84 posts categorized "Behavioral Advertising"

Uber: Its Labor Ruling In California, Lawsuits, And Privacy Concerns

During June, Uber, the ride-sharing company, has been in the news for a variety of reasons. Many consumers like the ride-sharing service as an alternative to traditional taxi cabs. Uber is one of the largest ride-sharing services with about 8 million users worldwide and 160,000 drivers in the United States.

First, in March the State of California Labor Commission ruled that Uber drivers are employees and not independent contractors, as the company claimed. The ruling became public after the company appealed the original decision. In the original complaint, an Uber driver filed a claim for reimbursement of $4,152.00 of expenses.

The issues are worth noting. Time reported:

"... the ruling is non-binding, has no legal bearing on any other drivers, and won’t force any money to change hands. But Uber’s decision to appeal will now move the fight to California’s court system where — along with several similar lawsuits pending in the state..."

One of several pending lawsuits:

"Uber has essentially shifted to its workers all the costs of running a business, the costs of owning a car, maintaining a car, paying for gas,” says Shannon Liss-Riordan, a Boston-based attorney who has a class-action case pending against Uber in California federal court. “Uber has saved massive amounts …. It’s important that the labor laws be enforced so that the companies can’t take advantage of workers that way. Uber’s a $50-billion company and I think it can afford to bear the responsibilities of an employer...”

Second, a new Uber policy bans firearms in its vehicles. KRJH in Tulsa, Oklahoma reported:

"Uber drivers and passengers have to follow a new company policy. Uber has banned all firearms from any vehicle used for its service. The policy comes two months after an Uber driver shot a man who was firing into a crowd of people in a Chicago neighborhood. The Uber driver had a concealed carry license and was not charged with a crime, but it raised the question of safety and comfort for its drivers and riders."

Third, the Electronic Privacy Rights Center (EPIC) has filed a complaint with the U.S. Federal Trade Commission (FTC) about Uber's upcoming privacy policy amendments to both collect more data about its customers and to track customers. Uber's new Privacy Policy goes into effect on July 15:

"Location Information: When you use the Services for transportation or delivery, we collect precise location data about the trip from the Uber app used by the Driver. If you permit the Uber app to access location services through the permission system used by your mobile operating system (“platform”), we may also collect the precise location of your device when the app is running in the foreground or background. We may also derive your approximate location from your IP address."

"Contacts Information: If you permit the Uber app to access the address book on your device through the permission system used by your mobile platform, we may access and store names and contact information from your address book to facilitate social interactions through our Services and for other purposes described in this Statement or at the time of consent or collection."

The sharing of customers' information by Uber seems extensive:

"We may share your information: With Uber subsidiaries and affiliated entities that provide services or conduct data processing on our behalf, or for data centralization and / or logistics purposes; With vendors, consultants, marketing partners, and other service providers who need access to such information to carry out work on our behalf; In response to a request for information by a competent authority if we believe disclosure is in accordance with, or is otherwise required by, any applicable law, regulation, or legal process; With law enforcement officials, government authorities, or other third parties if we believe your actions are inconsistent with our User agreements, Terms of Service, or policies, or to protect the rights, property, or safety of Uber or others; In connection with, or during negotiations of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or into another company..."

Words to focus upon include vendors, consultants, marketing partners, and other service providers. That can include a lot of companies anywhere. Note: that sharing is in addition to any sharing you may perform with social networking sites.

You may remember that ethics and privacy issues surfaced after news reports in 2014 about Uber allegedly using customer and tracking data it collected to target journalists critical of the service.

The EPIC complaint filed with the FTC (Adobe PDF) stated:

"19. Uber will also collect precise location information if the app is operating in the background. On phones running iOS, this means that Uber may be able collect location data even after an app has been terminated by the user."

"20. Even if a user disables the GPS location services on their phone, the company may still derive approximate location from riders’ IP addresses."

"21. This collection of user’s information far exceeds what customers expect from the transportation service. Users would not expect the company to collect location information when customers are not actively using the app, or have turned off their GPS location finder (as Uber can still collect location information through the phones’ IP addresses)..."

"24. Uber claims that it will allow users to opt-out of these features. However, this change in business practices places an unreasonable burden on consumers and is not easy to exercise: while iOS users can later disable the contact syncing option by changing the contacts setting on their mobile devices, the Android platform does not provide any such setting..."

"31. Job interviewees have been granted provisional access all the customer location data available to full-time employees, allowing non-Uber employees to temporarily track any customer. One such interviewee was granted this access for an entire day, even after the job interview ended. He admitted using the database to search records of people he knew, including politician’s relatives."

Based upon the new privacy policy, the tracking and data collection seems very invasive since it will also occur when customers aren't using the service. It seems invasive because the address book collection includes people who aren't Uber customers, didn't agree to the data collection, can't opt out of the collection, and have no control over how their contact information is used. Based upon the company's history, Uber executives seem to play fast and loose with consumers' personal private information.

If you don't like the privacy invasion, there are several resources online about how to cancel and delete your Uber account: C/Net, Reddit, and wikiHow.

What are your opinions of Uber's new privacy policy?


Epic Facebook Privacy Fail

A friend, who shall remain anonymous, posted the following photo on their Facebook timeline:

Facebook ad requesting your household income

Along with the image, my friend posted this status message:

"So this appeared in my right-hand rail. Seriously Facebook, are you tripping? Why would I give you information about my household income? Because I'm so sure you won't abuse the information?"

This is highly confidential information. Does Facebook need to know it? Does Facebook deserve to know it? I wouldn't share this data with them, and neither should you.

After a long, hearty laugh, there wasn't much I could add to this status message. Lots of businesses, including credit reporting agencies, want access to your Facebook timeline (for applications you never intended). In its rush to make money, Facebook has had so many privacy intrusions, snafus, data collection tools masquerading as fitness apps, and failures, that my friend summarized it all concisely.

I did post this comment:

"Epic Facebook privacy fail."


Pew Research Reviews Key Statistics From 2014

Pew Research published 14 statistics from 2014 that it views as noteworthy. I found several items from the list particularly interesting.

First, privacy is still a problem. A clear majority of American adult consumers -- 91 percent responded "agree" or "strongly agree" -- believe that they have lost control of how their personal information is collected and used by private companies.

Second, a clear majority -- 80% -- said they agree or strongly agree that Americans should be concerned about government monitoring of e-mail messages and Internet usage.

Third, since 2006 more Americans highly value Internet access and their mobile phones, compared to other devices.

You can bet that Internet service providers are aware of this, and will price their services accordingly.


Digital Advertising Firm Pays $750K To Settle Online Privacy Abuses

Six state attorneys general, including Illinois Attorney General Lisa Madigan, announced a $750,000 settlement with Pointroll, a digital advertising firm, after investigations for privacy violations. The Illinois AG announced:

"... Madigan and her counterparts from five other states alleged that PointRoll unlawfully deployed a browser circumvention technique that allowed it to place browser cookies on consumers’ Safari web browsers despite privacy settings configured to “block cookies from third-parties and advertisers” or alternatively set to “accept cookies” from “visited sites” (for Safari browsers on Apple iPhones and iPads) between December 13, 2011, and February 15, 2012."

Browser cookie files, often referred to as "cookies," are small text files web browsers create, update, and save to users' computers. These files allow advertisers to gather information about users' online habits, often including the sites they visit online. Pointroll is owned by the Gannett Corporation.

The settlement agreement requires Pointroll to respect and comply with consumers' cookie-blocking choices, provide prominent Privacy Policy buttons with links to complete policies on any websites it operates, and to implement a privacy program within six months that trains its employees about consumer privacy and how to maintain it. That program must include yearly assessments and make ongoing changes as needed. Additional terms of the settlement:

  • "Never misrepresent or omit material facts concerning the purposes for which it collects and uses consumer information, or the extent to which consumers may exercise control over the collection, disclosure or use of such information.
  • Ensure that its servers are configured to instruct Safari web browsers to expire any cookie placed by PointRoll using its browser circumvention technique, if those systems encounter such a cookie, for a period of two years.
  • Cooperate with compliance monitoring by the participating states, including providing a written report that describes PointRoll’s compliance with the privacy program requirement and allowing the inspection and copying of all records that may be required to verify compliance."

Besides Illinois, the states involved in the settlement include Connecticut ($110,000), Florida, Maryland ($110,000), New Jersey ($200,000), and New York ($110,000). The Connecticut Attorney General's announcement included a statement by the state's Consumer Protection Commissioner, William M. Rubenstein:

"Brazenly disregarding consumer preferences is an unwise business practice that borders on unethical conduct... We applaud New Jersey’s leadership in the investigation and negotiation with PointRoll and we will continue to uphold Connecticut consumers’ right to choose.”

Borders on unethical conduct? The settlement terms are pretty standard stuff (e.g., requires Pointroll to respect and comply with users' browser settings to block cookies, train employees, submit to annual assessments, and prominently display buttons with links to privacy-policies on its websites). That the firm had to be forced to do this makes one wonder what Pointroll's internal company culture is regarding ethics and privacy. It makes one wonder how trustworthy, or not, the executives at Pointroll are. Are executives at Gannett paying attention?

Readers of this blog know that advertisers have used a variety of technologies (e.g., browser cookies, "zombie cookies," Flash cookies, "super cookies," etags) to ignore and circumvent consumers' explicit decisions and web browser settings not to be tracked online. I congratulate the six attorneys general and their staff for protecting and enforcing consumers' privacy.

What are your opinions of this settlement agreement?


I Stopped "Liking" Things For Two Weeks. How My Facebook Experience Changed

In August, Mat Honan wrote an interesting article in Wired about his social networking experiment. He clicked on all Facebook's "Like" buttons everywhere for two days. It ruined his life. Then, Elan Morgan wrote in Medium about a similar experiment. He didn't click on any Facebook "Like" buttons for two straight weeks. Being curious, I decided to perform my own experiment.

Like Morgan, I decided not to click on any Facebook "Like" buttons for two weeks. That meant avoiding both buttons on posts and links in comments. It also meant not clicking on any "Like" buttons on Websites around the Internet that displayed them.

I use Facebook for personal posts, and to supplement this blog since many readers use Facebook. So, for my experiment I also decided not to click on any "Like" buttons nor links on the I've Been Mugged page on Facebook.

To start, I announced my experiment to my Facebook "friends," which includes friends, acquaintances, family, coworkers, former classmates, and former coworkers. An announcement seemed wise since some of them pursue "Likes" passionately. Many of those former coworkers also work in the digital advertising industry. I asked for their understanding and patience during my informal week-long experiment. My August 17 status message on Facebook:

"Notice for all my Facebook friends: during the next week, I will perform an experiment on Facebook by NOT clicking on any "Like" buttons on posts, comments, photos, videos, and pages. I want to see how this changes my experience with Facebook. You'll probably see me write comments more. So, you have been warned. Please don't feel offended."

Nobody complained. Several wrote comments, which included predictions:

"You will most likely not be bombarded with advertisements or "links you may like". Good!"

Their curiosity:

"Love to hear your methodology. Are you studying ads to your feed by the hour? Something else?"

And, some shared tips about how they deal with advertising on Facebook (link added):

"I don't see ads because I use adblock. So I really don't know what they'd be trying to sell me."

Background

I used the Web version of Facebook. For a couple years, I used the mobile version on a Windows phone until I accidentally broke the screen. The mobile version was fun for a while, but the novelty soon wore thin. Spending $10 to $15 monthly for a data plan mostly for Facebook, Twitter, e-mail, and IMDB searches seemed an expensive indulgence. So, when the phone broke, I took that as a sign, ditched the mobile apps, and returned to the fuller Web version. While mobile apps are convenient, they are still pieces of a site. I prefer the entire experience, not pieces. About the only pieces I enjoy are Reese's Pieces. Maybe Facebook should have named its app "Facebook Pieces," but that is a discussion for another time.

I use Facebook to post and view articles, status messages, photos, and videos. I have family members who post plenty of photos. Plenty. For privacy and security, I don't play Facebook games nor apps, having years ago disabled all Facebook apps in my account settings. (To learn about how to use Facebook securely, there are plenty of posts in this blog. Follow any of the links in this post. In the right column, enter "Facebook" in the search mechanism, or select "Social Networking" in the tag cloud.) Facebook has made some stunning privacy missteps and reversals about how much of your data apps harvest. And, there's more about apps privacy here.

Test Goals and Methodology

I performed this test to see how my experience with Facebook might change. Would Facebook display different content? If so, what might that different content be? Posts by friends, ads, the pages I follow, or what?

My hypothesis going in was that my news feed would probably change. I wasn't sure how. Would I see different ads? Fewer ads? More ads? I didn't expect ads to disappear because that's how Facebook makes money. I knew that Facebook performs behavioral targeting, in order to present relevant ads to its users.

My hope was that my news feed would change because my new behavior would influence Facebook's display algorithm. Ideally, I might see more status messages by friends that it previously hadn't shown. If you didn't know, Facebook uses an algorithm to selectively display about 12 percent of the total status messages by all of your friends. Simply, you don't see everything. You never did; and probably never will. Similarly, your friends don't see everything you post. This 12 percent delivery rate makes "frictionless sharing" claims sound like a bunch of BS.

For my experiment, I decided not to change my profile by "un-Liking" any Facebook pages (e.g., newspapers, magazines, celebrities, television shows, musicians, comedians, pundits, etc.) I had previously "Liked." Frankly, I wanted to continue reading content from these news and entertainment sources; and not live in a virtual cave.

Results Overview

For the first two or three days, not clicking on "Like" buttons felt like a burden. I was used to the convenience. It took little effort or thought to click "Like" buttons and links. Maybe, I was going through "Like" withdrawal. After a couple days, it became easy to not click "Like" buttons. I noticed several things. The first thing I noticed was that I had to change. I had to decide what to type instead.

Use Your Words

When my son was 10 to 20 months old, he often greeted a parent by extending his arms upward and grunting. That was his preferred way to ask a parent or adult to pick him up. My wife and I constantly reminded him to use his words. As soon as I stopped clicking "Like" buttons, I realized that I had to change: use my words.

What to type? It had been so easy before to simply click "Like" buttons and links. Like many Facebook users, I often clicked only the "Like" button without entering any comments. Now, I had to give Facebook more thought and effort.

What words did I use? I went through predictable variations: "Ha," "LOL," "ROTFL," "WTH," "WTF," "Great photo," "I agree," "Awesome," "Nice," and several more. Had Facebook made me lazy? Perhaps. Probably. Typing the word "Like" seemed stupid with so many "Like" buttons and links nearby. For a couple days, I used "Likey" in a feeble attempt to merge liking and humor. I quickly abandoned that.

Nobody asked why I was only entering comments and not clicking "Like" buttons nor links.

Life Without Likes

The first week of my experiment flew by. I posted on my personal news feed on August 25:

"A week has passed and I haven't clicked on a single "Like" button. None. Anywhere. Was easier than I thought it would be."

For me, it felt like cable TV or the Major League Baseball strike during 1995. Once you learn to live without it, you soon find it's easy to live without it. You find other things to do instead; often, more enjoyable things to do. So, I decided to extend my experiment to two weeks. I'm glad I did.

One friend suggested a reason why I found it easy to not click "Like" buttons:

"Of course it's easy. You are not young enough to really be stricken with FOMO...."

If you don't know: Fear Of Missing Out. Convenience and fear seem to drive so much of our social media usage. We love the convenience of being able to post/read/watch anywhere and anytime. When you and everyone act this way, you quickly fall into the FOMO trap: if you stop acting this way, you'll miss out. You may or may not actually miss anything. It's the fear that you might. During my experiment, I didn't have any feelings of fear. None.

How My Facebook Experience Changed

With a two-week experiment, I noticed several changes. First, before starting my experiment, I often clicked on "Like" buttons for articles from news and entertainment sources. When I did, Facebook dutifully displayed related ads in the right column about the brand or company I just "Liked." Example: after "Liking" a news article about Comcast customer service, Facebook dutifully presented in the right column area ads by Comcast or by other cable/TV/Internet service providers. Now, Facebook seemed to have to work harder to determine what I "liked."

During the first week of my experiment, the links to related articles disappeared. You've probably seen the three related articles the Facebook interface displays when you "Like" an article. During the first week of my experiment, they went away. During the second week, those related articles re-appeared only when I entered a comment. That's good or bad depending upon whether you consider those related articles relevant or not. In my experience, the relevancy is hit or miss. Before my experiment, I rarely clicked on a related-article link. That didn't change during my experiment.

Second, Facebook seemed to work harder by focusing on the content I entered into comments. If I mentioned a brand in a comment or status message, then an ad for that brand soon appeared in the right column ad area. Example: while answering a friend's post for advice about leasing automobiles, I mentioned in a comment my experience with leasing a Honda Civic hatchback. Bingo! Facebook soon displayed a Honda ad, assuming I wanted to buy or lease a Honda car. Maybe Facebook did this all along and I just never noticed before. All I can say is this: in a life without "Liking" anything, it is more easily noticed. Mention brand names in your comments and Facebook will most likely display ads by those brands.

Third, Facebook seemed to work harder by using my profile data to display ads. I live in Boston and before the experiment had specified Boston in my profile. I noticed ads by Facebook for free movies at the Prudential Mall (a local shopping area), dentists, and other local services. Those of you who know me, know that I don't like to shop. And, I already have a dentist I am satisfied with. So, irrelevant ads.

In a life without "Likes," it seems that Facebook will dig deeper into your profile and use data from it to display targeted ads. This seems consistent with the targeting options Facebook provides advertisers:

"You can choose the location, gender, age, likes and interests, relationship status, workplace and education of your target audience. If you have a Facebook Page, event or app, you can also target your ad to people who are already connected to you."

The targeting of some of those ads was dubious. I never entered any comments about shopping, dentists, or dental hygiene, but Facebook showed ads anyway.

Fourth, I saw more generic ads, or what seemed to me to be generic ads. I say generic because the ads were for brands I had not "Liked" at all: Verizon Wireless phone service, 1-800-Flowers, customized pen writing instruments, and such.

During my experiment, I did not click on any ads. None. Why? I hadn't clicked on any ads before.

In his experiment, Morgan concluded:

"Now that I am commenting more on Facebook and not clicking Like on anything at all, my feed has relaxed and become more conversational. It’s like all the shouty attention-getters were ushered out of the room as soon as I stopped incidentally asking for those kinds of updates by using the Like function. I have not seen a single repugnant image of animal torture, been exposed to much political wingnuttery, or continued to drown under the influx of über-cuteness that liking kitten posters can bring on."

My experience was similar in some ways and different in other ways. Consistent with Morgan's "conversational" conclusion, I saw more posts by "friends" and fewer posts with news articles in my news feed. It also had implications.

Since I wasn't clicking "Like" buttons for news articles, Facebook's algorithm concluded I must not like them -- and it showed fewer in my news feed. So, to read news content I had to go to my Pages Feed. This behavior change by Facebook makes it a less-than-ideal tool to read news, since I had clearly "Liked" previously several agencies (e.g., CFPB, FTC, FDIC, CUNA, NCUA), advocacy groups (e.g., CSIPA, ACLU, EFF, Stanford CIS), and news sources (e.g., Mashable, FactCheck, ProPublica, Dorchester Reporter, Bill Moyers). I conclude that Twitter is a better source of news because it doesn't have a filtering algorithm. I see all tweets from the news sources I follow there, making Twitter more reliable and relevant -- for me.

In contrast to Morgan's conclusion, I still saw posts (often articles) by Facebook "friends" who are passionate about animal cruelty. Those posts never bothered me. That didn't change. I still saw posts by friends with photos and video of cute animals. That didn't change, either. I still saw article posts by friends who are passionate about politics. Heck, I post a lot about politics. That didn't change, either.

Conclusions

Given the ease of not "Liking" things on Facebook, I extended my experiment from one to two weeks. I was generally happy with my new experience on Facebook. (Yes, I will admit that there is a part of me that felt glee with thwarting Facebook's algorithm.) I had to work a little harder to view and read articles by the entities I followed. Facebook is still a less-than-optimal way to read news.

Also, I learned a little about how Facebook displays targeted ads. It'll dig deeper into your profile data to do so. And, it'll use your comments text more. I had wanted to see what ads appeared. I saw lots of Verizon Wireless ads -- every day, all day long. I still haven't bought a single thing from that store.

My experiment reinforced my view that Facebook isn't really a social networking service. Why? First, there is the 12-percent delivery rate of your friends' status messages. So, you can't assume you've seen everything by your friends, nor that your friends have seen all of your posts. Not very social. Second, in a life without "Liking" things, as Facebook digs deeper into your profile to target ads, it becomes clear that the service is really a gigantic, worldwide advertising delivery and distribution system.

Will I resume clicking "Like" buttons and links? I haven't decided, yet. I may. I may not. If you want to reduce your use of Facebook without deleting your account, not "Liking" things is an attractive option. A more conversational Facebook is a good thing.

Opinions? Could you use Facebook without clicking "Like" buttons? Would you? Have you? Why or why not?


Canvas Fingerprinting: What It Is, How Entities Use It To Track You Online, And The Privacy Concerns

"Canvas fingerprinting" is the latest technique entities use to identify and track consumers' online habits and movements. I use the word "entities" since both private-sector corporations and public-sector government agencies use the technique in their websites. The BBC described it well:

"This technique forces a web browser to create a hidden image. Subtle differences in the set-up of a computer mean almost every machine will render the image in a different way enabling that device to be identified consistently."

Those subtle differences include the many features that distinguish your computer's configuration from others: clock setting, default font, software installed, operating system brand and version, browser brand and version, and more. Researchers at Princeton University in the United States and at the University of Leuven in Belgium analyzed tracking techniques at 100,000 websites. They announced their findings in a draft report dated July 1, 2014:

"We present the first large-scale studies of three advanced web tracking mechanisms -- canvas fingerprinting, evercookies, and use of cookie syncing in conjunction with evercookies. Canvas fingerprinting, a recently developed form of browser fingerprinting, has not previously been reported in the wild; our results show that over 5% of the top 100,000 websites employ it... The tracking mechanisms studied in this paper can be differentiated from their conventional counterparts by their potential to circumvent users' tracking preferences, being hard to discover and resilient to removal."

The researchers emphasized the extreme difficulty confronting consumers:

"Canvas fingerprinting uses the browser's Canvas API to draw invisible images and extract a persistent, long-term fingerprint without the user's knowledge. There doesn't appear to be a way to automatically block canvas fingerprinting without false positives that block legitimate functionality; even a partial fix requires a browser source-code patch. Evercookies actively circumvent users' deliberate attempts to start with a fresh profile by abusing different browser storage mechanisms to store removed cookies. Cookie syncing... allows different trackers to share user identifiers with each other. Besides being hard to detect, cookie syncing enables back-end server-to-server data merges hidden from public view."
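To make the mechanism concrete from the defender's side, here is an added example (not code from the researchers, the BBC, or this blog) that only observes the pattern the quote describes: text drawn to a canvas and then read back through the Canvas API. The heuristic, the function names, and the stub classes that let it run outside a browser are assumptions made for this example; in a browser the same function would be given `HTMLCanvasElement` and `CanvasRenderingContext2D`.

```javascript
// Added example. Heuristic (an assumption, not the researchers' criteria):
// report any canvas that had text drawn on it and was then read back.
// It reports only; it never blocks, so legitimate canvas use keeps working.

function instrumentCanvas(CanvasClass, ContextClass, report) {
  const drewText = new WeakSet(); // canvases that have had text rendered

  // Remember which canvases receive text; the drawing call is passed through.
  for (const method of ['fillText', 'strokeText']) {
    const original = ContextClass.prototype[method];
    ContextClass.prototype[method] = function (...args) {
      drewText.add(this.canvas);
      return original.apply(this, args);
    };
  }

  const describe = (canvas, api) => ({
    api,
    width: canvas.width,
    height: canvas.height,
    attached: Boolean(canvas.isConnected), // false = never shown on the page
  });

  // Read-back path 1: serialising the whole canvas to an image string.
  const origToDataURL = CanvasClass.prototype.toDataURL;
  CanvasClass.prototype.toDataURL = function (...args) {
    if (drewText.has(this)) report(describe(this, 'toDataURL'));
    return origToDataURL.apply(this, args);
  };

  // Read-back path 2: pulling raw pixels out of the drawing context.
  const origGetImageData = ContextClass.prototype.getImageData;
  ContextClass.prototype.getImageData = function (...args) {
    if (drewText.has(this.canvas)) report(describe(this.canvas, 'getImageData'));
    return origGetImageData.apply(this, args);
  };
}

// Constructed stand-ins for the browser classes so the example runs offline.
class StubContext {
  constructor(canvas) { this.canvas = canvas; }
  fillText() {}
  strokeText() {}
  fillRect() {}
  getImageData(x, y, w, h) { return { data: new Uint8ClampedArray(w * h * 4) }; }
}

class StubCanvas {
  constructor(width, height, isConnected) {
    this.width = width;
    this.height = height;
    this.isConnected = isConnected;
    this.ctx = new StubContext(this);
  }
  getContext() { return this.ctx; }
  toDataURL() { return 'data:image/png;base64,'; }
}

function runDemo() {
  const findings = [];
  instrumentCanvas(StubCanvas, StubContext, (f) => findings.push(f));

  // Fingerprint-like: off-page canvas, text drawn, image serialised.
  const hidden = new StubCanvas(240, 60, false);
  hidden.getContext('2d').fillText('constructed sample text', 2, 15);
  hidden.toDataURL();

  // Fingerprint-like: off-page canvas, text drawn, raw pixels read.
  const hidden2 = new StubCanvas(16, 16, false);
  hidden2.getContext('2d').strokeText('constructed', 0, 8);
  hidden2.getContext('2d').getImageData(0, 0, 16, 16);

  // Benign: visible chart that is drawn but never read back.
  const chart = new StubCanvas(800, 400, true);
  chart.getContext('2d').fillRect(0, 0, 10, 10);

  // Benign: image export of shapes only, no text involved.
  const exported = new StubCanvas(800, 400, true);
  exported.getContext('2d').fillRect(0, 0, 10, 10);
  exported.toDataURL();

  return findings;
}

console.log(runDemo());
```

A page that legitimately exports a canvas containing text would also be reported, which is the false-positive problem the researchers describe and the reason this example only reports.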

Why the researchers produced this report:

"Our goal is to improve transparency of web tracking in general and advanced tracking techniques in particular. We hope that our techniques and results will lead to better defenses, increased accountability for companies deploying exotic tracking techniques and an invigorated and informed public and regulatory debate on increasingly persistent tracking techniques."

The researchers concluded the following about consumers' ability to maintain their privacy online:

"Current options for users to mitigate these threats are limited, in part due to the difficulty of distinguishing unwanted tracking from benign behavior. In the long run, a viable approach to online privacy must go beyond add-ons and browser extensions. These technical efforts can be buttressed by regulatory oversight. In addition, privacy-friendly browser vendors who have hitherto attempted to take a neutral stance should consider integrating defenses more deeply into the browser."

ProPublica reported:

"The researchers found canvas fingerprinting computer code, primarily written by a company called AddThis, on 5 percent of the top 100,000 websites. Most of the code was on websites that use AddThis’ social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish."

I strongly encourage consumers to read the ProPublica article, since it includes an interview with an executive from AddThis. The article also lists five recommendations consumers can follow to minimize the online tracking. However, some of the recommendations require technical knowledge and skills beyond what many consumers have.

One recommendation includes using Chameleon with the Google Chrome browser. A reader, who asked me not to mention their name, shared this opinion:

"... Chameleon, it does not appear to be available for Firefox, and I won't run Chrome because of Google's outrageous privacy policy, which is really a disclosure policy that lets Google do pretty much what it wishes with the personal information that its browser, Chrome, collects... putting Chameleon on Chrome just effectively gives Google a monopoly... as it blocks other domains' fingerprinting while leaving Google's collection techniques in Chrome unmolested."

Is this an over-reaction? Consider... earlier this year, Google changed its policy to reflect its continued scanning of all inbound e-mails from non-Gmail users. About the scanning, a United Kingdom newspaper wrote this headline, "Google: Don't Expect Privacy When Sending to Gmail." A simple online search found this review of Google Chrome privacy. Several news organizations reported in December 2013 about how spy agencies in the U.S. and U.K. use Google's proprietary cookie technology.

Plus, MediaPost reported yesterday:

"Back in March of 2012, Google made international headlines with its controversial decision to revise its privacy policy in a way that allowed it to consolidate information about users. Ever since, a group of consumers have been trying to sue the company for allegedly violating users' privacy. This week, a federal judge ruled that the consumers could proceed with a lawsuit -- but not based on their original claims. Instead, U.S. Magistrate Judge Paul Grewal in San Jose, Calif. said that users could continue with allegations that Google wrongly transfers users' names and contact information to app developers."

So, there seems to be enough happening that some consumers understandably might try to minimize or avoid interactions with any Google products and services.

Several news organizations have reported about the high-profile websites that use canvas fingerprinting, including several porn sites and WhiteHouse.gov. Interested readers can browse this list of websites the researchers found that perform canvas fingerprinting.

I would like to thank the researchers for this report. It is greatly appreciated and very valuable. Consumers need to be informed and the websites (e.g., marketers and advertisers) aren't doing it. Tracking methods need to be disclosed and opt-in based.

During the last 7+ years, this blog has covered stories about several technologies (e.g., cookies, “zombie cookies,” Flash cookies, “zombie e-tags,” super cookies, “zombie databases” on mobile devices, etc.) entities have used to persistently track consumers online without their knowledge or consent, and to circumvent consumers' efforts to maintain privacy online. Proponents usually justify the tracking as needed for consumers interested in seeing relevant, targeted advertisements online (a/k/a "behavioral advertising"). Given this history of repeated privacy abuses, sadly I am not surprised about canvas fingerprinting. Frustrated, yes. Surprised, no.

Many of these tracking technologies have resulted in class-action lawsuits, which has been good because the speed of technological change is far faster than both the laws and legislators’ abilities to understand the emerging technologies. I fear that class-actions, as a protection tool for consumers and/or a method to hold privacy abusers accountable, will be more difficult in the future as many banks, telephone, Internet service providers, consumer electronics, software, nursing, and health care companies have added binding arbitration clauses to agreements with their customers.

This persistent tracking raises other issues. Consumers need new browser features to stop this persistent online tracking, as companies use creative ways to restore browser cookies that users have deleted to maintain privacy online. For consumers, help may be on the way in the form of the Privacy Badger tool from the Electronic Frontier Foundation.

A prior blog post discussed the DuckDuckGo search engine as an alternative to traditional search engines (e.g., Google, Bing, Yahoo) for privacy-conscious users. While there was a discussion on one DuckDuckGo community board about canvas fingerprinting, DuckDuckGo provided this explanation:

"We removed the canvas check when we launched our reimagined/redesigned version earlier this year. This is no longer a concern. On the old DuckDuckGo, its function was to detect if anti-aliasing was turned on, because our old default font (Segoe UI) broke when anti-aliasing was off."

So, the revised DuckDuckGo maintains privacy by design. Consumers can continue using the search engine with confidence for privacy.

Some consumers may conclude that using apps on their mobile devices instead of a web browser is an effective way to avoid the online tracking. Assuming this would be foolish given the Google lawsuit mentioned above. Plus, the unique device ID numbers (UDID) on all mobile devices are simply a very tempting identifier and tracking mechanism. It is one reason why so many apps want access to consumers' entire address books and other files on their mobile devices.

Download the researchers' report, "The Web Never Forgets: Persistent Tracking In The Wild" (Adobe PDF, 903 K bytes).

What are your opinions of the researchers' report? Of canvas fingerprinting? Of AddThis? Of Google? Of the failure of websites to inform consumers of the online tracking methods used? If you operate a blog or website using technologies from known canvas fingerprinters, please share your thoughts and/or whether you continue to use these technologies.

[Correction: an earlier version of this blog post mentioned a possible privacy problem with the DuckDuckGo.com search engine. The revised blog post above includes an explanation from DuckDuckGo about how their search engine maintains privacy and avoids canvas fingerprinting.]


Facebook Announced A New Feature Where It Listens And Identifies Music And TV Content

Before and during the Memorial Day holiday, I was busy with work and family events. Perhaps, you were busy too and missed this. Just before the holiday, Facebook announced a new, optional feature where it will listen and identify whatever you are listening to while typing status messages.

If you have used mobile apps like Shazam, then you know how technology can easily identify the name and artist of music. Facebook wants to take the technology further by identifying the background content (e.g., music you are listening to, movies or television shows you are watching) while posting messages to Facebook. Facebook's announcement pitched the new feature as:

"You may have seen a friend post a photo after a tough workout with a “feeling proud” icon. Or you’ve seen your friend check in at a coffee shop “drinking an iced coffee.” In the last year, people shared more than 5 billion status updates... we’re making those conversations quicker and easier by introducing a new way to share and discover music, TV and movies. When writing a status update – if you choose to turn the feature on – you’ll have the option to use your phone’s microphone to identify what song is playing or what show or movie is on TV."

Unlike the Shazam app (which the user initiates), once you turn on the "Identify TV and Music" feature, it will operate quietly and identify whatever is playing in the background when you post messages:

"If you leave the feature on, you will see the audio icon move and attempt to detect a match when you’re writing a status update. No sound is stored and you’ll always get to choose whether you post to your friends... if you choose to turn this feature on, it will only use your microphone (for 15 seconds) when you’re actually writing a status update to try and match music and TV... when you write a status update, the app converts any sound into an audio fingerprint on your phone. This fingerprint is sent to our servers to try and match it against our database of audio and TV fingerprints. By design, we do not store fingerprints from your device for any amount of time."

It's important to read Facebook's words closely. It says it won't store the music, TV show, or movie you are watching or listening to. It does store the status message you authorize about the background content. That means, the feature will record the name or title of the show/music, the artists, along with the date, time, your geolocation (e.g., GPS) data, and probably other relevant metadata. It needs these metadata elements to create a status message for you to post to your Timeline.

Based upon its matching algorithm, the message includes an excerpt of the music or show, since Facebook assumes that your friends may want to purchase the music or video item. In this way, Facebook can sell more advertising to its corporate sponsors; where once again Facebook members are the product. The feature allows Facebook to analyze its members' actions and build a more robust activity profile. For example, people with certain demographic characteristics (e.g., age, sex, students, rural residents, etc.) or in certain locations, listen to XYZ music and/or watch a certain genre of television shows while posting status messages. And, Facebook can associate certain moods or feelings in your posts to the moods or feelings in the background content (e.g., music, movie, or TV shows).

The Naked Security blog by Sophos reported:

"When it initially announced the eavesdroppish new service, Facebook didn't say anything about listening in on background noise, including private conversations. But this week, Facebook's security head honcho, Gregg Stefancik, filled in that gap. Stefancik, head of security infrastructure for the very-data-rich, o-so-good-at-data-mining social network, explicitly told journalists that the new audio feature does not snoop on users and does not record conversations... The raw audio never leaves the phone, Stefancik said, while the data about the match is only stored if a user opts to post it:.. The app can't identify background noise and conversation before the feature is enabled."

I guess that this new feature will be a benefit to consumers who want to share easily, quickly, and automatically without having to do anything. You literally won't need to lift a finger. It seems wise for consumers to give a new feature like this a lot of thought and consideration before turning it on. Why? The background content (via the authorized status messages) will be associated with your profile.

Maybe, the background content is the television you've left on because you're home alone, not really watching it, and want some noise in your home. Maybe you are simply in the same room with a family member or friend who is watching TV, movies, or listening to music. Their selections identify their choices, not necessarily yours. Maybe you are in a shopping mall and muzak is playing in the background. Maybe the music playing is from an advertisement on television. Maybe Facebook's matching algorithm was incorrect.

My point: the background content may have nothing to do with your profile, but it gets recorded and associated with your profile anyway. The background content may be items you'd never select or buy, but Facebook would assume so. Then, who is right? Who knows more about you and your habits: you or Facebook?

I see this new feature as extremely invasive and problematic. I know my profile better than any social networking service, and remaining in control is important to me. Facebook addressed the issue of control in its announcement:

"... this feature is completely optional. If you don’t turn it on, we won’t use your microphone to try and match TV or music when you write a status update. If you do choose to turn it on and later decide it’s not for you, you can easily turn it off at any time."

This implies, if you want to delete any background content from your Timeline, then you would do so consistent with the capabilities and limitations of the current Timeline system. Does a user really have effective control? I don't see how any consumer can verify that Facebook uses the new feature to comply with its promises (e.g., don't record conversations, 15 seconds, identify only TV/music, etc.). The announcement did not specify how accurate the feature is. If it incorrectly identifies some background content, and you authorize that status message, then an error has been introduced to your profile. A Facebook member may not know the background content identified.

I'd like to see Facebook explain more about its matching algorithm. How accurate is it? Does it match any song or music? Does that include music in TV advertisements? If so, then, the matching algorithm could identify what commercials you have viewed. What about radio? The announcement didn't say anything about radio. People listen to traditional radio and satellite radio. What matching is done then?

This technology confirms what a lot of people have been worried about with surveillance by government spy agencies: the ability to remotely control the microphone in your smart phone or mobile device, and monitor what you are doing, listening to, and watching. Since Facebook already records and archives everything (including deletions) you type into the status message box, the two features combined provide the social networking site with very strong capabilities to determine what you are thinking, feeling, and considering -- not just what you typed in the status message. That is very strong personal content.

It's also very creepy stuff, in my opinion. Spy agencies must be looking at this and wondering: if Facebook can do this, we should be able to do this, too. If I operated a Web design service that was a front for a spy agency, I'd want to use an app like this.

I wouldn't want any mobile device in my pocket running an app like this. Nor would I want to be around people using an app like this; especially in business meetings. Yes, this upcoming Facebook feature reminds me a lot of Google Glass. Very invasive for people who value their privacy.

What's your opinion of the upcoming Facebook feature? Is this more or less invasive than government spy programs?


California AG Issues Privacy Recommendations To Better Protect Consumers

Late last month, the Office of the Attorney General for the State of California issued a guide with privacy recommendations for companies about how to present privacy policies and do-not-track disclosures to consumers. The recommendations are based upon changes in California law (emphasis added):

"...in 2003, California established the landmark California Online Privacy Protection Act, which was the first law in the nation to require operators of commercial websites, including mobile apps, to conspicuously post a privacy policy if they collect personally identifiable information from Californians. In 2013, the Act was amended by Assembly Bill 370, which requires privacy policies to include information on how the operator responds to Do Not Track signals or similar mechanisms. The law also requires privacy policies to state whether third parties can collect personally identifiable information about the site’s users."

Previously, many mobile app developers failed to include usage terms and privacy policies with their apps, both before and after purchase. Most Web browsers have Do Not Track (DNT) features, but the effectiveness of that feature depends upon the website operator's compliance, which is not mandatory. The California AG's guide included a summary of Do Not Track and web browsers (emphasis added):

"... the [U.S. Federal Trade Commission] staff in 2010 proposed a Do Not Track (DNT) browser signal as a uniform and comprehensive way for consumers to choose whether to allow the collection and use of data regarding their online searching and browsing activities. The Commission noted in its 2012 final report that a number of browser vendors had announced that their latest versions permitted consumers “to instruct websites not to track their activities across websites.” In a 2012 paper on consumer privacy, the White House noted that “privacy-enhancing technologies such as the ‘Do Not Track’ mechanism allow consumers to exercise some control over how third parties use personal data or whether they receive it at all.” By 2013, the major browser companies had all implemented a DNT mechanism in their browsers. In May 2014, the White House once again commented that consumers “have a valid interest in ‘Do Not Track’ tools that help them control when and how their data is collected.” There is no legal requirement for how operators of web sites or online services must respond to a browser’s DNT signal. The World Wide Web Consortium (W3C), which facilitates collaborative efforts to develop web standards, created a Tracking Protection Working Group, which has been working since 2011 to develop standards for the technology and meaning of Do Not Track. As of the end of 2013, the W3C group had not agreed upon what an operator or an advertising network should do when they receive a DNT browser header."

The guide includes the following key recommendations:

"Readability
- Use plain, straightforward language. Avoid technical or legal jargon.
- Use a format that makes the policy readable, such as a layered format.

Online Tracking/Do Not Track
- Make it easy for a consumer to find the section in which you describe your policy regarding online tracking by labeling it, for example: “How We Respond to Do Not Track Signals,” “Online Tracking,” or “California Do Not Track Disclosures.”
- Describe how you respond to a browser’s Do Not Track signal or to other such mechanisms. This is more transparent than linking to a “choice program.”
- State whether other parties are or may be collecting personally identifiable information of consumers while they are on your site or service.

Data Use and Sharing
- Explain your uses of personally identifiable information beyond what is necessary for fulfilling a customer transaction or for the basic functionality of an online service.
- Whenever possible, provide a link to the privacy policies of third parties with whom you share personally identifiable information.

Individual Choice and Access
- Describe the choices a consumer has regarding the collection, use and sharing of his or her personal information.

Accountability
- Tell your customers whom they can contact with questions or concerns about your privacy policies and practices"

Personally identifiable information (PII) includes the following data elements:

  • Your name: first, middle, last
  • Your residential or home address, including the street name, town, and ZIP Code
  • Your e-mail address
  • Your telephone number (mobile or land-line)
  • Your Social Security number
  • Any other identifier that enables somebody to contact you online or offline in the physical world
  • "Information concerning a user that the web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier..."

The last two items are critical because they include several things that can be used to identify only you, such as a user name, user ID, license number, member number, policy number, record number, the IP address assigned to your computer device, and so forth. The last item probably includes your physical movements (e.g., GPS coordinates with time stamps from your mobile device or car), since this data could be used to uniquely identify and track you.

Download the "Making Your Privacy Practices Public" guide (Adobe PDF) by the California Attorney General's Office. It includes detailed recommendations, which are a good start. Assembly Bill 370 makes it easier for consumers to understand what a website and mobile app operator promises to do about privacy and handling consumers' sensitive personal information. Obviously, there needs to be a standard about how advertising networks respond to DNT signals from a browser.
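One way a site operator could act on the DNT request header discussed above, as an added example that is not from the original post or from the Attorney General's guide: a small Python WSGI wrapper that drops tracking cookies and the third-party script when the browser sends `DNT: 1`. The cookie names, the `tracker.example` URL, the `privacy.allow_tracking` key, and the choice to treat a missing header as "no preference" are all assumptions made for illustration.

```python
"""Honor a browser's Do Not Track (DNT) request header in a WSGI app."""
from wsgiref.util import setup_testing_defaults

# Assumption: names of the cookies this example site uses for tracking.
TRACKING_COOKIES = frozenset({"ad_id", "xsite_uid"})


def dnt_preference(environ):
    """Map the DNT request header to 'opt-out', 'consent' or 'unset'."""
    value = environ.get("HTTP_DNT", "").strip()
    if value == "1":
        return "opt-out"   # the user asks not to be tracked
    if value == "0":
        return "consent"   # the user explicitly allows tracking
    return "unset"         # header absent or malformed: no preference given


def cookie_name(set_cookie_value):
    """Return the cookie name from a Set-Cookie header value."""
    return set_cookie_value.split("=", 1)[0].strip()


class HonorDNT:
    """Middleware: tell the app about the preference and enforce it."""

    def __init__(self, app, tracking_cookies=TRACKING_COOKIES):
        self.app = app
        self.tracking_cookies = frozenset(tracking_cookies)

    def __call__(self, environ, start_response):
        pref = dnt_preference(environ)
        # The wrapped app reads this flag to decide whether to emit trackers.
        environ["privacy.allow_tracking"] = pref != "opt-out"

        def filtered_start(status, headers, exc_info=None):
            if pref == "opt-out":
                # Safety net: strip tracking cookies even if the app
                # forgot to check the flag before setting them.
                headers = [
                    (k, v) for k, v in headers
                    if not (k.lower() == "set-cookie"
                            and cookie_name(v) in self.tracking_cookies)
                ]
            # The response differs by DNT value, so shared caches must not
            # hand a tracked copy of the page to an opted-out visitor.
            headers = list(headers) + [("Vary", "DNT")]
            return start_response(status, headers, exc_info)

        return self.app(environ, filtered_start)


def sample_app(environ, start_response):
    """Constructed demo page: sets a session cookie and a tracking cookie."""
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Set-Cookie", "session=abc123; HttpOnly; Path=/"),
        # Set unconditionally on purpose, to show the middleware removing it.
        ("Set-Cookie", "ad_id=u-789; Max-Age=31536000; Path=/"),
    ]
    body = "<h1>Store</h1>"
    if environ["privacy.allow_tracking"]:
        body += '<script src="https://tracker.example/t.js"></script>'
    start_response("200 OK", headers)
    return [body.encode("utf-8")]


def fetch(dnt=None):
    """Run one in-memory request; return (cookie names set, page body)."""
    environ = {}
    setup_testing_defaults(environ)
    if dnt is not None:
        environ["HTTP_DNT"] = dnt
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    body = b"".join(HonorDNT(sample_app)(environ, start_response))
    cookies = sorted(cookie_name(v) for k, v in captured["headers"]
                     if k.lower() == "set-cookie")
    return cookies, body.decode("utf-8")


if __name__ == "__main__":
    for header in (None, "0", "1"):
        cookies, body = fetch(header)
        print("DNT=%r cookies=%s tracker_script=%s"
              % (header, cookies, "tracker.example" in body))
```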

I look forward to seeing more privacy improvements in California and in other states. What are your opinions of the "Making Your Privacy Practices Public" guide? Is it good? Does it go far enough?


Your Car Is The Next Advertising And Data Collection Frontier

Advertisers view your personal auto as the next frontier to display targeted, relevant advertisements based upon when and where you drive, plus how long you park at certain locations. All of this is possible as manufacturers equip cars with computing technology similar to what's in your smart phone and tablet computer. Think of your car as simply another mobile device.

Business Insider explained advertisers' interest:

"Americans spend an average of 1.2 hours a day traveling between locations and American commuters spend an average of 38 hours a year stuck in traffic. If mobile apps and Internet-based services can shoehorn their way into the in-car environment, that means a great opportunity to expand their ability to engage consumers, absorb their attention, and gather data."

It really doesn't matter whether you drive your car, or you use the Google self-driving car. The data collection will be massive and advertisers plan to capitalize on the opportunity. Say Media reported:

"... the McKinsey Global Institute estimates that the automotive industry will be the second largest generator of data by 2015. Gartner reports that, by 2018, one in five cars on the road will be "self-aware" and able to discern and share information on their mechanical health, their global position and status of their surroundings."

The data collected is not only GPS location and engine performance from sensors embedded throughout the car. The data collected is not only your travel directions and map information. It also includes your music selections and interactions with other mobile devices, since cars are Internet connected, access files in cloud services, and often operate as WiFi hotspots.

Then, there is the coming practice of "geo-fencing," the dynamic, real-time display of location-specific advertisements:

"According to the Placecast Blog, they and Aha™ by HARMAN have begun testing new in-car advertising that delivers relevant, real-time promotional offers to consumers based on the vehicle's locations. Quiznos is the first brand to activate promotional offers using the new service. When your vehicle enters a geo-fenced area, a Quiznos audio ad is inserted into the stream. A tap on the interface emails a coupon to your mobile device for use in the store..."

So, if you are driving near a particular fast-food restaurant chain, you will likely see advertisements and/or coupons displayed in your car (and/or on your mobile device connected to your car) about nearby restaurants and stores. Say Media posed some more relevant questions:

"... how much access advertisers will actually have to proprietary in-vehicle systems. Should auto manufacturers act as a gatekeeper, shielding their car's drivers from unwanted messages? Or should auto brands open-source their code for in-vehicle modules like the Ford Motor Company? Ford's strategy is to provide a link allowing apps on Android phones or iPhones to be controlled through the car's electronic units."

Proprietary in-vehicle systems include the myriad of sensors embedded throughout your car that monitor and report information about specific components (e.g., engine, brakes, cameras, speed, road conditions, etc.). For me, consumers should be in control. And, there are many more questions:

  • Who stores the data collected by your car, and how long is it retained?
  • Who owns the data collected by your car (e.g., driver, auto manufacturer, operating system software developer, mobile app developer, advertiser, advertising network, mobile device manufacturer, insurance company, etc.)?
  • What other companies is the data collection shared with (especially auto maintenance, repair, and sensor information)?
  • Who controls the data sharing?
  • When and where are relevant policies (e.g., privacy, terms of use) displayed?
  • Are programs opt-in or opt-out based for consumers? Hopefully, the former.
  • What privacy tools will be available for drivers?
  • What anti-virus options will be available to prevent malware, spam, and botnets from using your car?
  • Will cars include embedded code by the NSA and other intelligence agencies?
  • Supposedly, targeted and relevant advertisements are a convenience for consumers. How much convenience is enough?

If current Internet practices win out, then your car will likely operate similar to your Web browser, with a race by advertisers and companies to collect as much as possible via a variety of technologies (e.g., not just browser cookies) that track you and your movements.

What are your views about smart cars? About advertisements via geo-fencing? About privacy options for drivers?


How To Opt Out Of Tracking Programs And Keep As Much Privacy As Possible

Your online activity is tracked by a wide variety of technologies, not just web sites. For example, all of the major search engines (e.g., Google, Bing, Yahoo) track your search history. If you use one of the major search engines, then you will need to opt-out of the search engine history tracking at each search engine. This Mashable article contains instructions plus links to the opt-out mechanisms for each search engine.

Me? I use the DuckDuckGo search engine instead. There is nothing to opt-out of because DuckDuckGo doesn't collect anything.

Similarly, the social networking websites you use track your online activity and will use your name and photo in their online advertisements if you let them. To avoid this, you'll need to opt-out of the advertisement features at each social networking website you use. For example: sign in to Twitter and navigate to Settings, and then Security and Privacy. On that page, uncheck the boxes next to Promoted Content and Tweet Location. For Facebook, navigate to General Account Settings, and then to Ads. Click Edit and select "No one" for Third Party Sites. Click Edit and select "No one" for "Ads and Friends."

This Mashable article contains instructions for how to opt out of advertisements on Google services.

The web browser you use also tracks your online activity. So, the steps you must take to deactivate HTTP cookie tracking depend upon which web browser you use. According to Mashable, to opt out of cookie tracking Mozilla Firefox users must:

"In Firefox's Privacy panel, click on the area next to Firefox will: and select Use custom settings for history. Once selected, remove the checkmark in the Accept Cookies box."

See the Mashable article for instructions for Google Chrome users. I also use the Better Privacy add-on for Firefox to regularly delete HTTP and other Locally Shared Objects (LSO) cookies.

Also, there may be settings on your mobile device to turn off any sharing with your mobile device manufacturer, mobile operating system manufacturer, and/or telecommunications provider. None of the above methods will stop sharing of your purchases with your bank, credit-card, debit-card, and/or prepaid card provider.

Remember, all of these services and technologies, including your mobile device (e.g., tablet, smart phone), that collect data also collect metadata. All of this online data collection can make the Internet a pretty frustrating tool at times. In response to the perceived (and real) lack of online privacy, more and more users in Australia provide fake information while online to blunt companies' data collection and tracking. And, if infected with the appropriate computer virus, your smart phone may continue to track you even when turned off.


Are You Walking Blindly In The 'Big Data' Revolution?

There is a good article on the BBC News website about the trends and impacts of technology -- namely about how "big data" is transforming the entire planet. "Big data" refers to information companies and governments collect about consumers. They collect this information from a variety of sources:

"... not only from posts to social media sites, mobile signals and purchase transactions but increasingly from sensors on objects from lamp-posts to skyscrapers...In Birmingham, lamp-posts are being fitted with sensors that can transmit information about cloud cover to offer hyper-local weather forecasting. In Norway, more than 40,000 bus stops are tweeting, allowing passengers to leave messages about their experiences... At MIT's Senseable City Lab, 5,000 pieces of rubbish in Seattle were geo-tagged and tracked around the country for three months to find out whether recycling was really efficient..."

You've probably noticed video surveillance cameras on street lights across the country. That's another source. This blog has reported about many other sources:

All of these types of devices will be used more and more in what people call a "smart city:"

"The core functionality of a smart city requires a vast amount of data to be collected on every aspect of our lives every minute of every day. The question is how does that data get used? And it doesn't require a huge amount of imagination to see how it could be used to monitor people... the control of information is being taken away from citizens, and companies providing services are rushing to find ways of generating revenue from the data they hold. The danger is... individuals will not be able to control the ways they are monitored or what happens to the information, which is exactly the opposite of how it should be."

It seems to me, you can distill all of this into a single issue about consumers:

"... People have clicked "yes" to those terms but don't realise that everything you share can be collected. We could be walking blindly into a 24/7 surveillance society..."

We have traded privacy for convenience.

Are you walking blindly? Are you willing to continue trading convenience for privacy? Are you willing to question online processes, privacy disclosures, and website terms of usage? Are you willing to push back and say: enough? Are you willing to demand that your elected officials place consumer protections before privacy abuses happen, and not minor, ineffective protections afterwards? Are you willing to support any of the consumer advocacy groups that look out for your privacy?


FTC Reminds The Search Engine Industry To Continue To Distinguish Between Paid Ads and Natural Search Results

Earlier this week, the U.S. Federal Trade Commission (FTC) announced that it had sent letters to all search engine operators reminding them to continue to distinguish between paid advertisements and natural search results. The letters reinforce guidance and rules established in 2002. The letters said, in part:

"...After the 2002 Search Engine Letter was issued, search engines embraced the letter’s guidance and distinguished any paid search results or other advertising on their websites. Since then, however, we have observed a decline in compliance with the letter’s guidance. Although the ways in which search engines retrieve and present results, and the devices on which consumers view these results, are constantly evolving, the principles underlying the 2002 Search Engine letter remain the same: consumers ordinarily expect that natural search results are included and ranked based on relevance to a search query, not based on payment from a third party. Including or ranking a search result in whole or in part based on payment is a form of advertising. To avoid the potential for deception, consumers should be able to easily distinguish a natural search result from advertising that a search engine delivers..."

The letters cited results from a 2005 Pew Research Center survey about search engine users:

"Some 45% of searchers said they would stop using a search engine if they didn’t make it clear that some results were paid or sponsored."

There are many more interesting results from that same 2005 survey:

"... some 38% of those who have used a search engine are aware that there are two different kinds of search results, some that are paid or sponsored and some that are not. The remaining 62% are not aware of this practice. Data from this survey show identical numbers from those collected two and a half years earlier; that is, there has been no overall change in users’ understanding of how search systems work."

And, perhaps more importantly -- the users that are aware can't always tell the differences between paid and natural search results:

"... Among the 38% of internet users who are aware of the practice, some 47% of searchers say they can always tell which results are paid or sponsored and which are not. This represents about one in six of all internet searchers. An almost equal number, 45%, say they are not always able to tell."

The letters also discuss ways, such as labels and visual design, the search engines can distinguish between paid and natural search results.

Kudos to the FTC for looking out for the interests of consumers. It is sad that the search engine industry chooses to operate in a manner where such a warning is needed. It says a lot about the desire to bend or ignore the rules during its rush for profits.

The 2012 Pew Internet survey about search engine users found interesting results about privacy:

"73% of search users supported a statement that they would not be okay with a search engine keeping track of their searches and using that information to personalize future search results because they feel it is an invasion of privacy... 65% of search users supported a statement that it’s a bad thing if a search engine collected information about their searches and then used it to rank future search results... 68% of internet users agree with a statement that they are not okay with targeted advertising because they don’t like having their online behavior tracked and analyzed... 66% of search engine users say search engines are a fair and unbiased source of information..."

If you don't like being tracked or your searches collected by search engines, there is an alternative.


The Companies Involved In Payment Transactions When Consumers Buy Items

Today, consumers have a wide variety of options when they pay for products and services. To make these options work, a variety of companies are involved behind the scenes in the payment transactions: the companies that money and information flow through after a consumer purchases something at the checkout register. Consumers may not realize how many different companies are involved.

Companies involved in the payment transaction flow often have their own privacy policies and their own collection of consumers' sensitive information, driven by their agreements with the retailer or bank. And each company involved may experience data breaches where consumers' sensitive information is exposed or stolen:

| Company Type / Payment Method | Cash | Credit Card | Debit Card | Retailer's Prepaid Card (1) | Bank Prepaid Card (2) | Prepaid Card: FSA (3) | Smart Phone |
|---|---|---|---|---|---|---|---|
| Brick-&-mortar retail store | No | Yes | Yes | Yes | Yes | Yes | Yes |
| Online retail website | n/a | Yes | Yes | Yes | Yes | Yes | n/a |
| Retailer's partners &/or affiliates (4) | n/a | Yes | Yes | Yes | Yes | Yes | Yes |
| Your bank | n/a | Yes | Yes | n/a | Yes | Yes | Yes |
| Retailer's bank | n/a | Yes | Yes | Yes | Yes | Yes | Yes |
| Payments Processor (5) | No | Yes | Yes | Yes | Yes (6) | Yes | Yes |
| Your Employer | n/a | n/a | n/a | n/a | Yes | Yes | Yes |
| Healthcare Vendor (7) | n/a | n/a | n/a | n/a | No | Yes | n/a |
| Wireless Provider | n/a | n/a | n/a | n/a | n/a | n/a | Yes |
| Mobile Device Manufacturer | n/a | n/a | n/a | n/a | n/a | n/a | Yes |
| Mobile Device Operating System Developer (8) | n/a | n/a | n/a | n/a | n/a | n/a | Yes |
| Mobile App Developer (8) | n/a | n/a | n/a | n/a | n/a | n/a | Yes |
| App Store | n/a | n/a | n/a | n/a | n/a | n/a | Yes |

Footnotes:

  1. Includes gift cards offered by retailers that are good only at that retailer's stores.
  2. Includes general-purpose prepaid cards usually offered by banks
  3. Includes prepaid cards used by employers to administer healthcare Flexible Spending Accounts
  4. Includes outsourced vendors that administer a retailer's email marketing programs, cloud-based storage services, customer relationship management databases, mobile marketing services, product fulfillment, and/or data mining services; plus companies that perform co-marketing campaigns
  5. The bank and/or company that processes the debit/credit card transactions
  6. Applies to employers that pay employees via payroll debit cards
  7. Some employers outsource the administration of their healthcare Flexible Spending Account (FSA) program to an external vendor, and issue participating employees a special prepaid card
  8. The company that develops and maintains this software for mobile devices

What do you think about the above chart?


FTC Amends Rules Regarding Data Collection Of Personal Information Of Minors

Last month, the U.S. Federal Trade Commission (FTC) clarified and strengthened its rules regarding the collection of personal data of minors under the age of 13. In its announcement, the FTC stated:

"1. Modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
2. Offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
3. Close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
4. Extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
5. Extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
6. Strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential;
7. Require that covered website operators adopt reasonable procedures for data retention and deletion; and
8. Strengthen the FTC’s oversight of self-regulatory safe harbor programs."

The new rules become effective July 1, 2013. The rules are part of the Children's Online Privacy Protection Act (COPPA) enacted in 1998. The COPPA rules include personal information elements such as the child's full name, home address, email address, telephone number, or any other information that would allow someone to identify or contact the child. As they should, the new rules add more data elements. The FTC stated in its blog:

"The definition of personal information now includes geolocation information, as well as photos, videos, and audio files that contain a child’s image or voice. Also covered: persistent identifiers that can be used to recognize a user over time and across different websites or online services. But there’s a notable exception: COPPA’s parental notice and consent requirements don’t kick in if the identifier is used solely to support the internal operations of the site or service."

It strikes me that the above exception, or loophole, could be used to avoid and abuse consumer information. Those "persistent identifiers" are key since they are used by the online advertising networks, and enable both online tracking and behavioral advertising. Plus, there is a long history of repeated abuse of consumers' sensitive personal information by companies using zombie cookies, Flash cookies, zombie e-tags, search hijacking, and leaky apps on mobile devices. In September 2012, the FTC issued guidelines for mobile app developers.

Companies are advised to watch the FTC Children's Privacy page for additional updates.

In an ideal world, COPPA rules would not stop at age 13, but extend to age 18, the usual age of majority. It would have been better if the amended COPPA rules explicitly mentioned facial recognition.


Twitter's Tailored Suggestions Program And Online Tracking

In May 2012, Twitter.com introduced a new program called Tailored Suggestions, which recommends other Twitter members to follow based upon your online usage:

"How tailored suggestions work: We determine the people you might enjoy following based on your recent visits to websites in the Twitter ecosystem (sites that have integrated Twitter buttons or widgets). Specifically, our feature works by suggesting people who are frequently followed by other Twitter users that visit the same websites."

The use of buttons or widgets to track social networking website users around the web is not new. Facebook, LinkedIn, and Youtube have similar programs. Twitter users can easily opt out of this tracking by un-clicking the box next to "Personalization" on the Twitter Profile Settings page. (See image below.) Or, you can adjust the Do Not Track settings on your web browser.

Twitter Personalization setting on the Account Settings page

Last month, Forbes magazine reported about Twitter's expansion plans with its Tailored Suggestions program.

For me, Twitter is a wonderful resource, which I use primarily with this blog and to network with other privacy advocates and bloggers. I like and trust Twitter far, far more than Facebook. Twitter hasn't had the repeated privacy snafus which have happened at Facebook. As of January 1, 2013 about 560 people follow this blog via Twitter compared to about 120 via Facebook.


What You Need To Know About Facial Recognition Software And Best Practices Recommended By The FTC

If you use a social networking website like Facebook, then this applies to you. In October, the U.S. Federal Trade Commission (FTC) released a report that included best practices for companies that use facial recognition software with consumer information. Besides the best practices, the report, "Face Facts: Best Practices For Common Uses Of Facial Recognition Technologies," also includes reviews of the facial recognition technologies and sample applications.

If you are a Facebook.com member, then you may be aware of how that social networking service uses facial recognition software. Facebook uses the software to help its users identify their friends in photographs, and to encourage its members to "tag" or verify their friends in those photographs.

While traveling recently, I experienced another way Facebook uses facial recognition software. While signing in from a different location in another state, the Facebook.com software challenged my sign-in. I could sign in using a code (since I had both Log-in Approvals and Log-in Notifications enabled), or identify my friends in several photographs. I chose the latter to see how the software works.

The FTC developed its report from a December 8, 2011 workshop and from comments submitted by the public and stakeholders about both the technologies and privacy concerns. The report described several ways the facial recognition software can be used:

"... Facial recognition technologies currently operate across a spectrum ranging from facial detection, which simply means detecting a face in an image, to individual identification, in which an image of an individual is matched with another image of the same individual... In between these two divergent uses are a range of possibilities that include determining the demographic characteristics of a face, such as age range and gender, and recognizing emotions from facial expressions... One company – called SceneTap – has also leveraged the ability to capture age range and gender to determine the demographics of the clientele of bars and nightclubs"

Given this, companies can (and do) use the software to compile from photographs personal data about individuals such as gender, age, emotions, location, economic status and connections with other persons. Consider that group photo at a friend's wedding at a private golf course which you posted online, or a group photo at a college reunion. Consider video games like Xbox 360 Kinect that can "see" you. The gaming software can easily be modified to also capture and analyze your face. Or, consider digital signs or kiosks that are located everywhere from malls to stores to schools to sports arenas:

"... technologies that can determine the gender and age range of the person standing in front of a camera can be placed into digital signs or kiosks, allowing advertisers to deliver an advertisement in real-time based on the demographic of the viewer... Unless these signs are labeled, they often look no different to consumers than digital signs that are not equipped with cameras. Panelists representing companies that currently use facial recognition technologies similarly acknowledged that there are privacy concerns surrounding the use of these technologies..."

It was good to read that a couple of industry groups have developed guidelines for the use of digital signs (links added):

"... Point of Purchase Advertising International’s Digital Signage Group (“POPAI”) has developed a code of conduct containing recommendations for marketers to follow in order to maintain ethical data collection practices in retail settings. Similarly, the Digital Signage Federation worked with the Center for Democracy and Technology to craft a voluntary set of privacy guidelines for their members, which include advertisers and digital sign operators..."

I have not reviewed (yet) the documents from these two groups. I hope that they cover both usage and data security to prevent hacked digital signs used by identity criminals. The best practices recommended by the FTC:

"1. Privacy by Design: Companies should build in privacy at every stage of product development.

2. Simplified Consumer Choice: For practices that are not consistent with the context of a transaction or a consumer’s relationship with a business, companies should provide consumers with choices at a relevant time and context.

3. Transparency: Companies should make information collection and use practices transparent."

This list is a good start. However, there are many questions about the appropriate use of facial recognition technology. Connecticut Senator Richard Blumenthal asked some good questions (bold emphasis added):

"Will a social networking site that uses facial recognition technology to tag friends in photos allow third-party apps to access this face data or create its own data sets from your pictures? Will a store that uses facial recognition technology to identify shoppers check that information against other consumer data to predict customers’ income levels and direct them toward or away from certain products?"

And, should facial recognition be used on children and minors? Should digital signs scan and archive children's facial data? If so, beginning at what age: 13, 14, 18, or all starting at birth? What about facial injuries and medical conditions?

The above recommended best practices list the items consumers should look for in the privacy policy and/or terms and conditions policy for a website or mobile app. I wish that it had said more about mobile apps, and had attempted to resolve situations where there are several, competing privacy policies (e.g., smart phone users have privacy policies by the mobile device manufacturer, the developer of the operating system for that device, the telecommunications provider, the app developer, and the app store operator). I found the following section of the FTC report particularly important, since it helps consumers evaluate companies that adequately protect your sensitive personal data and privacy:

"... there are at least two scenarios in which companies should obtain consumers’ affirmative express consent before collecting or using biometric data from facial images. First, they should obtain a consumer’s affirmative express consent before using a consumer’s image or any biometric data derived from that image in a materially different manner than they represented when they collected the data. Second, companies should not use facial recognition to identify anonymous images of a consumer to someone who could not otherwise identify him or her, without obtaining the consumer’s affirmative express consent... increased consumer education about the use of facial recognition technologies is of paramount importance and that all stakeholders – including industry, trade associations, consumer and privacy groups, and government entities – should engage in consumer education efforts..."

For privacy reasons, some of my Facebook friends have told me it's okay to post photos about them, but do not tag them in photos. I have my Facebook privacy controls set to review all tags of me in photographs by my friends, which I can either approve or reject.

Download the FTC "Face Facts" report (Adobe PDF). Learn more about the POPAI Digital Signage Group.


How Companies Analyze Your Spending And Habits

Two really good news articles explain how companies analyze consumers' spending and social networking activity. I highly recommend that you read both articles.

The Forbes magazine article, "How Target Figured Out a Teen Girl Was Pregnant Before Her Father Did," summarized very well the problematic behavior of many corporations and retailers. To get a jump on its competitors, Target extensively analyzed -- perhaps better than most retailers -- its customers' purchases and attached undisclosed demographic data to each customer's identification number to mathematically predict what customers might buy.

The prediction formulas were so good, Target was able to mathematically deduce from past purchases that this teen girl was pregnant and send coupons to her home -- all before the teen told her parent of the pregnancy:

"What Target discovered fairly quickly is that it creeped people out that the company knew about their pregnancies in advance... So Target got sneakier about sending the coupons. The company can create personalized booklets..."

These personalized coupon books were an attempt to hide the fact that Target knew so much, and to disguise that knowledge by mixing coupons not related to pregnancy with coupons that were related:

"... we learned that some women react badly... Then we started mixing in all these ads for things we knew pregnant women would never buy, so the baby ads looked random... we found out that as long as a pregnant woman thinks she hasn’t been spied on, she’ll use the coupons. She just assumes that everyone else on her block got the same mailer..."

One of my friends called Target's behavior "untethered stupidity" to market pregnancy products to a teenager. Yes, that was incredibly stupid, and was likely enabled by its rush to make money. Some of my friends were surprised at the content of the above Forbes article. I wasn't surprised because of the amount of personal information shared:

  • Consumers share on social networking websites the items (e.g., products, services, television/cable shows, music) we like or prefer,
  • Banks regularly collect and resell both debit-card and credit-card purchases,
  • Consumers share on social networking websites a wide variety of sensitive personal data (e.g., birth date, children's names and ages, list of relatives). The full birth date makes it easy for data brokers and advertisers to distinguish several people with the same name,
  • Consumers share product preferences and travel vacation habits through loyalty program memberships,
  • State motor vehicle registries regularly sell drivers' data to companies and data brokers. That includes the car, from which marketers can deduce your wealth, favorite color, and when to pitch extended auto warranty service plans,
  • Data brokers like Spokeo and Acxiom compile consumers' demographic data from public records and social networking websites, which retailers can purchase,
  • Leaky entertainment, quiz, and gaming apps on social networking websites regularly collect consumers' sensitive personal data,
  • Leaky smartphone apps regularly collect consumers' sensitive personal data they often shouldn't. The lack of privacy policies with these apps means the app developers are free to sell the personal data collected.

What might that undisclosed demographic data be? It's pretty easy to deduce or infer:

  • Name, address, age from the store loyalty program registration
  • Income from any store credit cards, loyalty program registrations, surveys, or average purchase history over time (e.g., wealthy people spend more, less wealthy purchase more with coupons)
  • Favorite colors from the colors of clothes purchased
  • Left-handed preference from types of products purchased
  • Personal preferences from any product comments at the retailer's web site or products "liked" at social networking websites (purchased from data brokers)
  • Type of vision from purchases (e.g., non-prescription sunglasses indicate good vision)
  • Health issues (e.g., eczema, dry skin, dandruff) from the types of lotions and shampoos purchased
  • Health issues (e.g., over-weight) by the size of clothes purchased or from retailers offering pharmacies and in-store clinics
  • Durable goods (e.g., dishwasher, washing machine, gas or electric oven) used at home from purchases
  • Auto and electronics owned from purchases, either the item or related accessories purchased
  • Approximate ages of children by types of toys purchased or from photographs at social networking websites
  • Where else you shop, based on GPS coordinates collected from any apps installed on your smartphone, or data purchased from mobile service providers
  • Retail stores that use facial recognition cameras can track your shopping patterns (e.g., when, where, duration), even when you pay with cash and left your GPS-enabled cell phone at home, and supplement this with demographic data from photos you are tagged in at social networking websites
  • Any gaps in the above demographic data can easily be filled by data purchased from data brokers like Acxiom and/or ads run on social networking websites

The New York Times article, "How Companies Learn Your Secrets," includes a more detailed analysis, with how marketers look for "chunks" in consumers' behaviors to predict future purchases:

"This process, in which the brain converts a sequence of actions into an automatic routine, is called “chunking.” There are dozens, if not hundreds, of behavioral chunks we rely on every day. Some are simple: you automatically put toothpaste on your toothbrush before sticking it in your mouth..."

Some chunks are more complex; consider the series of behaviors women will perform to prepare for a pregnancy: purchase different clothes, lotions, and/or personal hygiene items. Now, think more broadly, because everyone's behaviors can be chunked. Not just women. The researchers found:

"... when some customers were going through a major life event, like graduating from college or getting a new job or moving to a new town, their shopping habits became flexible in ways that were both predictable and potential gold mines for retailers. The study found that when someone marries, he or she is more likely to start buying a new type of coffee. When a couple move into a new house, they’re more apt to purchase a different kind of cereal. When they divorce, there’s an increased chance they’ll start buying different brands of beer. Consumers going through major life events often don’t notice, or care, that their shopping habits have shifted, but retailers notice..."

And a baby definitely qualifies as a major life event.

Now, consider your past purchases. Advertisers value that so they can serve up different products at these major life events. Combine this with your GPS location in the physical world, and it is a marketer's dream: to know you shop every Saturday morning and then serve up ads on your smartphone before you arrive at the supermarket; or to serve up children's toy and food ads before you shop for their birthday parties.

Maybe all of this doesn't bother you, or maybe it does. The bottom line: where you go in the world, what you purchase, and how much you consume are all pretty personal facts. Consumers should have control over when and with whom this personal data gets shared. If you choose to share everything, fine. Some of us feel and act differently.


ScanScout Settles With FTC About Flash Cookies Used For Tracking Consumers

ScanScout has agreed to settle U.S. Federal Trade Commission (FTC) charges that the company used deceptive marketing. Its website privacy policy claimed consumers could opt out of online tracking, when they couldn't opt out because the company's website used Flash cookie technology to collect data, which browser settings couldn't block. An FTC press release summarized the terms of the proposed settlement:

"... bars misrepresentations about the company’s data-collection practices and consumers’ ability to control collection of their data. It also requires that ScanScout take steps to improve disclosure of their data collection practices and to provide a user-friendly mechanism that allows consumers to opt out of being tracked."

During the lawsuit and before the settlement agreement, ScanScout merged with Tremor Video. The consent order (PDF), which applies to the merged company and its subsidiaries, stated:

"... officers, agents, representatives, and employees and all other persons in active concert or participation with any of them, who receive actual notice of this Order by personal service or otherwise, whether acting directly or through any entity, in connection with the online advertising, marketing, promotion, offering for sale, sale, or dissemination of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication: (A) the extent to which data from or about a particular user or the user’s online activities is collected, used, disclosed, or shared; or (B) the extent to which users may exercise control over the collection, use, disclosure, or sharing of data collected from or about them, their computers or devices, or their online activities."

The consent order also stated that within 30 days of the approved consent order, the company:

"... place a clear and prominent notice, including a hyperlink, on the homepage(s) of its website(s), which states, “We collect information about your activities on certain websites to send you targeted ads. To opt out of our targeted advertisements click here.” When selected, the hyperlink shall take consumers directly to the mechanism... that enables users to prevent respondent: from collecting data that can be associated with a particular user, or that contains any unique identifier, including user ID or Internet Protocol (IP) address; from redirecting users’ browsers to third parties that collect data, absent a click or other affirmative action by such user; and from associating any previously collected data with the user..."

For five years after the approved consent order, the companies must save and forward to the FTC both complaints from consumers and all company documentation proving compliance with the consent order.

During the summer of 2011, a class-action lawsuit was filed against AOL, Brightcove, and ScanScout about the use of the Flash cookies technology to secretly track consumers' online usage.

The proposed settlement agreement is open for comment by the public until December 8, 2011, after which the FTC will decide whether to make it final. To submit comments, follow the online comment instructions at this website. Comments submitted via postal mail should be sent to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.

To learn more about the various tracking technologies, browse posts in this blog about browser cookies, "zombie cookies," Flash cookies, "super cookies," and etags. The FTC OnGuard Online website also contains a section about the various online cookies technologies.


Lawsuit Alleges Hulu.com and KISSmetrics Used "Zombie E-Tags" To Track Consumers Without Notice And Consent

Last month, a lawsuit was filed in Central California District Court against Space Pencil and Hulu.com, alleging that the companies tracked consumers' online usage without notice or consent using "Zombie ETags," a newer Internet technology. According to the complaint, consumers:

"... that accessed Hulu's website had HTTP cookies respawn via Flash shared objects, HTML 5 Local Storage, and/or cache/ETags after they had been deleted."

"Zombie ETags" refers to the latest combination of Internet technologies used to track online usage: HTML 5 local storage and/or cached ETags. The Zombie ETags allegedly regenerate any HTTP cookies the user has deleted, removing control from the user and preventing privacy. Entity Tags, also known as "ETags," are a mechanism to verify that the page components a web browser displays match the components on the web server hosting the URL or original web page. Because the browser sends the stored ETag value back to the server on later requests, a unique ETag can work as an identifier that survives cookie deletion.

According to the complaint (PDF - 6.3 MBytes), Space Pencil is the company doing business as KISSmetrics. Hulu.com is a popular website that streams video of television shows from ABC, CBS, Fox, NBC, and other networks and studios. This is at least the second class-action lawsuit filed against both companies.
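The respawning alleged above can be checked from a captured browsing session. The following is an added example, not code from this post, the complaint, or the cited papers: it scans a constructed trace for cookie values that return after the user deletes cookies, and labels whether the value was re-issued on a conditional (ETag) request or written back from client-side storage. The trace format, hosts, cookie names, values and the length heuristic are all assumptions.

```javascript
// Added example. The trace format, hosts, cookie names and values are
// constructed; cookies are keyed by host, a simplification of real
// domain/path scoping.

// "a=1; b=2" (Cookie request header) -> Map of name -> value
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// One Set-Cookie line -> [name, value]; attributes after the first ';' are ignored
function parseSetCookie(line) {
  const pair = line.split(';')[0];
  const eq = pair.indexOf('=');
  return eq > 0 ? [pair.slice(0, eq).trim(), pair.slice(eq + 1).trim()] : null;
}

// Scan a session trace for cookie values that come back after the user
// deleted cookies. Values shorter than minIdLength (e.g. lang=en) are treated
// as preferences, not identifiers; that threshold is a heuristic.
function findRespawnedCookies(trace, minIdLength = 6) {
  const before = new Map();   // "host|name" -> value seen before the clear
  const settled = new Set();  // keys already reported or re-set by a server
  const findings = [];
  let cleared = false;

  for (const ev of trace) {
    if (ev.type === 'clear-cookies') { cleared = true; continue; }
    const host = new URL(ev.url).host;
    const sent = parseCookieHeader(ev.request.cookie);
    const set = (ev.response.setCookie || []).map(parseSetCookie).filter(Boolean);

    if (!cleared) {
      for (const [name, value] of [...sent, ...set]) before.set(`${host}|${name}`, value);
      continue;
    }

    // Rule 1: the browser sends a pre-clear value that no response has set
    // since the clear, so something on the client (script reading HTML5
    // local storage or a Flash shared object) wrote the cookie back.
    for (const [name, value] of sent) {
      const key = `${host}|${name}`;
      if (before.get(key) === value && !settled.has(key) && value.length >= minIdLength) {
        findings.push({ host, name, value, vector: 'client-storage', url: ev.url });
        settled.add(key);
      }
    }

    // Rule 2: the server re-issues a pre-clear value to a request that did
    // not carry it. On a conditional request the cached ETag went back to the
    // server in If-None-Match and could have carried the identifier.
    for (const [name, value] of set) {
      const key = `${host}|${name}`;
      if (before.get(key) === value && !sent.has(name) && !settled.has(key) &&
          value.length >= minIdLength) {
        const vector = ev.request.ifNoneMatch ? 'etag' : 'other-server-signal';
        findings.push({ host, name, value, vector, url: ev.url });
      }
      settled.add(key);
    }
  }
  return findings;
}

// Constructed session: two visits separated by "delete all cookies".
const sampleTrace = [
  { type: 'exchange', url: 'https://metrics.example/t.js', request: {},
    response: { status: 200, etag: '"u-7f3a91"', setCookie: ['uid=u-7f3a91; Path=/', 'lang=en'] } },
  { type: 'exchange', url: 'https://video.example/', request: {},
    response: { status: 200, setCookie: ['guid=g-91c2d0; Path=/'] } },
  { type: 'exchange', url: 'https://news.example/', request: {},
    response: { status: 200, setCookie: ['sid=s-000001'] } },
  { type: 'clear-cookies' },
  // Conditional request with no cookies; the old uid comes straight back.
  { type: 'exchange', url: 'https://metrics.example/t.js', request: { ifNoneMatch: '"u-7f3a91"' },
    response: { status: 304, setCookie: ['uid=u-7f3a91; Path=/', 'lang=en'] } },
  // No response re-set guid, yet the browser sends the old value again.
  { type: 'exchange', url: 'https://video.example/watch', request: { cookie: 'guid=g-91c2d0' },
    response: { status: 200 } },
  // Control: a fresh session id after the clear is normal behaviour.
  { type: 'exchange', url: 'https://news.example/', request: {},
    response: { status: 200, setCookie: ['sid=s-000002'] } },
];

console.log(findRespawnedCookies(sampleTrace));
```

A real audit would replace the length threshold with an allowlist of known preference cookies and would compare two clean browser profiles to confirm that the returning value is unique per browser.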

This class-action lawsuit (Couch et al versus Space Pencil et al) was filed, in part, because the consumers:

"... accessed the Hulu website, relying on the Hulu's Terms of Service and Privacy Policy which provided assurances against unauthorized tracking..."

What makes this lawsuit a little different from prior lawsuits (e.g., "zombie cookies") is the technology and hacking allegations:

"... Internet users who accessed Hulu's website, and knowingly, without the user's knowledge or consent, "Hacked" the Plaintiffs' and Class Member's Computing Devices in order to conduct covert surveillance of Plaintiffs and Class Members online activities, using web analytics to collect and de-anonymize Plaintiffs' and Class members' online data, providing the mechanism for Hulu to conduct perpetual online tracking of its users and a method to use cross domain tracking..."

This alleged tracking technology allowed Hulu and KISSmetrics to track Hulu.com users' online usage across the Internet and beyond the Hulu.com website. The complaint referenced several working papers about tracking technologies:

The 2009 working paper documented the extent of company websites using Flash cookies to regenerate HTTP cookies. The 2011 working paper documented the regenerated HTTP cookies practice:

"In our follow-up study, we found that Hulu was still respawning deleted user cookies using homegrown Flash and Javascript code present on the Hulu.com site. Additionally, Hulu, Spotify, and many others were also respawning using code provided by analytics firm KISSmetrics. Hitten Shah, the founder of KISSmetrics, initially confirmed that the research surrounding respawning was correct in an interview with Ryan Singel although he later criticized the findings after a lawsuit was filed."

Both companies supposedly stopped their Zombie Etag tracking on July 29, 2011. KISSmetrics published this response to the July 2011 lawsuit. The class-action plaintiffs want the tracking software and data files removed from their computers. The sensitive personal information:

"... compiled and misappropriated included sensitive information, such as users' video viewing choices revealing personal interests, his/her sexual preference, political views, and even more specific information like health conditions, such as DEPRESSION..."

The attorneys representing the plaintiffs in this class-action lawsuit include Strange & Carpenter, and a name I recognize: the law office of Joseph Malley.

If you want to learn more, I recommend reading this Wired story.


Several Internet Service Providers Hijack And Replace Consumers' Search Results

When you use a search engine like Google, Yahoo, or Bing you expect it to reliably deliver the search results the search engine was built to deliver, and not a replacement set of links from an intermediary -- without notice and without your consent. New Scientist reported that several internet service providers (ISPs) have modified and redirected these search results:

"The hijacking seems to target searches for certain well-known brand names only. Users entering the term "apple" into their browser's search bar, for example, would normally get a page of results from their search engine of choice. The ISPs involved in the scheme intercept such requests before they reach a search engine, however. They pass the search to an online marketing company, which directs the user straight to Apple's online retail website."

Last week, the New York-based law firm of Reese Richman filed a class-action lawsuit against one of the ISPs, its marketing firms, and Paxfire, the technology company which reportedly provides the equipment used to redirect and replace searches. Experts believe that the redirect process violates several statutes, including wiretapping laws. One of the marketing firms identified with the alleged search redirection is Commission Junction. The ISP identified in the lawsuit is RCN.

Researchers at the International Computer Science Institute in Berkeley, California discovered the redirection and have monitored it for several months. Reportedly, a total of ten (10) ISPs were found to perform search results hijacking and replacement.

"The redirection can also produce unwanted results. A user wanting to read an article in The Wall Street Journal, for instance, might search for "wsj"; the redirection system would take them to a page offering subscription deals for the paper..."

If you want to learn more, there is a good article at the Electronic Frontier Foundation website:

"Major users of the Paxfire system include Cavalier, Cogent, Frontier, Fuse, DirecPC, RCN, and Wide Open West. Charter also used Paxfire in the past, but appears to have discontinued this practice."

It would seem that once again greed trumps common sense. The search results hijacking and replacement alters a basic function of how the Internet operates. You could say that users were "mugged" for their searches.

About three years ago, in an attempt to increase their revenues, several ISPs installed deep-packet inspection software on their servers to serve targeted ads while tracking, without notice and consent, all of their subscribers' Internet activity (e.g., e-mail, text, searches, web browsing). Consumers and privacy advocates protested strongly in both the United States and Europe.

Several ISPs testified in hearings before the U.S. Congress, and at least one ISP admitted to the secret spying on its subscribers. In their rush to make money, ISPs abused their subscribers' privacy and trust.  Several technology companies, like Adzilla and Phorm, were sued and either settled class-action suits against them or went out of business.

It would seem that we are about to repeat another round of privacy abuses by ISPs with their technology and marketing partners. Executives at these companies are either ignorant of the lessons of three years ago or hope that consumers have forgotten them. Well, we have not forgotten. Privacy, disclosure, and consent still matter.

I predict several more class-action lawsuits will emerge, plus an updated list of ISPs to avoid doing business with because of privacy abuses. No matter how they might spin it, it is not right to replace the standard search results from search engines with garbage for an ISP to build its revenues. Consumers' needs matter.