers' privacy, fail to inform consumers or provide adequate opt-in mechanisms, the Privacy Crusaders will get you.

Meanwhile, there's more work to be done. Some of the former executives at NebuAd have started up another behavioral advertising company. In the U.K., The Register reported:

"Insight Ready Limited was incorporated on March 25 by Paul Goad, the man who had been NebuAd's UK boss... Goad started Insight Ready with the blessing of what remained of NebuAd US, but the two firms have no business or technical relationship beyond having some of the same personnel. Unlike NebuAd, Insight Ready will not seek to collect data from inside ISP networks. Instead, when it launches "in several weeks", it will aim to collect behavioural data in partnership with website owners..."

Want to learn more? Try these sources:

• I've Been Mugged: Behavioral Advertising
• NoDPI.org
• BadPhorm.co.uk
• Facebook pages and groups: Stop ISPs From Breaching Customers Privacy, Fight Back Against Phorm, Really Bad Phorm, Facebook & Google: Tell Phorm to Eph Off

And, as the U.S. FTC releases updates about behavioral advertising guidelines, you can expect the I've Been Mugged blog to cover it.

Is AT&T Honoring Its Promise To Do Behavioral Advertising 'The Right Way'?

Back in September 2008, AT&T promised in writing in response to a Congressional inquiry to do behavioral advertising "the right way." The right way meant getting consumers explicit consent before conducting behavioral advertising (also known as, "targeted advertising" or "behavioral targeting"). With that factual history, I found this MediaPost news item very interesting:

"AT&T has spent much time in this last year criticizing behavioral targeting companies for their privacy policies. But in contrast to its public stance, the telecom's marketing department has apparently been working with behavioral targeting company Audience Science to sell AT&T products and services..."

To be clear, behavioral advertising in and of itself is not evil. My concern is that companies communicate with transparency: tell consumers clearly and upfront what they are doing, and provide users with the opportunity to opt-in to any behavioral advertising programs. Consumers that don't opt-in don't get tracked.

I'm concerned because data breaches happen and companies collect vast amounts of sensitive consumers' personal data with behavioral advertising programs.

Providing consumers with an opt-out mechanism after the behavioral advertising program has already started is insufficient. The consumers' sensitive personal data has already been collected, and it doesn't give consumers real choice. Previously, ISPs conducted behavioral advertising without consumers' explicit consent, used the opt-out approach, made it difficult for consumers to find the opt-out mechanism, and made it nearly impossible to opt-out (e.g., the consumer had to opt-out repeatedly as the advertiser included new companies in its advertising network).

As I see it, companies prefer the opt-out approach because they hope that consumers will forget or won't bother to opt-out and they'll get more consumers in their program than otherwise. Opt-out is dishonest.

Based on this news report, AT&T seems to be doing the opposite of what it preached others should do:

"Yesterday, at a House Energy and Commerce subcommittee hearing, Rep. Anna Eshoo (D-Calif.) attempted to question AT&T Chief Privacy Officer Dorothy Attwood about the company's use of behavioral targeting. But Attwood misunderstood the question and said that AT&T doesn't use deep packet inspection technology to power behavioral targeting."

Not using deep packet inspection technology is a partial answer. Eshoo's question is about whether AT&T provides consumers with an opt-in choice before starting any behavioral advertising program:

"Audience Science, like many companies that track people online and then serve ads based on sites visited, allows people to opt out of targeting. But the company does not first seek consumers' explicit consent. That model remains legal -- and AT&T's relationship with Audience Science would not be an issue, except that AT&T has so publicly criticized the opt-out approach."

So, is AT&T going to practice what it preaches? Or is AT&T practicing do-as-I-say-but-not-as-I-do?

If you want to learn more about behavioral advertising, start with this prior post or select "Behavioral Advertising" in the tag cloud in the right column.

U.K. Parliament Debates ISP-Based Targeted Advertising

This ClickZ news story caught my attention:

"... in the House of Commons, Members of Parliament, Lords, and industry experts met to discuss the privacy implications concerning ISP-level behavioral targeting from companies such as Phorm and NebuAd. The intention of the session, which was hosted by Liberal Democrat Home Affairs spokesperson, Baroness Sue Miller, was to "inform parliamentarians" on the issues surrounding the controversial practice... the majority of conversation focused on ad-targeting technology firm Phorm, which is currently the most advanced U.K. player in the ISP-based behavioral ad space. The company announced in February 2008 that it would partner with three of the U.K.'s largest ISPs in order to sell and target ads based on user's online interaction data. Although a number of Phorm executives were present at the event, the company was refused a place on the panel, according to CEO Kent Ertugrul."

This has implications for the USA. If targeted advertising (a/k/a behavioral advertising) gains acceptance in the United Kingdom, it could make acceptance more likely here in the USA. I have written extensively about behavioral advertising, including the role of ISPs, abuses by ISPs of consumers' privacy, the class-action lawsuit against NebuAd, and AT&T's promise to do behavioral advertising "the right way."

Can ISPs be trusted to do behavioral advertising the right way? In my opinion, no. A few might, but the industry as a whole: no. In the USA, their collective historical actions speak far louder than their collective words and promises.

My position: ISPs should not be allowed to perform behavioral advertising. Period. Why? Behavioral advertising would allow ISPs to collect (and potentially share with vendors) massive amounts of the most sensitive consumer data: every site and web page a consumer visits on the Internet, the amount of time spent at that site and at each page, keywords entered at search engine sites, instant message contents, email contents, and so forth.

The monthly tsunami of data breaches proves that corporations, including ISPs, don't take data security seriously. It seems foolish to allow ISPs to collect and archive more personal data, only for them to later lose it or have it stolen, while consumers bare the credit monitoring and recovery costs. ISPs claim that they will anonymize the data to protect consumers' privacy, but don't offer any guarantees or methods for independent verification. There is no oversight planned, so there is no way for consumers to verify that ISPs would actually live up to their promises. And, there are no penalties for abuses.

ISP-based behavioral advertising would be a train wreck.

Sir Tim Berners-Lee, director of the World Wide Web Consortium, said this about ISPs and behavioral advertising:

"There should be no snooping on the Internet; it's the equivalent of wire tapping, or opening a person's mail... I'm here today to defend the integrity of the Internet."

The article covered the comments by other experts:

"Richard Clayton, treasurer for the Foundation for Information Policy Research, agreed that ISPs had no business in intercepting user communications, stating, "Providing better ads is not the role of the ISP. It's not lawful." Meanwhile, Jim Killock, executive director of the Open Rights Group, argued the practice would "undermine our confidence in governments to preserve our basic human rights..."

According to PCPro News, Berners-Lee's comments drew this response from Phorm's CEO:

"There have been a number of things said that patently misrepresent what we do," he argued. "We have the strongest privacy protection of everyone on the internet." He then went on to claim that the media wouldn't survive without the increased targeted-advertising revenue provided by services such as Phorm... Ertugrul then accused Berners-Lee of speaking from a position of ignorance, claiming the company had invited him to inspect its technology on several occasions, which he had declined."

A position of ignorance? Pleeze! Berners-Lee invented the Internet, without which Ertugrul wouldn't have a company. Ertugrul's response to Berners-Lee was just plain rude. What's is insulting is Ertugrul's claim that the media can't survive without behavioral advertising. Where's the proof? If anything, it is ISPs clamoring for behavioral advertising, not media companies.

The strongest privacy protection? Better than banks? I doubt it. If Phorm's privacy protection is so great, they should sell it to banks and financial services companies; both of whom have already experienced numerous data breaches here in the USA.

If ISP-based behavioral advertising concerns you (and I surely hope that it does), I encourage you to write to your elected officials in the USA and tell them, "no behavioral advertising for ISPs." Plus, there is two global Facebook groups you should join:

• Stop ISPs From Breaching Customers' Privacy!
• Facebook: Tell Phorm to Eph Off and Leave My Facebook Data Alone

Consumers Should Care What Personal Data Search Engines Collect

Prior posts covered behavioral advertising: opt-in versus opt-out system structure and notification issues, and the role of Internet Service Providers (ISPs). If you are new to the topic (or new to the Internet), there is a good primer article by CNN Money which highlights the issues consumers should know about search engines:

"Alone with just your computer screen, these searches can feel very private. But Google & Co. gather a lot of information about you as you surf, including the date and time for your search, your search terms, and your IP address, which is an 11-digit number that identifies your computer and, more important as far as advertisers are concerned, your location."

Internet users as young as teenagers need to know that:

"There are many free online tools, but they're not really free," explained Greg Conti, a professor of computer science at West Point and the author of Googling Security: How Much Does Google Know About You? "We end up paying for them with micro-payments of personal information..."

This is important because data breaches happen. Companies participating in targeted advertising will have consumers' data stolen or lost. It's important because consumers' privacy needs to by adequately protected:

"... Yahoo said it would keep personally-identifiable information in its database for no more than 90 days, down from 13 months previously... Google said it would keep your data for nine months instead of 18 months. Microsoft retains your information for 18 months... There are big differences, however, in the way that companies make user information anonymous. Google and Yahoo, for instance, block the last three digits, known in tech circles as the "last octet," of your IP address. Microsoft says it deletes the entire address."

Who knows what is really going on? The problem is: there isn't oversight. There isn't an independent audit. There is no way for consumers to know if the companies are honoring their data security as promised. This is critically important also because so much of consumers' sensitive personal data is outsourced overseas.

I am not saying that more government is the solution. Perhaps an an audit group partially funded by the search engine industry is the answer. Perhaps state and federal ID-theft legislation should be amended to require proper anonymizing of consumer data by search engines and other companies participating in targeted advertising. Perhaps amended FTC guidelines is the answer.

Whatever the solution, companies must protect consumers' personal data like nuclear fuel. What do you think?

FTC Revises Guidelines For Online Targeted Advertising

In February, the U.S. Federal Trade Commission (FTC) revised its guidelines for companies that wish to perform targeted advertising (a/k/a behavioral advertising or behavioral targeting) programs:

"... a report describing its ongoing examination of online behavioral advertising and setting forth revisions to proposed principles to govern self-regulatory efforts in this area. The key issue concerns how online advertisers can best protect consumers’ privacy while collecting information about their online activities."

In 2008, I wrote a series of blog posts about targeted advertising, the FTC's request for feedback from consumers, the role of ISPs, and associated privacy and data breach concerns. Since then, the FTC has modified slightly its guidelines in this latest report. I am following the FTC's actions on this topic because it must balance the needs of businesses against the data security needs of consumers. It's not just a privacy issue, but also a data security issue.

In its press release, the FTC said:

"... most of the public comments the FTC received concern the scope of the proposed principles. For example, commenters discussed whether it is necessary to provide privacy protections for data that is not personally identifiable. In response, the report states that privacy protections should cover any data that reasonably can be associated with a particular consumer or computer or other device."

So far, okay. There's more:

"... commenters questioned the need to apply the principles to (1) “first party” behavioral advertising, in which a Web site collects consumer information to deliver targeted advertising at its site, but does not share any of that information with third parties, and (2) contextual advertising, which targets advertisements based on the Web page a consumer is viewing or a search query the consumer has made, and involves little or no data storage. The report concludes that fewer privacy concerns may be associated with “first-party” and “contextual” advertising than with other behavioral advertising, and concludes that it is not necessary to include such advertising within the scope of the principles... however... companies must still comply with all applicable privacy laws..."

So far, okay. There's more:

"The report also provides additional guidance regarding each of the four principles and sets forth revised principles reflecting this guidance. The first principle – transparency and consumer control – remains unchanged... Web sites are expected to provide clear and prominent notice regarding behavioral advertising, as well as an easily accessible way for consumers to choose whether to have their information collected... privacy policies posted on companies’ Web sites often are long and difficult to understand, the report encourages firms to design creative and effective disclosure mechanisms... the report continues to urge companies to provide reasonable security for any data they collect for behavioral advertising and to retain data only as long as it is needed to fulfill a legitimate business or law enforcement need."

So far, okay. The guidelines that changed:

"... the report clarifies that its focus is on retroactive changes – for example, material changes to a privacy policy that affect information a company collected prior to the changes... some form of prominent notice and opt-out choice may be sufficient. Finally, due to the heightened privacy concerns raised by the collection and use of consumers’ sensitive data, the report continues to urge companies to obtain affirmative express consent before collecting such data for behavioral advertising."

The FTC is urging companies to use opt-in mechanisms and not opt-out mechanisms. That is, consumers only participate in a company's targeted advertising program after expressly opting into the program. Prior attempts by ISPs and others were automatic inclusion forcing consumers to opt-out. Opt-in is more consumer friendly and compatible. I wish that the FTC was stronger in its language. "Urge" does not seem compelling enoough. "Require" would have been far better.

Consumers interested in details should download the FTC report (PDF, 412k bytes).

SIMON Says... DON'T SPY!

On behalf of Susan Simon and other VisiNet customers, on February 27, 2009 two law firms have filed a class-action lawsuit against behavioral advertising (a/k/a targeted advertising) vendor Adzilla, Conducive Corporation (its parent company), CoreTel (a local telephone service), and several Internet Service Providers (ISPs) including Continental VisiNet Broadband. The lawsuit, brought in U.S. District Court in Northern California alleges that Adzilla violated consumers' privacy and data security rights:

"... by the undisclosed and unconsented to interception, Deep Packet Inspection and copying and/or alteration of their internet communications."

The suit also alledges that the above companies, acting as marketing affiliates,:

"... jointly and severally, engaged in a scheme to spy-for-profit on the internet communications of unwitting internet users."

This is particularly troubling since Adzilla couldn't have conducted this behavioral advertising program alone. It needed the detailed cooperation and collaboration with a local phone company and one or several ISPs:

"Deep Packet Inspection of internet communications accesses, acquires, and discloses sensitive information personal identifying information, personal information, and non-personal identifying information. The Deep Packet Inspection... was made possible through the utilization of an Adzilla device referred to as a “Zillacaster,” installed at either the ISP infrastructure, or at the Competitive Local Exchange Carrier infrastructure. All of this was accomplished without any notice to and without any consent obtained from the plaintiff or any ISP subscribers.

To me, Simon and the other affected VisiNet ISP customers must have felt like there were "mugged" by their ISPs. When Conducive bought Adzilla in 2006, Mediapost reported Adzilla's penetration into ISPs and advertisers as:

"... Conducive has signed up 16 ISPs to use the device, including regional ISPs like Champion and Millennium. Sixteen of the top 30 publishers by ad traffic have also been signed..."

To learn more, download a copy of the Adzilla complaint filed with the court. Late in 2008, Adzilla reportedly withdrew from marketing behavioral advertising programs in the U.S. due to the threat of legislation. Adzilla continues to market its services to companies in Asia.

ISPs occupy a unique position in the marketplace. Consumers need ISPs to access the Internet. An ISP with Deep Packet Inspection installed on its servers can monitor the following about its customers:

• Every web site visited
• Every page visited within a web site
• The time, date, and duration of the visits
• The search terms entered at search engines (e.g., Yahoo, Google, etc.)
• The text of e-mail, instant message, and Twitter messages consumers send

Consider the web sites you visit. Would you be comfortable knowing that other companies know ever site and web page you read online? That can include highly sensitive web sites for your doctor, your dentist, your child's school, medical resources (e.g., WebMD), health insurance, and so forth.

In my view (and hopefully your view, too), ISPs and advertisers do not have an automatic right to collect consumers' sensitive personal data. Companies need to know that they should and must gain consumers' express consent before they can collect and use this sensitive consumer data. This is based on trust, and a company that collects it without obtaining consumers' consent first is clearly untrustworthy.

I've blogged previously about behavioral advertising, and one thing that bothers me: companies and advertisers refuse to make the effort to prove to consumers first the benefit of contextual ads. Companies and advertisers can easily modify their web sites to provide a clear demonstration or tutorial about their targeted advertising program. This demo could show consumers what their online experience would be with and without contextual ads.

Why don't companies offer these demos? The race for revenues and profits. Maybe also laziness, or a feeling they can do it and get away with it. Instead, advertisers seem to take the easy way and install secretive targeted advertising programs. Maybe they fear that consumers won't agree to a targeted advertising program.

To me, it's important to hold ISPs, advertisers, and companies accountable when they abuse consumers' privacy and sensitive personal data. In this case, Adzilla and its affiliated ISPs weren't transparent. They allegedly conducted a behavioral advertising program without notifying consumers, without obtaining consumers' express consent, and without providing consumers with a mechanism to decline the program.

I watch the actions of ISPs and behavioral advertising companies also because data breaches happen. Companies must also make extra efforts to protect the sensitive consumer data collected in behavioral advertising programs. This sensitive data would be like gold in the hands of spammers, scammers, and identity thieves.

Thanks to Privacy Crusaders for acting again to protect the rights and interests of consumers!

Privacy Crusaders. What A Great Name!

Last year, I wrote a detailed series about targeted advertising (a/k/a behavioral advertising or behavioral targeting) programs and secret tests by Internet Service Providers (ISPs) who didn't inform their customers.

In a blog post earlier this month, the Online Communication blog discussed the class-action lawsuit against NebuAd and several ISPs, and called the plaintiffs and their attorneys "Privacy Crusaders." What a great name! And its a pretty accurate description, too.

I look forward to future actions by the Privacy Crusaders. If you want to learn more about the class-action lawsuit against NebuAd and several ISPs, read the complaint online.

Consumers Beware! Your ISP May Be Paid To Spy On You

The C/Net Digital Media blog reported:

"Jerry Scroggin, the owner of a Louisiana Internet Service Provider, says he's skeptical of a service that proposes to pay ISPs to police their networks for pirated music and movies... Scroggin argued that the Recording Industry Association of America (RIAA) should help pay the costs incurred when they ask ISPs to chase down suspected music pirates. Days after the story was published, antipiracy firm Nexicon contacted Scroggin about a plan to share money collected from accused file sharers with ISPs."

Previously, small mom-and-pop operated ISPS argued that they couldn't afford to perform the file-sharing policing work requested by the RIAA -- work which large ISPs could afford. So far, any policing work by ISPs has been free of charge. If the RIAA pays ISPs for this policing work, then that could represent a fundamental shift in getting ISPs to participate.

"Film studios and the major music labels frequently ask ISPs to crack down on copyright violators... Under the RIAA's new plan, ISPs would also be asked to suspend the accounts of chronic offenders. That means an ISP might be forced to wave bye-bye to paying customers without receiving any compensation. If ISPs could somehow be compensated, it might encourage them to become copyright enforcers."

For consumers who are wondering who Nexicon is and what they do:

"... tracks those people who infringe on intellectual property and sends take-down notices to their ISPs... As part of Nexicon's "Get Amnesty" service, the company tries to obtain fees from those it claims are guilty of violating copyright law. Nexicon sends e-mails to those accused notifying them that they must "settle" with the copyright owners, which typically means paying a fee. After opening the email, the infringer clicks a link to visit GetAmnesty.com, where they can settle their infringement to avoid legal action and receive a legal release from the copyright owner"... Nexicon then offers to help ISPs manage the take-down notices they receive from, well, Nexicon and competitors."

Well, this is just peachy. This represents another way for ISPs to make money besides monthly fees from their Internet subscribers. Last year, Congress uncovered behavioral advertising programs by ISPs who both didn't inform their customers and didn't provide their customers with opt-out mechanisms. And the near future may include money-making optons for ISPs by enforcing music copyright protection.

All of this is enough to make consumers wonder if their ISPs operate in their best interest. Consumers pay a monthly fee and expect, in return, that their ISP will meet their Internet-access and data security needs. If ISPs begin to make more money from file-sharing policing and behavioral advertising programs than from monthly Internet-access subscriptions, then the situation seems ripe for ISPs to stop meeting the needs of their paying consumer customers.

It's pretty clear that many ISPs want a share of the advertising dollars they seeing going to Google and to other advertising networks. Will this growth come at the expense of consumers' personal data? Some ISPs vow to do better, but will they?

Class-Action Lawsuit Filed Against Behavioral Advertising Vendor NebuAd

MediaPost reported this week:

"A group of 15 Web users filed a lawsuit Monday against behavioral targeting company NebuAd and six Internet service providers that tested the company's platform. The lawsuit, brought in federal district court in San Jose, Calif., alleges that NebuAd's platform violated Web users' privacy."

If you have been reading this blog, then you are aware of the problems and privacy violations with behavioral advertising (a/k/a behavioral targeting). Several Internet Service Providers (ISPs) have tested this new technology without informing their customers or getting their permission. Some of this was revealed during testimony before Congress. And, the FTC seems to advocate more for companies than for consumers' privacy concerns. Earlier this year, a survey found many adults uncomfortable with behavioral advertising.

The new technology, Deep Packet Inspection, is installed on the ISP vendor's computers and literally tracks every site, every site page, and every search the consumer visits or performs:

"The collection of data by the NebuAd device was wholesale and all-encompassing," the lawsuit alleges. "Like a vacuum cleaner, everything passing through the pipe of the consumer's internet connection was sucked up, copied, and forwarded to the California processing center. Regardless of any representations to the contrary--all data--whether sensitive, financial, personal, private, complete with all identifying information, and all personally identifying information, was recorded and transmitted to the California NebuAd facility."

All of this sensitive data any ISP -- intentionally or accidentally -- can easily match to a user's IP address (e.g., the string of unique digits that define each user's computer location on the Internet). ISPs view behavioral advertising as a new and lucrative revenue stream, which they desperately want a piece of.

Some ISPs have already tested the new technology without their customers' explicit consent:

"Congress held hearings this summer after learning of NebuAd's platform. As part of its investigation, the House Energy and Commerce Committee sent letters to 29 Internet service providers, asking if they had worked with the company. The six Internet service providers named in the lawsuit all answered that they had tested NebuAd's platform. One of the companies, the Washington Post Company's Cable One, acknowledged that it did not notify customers about the NebuAd test or allow them to opt out."

As a result, in their rush to make money NebuAd, Bresnan Communications, Cable One, CenturyTel, Embarq, Knology, and ISPs have already earned consumers' mistrust... and this resulting class-action lawsuit. Moreover, this sensitive personal data can be hacked or stolen like any other data. So far, ISPs and NebuAd haven't given any reassurances about effective data security methods.

If this abuse of privacy bothers you (and I sincerely hope that it does), I encourage you to write to your elected Congressional representatives and demand strict legislation regarding behavioral advertising: an opt-in basis, explicit consent, easily understandable opt-in and consent, data security, notification to consumers of data shared to specific vendors.

AT&T Promises To Do ISP-Based Behavioral Advertising 'The Right Way'

The Congressional Committee on Energy and Consumer Privacy began investigating the behavioral advertising activities of Internet Service Providers (ISPs) after reports surfaced that ISPs were selling consumers' data to third-party tracking companies. The Committee sent letters to 33 telecommunications companies inquiring about ISP-based behavioral advertising programs.

I've focused on the letter from AT&T for several reasons. First, I have local, long distance, and wireless phone service with AT&T. Second, AT&T is a major player in the telecommunications sector. Third, when I worked at Digitas LLC, AT&T was one of the clients I performed online web site project work for over several years.

I encourage consumers to read the response letter from the company you do business with. At some future date, it may be appropriate to switch service providers if they implement behavioral advertising in an inappropriate or consumer-unfriendly way.

The response from AT&T about ISP-based behavioral advertising, included the following:

"AT&T does not engage in the behavioral advertising that is the focus of your inquiry, specifically the tracking of a consumer's overall web search and web browsing activities -- by tracking either the person or a particular computer -- to create a distinct profile of the consumer's online behavior... We are aware that certain companies have conducted trials of next-generation behavioral advertising technologies and techniques. AT&T has not conducted any such trials."

More importantly:

"But because Overall Behavioral Targeted Advertising goes beyond the simple practice of "targeting" limited to a consumer's use of individual or related web sites,and involves the more invisible practice of tracking consumer activity across countless unrelated web sites, it has unique implications for consumer privacy. For these reasons, if AT&T deploys these technologies and processes, and we have yet to do so, it will do so in the right way, after full and careful consideration of the relevant issues, and with a particular focus on what we believe are the pillars of any business practices that involve customer information:

(1) give consumers control over the use of their information;

(2) ensure transparency;

(3) protect consumers' privacy; and

(4) give consumers value."

These four principles are an excellent start for ISP-based behavioral advertising (and apply to web browser cookie-based behavioral advertising). They are consumer-friendly and provide a good foundation. I wish that AT&T's statement included principles about data security, and the company's arrangements with third-party vendors and outsourcing. Then, it would habe been a complete list of principles.

I was curious about AT&T's reply letter since AT&T operates ISP services through multiple entities depending upon where in the USA the consumer lives: DSL service, dial-up Internet services, satellite Internet service, and fiber-to-the-home Internet and TV service. The service AT&T provides varies based on whether the consumer lives within a state that historically was served by BellSouth or SBC, since AT&T acquired both companies during the past decade. AT&T's response would have been more transparent and accurate if its response letter had disclosed these multiple ISP entities. Given this patchwork-quilt of services, any behavioral advertising opt-in (or opt-out) mechanism for consumers is even more critical.

We shall see if AT&T honors its promise and all four of the above principles. I hope so and expect them to. I hope that other companies and the FTC follow AT&T's lead.

ISPs Begin To Spy And Abuse Consumer Privacy

Do you see the emerging trend in consumer privacy abuses?

Last month, I reported about how the Internet Service Provider (ISP) Embarq secretly spied upon and never notified its Kansas customers during a test of its behavioral advertising program. Consumers never had a chance to opt out of the behavioral advertising program.

Now, it appears that another ISP in the USA has made the same consumer privacy mistake, and probably broke several laws. According to the Silicon Valley Insider, the Washington Post's Cable One service secretly spied on its customers:

"In a response to a House query, [Washington Post] unit Cable One admitted it collected data on 14,000 subscribers in Anniston, Ala. for 180 days in order to serve targeted advertising. And no, they didn't ask for consent, but argued that customers "opted in to our monitoring of their Internet usage ... when they agreed to our Acceptable Use Policy." In other words, when they signed up for service."

How slimy and dishonest! Cable One didn't bother to offer consumers either opt-in or opt-out mechanisms. Instead, Cable One tries to hide behind the lame excuse that signing up for their service is consent enough. According to Media Post:

"Cable One justified the failure to let users opt out by saying that subscribers knew the company might spy on their Web activity when they signed up for broadband because the acceptable use policy mentions that the company may occasionally monitor "bandwidth, usage, and content." Of course, even if it's true that subscribers read the fine print in the acceptable use agreement and knew that Cable One might be watching them online, they still didn't know that Cable One would sell their clickstream data to NebuAd. And, even more important, they had no way to opt out of it."

Company executives need to go to jail when they do this. Fines are not enough. Sadly, the Silicon Valley Insider reported that this may be the tip of the iceberg:

"Congressmen John Dingell (D-Mich), Joe Barton (R-Tex) and Cliff Stearns (R-Fla.) and Ed Markey (D-Mass.) sent letters to 33 broadband providers last month asking about their ad-targeting techniques. So far, Charter Communications (CHTR) and former Sprint (S) unit Embarq (EQ) have copped to using NebuAd."

You can read here the replies the Congressional committee has received.

What is it that allows companies to arrogantly treat consumers' personal data like they own it... without giving consumers any notices? Is a general attitude among executives within telecommunications companies? Is it an assessment that they can likely get away with it? Or, is this a result of the spying immunity Congress gave phone companies earlier this year?

Notification of the test and an "opt-in" system default would have been appropriate for these behavioral advertising tests. If behavioral advertising delivers the promised benefits to consumers (e.g., relelvant advertising), then tell consumers! Otherwise, it is just a rush by ISPs to make money and ignore consumer privacy.

An opt-in approach is convenient, since consumers are already trained to remember which web sites they have registered (or opted in) at. This is not difficult. Consumers have been registering at web sites since the mid-1990's.

Why the fuss about behavioral advertising? First, there is the abuse of consumer privacy. Companies have to tell consumers when they perform behavioral advertising and provide an opt-in mechanism, regardless of the indefensible position the FTC has taken to facilitate this rush.

Second, the steady monthly volume of corporate data breaches, which are driven by corporate carelessness and incompetence, mean that companies will lose or have stolen behavioral advertising data. Data that is lost, stolen, or hacked can be abused. Behavioral advertising data includes the sites you visit, the keyword searches you submit at search engine web sites, and the specific site pages you visit at sites that are members of the advertising network -- all highly personal data. Companies must state to consumers how they will protect data collected by behavioral advertising programs.

These behavioral advertising program tests without notifying consumers and without providing consumers with opt-in mechanism, are examples of the current imbalance or "tilt in the playing field" in U.S. commerce, which I wish more consumers recognized. A better balance can and must be achieved between the needs of corporations and the needs of consumers.

In the soon-to-be-released book, Age of Conversation 2008, I wrote a chapter about behavioral advertising as one of the key emerging issues and challenges this year. It appears that ISPs are proving me correct.

Thanks to Congressional representatives for investigating this so far. I encourage you to write to your Congressional representatives today. Demand investigations by Congress and enforcement of consumer privacy laws. Demand that any data collected already from behavioral advertising tests be destroyed.