Harris Interactive: Most U.S. Adults Uncomfortable With Web Sites That Customize Content Based On Visitors' Personal Profiles

If you have followed the prior posts on behavioral targeting (a/k/a behavioral advertising), then I think that you, too, will find the results of this recent Harris Interactive poll very interesting:

"A majority of U.S. adults are skeptical about the practice of websites using information about a person's online activity to customize website content. However, after being introduced to four potential recommendations for improving websites privacy and security polices, U.S. adults become somewhat more comfortable with the websites use of personal information."

The nationwide survey included 2,513 U.S. adults, and was performed between March 11 and 18, 2008 by Harris Interactive, in collaboration with Dr. Alan F. Westin, Professor of Public Law and Government Emeritus at Columbia University, Principal of the Privacy Consulting Group. Additional key findings:

"A six in ten majority (59%) are not comfortable when websites like Google, Yahoo! and Microsoft (MSN) use information about a person's online activity to tailor advertisements or content based on a person's hobbies or interests. A quarter (25%) is not at all comfortable and 34 percent are not very comfortable..."

Westin and the researchers reported:

"Websites pursuing customized or behavioral marketing maintain that the benefits to online users that advertising revenues make possible -- such as free emails or free searches and potential lessening of irrelevant ads -- should persuade most online users that this is a good tradeoff. Though our question flagged this position, 59 percent of current online users clearly do not accept it."

Ha! Good for consumers! The promise of free content and only relevant ads isn't the strong magnet that companies and advertisers would like to believe. Plus, after showing the survey participants a list of potential policy and security policies, based on self-regulatory guidelines by the FTC, the adults changed their opinions slightly:

• "By 55 to 45 percent, a majority of U.S. adults indicates that they would be more comfortable with companies using information about a person's online activities to provide customized advertising or content;
• Interestingly, once the privacy/security policies were presented the percentages of those who are very comfortable increases only very slightly to 9 percent from 7 percent. The percentage who are somewhat comfortable given the privacy/security policies increases more significantly to 46 percent from 34 percent;
• Similarly, those who are not at all comfortable decline to 19 percent from 25 percent, and those who are not very comfortable decline to 26 percent from 34 percent."

Adult consumers are beginning to place a higher value on their personal data, combined with an approach that companies must first earn their trust before sharing confidential personal data. I encourage you to read the complete Harris Interactive press release.

Behavioral Advertising: What Consumers Must Do (Part Four)

Monday's post discussed the benefits of behavioral advertising, and the proposed rules by the FTC. Tuesday's post listed the leading companies that collect consumer data for behavioral advertising. Wednesday's post discussed the growing role of ISPs in behavioral advertising and the new technologies being deployed.

So, what next?

For me, my first concern is data security. 2007 was a record year for corporate data breaches. The number of incidents rose 40% -- where companies either "lost" or had stolen records about their employees, former employees, retirees, contractors, and/or customers. And this includes data only from the data breach incidents we know about. It does not include incidents from companies in states that lack breach notification laws. It does not include incidents of identity fraud during a crime.

From InformationWeek:

"In its December 24 report, the ITRC said that there were publicly reported 443 breaches in the U.S. in 2007. In 2006, the ITRC identified 315 publicized breaches. Some 127 million data records were exposed during 2007. In 2006, nearly 20 million records were exposed. In 2005, there were 158 breaches reported involving about 65 million records."

And some of these data breaches have already included ISPs, like AOL; and major advertisers, like TJ Maxx, AIG Insurance, and IBM.

Given this lousy track record of data security, I fully expect companies to continue to "lose" -- and criminals to continue to steal -- confidential data via data breaches. Why? Nothing has changed to alter past history. There is a lack of government oversight. There are no substantial penalties. And many companies just don't provide good data security.

This means that many of the future data breaches will include consumers' sensitive data collected during behavioral advertising programs. Given this, it seems sensible for the FTC to craft behavioral advertising rules that acknowledge poor corporate data security:

• For behavioral advertising/targeting programs, companies (including advertisers and ISPs) should include the default as all consumers opted out. Consumers should be given the option to opt-in to a companies behavioral advertising program
• The behavioral advertising rules for companies, advertisers, and ISPs must specify an exhaustive list of consumer data that's collectible and sensitive personal data excluded
• Web sites designed for primarily for children (e.g., age 17 and under) should be excluded from any and all behavioral advertising. Children don't have the means to handle opt-in/out for behavioral advertising programs. Ideally, parental controls software should provide parents with the tools to prevent opt-in by their children at all children's web sites
• There must be clear, minimum standards for companies for data security of the personal data collected for behavioral advertising programs
• There must be specific time limits for how long companies can archive personal data collected for behavioral targeting. "Forever" is not an acceptable answer. Consumer data should be purged at three (3) year intervals
• There must be specific rules for ISPs, since ISPs have a unique position providing Internet access for consumers. ISPs must treat their members' IP Address as sensitive  personal data similar to a Social Security Number or e-mail address. ISPs should never match personal-identifying data (e.g., name, address, phone #, e-mail address, cell #, fax #, SS#, birth date, driver's license #, etc.) to behavioral advertising data
• The rules must include timely disclosure to consumers when a company, advertiser, and ISP: a) starts a behavioral advertising program; b) modifies an existing behavioral advertising program; c) trades behavioral advertising data with other companies; and d) merges or acquires other companies, within the USA or globally. These rules must apply to the entire company, not just its US-based divisions. It should also apply to business units, divisions, contractors, or outsourcing firms based outside the USA
• Medical data should be excluded from all behavioral advertising programs for a couple reasons. First, many consumers consider this highly sensitive data not to be shared under any circumstances. Second, let's "walk first before we run." That is, let's see how behavioral advertising performs with other types of available consumer data first, before deciding whether to extend it to medical information
• All advertisers, companies, and ISPs must disclose to consumer their behavioral advertising program in both their web site legal "Privacy" or "Terms and Conditions" pages, and via print materials (similar to the way companies today provide consumers with a revised Privacy Policy every time this document changes).
• The FTC must publish a clear, detailed plan about how it will implement oversight to monitor compliance and penalize violators
• The behavioral advertising rules must include clear, strong penalties for companies, ISPs, advertisers, and their senior executives for violators. I'd like to see fines starting at $10,000 per consumer record and jail time for fines exceeding $250k
• Violators (e.g., companies, ISPs, and advertisers) must provide consumers with ten (10) years of free credit monitoring and credit restoration after a data breach

Why these rule amendments? If you have read the I've Been Mugged blog, then you know about the issues related to data breaches, data security, and corporate responsibility. Unfortunately, the American business is heavily tilted towards companies making money with consumers' personal data, and tilted away from strong protections for consumers when companies suffer a data breach. I'm concerned that behavioral advertising will make this worse.

All of the above rule amendments address the corporate data breach problems I've experienced. The rule amendments allow companies to profit from behavioral advertising and hold these companies accountable when they don't provide the data security programs they should.

For me personally, the assumed benefits of behavioral advertising (e.g., free content, relevant ads, personalized ads, and a promised reduction in the number of ads) do not outweigh the privacy I would give up. Maybe the benefits are enough for you, but they aren't enough for me. Where I surf on the Internet is my business unless I decide explicitly to tell somebody else.

If you feel the same or different, share your comments below. I'd love to hear why you feel the way you do. If you have sent feedback to the FTC, share that too.

As I mentioned before, the FTC seeks comments from the public (that's us consumers!) about its proposed behavioral advertising rules. The FTC has extended the deadline for submissions to April 11, 2008. Comments can include any concerns you have, changes you fell are necessary to the FTC's proposed rules, the types of consumers' personal data you believe should be considered sensitive, and anything else you feel is relevant. See Monday's post for the specific types of feedback the FTC seeks.

You should send comments and feedback to the FTC at:
Secretary
Federal Trade Commission
Room H-135 (Annex N)
600 Pennsylvania Avenue, NW
Washington, DC 20580

Or, you can also submit comments and feedback to the FTC online via BehavioralMarketingPrinciples@ftc.gov. Some public comments are already available for viewing online at the FTC web site.

Behavioral Advertising: The Role Of Internet Service Providers (Part Three)

Monday's post discussed the benefits of behavioral advertising, and the proposed rules by the FTC. Tuesday's post listed the leading companies that collect consumer data for behavioral advertising.

In December 2007, the Wall Street Journal profiled CenturyTel Inc., a Louisiana phone company, and its attempt to enter the Internet Service Provider (ISP) business. Along the way, CenturyTel decided to also enter the online advertising business:

"The technology it's using could change the way the $16.9 billion Internet ad market works, bringing in a host of new players -- and giving consumers fresh concerns about their privacy. CenturyTel's system allows it to observe and analyze the online activities of its Internet customers, keeping tabs on every Web site they visit. The equipment is made by a Silicon Valley start-up called NebuAd Inc. and installed right into the phone company's network."

Pretty soon, advertisers will no longer need to install software or use the HTTPs cookies file on consumers' computers to perform behavioral advertising (a/k/a behavioral targeting). Instead, they can get all the consumer data they'd ever want from ISPs -- who are happy to install the behavioral targeting software and equipment on their servers for a piece of the new revenue stream. How it will work:

"NebuAd takes the information it collects and offers advertisers the chance to place online ads targeted to individual consumers. NebuAd and CenturyTel get paid whenever a consumer clicks on an ad."

The description of the new server software and equipment:

"The newer form of behavioral targeting involves placing gear called "deep-packet inspection boxes" inside an Internet provider's network of pipes and wires. Instead of observing only a select number of Web sites, these boxes can track all of the sites a consumer visits, and deliver far more detailed information to potential advertisers."

Companies already see the new revenue opportunity:

"... new companies are rushing in. Both wireless and wireline Internet-access providers such as CenturyTel, Rochester Telecom Systems Inc. and Embarq Communications Inc., among others, have entered the advertising gold rush. And they've tapped Internet equipment companies like NebuAd, Front Porch Inc., and Phorm Inc. to provide the gear to help them along."

Well, this is just peachy. Every ISP knows a lot about its subscribers... personally identifiable information such as name, address, birth date, phone, credit card, e-mail address, IP address, and in some cases Social Security Number. It doesn't take much effort to match this personally-identifiable data to a subscriber's web surfing activity.

This new technology fundamentally changes the relationship between ISPs and their subscribers. As ISPs get more or most of their revenue from advertising, and a decreasing amount from subscribers' fees, it logical to question whether ISPs will continue to operate in the best interests of consumers. In a weird way, ISPs can now make (a lot of) money through surveillance.

This makes it more important now for consumers to express their privacy and data security concerns. It is reasonable for consumers to demand legislation requiring ISPs to provide clear, easy, free, opt-in mechanisms for consumers who wish to participate in that ISP's behavioral advertising program.

Now is also an opportunity for consumers to specify the data they consider sensitive and should be excluded from any ISP behavioral advertising programs. See these prior posts about why consumers' IP addresses should be considered sensitive personal data, and why consumers' personal data should be treated (and protected) like nuclear fuel.

Behavioral Advertising: Leading Collectors of Consumer Data (Part Two)

Yesterday's post was the first in a series. Today's post looks at how much data selected companies already collect about consumers. From yesterday's New York Times:

Behavioral Advertising: What It Is And The Proposed FTC Rules (Part One)

This is a subject I probably should have written about sooner. On November 1 and 2, 2007, the FTC hosted a conference entitled “Ehavioral Advertising: Tracking, Targeting, and Technology.” The event included consumer advocates, industry representatives, technology experts, and academics to address consumer protection issues.

In December 2007, the U.S. Federal Trade Commission (FTC) released its proposed rules document for companies who wish to engage in behavioral advertising (also called behavioral targeting). I am not discussing in this post whether or not behavioral advertising works. There are several case studies where companies have evaluated how best to perform behavioral advertising. Rather, this post explores some of the consumer privacy and data security issues.

When you visit web sites today, many companies display ads related to the content of the site pages you view. Some companies include software that saves information to the HTTP cookies file on your computer, which is used by your web browser software. We consumers have the choice about how we surf the web. You can set your web browser software to accept or prohibit web sites from accessing the HTTP cookie file. It's been this way for many years.

Behavioral advertising is not new. A few companies and newspapers have used behavioral targeting for years. Of course, there also are advertising networks which focus on behavioral targeting, including NebuAd's offering for ISPs. You can read several blogs about behavioral advertising.

Previously, companies have used behavioral advertising based on the pages you visit within a single web site. What's changing is that companies plan to use behavioral advertising based on both the pages you visit within a single web site (e.g., On-site targeting) and across several web sites (e.g., Network targeting), plus the search keywords you enter at search engine web sites.

So participants at the above conference discussed with the FTC possible rules to keep things manageable. In its proposed rules document, the FTC defined behavioral advertising as:

"... the tracking of a consumer’s activities online – including the searches the consumer has conducted, the web pages visited, and the content viewed – in order to deliver advertising targeted to the individual consumer’s interests."

In my opinion, the Decision Science News blog offers a better definition:

"Behavioral Targeting is the ability to deliver ads to consumers based upon their recent behavior viewing web pages, shopping online for products and services, typing keywords into a search engine or a combination of all three. 'Interest-Based Targeting allows large-brand advertisers… to target more precisely the audience they are trying to reach with the message they are trying to convey'..."

In its proposed rules document, the FTC described the benefits as:

"... behavioral advertising provides benefits to consumers in the form of free web content and personalized ads that many consumers value... The benefits include, for example, access to newspapers and information from around the world, provided free because it is subsidized by online advertising; tailored ads that facilitate comparison shopping for the specific products that consumers want; and, potentially, a reduction in ads that are irrelevant to consumers’ interests and that may therefore be unwelcome."

The FTC proposed several rules to solve several concerns:

Concern	Proposed FTC Rule
1. Transparency and consumer control: many criticize existing disclosures as difficult to understand, inaccessible, and overly technical and long. They also stated that, with clearer disclosures, consumers can make more informed decisions about whether or not they want personalized advertising or, alternatively, whether they would prefer not to do business at particular websites.	Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option.
2a. Reasonable security, and limited data retention, for consumer data: many expressed concerns that data collected for behavioral advertising may not be adequately secured and could find its way into the hands of criminals or other wrongdoers.	Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with the data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company.
2b. Reasonable security, and limited data retention, for consumer data: many expressed concerns about the length of time that companies retain consumer data collected for behavioral advertising. The longer that data is stored in company databases, the greater the risks to the data.	Companies should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need. FTC staff commends recent efforts by some industry members to reduce the time period for which they are retaining data. However, FTC staff seeks comment on whether companies can and should reduce their retention periods further.
3. Affirmative express consent for material changes to existing privacy promises: the privacy policy – a set of commitments about how information is handled – not only is an important tool for providing information to consumers, but also serves to promote accountability among businesses.	A company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.
4. Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising: the use of sensitive data (for example, information about health conditions, sexual orientation, or children’s activities online) to target advertising, particularly when the data can be traced back to a particular individual. They state that consumers may not welcome such advertising even if the information is not personally identifiable; they may view it as invasive or, in a household where multiple users access one computer, it may reveal confidential information about an individual to other members.	Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising. FTC staff seeks specific input on (1) what classes of information should be considered sensitive, and (2) whether using sensitive data for behavioral targeting should not be permitted, rather than subject to consumer choice.
Using tracking data for purposes other than behavioral advertising: consumer tracking data collected and stored for behavioral advertising could be used for other potentially harmful purposes. To the extent that the collection of data for behavioral advertising is invisible to consumers, such secondary uses of the data may be especially so.	FTC staff seeks additional information about the potential uses of tracking data beyond behavioral advertising and, in particular: (1) which secondary uses raise concerns, (2) whether companies are in fact using data for these secondary purposes, (3) whether the concerns about secondary uses are limited to the use of personally identifiable data or also extend to non-personally identifiable data, and (4) whether secondary uses, if they occur, merit some form of heightened protection.

The FTC has extended the deadline for submissions to April 11, 2008. Comments can include any concerns you have, changes you feel are necessary to the proposed FTC rules, the types of consumers' personal data you believe should be considered sensitive, and anything else you feel is relevant. Send your comments to the FTC at:
Secretary
Federal Trade Commission
Room H-135 (Annex N)
600 Pennsylvania Avenue, NW
Washington, DC 20580

You can also submit comments to the FTC online via BehavioralMarketingPrinciples@ftc.gov. Some public comments are already available online at the FTC web site.