89 posts categorized "Behavioral Advertising"

Verizon Wireless Settles With The FCC Regarding 'Supercookies' And Online Tracking

Yesterday, the Federal Communications Commission (FCC) announced a settlement agreement with Verizon Wireless regarding the company's use of "Supercookies" to track mobile users. The FCC alleged that Verizon Wireless inserted:

"... unique identifier headers or so-called “supercookies” into its customers’ mobile Internet traffic without their knowledge or consent. These unique, undeletable identifiers – referred to as UIDH – are inserted into web traffic and used to identify customers in order to deliver targeted ads from Verizon and other third parties."

Terms of the settlement agreement require Verizon Wireless to notify consumers about its targeted advertising programs, obtain customers’ opt-in consent before sharing UIDH with third-party companies and affiliates, and obtain customers’ opt-in (or opt-out) consent before sharing UIDH internally among Verizon's companies and business units. The settlement terms also require the company to pay a $1.35 million fine and adopt a three-year compliance plan.

The FCC's announcement also noted that the company was slow to update its privacy policy (bold added):

"It was not until late March 2015, over two years after Verizon Wireless first began inserting UIDH, that the company updated its privacy policy to disclose its use of UIDH and began to offer consumers the opportunity to opt-out of the insertion of unique identifier headers into their Internet traffic... Section 222 of the Communications Act imposes a duty on carriers to protect their customers’ proprietary information and use such information only for authorized purposes. It also expressly prohibits carriers that obtain proprietary information from other carriers for the provision of telecommunications services to use such information for any other purpose. Section 8.3 of the Commission’s rules, known as the Open Internet Transparency Rule, requires every fixed and mobile broadband Internet access provider to publicly disclose accurate information regarding the network management practices, performance, and commercial terms of its broadband Internet access services sufficient for consumers to make informed choices regarding use of such services and for content, application, service, and device providers to develop, market, and maintain Internet offerings."

The FCC began its investigation in December, 2014. At that time, the concern was:

"... whether Verizon Wireless failed to appropriately protect customer proprietary information and whether the company failed to disclose accurate and adequate information regarding its insertion of UIDH into consumer Internet traffic over its wireless network, in violation of the FCC’s 2010 Open Internet Transparency Rule and Section 222 of the Communications Act."

Verizon Wireless began inserting UIDH into consumer Internet traffic in December 2012, and didn't disclose this practice until October 2014. After acknowledging this practice, the company claimed that third-party advertising companies were unlikely to use their supercookies to build consumer profiles or for other purposes. The Washington Post reported in November 2014:

"Verizon and AT&T have been quietly tracking the Internet activity of more than 100 million cellular customers with what critics have dubbed “supercookies”... The technology has allowed the companies to monitor which sites their customers visit, cataloging their tastes and interests. Consumers cannot erase these supercookies or evade them by using browser settings, such as the “private” or “incognito” modes that are popular among users wary of corporate or government surveillance."

Also in November 2014, the Electronic Frontier Foundation (EFF) discovered the tracking, and asked Verizon to both notify users and get their consent before using supercookies:

"Verizon users might want to start looking for another provider. In an effort to better serve advertisers, Verizon Wireless has been silently modifying its users' web traffic on its network to inject a cookie-like tracker. This tracker, included in an HTTP header called X-UIDH, is sent to every unencrypted website a Verizon customer visits from a mobile device. It allows third-party advertisers and websites to assemble a deep, permanent profile of visitors' web browsing habits without their consent. Verizon apparently created this mechanism to expand their advertising programs, but it has privacy implications far beyond those programs."
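One way to check for the kind of injection the EFF describes, as an added example that is not code from the EFF or from this blog: compare the headers a device sent with the headers a test server received, and report any header added in transit that carries the same long value to more than one site. The observations, hosts and header value below are constructed, and the `IGNORED` list is an assumption.

```python
# Added example: spot an identifier header injected between client and server.
# All hosts and header values are constructed sample data.

# Headers a proxy may legitimately add or change, and which do not name a subscriber.
IGNORED = {"connection", "keep-alive", "te", "trailer", "transfer-encoding",
           "upgrade", "via"}

def added_in_transit(sent, received):
    """Headers the server saw that the client never sent (names compared case-insensitively)."""
    sent_names = {name.lower() for name in sent}
    return {name.lower(): value for name, value in received.items()
            if name.lower() not in sent_names and name.lower() not in IGNORED}

def cross_site_identifiers(observations, min_len=16):
    """observations: list of (site, sent_headers, received_headers).

    Returns {header: value} for injected headers that delivered the same
    long value to at least two different sites, which is what lets
    unrelated sites link their visits to one subscriber.
    """
    sites_by_header = {}
    for site, sent, received in observations:
        for name, value in added_in_transit(sent, received).items():
            sites_by_header.setdefault((name, value), set()).add(site)
    return {name: value for (name, value), sites in sites_by_header.items()
            if len(sites) >= 2 and len(value) >= min_len}

# Constructed observations: what the handset sent vs. what each test server logged.
SENT = {"Host": "placeholder", "User-Agent": "ExampleBrowser/1.0", "Accept": "*/*"}
UIDH = "CONSTRUCTED-0123456789abcdef"
OBSERVATIONS = [
    ("http://news.example", SENT,
     {**SENT, "Via": "1.1 proxy.carrier.example", "X-UIDH": UIDH}),
    ("http://shop.example", SENT,
     {**SENT, "Via": "1.1 proxy.carrier.example", "X-UIDH": UIDH}),
    # Over HTTPS the carrier cannot rewrite the request, so nothing is added.
    ("https://bank.example", SENT, dict(SENT)),
]

if __name__ == "__main__":
    for header, value in cross_site_identifiers(OBSERVATIONS).items():
        print(f"injected cross-site identifier: {header} = {value}")
```

The received headers have to come from a server you control or an echo service, reached over plain HTTP from the mobile network being tested.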

The EFF said that the Verizon Wireless settlement agreement:

"... is a huge win for Internet privacy. ISPs are trusted carriers of our communications. They should be supporting individuals' privacy rights, not undermining them."

The EFF tempered its comments with a warning about how ISPs can still secretly track consumers:

"... They can send tracking data only to selected web sites, hindering detection by third parties. ISPs can (and some very likely do) hide tracking data in a lower protocol layer, like TCP or IP, setting fields that are normally random based on an agreed-upon code. Or they could log all user browsing activity themselves and share it upon request. Detecting these more pernicious methods will require ongoing skilled technical work by the FCC and other watchdog organizations."

This is why both a skilled oversight agency and watchdog groups are necessary. The average consumer cannot perform this technical analysis. FCC Enforcement Bureau Chief Travis LeBlanc said:

"Consumers care about privacy and should have a say in how their personal information is used, especially when it comes to who knows what they’re doing online... Privacy and innovation are not incompatible. This agreement shows that companies can offer meaningful transparency and consumer choice while at the same time continuing to innovate...”

Yes! Innovation and privacy are compatible. Yes, we consumers care... care greatly about privacy. Relevant advertising is not an excuse to do anything without notification and without consent. Kudos to the FCC. View the Verizon Wireless Order and Consent Decree (Adobe PDF).


Ad Blocking Software: What It Is, The Benefits, And How To Use It

Nobody wants their online experience cluttered with irrelevant advertisements. Recently, TechCrunch published a beginner's guide to ad blocking software. If you are unfamiliar with what the software is, does, and its benefits, then this primer is for you.

Basically, ad blocking software prevents your web browser from downloading and displaying unwanted advertisements. Consumers use it for several reasons, including performance, privacy, and security for a better online experience:

"Performance. The average page has dozens of ad tags, and ad providers are typically built with no regard to performance (loading hundreds of tags, images, megabytes of video, etc.), so preventing all of this from loading drastically speeds up the website."

"Privacy. Most ad networks and tracking systems (like Google Analytics) collect information about user behavior and pages visited, which can lead to privacy issues. Ad blockers stop all of this and make it easy to browse privately."

Security is a concern because some advertising networks (e.g., AOL, Yahoo, Huffington Post) have been compromised and used to push computer viruses, or malware, onto unsuspecting consumers' devices. Some malware targeted mobile devices. It has occurred often enough that the term malvertising is now used. Malvertising is very bad because you don't have to click on anything in order for your computer to get infected.

During the last 7+ years, this blog covered a variety of technologies (e.g., cookies, “zombie cookies,” Flash cookies, “zombie e-tags,” super cookies, “zombie databases” on mobile devices, canvas fingerprinting, etc.) companies use to persistently track consumers online without their knowledge or consent, and to circumvent consumers' efforts to maintain privacy online. So, you want to do what you can to avoid or minimize the tracking.

Consumers have plenty of choices for which ad-blocking software to use. As TechCrunch reported:

"Apple’s iOS has recently allowed for content blocking extensions in its Safari browser, so now it’s possible to block ads on mobile websites, as well. Both iOS and Android also allow for third-party browsers that can come with ad-blocking abilities built in."

You can't block ads that appear within a mobile (or desktop) app, so that may be another reason to use your web browser instead of a mobile app (which is usually a piece of a website). I happen to use, with the Firefox web browser, the Privacy Badger tool from the Electronic Frontier Foundation. I am delighted with it. Yes, some websites won't display content when you block their ads, but most do.

For private online searches, I use the DuckDuckGo search engine instead of Google, Bing, and Yahoo. What ad-blocking software do you use? If not, do you plan to start using it?


Blocking The Ad Blockers

The digital advertising arms race is well underway. Since many consumers have installed ad blocking software on their computing devices for privacy and a better online experience, some publishers have responded by blocking those online users... or at least those users' web browsers.

While attempting to stream the latest episode of a popular television show, I encountered the message below, which is an extremely poor implementation. It suggested that I disable all ad blocking software. A better, responsible implementation would include messaging about the specific advertising mechanism:

Blocked ad blocker at CBS website.

Have you encountered any similar messages at other sites?


You've Got Email Trackers: A Tool Marketers Use To Spy On Consumers

The New York Times told the story of an executive who received a call at 10:30 pm on his smartphone from a marketer, minutes after opening an e-mail message from the same marketer. Coincidence? The executive didn't think so, and after some investigation found that the marketer had planted a tracking mechanism in the e-mail message.

This marketer took e-mail marketing to the creepy zone. The marketer arrogantly assumed the executive, a) wouldn't mind the tracking and privacy invasion; and b) was agreeable to receiving a late-night phone call. Inappropriate. If the executive was driving his car, the late-night call could have created a distracted driving risk. Dangerous.

This marketer isn't alone. According to The New York Times:

"The trackers are traditionally offered by email marketing services like GetResponse and MailChimp. They have a legitimate use: to help commercial entities send messages tailored for specific types of customers. The New York Times, too, uses email trackers in its newsletters. The Electronic Frontier Foundation, a nonprofit that focuses on digital rights, estimates that practically every marketing email now contains some form of a tracker."

The e-mail tracking is possible because most users view HTML e-mail messages. One e-mail vendor's website home page highlights the industry's position:

Image of Sidekick home page.

Marketers want to know when, where, what device you use, and what link(s) you click on with their e-mails and advertisements. Yes, marketers should be able to evaluate their e-mail and marketing programs. At the same time, consumers have valid needs, often including privacy and the desire not to be tracked.

According to Pew Research, consumers perform a variety of tasks to thwart online tracking and data collection: delete browser cookies or browser history (59 percent), refuse to provide personal information irrelevant to the transaction (57 percent), set their browser to disable or turn off browser cookies (34 percent), and more. 86% of internet users have taken steps online to remove or mask their digital footprints. Plus, the growth in usage of ad-blockers by consumers highlights the desire not to be tracked (since many advertising networks contain tracking mechanisms):

"Between 15 to 17% of the U.S. population reportedly use ad blockers, and the number is double that for millennials. The numbers are even higher in Europe, and up to 80-90% in the case of specialty tech and gaming sites."

So, balance and respect are key. If marketers and advertisers are going to plant trackers in e-mail messages, then be honest and transparent: say so. Notify consumers. Provide opt-in mechanisms for consumers that don't mind the tracking.

Don't be that creepy marketer.

Will marketers act with respect and not go to the creepy, dark side? History suggests otherwise, given the litany of covert technologies marketers and advertisers have used to track consumers online: browser cookies, zombie cookies, zombie e-tags, Flash cookies to regenerate browser cookies users have deleted, super cookies, canvas fingerprinting, and more recently cross-device tracking.

Aware consumers realize that surveillance isn't performed only by government spy agencies. Private-sector corporate marketers and advertisers do it, too. The New York Times article discussed one of the e-mail trackers used:

"... MailTrack, which is a plug-in for Google’s Chrome browser that can quickly insert a hidden tracking pixel into a message..."

Unfortunately, both the good guys and bad guys (e.g., spammers, phishers) use e-mail trackers. Experts advise consumers to expect trackers planted in messages, and:

"A basic method for thwarting some email trackers involves disabling emails from automatically loading images, including invisible tracking pixels. But that doesn’t defeat all trackers, which are also hiding in other places like fonts and web links."

Ugly Email and Trackbuster are tools consumers can use to detect trackers embedded in e-mail messages. The former is a Gmail plug-in.
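The kind of check such tools perform can be sketched as follows; this is an added example, not code from Ugly Email, Trackbuster or this blog. It scans the HTML part of a message for invisible remote images (tracking pixels), other remote images, remote stylesheets (where web fonts are loaded from) and parameterised links. The sample message, its hosts and the classification rules are constructed assumptions.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample message; every host and token is a placeholder.
SAMPLE_EML = """\
From: Example Marketer <news@marketer.example>
To: reader@mail.example
Subject: Our spring offers
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head>
<link rel="stylesheet" href="https://fonts.tracker.example/css?u=8f3a91">
</head><body>
<p>Hello! <a href="https://click.tracker.example/r?u=8f3a91&amp;to=shop">See offers</a></p>
<img src="https://cdn.marketer.example/banner.png" width="600" height="200">
<img src="https://open.tracker.example/o.gif?u=8f3a91" width="1" height="1">
<img src="https://open.tracker.example/p.gif?u=8f3a91" style="display:none">
<img src="cid:logo123" width="1" height="1">
</body></html>
"""

REMOTE = re.compile(r"^https?://", re.I)
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = re.compile(r"\s*[01]\s*(px)?\s*", re.I)

def _tiny(value):
    """True when a width/height attribute is 0 or 1, optionally with 'px'."""
    return value is not None and TINY.fullmatch(value) is not None

class TrackerScan(HTMLParser):
    """Collects (kind, url) pairs for resources that can report an open or a click."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and REMOTE.match(a.get("src", "")):
            # A remote image the reader cannot see has no purpose except the fetch itself.
            invisible = ((_tiny(a.get("width")) and _tiny(a.get("height")))
                         or HIDDEN.search(a.get("style", "")) or "hidden" in a)
            self.findings.append(("pixel" if invisible else "remote-image", a["src"]))
        elif (tag == "link" and REMOTE.match(a.get("href", ""))
              and "stylesheet" in a.get("rel", "").lower().split()):
            # Remote CSS is also where web fonts get pulled in.
            self.findings.append(("remote-stylesheet", a["href"]))
        elif tag == "a" and REMOTE.match(a.get("href", "")) and "?" in a["href"]:
            # Heuristic: a query string may carry a per-recipient token.
            self.findings.append(("link-with-params", a["href"]))

def scan_email(raw):
    """Return findings for the HTML body of a raw RFC 5322 message, in document order."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:          # plain-text mail cannot carry these trackers
        return []
    scanner = TrackerScan()
    scanner.feed(body.get_content())
    scanner.close()
    return scanner.findings

def survives_image_blocking(findings):
    """Findings still active in a client that blocks only remote images (assumption)."""
    return [f for f in findings if f[0] in ("remote-stylesheet", "link-with-params")]

if __name__ == "__main__":
    for kind, url in scan_email(SAMPLE_EML):
        print(f"{kind:18} {url}")
```

Embedded `cid:` images travel inside the message and trigger no network request, so they are not reported.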

What are your opinions of e-mail trackers? What software do you use to detect e-mail trackers?

[Editor's Note: an earlier version of this post linked the "cross-device tracking" text to a CBS News article. That link was updated to a more descriptive article at Ars Technica.]


Online Ads: To Block Or Not To Block. And, Who Should Be In Control?

The New York Times reported on Friday about the fast adoption by consumers of ad blocking apps for their mobile devices:

"Just two days after Apple enabled ad-blocking apps through its new mobile operating system, iOS 9, users are embracing the new technology... In less than 48 hours, several ad-blocking apps with names like Peace, Purify and Crystal soared to the top of Apple’s App Store chart... About 16 percent of those who use the Internet in the United States, or 45 million people, have already installed an ad blocker, up 48 percent over the last 12 months, said Sean Blanchfield, who runs PageFair, an Irish start-up that tracks ad blocking. In a report last month, Adobe and PageFair calculated that blockers would cost publishers nearly $22 billion in revenue in 2015."

That's not surprising. The frequency of continual auto-play video ads at many websites has become a huge annoyance. At the same time, one app developer removed his ad-blocking app from sales, stating:

"Peace required that all ads be treated the same — all-or-nothing enforcement for decisions that aren’t black and white. This approach is too blunt, and Ghostery and I have both decided that it doesn’t serve our goals or beliefs well enough. If we’re going to effect positive change overall, a more nuanced, complex approach is required than what I can bring in a simple iOS app."

I agree. The ad-blocking apps should be robust and keep consumers in control. If a consumer wants to block everything, she should be able to. If a consumer wants to block all ads from a specific advertising network and/or ads at a specific website, then he should be able to. Keep consumers in control.

And, the ad blocking should be simpler. Blocking apps should cover a consumer's multiple devices: phone, tablet, laptop, desktop, automobile, and household appliances (e.g., refrigerators, etc.) in a "smart home." Otherwise, the burden on consumers becomes massive.

And, make it opt-in not opt-out. Opt-out puts a perpetual burden on consumers to constantly monitor advertising activities and techniques. Simplicity is always better.

A worst-case scenario would be apps that block ads, but still allow the tracking and data collection by advertisers. Keep consumers in control. I use the EFF's Privacy Badger add-on for my Firefox web browser, to stop both the ads and the tracking technologies embedded in website pages by publishers and ad networks. Privacy Badger explained how it is different:

"Although we like Disconnect, Adblock Plus, Ghostery and similar products (in fact Privacy Badger is based on the ABP code!), none of them are exactly what we were looking for. In our testing, all of them required some custom configuration to block non-consensual trackers. Several of these extensions have business models that we weren't entirely comfortable with. And EFF hopes that by developing rigorous algorithmic and policy methods for detecting and preventing non-consensual tracking, we'll produce a codebase that could in fact be adopted by those other extensions, or by mainstream browsers, to give users maximal control over who does and doesn't get to know what they do online."

Whatever tools consumers use to block ads and tracking, they need to be robust to account for newer techniques, like canvas fingerprinting. One blogger equated ad-blocking software with the deadly pesticide DDT. While it is tempting to equate the intrusive online ads with unwanted insects, I wouldn't go that far. DDT was banned, and ad-blocking software should be encouraged, not banned. Like any other software, there are well-designed products and poorly designed ones.

Sure, publishers and website operators should be able to make money via advertising. The issue is one of balance: balancing consumers' needs versus advertisers' needs. If consumers use ad-blocking apps and browser add-ons, then advertisers have only themselves to blame. They've largely brought this on themselves with ad networks tracking across websites.

What are your opinions of ad blocking software? Which apps and browser add-ons do you use?


Uber: Its Labor Ruling In California, Lawsuits, And Privacy Concerns

During June, Uber, the ride-sharing company, has been in the news for a variety of reasons. Many consumers like the ride-sharing service as an alternative to traditional taxi-cabs. Uber is one of the largest ride-sharing services with about 8 million users worldwide and 160,000 drivers in the United States.

First, in March the State of California Labor Commission ruled that Uber drivers are employees and not independent contractors, as the company claimed. The ruling became public after the company appealed the original decision. In the original complaint, an Uber driver filed a claim for reimbursement of $4,152.00 of expenses.

The issues are worth noting. Time reported:

"... the ruling is non-binding, has no legal bearing on any other drivers, and won’t force any money to change hands. But Uber’s decision to appeal will now move the fight to California’s court system where — along with several similar lawsuits pending in the state..."

One of several pending lawsuits:

"Uber has essentially shifted to its workers all the costs of running a business, the costs of owning a car, maintaining a car, paying for gas,” says Shannon Liss-Riordan, a Boston-based attorney who has a class-action case pending against Uber in California federal court. “Uber has saved massive amounts …. It’s important that the labor laws be enforced so that the companies can’t take advantage of workers that way. Uber’s a $50-billion company and I think it can afford to bear the responsibilities of an employer...”

Second, a new Uber policy bans firearms in its vehicles. KRJH in Tulsa, Oklahoma reported:

"Uber drivers and passengers have to follow a new company policy. Uber has banned all firearms from any vehicle used for its service. The policy comes two months after an Uber driver shot a man who was firing into a crowd of people in a Chicago neighborhood. The Uber driver had a concealed carry license and was not charged with a crime, but it raised the question of safety and comfort for its drivers and riders."

Third, the Electronic Privacy Rights Center (EPIC) has filed a complaint with the U.S. Federal Trade Commission (FTC) about Uber's upcoming privacy policy amendments to both collect more data about its customers and to track customers. Uber's new Privacy Policy goes into effect on July 15:

"Location Information: When you use the Services for transportation or delivery, we collect precise location data about the trip from the Uber app used by the Driver. If you permit the Uber app to access location services through the permission system used by your mobile operating system (“platform”), we may also collect the precise location of your device when the app is running in the foreground or background. We may also derive your approximate location from your IP address."

"Contacts Information: If you permit the Uber app to access the address book on your device through the permission system used by your mobile platform, we may access and store names and contact information from your address book to facilitate social interactions through our Services and for other purposes described in this Statement or at the time of consent or collection."

The sharing of customers' information by Uber seems extensive:

"We may share your information: With Uber subsidiaries and affiliated entities that provide services or conduct data processing on our behalf, or for data centralization and / or logistics purposes; With vendors, consultants, marketing partners, and other service providers who need access to such information to carry out work on our behalf; In response to a request for information by a competent authority if we believe disclosure is in accordance with, or is otherwise required by, any applicable law, regulation, or legal process; With law enforcement officials, government authorities, or other third parties if we believe your actions are inconsistent with our User agreements, Terms of Service, or policies, or to protect the rights, property, or safety of Uber or others; In connection with, or during negotiations of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or into another company..."

Words to focus upon include vendors, consultants, marketing partners, and other service providers. That can include a lot of companies anywhere. Note: that sharing is in addition to any sharing you may perform with social networking sites.

You may remember that ethics and privacy issues surfaced after news reports in 2014 about Uber allegedly using customer and tracking data it collected to target journalists critical of the service.

The EPIC complaint filed with the FTC (Adobe PDF) stated:

"19. Uber will also collect precise location information if the app is operating in the background. On phones running iOS, this means that Uber may be able collect location data even after an app has been terminated by the user."

"20. Even if a user disables the GPS location services on their phone, the company may still derive approximate location from riders’ IP addresses."

"21. This collection of user’s information far exceeds what customers expect from the transportation service. Users would not expect the company to collect location information when customers are not actively using the app, or have turned off their GPS location finder (as Uber can still collect location information through the phones’ IP addresses)..."

"24. Uber claims that it will allow users to opt-out of these features. However, this change in business practices places an unreasonable burden on consumers and is not easy to exercise: while iOS users can later disable the contact syncing option by changing the contacts setting on their mobile devices, the Android platform does not provide any such setting..."

"31. Job interviewees have been granted provisional access all the customer location data available to full-time employees, allowing non-Uber employees to temporarily track any customer. One such interviewee was granted this access for an entire day, even after the job interview ended. He admitted using the database to search records of people he knew, including politician’s relatives."

Based upon the new privacy policy, the tracking and data collection seems very invasive since it will also occur when customers aren't using the service. It seems invasive because the address book collection includes people who aren't Uber customers, didn't agree to the data collection, can't opt out of the collection, and have no control over how their contact information is used. Based upon the company's history, Uber executives seem to play fast and loose with consumers' personal private information.

If you don't like the privacy invasion, there are several resources online about how to cancel and delete your Uber account: C/Net, Reddit, and wikiHow.

What are your opinions of Uber's new privacy policy?


Epic Facebook Privacy Fail

A friend, who shall remain anonymous, posted the following photo on their Facebook timeline:

Facebook ad requesting your household income

Along with the image, my friend posted this status message:

"So this appeared in my right-hand rail. Seriously Facebook, are you tripping? Why would I give you information about my household income? Because I'm so sure you won't abuse the information?"

This is highly confidential information. Does Facebook need to know it? Does Facebook deserve to know it? I wouldn't share this data with them, and neither should you.

After a long, hearty laugh, there wasn't much I could add to this status message. Lots of businesses, including credit reporting agencies, want access to your Facebook timeline (for applications you never intended). In its rush to make money, Facebook has had so many privacy intrusions, snafus, data collection tools masquerading as fitness apps, and failures, that my friend summarized it all concisely.

I did post this comment:

"Epic Facebook privacy fail."


Pew Research Reviews Key Statistics From 2014

Pew Research published 14 statistics from 2014 that it views as noteworthy. I found several items from the list particularly interesting.

First, privacy is still a problem. A clear majority of American adult consumers -- 91 percent responded agree or strongly agree -- believe that they have lost control of how their personal information is collected and used by private companies:

Second, a clear majority -- 80% said they agree or strongly agree -- believe that Americans should be concerned about government monitoring of e-mail messages and Internet usage.

Third, since 2006 more Americans highly value Internet access and their mobile phones, compared to other devices:

You can bet that Internet service providers are aware of this, and will price their services accordingly.


Digital Advertising Firm Pays $750K To Settle Online Privacy Abuses

Six states, including Illinois Attorney General Lisa Madigan, announced a $750,000 settlement with Pointroll, a digital advertising firm, after investigations for privacy violations. The Illinois AG announced:

"... Madigan and her counterparts from five other states alleged that PointRoll unlawfully deployed a browser circumvention technique that allowed it to place browser cookies on consumers’ Safari web browsers despite privacy settings configured to “block cookies from third-parties and advertisers” or alternatively set to “accept cookies” from “visited sites” (for Safari browsers on Apple iPhones and iPads) between December 13, 2011, and February 15, 2012."

Browser cookie files, often referred to as "cookies," are small text files web browsers create, update, and save to users' computers. These files allow advertisers to gather information about users' online habits, often including the sites you visit online. Pointroll is owned by the Gannett Corporation.

The settlement agreement requires Pointroll to respect and comply with consumers' cookie-blocking choices, provide prominent Privacy Policy buttons with links to complete policies on any websites it operates, and to implement a privacy program within six months that trains its employees about consumer privacy and how to maintain it. That program must include yearly assessments and make ongoing changes as needed. Additional terms of the settlement:

  • "Never misrepresent or omit material facts concerning the purposes for which it collects and uses consumer information, or the extent to which consumers may exercise control over the collection, disclosure or use of such information.
  • Ensure that its servers are configured to instruct Safari web browsers to expire any cookie placed by PointRoll using its browser circumvention technique, if those systems encounter such a cookie, for a period of two years.
  • Cooperate with compliance monitoring by the participating states, including providing a written report that describes PointRoll’s compliance with the privacy program requirement and allowing the inspection and copying of all records that may be required to verify compliance."

Besides Illinois, the states involved in the settlement include Connecticut ($110,000), Florida, Maryland ($110,000), New Jersey ($200,000), and New York ($110,000). The Connecticut Attorney General's announcement included a statement by the state's Consumer Protection Commissioner, William M. Rubenstein:

"Brazenly disregarding consumer preferences is an unwise business practice that borders on unethical conduct... We applaud New Jersey’s leadership in the investigation and negotiation with PointRoll and we will continue to uphold Connecticut consumers’ right to choose.”

Borders on unethical conduct? The settlement terms are pretty standard stuff (e.g., requires Pointroll to respect and comply with users' browser settings to block cookies, train employees, submit to annual assessments, and prominently display buttons with links to privacy-policies on its websites). That the firm had to be forced to do this makes one wonder what Pointroll's internal company culture is regarding ethics and privacy. It makes one wonder how trustworthy, or not, the executives at Pointroll are. Are executives at Gannett paying attention?

Readers of this blog know that advertisers have used a variety of technologies (e.g., browser cookies, "zombie cookies," Flash cookies, "super cookies," etags) to ignore and circumvent consumers' explicit decisions and web browser settings not to be tracked online. I congratulate the six attorneys general and their staff for protecting and enforcing consumers' privacy.

What are your opinions of this settlement agreement?


I Stopped "Liking" Things For Two Weeks. How My Facebook Experience Changed

In August, Matt Honan wrote an interesting article in Wired about his social networking experiment. He clicked on all Facebook's "Like" buttons everywhere for two days. It ruined his life. Then, Elan Morgan wrote in Medium about a similar experiment. He didn't click on any Facebook "Like" buttons for two straight weeks. Being curious, I decided to perform my own experiment.

Like Morgan, I decided not to click on any Facebook "Like" buttons for two weeks. That meant avoiding both buttons on posts and links in comments. It also meant not clicking on any "Like" buttons on Websites around the Internet that displayed them.

I use Facebook for personal posts, and to supplement this blog since many readers use Facebook. So, for my experiment I also decided not to click on any "Like" buttons nor links on the I've Been Mugged page on Facebook.

To start, I announced my experiment to my Facebook "friends," which includes friends, acquaintances, family, coworkers, former classmates, and former coworkers. An announcement seemed wise since some of them pursue "Likes" passionately. Many of those former coworkers also work in the digital advertising industry. I asked for their understanding and patience during my informal week-long experiment. My August 17 status message on Facebook:

"Notice for all my Facebook friends: during the next week, I will perform an experiment on Facebook by NOT clicking on any "Like" buttons on posts, comments, photos, videos, and pages. I want to see how this changes my experience with Facebook. You'll probably see me write comments more. So, you have been warned. Please don't feel offended."

Nobody complained. Several wrote comments, which included predictions:

"You will most likely not be bombarded with advertisements or "links you may like". Good!"

Their curiosity:

"Love to hear your methodology. Are you studying adds to your feed by the hour? something else?"

And, some shared tips about how they deal with advertising on Facebook (link added):

"I don't see ads because I use adblock. So I really don't know what they'd be trying to sell me."

Background

I used the Web version of Facebook. For a couple years, I used the mobile version on a Windows phone until I accidentally broke the screen. The mobile version was fun for a while, but the novelty soon wore thin. Spending $10 to $15 monthly for a data plan mostly for Facebook, Twitter, e-mail, and IMDB searches seemed an expensive indulgence. So, when the phone broke, I took that as a sign, ditched the mobile apps, and returned to the fuller Web version. While mobile apps are convenient, they are still pieces of a site. I prefer the entire experience, not pieces. About the only pieces I enjoy are Reese's Pieces. Maybe Facebook should have named its app "Facebook Pieces," but that is a discussion for another time.

I use Facebook to post and view articles, status messages, photos, and videos. I have family members who post plenty of photos. Plenty. For privacy and security, I don't play Facebook games nor apps, having years ago disabled all Facebook apps in my account settings. (To learn about how to use Facebook securely, there are plenty of posts in this blog. Follow any of the links in this post. In the right column, enter "Facebook"  in the search mechanism, or select "Social Networking" in the tag cloud.) Facebook has made some stunning privacy missteps and reversals about how much of your data apps harvest. And, there's more about apps privacy here.

Test Goals and Methodology

I performed this test to see how my experience with Facebook might change. Would Facebook display different content? If so, what might that different content be? Posts by friends, ads, the pages I follow, or what?

My hypothesis going in was that my news feed would probably change. I wasn't sure how. Would I see different ads? Fewer ads? More ads? I didn't expect ads to disappear because that's how Facebook makes money. I knew that Facebook performs behavioral targeting, in order to present relevant ads to its users.

My hope was that my news feed would change because my new behavior would influence Facebook's display algorithm. Ideally, I might see more status messages by friends that it previously hadn't shown. If you didn't know, Facebook uses an algorithm to selectively display about 12 percent of the total status messages by all of your friends. Simply, you don't see everything. You never did; and probably never will. Similarly, your friends don't see everything you post. This 12 percent delivery rate makes "frictionless sharing" claims sound like a bunch of BS.

For my experiment, I decided not to change my profile by "un-Liking" any Facebook pages (e.g., newspapers, magazines, celebrities, television shows, musicians, comedians, pundits, etc.) I had previously "Liked." Frankly, I wanted to continue reading content from these news and entertainment sources; and not live in a virtual cave.

Results Overview

For the first two or three days, not clicking on "Like" buttons felt like a burden. I was used to the convenience. It took little effort or thought to click "Like" buttons and links. Maybe, I was going through "Like" withdrawal. After a couple days, it became easy to not click "Like" buttons. I noticed several things. The first thing I noticed was that I had to change. I had to decide what to type instead.

Use Your Words

When my son was 10 to 20 months old, he often greeted a parent by extending his arms upward and grunting. That was his preferred way to ask a parent or adult to pick him up. My wife and I constantly reminded him to use his words. As soon as I stopped clicking "Like" buttons, I realized that I had to change: use my words.

What to type? It had been so easy before to simply click "Like" buttons and links. Like many Facebook users, I often clicked only the "Like" button without entering any comments. Now, I had to give Facebook more thought and effort.

What words did I use? I went through predictable variations: "Ha," "LOL," "ROTFL," "WTH," "WTF," "Great photo," "I agree," "Awesome," "Nice," and several more. Had Facebook made me lazy? Perhaps. Probably. Typing the word "Like" seemed stupid with so many "Like" buttons and links nearby. For a couple days, I used "Likey" in a feeble attempt to merge liking and humor. I quickly abandoned that.

Nobody asked why I was only entering comments and not clicking "Like" buttons nor links.

Life Without Likes

The first week of my experiment flew by. I posted on my personal news feed on August 25:

"A week has passed and I haven't clicked on a single "Like" button. None. Anywhere. Was easier than I thought it would be."

For me, it felt like cable TV or the Major League Baseball strike during 1995. Once you learn to live without it, you soon find it's easy to live without it. You find other things to do instead; often, more enjoyable things to do. So, I decided to extend my experiment to two weeks. I'm glad I did.

One friend suggested a reason why I found it easy to not click "Like" buttons:

"Of course it's easy. You are not young enough to really be stricken with FOMO...."

If you don't know: Fear Of Missing Out. Convenience and fear seem to drive so much of our social media usage. We love the convenience of being able to post/read/watch anywhere and anytime. When you and everyone act this way, you quickly fall into the FOMO trap: if you stop acting this way, you'll miss out. You may or may not actually miss anything. It's the fear that you might. During my experiment, I didn't have any feelings of fear. None.

How My Facebook Experience Changed

With a two-week experiment, I noticed several changes. First, before starting my experiment, I often clicked on "Like" buttons for articles from news and entertainment sources. When I did, Facebook dutifully displayed related ads in the right column about the brand or company I just "Liked." Example: after "Liking" a news article about Comcast customer service, Facebook dutifully presented in the right column area ads by Comcast or by other cable/TV/Internet service providers. Now, Facebook seemed to have to work harder to determine what I "liked."

During the first week of my experiment, the links to related articles disappeared. You've probably seen the three related articles the Facebook interface displays when you "Like" an article. During the first week of my experiment, they went away. During the second week, those related articles re-appeared only when I entered a comment. That's good or bad depending upon whether you consider those related articles relevant or not. In my experience, the relevancy is hit or miss. Before my experiment, I rarely clicked on a related-article link. That didn't change during my experiment.

Second, Facebook seemed to work harder by focusing on the content I entered into comments. If I mentioned a brand in a comment or status message, then an ad for that brand soon appeared in the right column ad area. Example: while answering a friend's post for advice about leasing automobiles, I mentioned in a comment my experience with leasing a Honda Civic hatchback. Bingo! Facebook soon displayed a Honda ad, assuming I wanted to buy or lease a Honda car. Maybe Facebook did this all along and I just never noticed before. All I can say is this: in a life without "Liking" anything, it is more easily noticed. Mention brand names in your comments and Facebook will most likely display ads by those brands.

Third, Facebook seemed to work harder by using my profile data to display ads. I live in Boston and before the experiment had specified Boston in my profile. I noticed ads by Facebook for free movies at the Prudential Mall (a local shopping area), dentists, and other local services. Those of you who know me, know that I don't like to shop. And, I already have a dentist I am satisfied with. So, irrelevant ads.

In a life without "Likes," it seems that Facebook will dig deeper into your profile and use data from it to display targeted ads. This seems consistent with the targeting options Facebook provides advertisers:

"You can choose the location, gender, age, likes and interests, relationship status, workplace and education of your target audience. If you have a Facebook Page, event or app, you can also target your ad to people who are already connected to you."

The targeting of some of those ads was dubious. I never entered any comments about shopping, dentists, or dental hygiene, but Facebook showed ads anyway.

Fourth, I saw more generic ads, or what seemed to me to be generic ads. I say generic because the ads were for brands I had not "Liked" at all: Verizon Wireless phone service, 1-800-Flowers, customized pen writing instruments, and such.

During my experiment, I did not click on any ads. None. Why? I hadn't clicked on any ads before.

In his experiment, Morgan concluded:

"Now that I am commenting more on Facebook and not clicking Like on anything at all, my feed has relaxed and become more conversational. It’s like all the shouty attention-getters were ushered out of the room as soon as I stopped incidentally asking for those kinds of updates by using the Like function. I have not seen a single repugnant image of animal torture, been exposed to much political wingnuttery, or continued to drown under the influx of über-cuteness that liking kitten posters can bring on."

My experience was similar in some ways and different in other ways. Consistent with Morgan's "conversational" conclusion, I saw more posts by "friends" and fewer posts with news articles in my news feed. It also had implications.

Since I wasn't clicking "Like" buttons for news articles, Facebook's algorithm concluded I must not like them -- and it showed fewer in my news feed. So, to read news content I had to go to my Pages Feed. This behavior change by Facebook makes it a less-than-ideal tool to read news, since I had clearly "Liked" previously several agencies (e.g., CFPB, FTC, FDIC, CUNA, NCUA), advocacy groups (e.g., CSIPA, ACLU, EFF, Stanford CIS), and news sources (e.g., Mashable, FactCheck, ProPublica, Dorchester Reporter, Bill Moyers). I conclude that Twitter is a better source of news because it doesn't have a filtering algorithm. I see all tweets from the news sources I follow there, making Twitter more reliable and relevant -- for me.

In contrast to Morgan's conclusion, I still saw posts (often articles) by Facebook "friends" who are passionate about animal cruelty. Those posts never bothered me. That didn't change. I still saw posts by friends with photos and video of cute animals. That didn't change, either. I still saw article posts by friends who are passionate about politics. Heck, I post a lot about politics. That didn't change, either.

Conclusions

Given the ease of not "Liking" things on Facebook, I extended my experiment from one to two weeks. I was generally happy with my new experience on Facebook. (Yes, I will admit that there is a part of me that felt glee with thwarting Facebook's algorithm.) I had to work a little harder to view and read articles by the entities I followed. Facebook is still a less-than-optimal way to read news.

Also, I learned a little about how Facebook displays targeted ads. It'll dig deeper into your profile data to do so. And, it'll use your comments text more. I had wanted to see what ads appeared. I saw lots of Verizon Wireless ads -- every day, all day long. I still haven't bought a single thing from that store.

My experiment reinforced my view that Facebook isn't really a social networking service. Why? First, there is the 12-percent delivery rate of your friends' status messages. So, you can't assume you've seen everything by your friends, nor that your friends have seen all of your posts. Not very social. Second, in a life without "Liking" things, as Facebook digs deeper into your profile to target ads, it becomes clear that the service is really a gigantic, worldwide advertising delivery and distribution system.

Will I resume clicking "Like" buttons and links? I haven't decided, yet. I may. I may not. If you want to reduce your use of Facebook without deleting your account, not "Liking" things is an attractive option. A more conversational Facebook is a good thing.

Opinions? Could you use Facebook without clicking "Like" buttons? Would you? Have you? Why or why not?


Canvas Fingerprinting: What It Is, How Entities Use It To Track You Online, And The Privacy Concerns

"Canvas fingerprinting" is the latest technique entities use to identify and track consumers' online habits and movements. I use the word "entities" since both private-sector corporations and public-sector government agencies use the technique in their websites. The BBC described it well:

"This technique forces a web browser to create a hidden image. Subtle differences in the set-up of a computer mean almost every machine will render the image in a different way enabling that device to be identified consistently."

Those subtle differences include the many features that distinguish your computer's configuration from others: clock setting, default font, software installed, operating system brand and version, browser brand and version, and more. Researchers at Princeton University in the United States and at the University of Leuven in Belgium analyzed tracking techniques at 100,000 websites. They announced their findings in a draft report dated July 1, 2014:

"We present the first large-scale studies of three advanced web tracking mechanisms -- canvas fingerprinting, evercookies, and use of 'cookie syncing' in conjunction with evercookies. Canvas fingerprinting, a recently developed form of browser fingerprinting, has not previously been reported in the wild; our results show that over 5% of the top 100,000 websites employ it... The tracking mechanisms studied in this paper can be differentiated from their conventional counterparts by their potential to circumvent users' tracking preferences, being hard to discover and resilient to removal."

The researchers emphasized the extreme difficulty confronting consumers:

"Canvas fingerprinting uses the browser's Canvas API to draw invisible images and extract a persistent, long-term fingerprint without the user's knowledge. There doesn't appear to be a way to automatically block canvas fingerprinting without false positives that block legitimate functionality; even a partial fix requires a browser source-code patch. Evercookies actively circumvent users' deliberate attempts to start with a fresh profile by abusing different browser storage mechanisms to store removed cookies. Cookie syncing... allows different trackers to share user identifiers with each other. Besides being hard to detect, cookie syncing enables back-end server-to-server data merges hidden from public view."
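To make the draw-then-read-back pattern in the quote above concrete, here is an added example (not code from the researchers' report, from AddThis, or from this blog) that scans a constructed log of canvas API calls for it. The log format, the URLs, and the three thresholds are assumptions of this example; case 4 in the sample shows the false-positive problem the researchers describe.

```javascript
// Constructed sample log: canvas API calls as an instrumented browser might
// record them. The record shape and every URL here are assumptions.
const SAMPLE_CALLS = [
  // 1. Draws a text string, then serializes the whole canvas (default PNG).
  { script: "https://tracker.example/fp.js", canvas: "c1", width: 300, height: 150,
    method: "fillText", args: ["Sphinx of black quartz, judge my vow 123", 2, 15] },
  { script: "https://tracker.example/fp.js", canvas: "c1", width: 300, height: 150,
    method: "toDataURL", args: [] },
  // 2. Chart library: draws a label and bars, never reads pixels back.
  { script: "https://charts.example/plot.js", canvas: "c2", width: 640, height: 480,
    method: "fillText", args: ["Revenue by quarter", 10, 20] },
  { script: "https://charts.example/plot.js", canvas: "c2", width: 640, height: 480,
    method: "fillRect", args: [0, 0, 50, 100] },
  // 3. Font-rendering probe: one glyph, reads back only a 4x4 pixel region.
  { script: "https://site.example/fontcheck.js", canvas: "c3", width: 32, height: 32,
    method: "fillText", args: ["A", 0, 16] },
  { script: "https://site.example/fontcheck.js", canvas: "c3", width: 32, height: 32,
    method: "getImageData", args: [0, 0, 4, 4] },
  // 4. Image editor: user captions a photo and exports a PNG. Benign, but the
  //    call sequence is the same as case 1.
  { script: "https://editor.example/export.js", canvas: "c4", width: 800, height: 600,
    method: "fillText", args: ["Happy birthday, Grandma!", 40, 560] },
  { script: "https://editor.example/export.js", canvas: "c4", width: 800, height: 600,
    method: "toDataURL", args: ["image/png"] },
  // 5. Thumbnailer: watermark text, lossy JPEG export.
  { script: "https://photos.example/thumb.js", canvas: "c5", width: 200, height: 200,
    method: "fillText", args: ["(c) photos.example 2014", 5, 195] },
  { script: "https://photos.example/thumb.js", canvas: "c5", width: 200, height: 200,
    method: "toDataURL", args: ["image/jpeg", 0.8] },
];

// Thresholds are assumptions of this example, chosen to skip trivial probes.
const MIN_CANVAS_PX = 16;      // canvas must be at least 16x16
const MIN_DISTINCT_CHARS = 10; // text must carry enough glyphs to vary by device
const MIN_READ_AREA = 16 * 16; // getImageData must cover at least this many pixels

const TEXT_METHODS = new Set(["fillText", "strokeText"]);

// True when the call extracts pixel data exactly (lossy exports blur the
// small rendering differences a fingerprint depends on).
function isLosslessRead(call) {
  if (call.method === "toDataURL") {
    const type = String(call.args[0] || "image/png").toLowerCase();
    return type === "image/png";
  }
  if (call.method === "getImageData") {
    const w = Number(call.args[2]);
    const h = Number(call.args[3]);
    return Math.abs(w * h) >= MIN_READ_AREA;
  }
  return false;
}

// Walk the log in order and track, per script and canvas, which characters
// were drawn and whether a lossless read happened afterwards.
function analyzeCanvasCalls(calls) {
  const state = new Map();
  for (const call of calls) {
    const key = call.script + "|" + call.canvas;
    if (!state.has(key)) {
      state.set(key, { script: call.script, canvas: call.canvas,
                       chars: new Set(), suspicious: false });
    }
    const s = state.get(key);
    if (TEXT_METHODS.has(call.method)) {
      for (const ch of String(call.args[0])) s.chars.add(ch);
    } else if (isLosslessRead(call) &&
               s.chars.size >= MIN_DISTINCT_CHARS &&
               call.width >= MIN_CANVAS_PX && call.height >= MIN_CANVAS_PX) {
      s.suspicious = true;
    }
  }
  return [...state.values()].map((s) => ({
    script: s.script, canvas: s.canvas,
    distinctChars: s.chars.size, suspicious: s.suspicious,
  }));
}

// Sorted, de-duplicated list of script URLs that matched the pattern.
function suspiciousScripts(calls) {
  const hits = analyzeCanvasCalls(calls).filter((r) => r.suspicious);
  return [...new Set(hits.map((r) => r.script))].sort();
}

console.log(suspiciousScripts(SAMPLE_CALLS));
```

The captioned-photo export is flagged alongside the tracker, which is why blocking on this call pattern alone would break legitimate sites.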

Why the researchers produced this report:

"Our goal is to improve transparency of web tracking in general and advanced tracking techniques in particular. We hope that our techniques and results will lead to better defenses, increased accountability for companies deploying exotic tracking techniques and an invigorated and informed public and regulatory debate on increasingly persistent tracking techniques."

The researchers concluded the following about consumers' ability to maintain their privacy online:

"Current options for users to mitigate these threats are limited, in part due to the difficulty of distinguishing unwanted tracking from benign behavior. In the long run, a viable approach to online privacy must go beyond add-ons and browser extensions. These technical efforts can be buttressed by regulatory oversight. In addition, privacy-friendly browser vendors who have hitherto attempted to take a neutral stance should consider integrating defenses more deeply into the browser."

ProPublica reported:

"The researchers found canvas fingerprinting computer code, primarily written by a company called AddThis, on 5 percent of the top 100,000 websites. Most of the code was on websites that use AddThis’ social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish."

I strongly encourage consumers to read the ProPublica article, since it includes an interview with an executive from AddThis. The article also lists five recommendations consumers can follow to minimize the online tracking. However, some of the recommendations require technical knowledge and skills beyond what many consumers have.

One recommendation includes using Chameleon with the Google Chrome browser. A reader, who asked me not to mention their name, shared this opinion:

"... Chameleon, it does not appear to be available for Firefox, and I won't run Chrome because of Google's outrageous privacy policy, which is really a disclosure policy that lets Google do pretty much what it wishes with the personal information that its browser, Chrome, collects... putting Chameleon on Chrome just effectively gives Google a monopoly... as it blocks other domains' fingerprinting while leaving Google's collection techniques in Chrome unmolested."

Is this an over-reaction? Consider... earlier this year, Google changed its policy to reflect its continued scanning of all inbound e-mails from non-Gmail users. About the scanning, a United Kingdom newspaper wrote this headline, "Google: Don't Expect Privacy When Sending to Gmail." A simple online search found this review of Google Chrome privacy. Several news organizations reported in December 2013 about how spy agencies in the U.S. and U.K. use Google's proprietary cookie technology.

Plus, MediaPost reported yesterday:

"Back in March of 2012, Google made international headlines with its controversial decision to revise its privacy policy in a way that allowed it to consolidate information about users. Ever since, a group of consumers have been trying to sue the company for allegedly violating users' privacy. This week, a federal judge ruled that the consumers could proceed with a lawsuit -- but not based on their original claims. Instead, U.S. Magistrate Judge Paul Grewal in San Jose, Calif. said that users could continue with allegations that Google wrongly transfers users' names and contact information to app developers."

So, there seems to be enough happening that some consumers understandably might try to minimize or avoid interactions with any Google products and services.

Several news organizations have reported about the high-profile websites that use canvas fingerprinting, including several porn sites and WhiteHouse.gov. Interested readers can browse this list of websites the researchers found that perform canvas fingerprinting.

I would like to thank the researchers for this report. It is greatly appreciated and very valuable. Consumers need to be informed and the websites (e.g., marketers and advertisers) aren't doing it. Tracking methods need to be disclosed and opt-in based.

During the last 7+ years, this blog has covered stories about several technologies (e.g., cookies, “zombie cookies,” Flash cookies, “zombie e-tags,” super cookies, “zombie databases” on mobile devices, etc.) entities have used to persistently track consumers online without their knowledge or consent; and circumvent consumers' efforts to maintain privacy online. Proponents usually justify the tracking as needed for consumers interested in seeing relevant, targeted advertisements online (a/k/a "behavioral advertising"). Given this history of repeated privacy abuses, sadly I am not surprised about canvas fingerprinting. Frustrated, yes. Surprised, no.

Many of these tracking technologies have resulted in class-action lawsuits, which has been good because the speed of technological change is far faster than both the laws and legislators’ abilities to understand the emerging technologies. I fear that class-actions, as a protection tool for consumers and/or a method to hold privacy abusers accountable, will be more difficult in the future as many banks, telephone, Internet service providers, consumer electronics, software, nursing, and health care companies have added binding arbitration clauses to agreements with their customers.

This persistent tracking raises other issues. Consumers need new browser features to stop this persistent online tracking, as companies use creative ways to restore browser cookies that users have deleted to maintain privacy online. For consumers, help may be on the way in the form of the Privacy Badger tool from the Electronic Frontier Foundation.

A prior blog post discussed the DuckDuckGo search engine as an alternative to traditional search engines (e.g., Google, Bing, Yahoo) for privacy-conscious users. While there was a discussion on one DuckDuckGo community board about canvas fingerprinting, DuckDuckGo provided this explanation:

"We removed the canvas check when we launched our reimagined/redesigned version earlier this year. This is no longer a concern. On the old DuckDuckGo, its function was to detect if anti-aliasing was turned on, because our old default font (Segoe UI) broke when anti-aliasing was off."

So, the revised DuckDuckGo maintains privacy by design. Consumers can continue using the search engine with confidence for privacy.

Some consumers may conclude that using apps on their mobile devices instead of a web browser is an effective way to avoid the online tracking. Assuming this would be foolish given the Google lawsuit mentioned above. Plus, the unique device ID numbers (UDID) on all mobile devices are simply a very tempting identifier and tracking mechanism. It is one reason why so many apps want access to consumers' entire address books and other files on their mobile devices.

Download the researchers' report, "The Web Never Forgets: Persistent Tracking In The Wild" (Adobe PDF, 903 K bytes).

What are your opinions of the researchers' report? Of canvas fingerprinting? Of AddThis? Of Google? Of the failure of websites to inform consumers of the online tracking methods used? If you operate a blog or website using technologies from known canvas fingerprinters, please share your thoughts and/or whether you continue to use these technologies.

[Correction: an earlier version of this blog post mentioned a possible privacy problem with the DuckDuckGo.com search engine. The revised blog post above includes an explanation from DuckDuckGo about how their search engine maintains privacy and avoids canvas fingerprinting.]


Facebook Announced A New Feature Where It Listens And Identifies Music And TV Content

Before and during the Memorial Day holiday, I was busy with work and family events. Perhaps, you were busy too and missed this. Just before the holiday, Facebook announced a new, optional feature where it will listen and identify whatever you are listening to while typing status messages.

If you have used mobile apps like Shazam, then you know how technology can easily identify the name and artist of music. Facebook wants to take the technology further by identifying the background content (e.g., music you are listening to, movies or television show you are watching) while posting messages to Facebook. Facebook's announcement pitched the new feature as:

"You may have seen a friend post a photo after a tough workout with a “feeling proud” icon. Or you’ve seen your friend check in at a coffee shop “drinking an iced coffee.” In the last year, people shared more than 5 billion status updates... we’re making those conversations quicker and easier by introducing a new way to share and discover music, TV and movies. When writing a status update – if you choose to turn the feature on – you’ll have the option to use your phone’s microphone to identify what song is playing or what show or movie is on TV."

Unlike the Shazam app (which the user initiates), once you turn on the "Identify TV and Music" feature, it will operate quietly and identify whatever is playing in the background when you post messages:

"If you leave the feature on, you will see the audio icon move and attempt to detect a match when you’re writing a status update. No sound is stored and you’ll always get to choose whether you post to your friends... if you choose to turn this feature on, it will only use your microphone (for 15 seconds) when you’re actually writing a status update to try and match music and TV... when you write a status update, the app converts any sound into an audio fingerprint on your phone. This fingerprint is sent to our servers to try and match it against our database of audio and TV fingerprints. By design, we do not store fingerprints from your device for any amount of time."

It's important to read Facebook's words closely. It says it won't store the music, TV show, or movie you are watching or listening to. It does store the status message you authorize about the background content. That means, the feature will record the name or title of the show/music, the artists, along with the date, time, your geolocation (e.g., GPS) data, and probably other relevant metadata. It needs these metadata elements to create a status message for you to post to your Timeline.

Based upon its matching algorithm, the message includes an excerpt of the music or show, since Facebook assumes that your friends may want to purchase the music or video item. In this way, Facebook can sell more advertising to its corporate sponsors; where once again Facebook members are the product. The feature allows Facebook to analyze its members' actions and build a more robust activity profile. For example, people with certain demographic characteristics (e.g., age, sex, students, rural residents, etc.) or in certain locations, listen to XYZ music and/or watch a certain genre of television shows while posting status messages. And, Facebook can associate certain moods or feelings in your posts to the moods or feelings in the background content (e.g., music, movie, or TV shows).

The Naked Security blog by Sophos reported:

"When it initially announced the eavesdroppish new service, Facebook didn't say anything about listening in on background noise, including private conversations. But this week, Facebook's security head honcho, Gregg Stefancik, filled in that gap. Stefancik, head of security infrastructure for the very-data-rich, o-so-good-at-data-mining social network, explicitly told journalists that the new audio feature does not snoop on users and does not record conversations... The raw audio never leaves the phone, Stefancik said, while the data about the match is only stored if a user opts to post it... The app can't identify background noise and conversation before the feature is enabled."

I guess that this new feature will be a benefit to consumers who want to share easily, quickly, and automatically without having to do anything. You literally won't need to lift a finger. It seems wise for consumers to give a new feature like this a lot of thought and consideration before turning it on. Why? The background content (via the authorized status messages) will be associated with your profile.

Maybe, the background content is the television you've left on because you're home alone, not really watching it, and want some noise in your home. Maybe you are simply in the same room with a family member or friend who is watching TV, movies, or listening to music. Their selections identify their choices, not necessarily yours. Maybe you are in a shopping mall and muzak is playing in the background. Maybe the music playing is from an advertisement on television. Maybe Facebook's matching algorithm was incorrect.

My point: the background content may have nothing to do with your profile, but it gets recorded and associated with your profile anyway. The background content may be items you'd never select nor buy, but Facebook would assume so. Then, who is right? Who knows more about you and your habits: you or Facebook?

I see this new feature as extremely invasive and problematic. I know my profile better than any social networking service, and remaining in control is important to me. Facebook addressed the issue of control in its announcement:

"... this feature is completely optional. If you don’t turn it on, we won’t use your microphone to try and match TV or music when you write a status update. If you do choose to turn it on and later decide it’s not for you, you can easily turn it off at any time."

This implies, if you want to delete any background content from your Timeline, then you would do so consistent with the capabilities and limitations of the current Timeline system. Does a user really have effective control? I don't see how any consumer can verify that Facebook uses the new feature to comply with its promises (e.g., don't record conversations, 15 seconds, identify only TV/music, etc.). The announcement did not specify how accurate the feature is. If it incorrectly identifies some background content, and you authorize that status message, then an error has been introduced to your profile. Facebook members may not know the background content identified.

I'd like to see Facebook explain more about its matching algorithm. How accurate is it? Does it match any song or music? Does that include music in TV advertisements? If so, then, the matching algorithm could identify what commercials you have viewed. What about radio? The announcement didn't say anything about radio. People listen to traditional radio and satellite radio. What matching is done then?

This technology confirms what a lot of people have been worried about with surveillance by government spy agencies: the ability to remotely control the microphone in your smart phone or mobile device, and monitor what you are doing, listening to, and watching. Since Facebook already records and archives everything (including deletions) you type into the status message box, the two features combined provide the social networking site with very strong capabilities to determine what you are thinking, feeling, and considering -- not just what you typed in the status message. That is very strong personal content.

It's also very creepy stuff, in my opinion. Spy agencies must be looking at this and wondering: if Facebook can do this, we should be able to do this, too. If I operated a Web design service that was a front for a spy agency, I'd want to use an app like this.

I wouldn't want any mobile device in my pocket running an app like this. Nor would I want to be around people using an app like this; especially in business meetings. Yes, this upcoming Facebook feature reminds me a lot of Google Glass. Very invasive for people who value their privacy.

What's your opinion of the upcoming Facebook feature? Is this more or less invasive than government spy programs?


California AG Issues Privacy Recommendations To Better Protect Consumers

Late last month, the Office of the Attorney General for the State of California issued a guide with privacy recommendations for companies about how to present privacy policies and do-not-track disclosures to consumers. The recommendations are based upon changes in California law (emphasis added):

"...in 2003, California established the landmark California Online Privacy Protection Act, which was the first law in the nation to require operators of commercial websites, including mobile apps, to conspicuously post a privacy policy if they collect personally identifiable information from Californians. In 2013, the Act was amended by Assembly Bill 370, which requires privacy policies to include information on how the operator responds to Do Not Track signals or similar mechanisms. The law also requires privacy policies to state whether third parties can collect personally identifiable information about the site’s users."

Previously, many mobile app developers failed to include usage terms and privacy policies with their apps, both before and after purchase. Most Web browsers have Do Not Track (DNT) features, but the effectiveness of that feature depends upon the website operator's compliance, which is not mandatory. The California AG's guide included a summary of Do Not Track and web browsers (emphasis added):

"... the [U.S. Federal Trade Commission] staff in 2010 proposed a Do Not Track (DNT) browser signal as a uniform and comprehensive way for consumers to choose whether to allow the collection and use of data regarding their online searching and browsing activities. The Commission noted in its 2012 final report that a number of browser vendors had announced that their latest versions permitted consumers “to instruct websites not to track their activities across websites.” In a 2012 paper on consumer privacy, the White House noted that “privacy-enhancing technologies such as the ‘Do Not Track’ mechanism allow consumers to exercise some control over how third parties use personal data or whether they receive it at all.” By 2013, the major browser companies had all implemented a DNT mechanism in their browsers. In May 2014, the White House once again commented that consumers “have a valid interest in ‘Do Not Track’ tools that help them control when and how their data is collected.” There is no legal requirement for how operators of web sites or online services must respond to a browser’s DNT signal. The World Wide Web Consortium (W3C), which facilitates collaborative efforts to develop web standards, created a Tracking Protection Working Group, which has been working since 2011 to develop standards for the technology and meaning of Do Not Track. As of the end of 2013, the W3C group had not agreed upon what an operator or an advertising network should do when they receive a DNT browser header."

The guide includes the following key recommendations:

"Readability
- Use plain, straightforward language. Avoid technical or legal jargon.
- Use a format that makes the policy readable, such as a layered format.

Online Tracking/Do Not Track
- Make it easy for a consumer to find the section in which you describe your policy regarding online tracking by labeling it, for example: “How We Respond to Do Not Track Signals,” “Online Tracking,” or “California Do Not Track Disclosures.”
- Describe how you respond to a browser’s Do Not Track signal or to other such mechanisms. This is more transparent than linking to a “choice program.”
- State whether other parties are or may be collecting personally identifiable information of consumers while they are on your site or service.

Data Use and Sharing
- Explain your uses of personally identifiable information beyond what is necessary for fulfilling a customer transaction or for the basic functionality of an online service.
- Whenever possible, provide a link to the privacy policies of third parties with whom you share personally identifiable information.

Individual Choice and Access
- Describe the choices a consumer has regarding the collection, use and sharing of his or her personal information.

Accountability
- Tell your customers whom they can contact with questions or concerns about your privacy policies and practices"

Personally identifiable information (PII) includes the following data elements:

  • Your name: first, middle, last
  • Your residential or home address, including the street name, town, and ZIP Code
  • Your e-mail address
  • Your telephone number (mobile or land-line)
  • Your Social Security number
  • Any other identifier that enables somebody to contact you online or offline in the physical world
  • "Information concerning a user that the web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier..."

The last two items are critical because they include several things that can be used to identify only you, such as a user name, user ID, license number, member number, policy number, record number, the IP address assigned to your computer device, and so forth. The last item probably includes your physical movements (e.g., GPS coordinates with time stamps from your mobile device or car), since this data could be used to uniquely identify and track you.

Download the "Making Your Privacy Practices Public" guide (Adobe PDF) by the California Attorney General's Office. It includes detailed recommendations, which are a good start. Assembly Bill 370 makes it easier for consumers to understand what website and mobile app operators promise to do about privacy and handling consumers' sensitive personal information. Obviously, there needs to be a standard about how advertising networks respond to DNT signals from a browser.

I look forward to seeing more privacy improvements in California and in other states. What are your opinions of the "Making Your Privacy Practices Public" guide? Is it good? Does it go far enough?


Your Car Is The Next Advertising And Data Collection Frontier

Advertisers view your personal auto as the next frontier to display targeted, relevant advertisements based upon when and where you drive, plus how long you park at certain locations. All of this is possible as manufacturers equip cars with computing technology similar to what's in your smart phone and tablet computer. Think of your car as simply another mobile device.

Business Insider explained advertisers' interest:

"Americans spend an average of 1.2 hours a day traveling between locations and American commuters spend an average of 38 hours a year stuck in traffic. If mobile apps and Internet-based services can shoehorn their way into the in-car environment, that means a great opportunity to expand their ability to engage consumers, absorb their attention, and gather data."

It really doesn't matter whether you drive your car, or you use the Google self-driving car. The data collection will be massive and advertisers plan to capitalize on the opportunity. Say Media reported:

"... the McKinsey Global Institute estimates that the automotive industry will be the second largest generator of data by 2015. Gartner reports that, by 2018, one in five cars on the road will be "self-aware" and able to discern and share information on their mechanical health, their global position and status of their surroundings."

The data collected is not only GPS location and engine performance from sensors embedded throughout the car. The data collected is not only your travel directions and map information. It also includes your music selections and interactions with other mobile devices, since cars are Internet connected, access files in cloud services, and often operate as WiFi hotspots.

Then, there is the coming practice of "geo-fencing," the dynamic, real-time display of location-specific advertisements:

"According to the Placecast Blog, they and Aha™ by HARMAN have begun testing new in-car advertising that delivers relevant, real-time promotional offers to consumers based on the vehicle's locations. Quiznos is the first brand to activate promotional offers using the new service. When your vehicle enters a geo-fenced area, a Quiznos audio ad is inserted into the stream. A tap on the interface emails a coupon to your mobile device for use in the store..."

So, if you are driving near a particular fast-food restaurant chain, you will likely see advertisements and/or coupons displayed in your car (and/or on your mobile device connected to your car) about nearby restaurants and stores. Say Media posed some more relevant questions:

"... how much access advertisers will actually have to proprietary in-vehicle systems. Should auto manufacturers act as a gatekeeper, shielding their car's drivers from unwanted messages? Or should auto brands open-source their code for in-vehicle modules like the Ford Motor Company? Ford's strategy is to provide a link allowing apps on Android phones or iPhones to be controlled through the car's electronic units."

Proprietary in-vehicle systems include the myriad of sensors embedded throughout your car that monitor and report information about specific components (e.g., engine, brakes, cameras, speed, road conditions, etc.). For me, consumers should be in control. And, there are many more questions:

  • Who stores the data collected by your car, and how long is it retained?
  • Who owns the data collected by your car (e.g., driver, auto manufacturer, operating system software developer, mobile app developer, advertiser, advertising network, mobile device manufacturer, insurance company, etc.)?
  • What other companies is the data collection shared with (especially auto maintenance, repair, and sensor information)?
  • Who controls the data sharing?
  • When and where are relevant policies (e.g., privacy, terms of use) displayed?
  • Are programs opt-in or opt-out based for consumers? Hopefully, the former.
  • What privacy tools will be available for drivers?
  • What anti-virus options will be available to prevent malware, spam and bot nets from using your car?
  • Will cars include embedded code by the NSA and other intelligence agencies?
  • Supposedly, targeted and relevant advertisements are a convenience for consumers. How much convenience is enough?

If current Internet practices win out, then your car will likely operate similar to your Web browser, with a race by advertisers and companies to collect as much as possible via a variety of technologies (e.g., not just browser cookies) that track you and your movements.

What are your views about smart cars? About advertisements via geo-fencing? About privacy options for drivers?


How To Opt Out Of Tracking Programs And Keep As Much Privacy As Possible

Your online activity is tracked by a wide variety of technologies, not just web sites. For example, all of the major search engines (e.g., Google, Bing, Yahoo) track your search history. If you use one of the major search engines, then you will need to opt-out of the search engine history tracking at each search engine. This Mashable article contains instructions plus links to the opt-out mechanisms for each search engine.

Me? I use the DuckDuckGo search engine instead. There is nothing to opt-out of because DuckDuckGo doesn't collect anything.

Similarly, the social networking websites you use track your online activity and will use your name and photo in their online advertisements if you let them. To avoid this, you'll need to opt-out of the advertisement features at each social networking website you use. For example: sign in to Twitter and navigate to Settings, and then Security and Privacy. On that page, uncheck the boxes next to Promoted Content and Tweet Location. For Facebook, navigate to General Account Settings, and then to Ads. Click Edit and select "No one" for Third Party Sites. Click Edit and select "No one" for "Ads and Friends."

This Mashable article contains instructions for how to opt out of advertisements on Google services.

The web browser you use also tracks your online activity. So, the steps you must take to deactivate HTTP cookie tracking depend upon which web browser you use. According to Mashable, to opt out of cookie tracking Mozilla Firefox users must:

"In Firefox's Privacy panel, click on the area next to Firefox will: and select Use custom settings for history. Once selected, remove the checkmark in the Accept Cookies box."

See the Mashable article for instructions for Google Chrome users. I also use the Better Privacy add-on for Firefox to regularly delete HTTP and other Locally Shared Objects (LSO) cookies.

Also, there may be settings on your mobile device to turn off any sharing with your mobile device manufacturer, mobile operating system manufacturer, and/or telecommunications provider. None of the above methods will stop sharing of your purchases with your bank, credit-card, debit-card, and/or prepaid card provider.

Remember, all of these services and technologies, including your mobile device (e.g., tablet, smart phone), that collect data also collect metadata. All of this online data collection can make the Internet a pretty frustrating tool at times. In response to the perceived (and real) lack of online privacy, more and more users in Australia provide fake information while online to blunt companies' data collection and tracking. And, if infected with the appropriate computer virus, your smart phone may continue to track you even when turned off.


Are You Walking Blindly In The 'Big Data' Revolution?

There is a good article on the BBC News website about the trends and impacts of technology -- namely about how "big data" is transforming the entire planet. "Big data" refers to information companies and governments collect about consumers. They collect this information from a variety of sources:

"... not only from posts to social media sites, mobile signals and purchase transactions but increasingly from sensors on objects from lamp-posts to skyscrapers...In Birmingham, lamp-posts are being fitted with sensors that can transmit information about cloud cover to offer hyper-local weather forecasting. In Norway, more than 40,000 bus stops are tweeting, allowing passengers to leave messages about their experiences... At MIT's Senseable City Lab, 5,000 pieces of rubbish in Seattle were geo-tagged and tracked around the country for three months to find out whether recycling was really efficient..."

You've probably noticed video surveillance cameras on street lights across the country. That's another source. This blog has reported about many other sources:

All of these types of devices will be used more and more in what people call a "smart city:"

"The core functionality of a smart city requires a vast amount data to be collected on every aspect of our lives every minute of every day. The question is how does that data get used? And it doesn't require a huge amount of imagination to see how it could be used to monitor people... the control of information is being taken away from citizens, and companies providing services are rushing to find ways of generating revenue from the data they hold. The danger is... individuals will not be able to control the ways they are monitored or what happens to the information, which is exactly the opposite of how it should be."

It seems to me, you can distill all of this into a single issue about consumers:

"... People have clicked "yes" to those terms but don't realise that everything you share can be collected. We could be walking blindly into a 24/7 surveillance society..."

We have traded privacy for convenience.

Are you walking blindly? Are you willing to continue trading privacy for convenience? Are you willing to question online processes, privacy disclosures, and website terms of usage? Are you willing to push back and say: enough? Are you willing to demand that your elected officials place consumer protections before privacy abuses happen, and not minor, ineffective protections afterwards? Are you willing to support any of the consumer advocacy groups that look out for your privacy?


FTC Reminds The Search Engine Industry To Continue To Distinguish Between Paid Ads and Natural Search Results

Earlier this week, the U.S. Federal Trade Commission (FTC) announced that it had sent letters to all search engine operators reminding them to continue to distinguish between paid advertisements and natural search results. The letters reinforce guidance and rules established in 2002. The letters said, in part:

"...After the 2002 Search Engine Letter was issued, search engines embraced the letter’s guidance and distinguished any paid search results or other advertising on their websites. Since then, however, we have observed a decline in compliance with the letter’s guidance. Although the ways in which search engines retrieve and present results, and the devices on which consumers view these results, are constantly evolving, the principles underlying the 2002 Search Engine letter remain the same: consumers ordinarily expect that natural search results are included and ranked based on relevance to a search query, not based on payment from a third party. Including or ranking a search result in whole or in part based on payment is a form of advertising. To avoid the potential for deception, consumers should be able to easily distinguish a natural search result from advertising that a search engine delivers..."

The letters cited results from a 2005 Pew Research Center survey about search engine users:

"Some 45% of searchers said they would stop using a search engine if they didn’t make it clear that some results were paid or sponsored."

There are many more interesting results from that same 2005 survey:

"... some 38% of those who have used a search engine are aware that there are two different kinds of search results, some that are paid or sponsored and some that are not. The remaining 62% are not aware of this practice. Data from this survey show identical numbers from those collected two and a half years earlier; that is, there has been no overall change in users’ understanding of how search systems work."

And, perhaps more importantly -- the users that are aware can't always tell the differences between paid and natural search results:

"... Among the 38% of internet users who are aware of the practice, some 47% of searchers say they can always tell which results are paid or sponsored and which are not. This represents about one in six of all internet searchers. An almost equal number, 45%, say they are not always able to tell."

The letters also discuss ways, such as labels and visual design, the search engines can distinguish between paid and natural search results.

Kudos to the FTC for looking out for the interests of consumers. It is sad that the search engine industry chooses to operate in a manner where such a warning is needed. It says a lot about the desire to bend or ignore the rules during its rush for profits.

The 2012 Pew Internet survey about search engine users found interesting results about privacy:

"73% of search users supported a statement that they would not be okay with a search engine keeping track of their searches and using that information to personalize future search results because they feel it is an invasion of privacy... 65% of search users supported a statement that it’s a bad thing if a search engine collected information about their searches and then used it to rank future search results... 68% of internet users agree with a statement that they are not okay with targeted advertising because they don’t like having their online behavior tracked and analyzed... 66% of search engine users say search engines are a fair and unbiased source of information..."

If you don't like being tracked or your searches collected by search engines, there is an alternative.


The Companies Involved In Payment Transactions When Consumers Buy Items

When consumers pay for products and services today, they have a wide variety of options. To make these options work, a variety of companies are involved behind the scenes in the payment transactions: the companies that money and information flow through after a consumer purchases something at the checkout register. Consumers may not realize the wide variety of different companies involved.

Companies involved in the payment transaction flow often have their own privacy policies and collect consumers' sensitive information -- driven by their agreement with the retailer or bank. And, each company involved may experience data breaches where consumers' sensitive information is exposed or stolen:

Payment method, by company type:

| Company Type | Cash | Credit Card | Debit Card | Retailer's Prepaid Card (1) | Bank Prepaid Card (2) | Prepaid Card: FSA (3) | Smart Phone |
|---|---|---|---|---|---|---|---|
| Brick-&-mortar retail store | No | Yes | Yes | Yes | Yes | Yes | Yes |
| Online retail website | n/a | Yes | Yes | Yes | Yes | Yes | n/a |
| Retailer's partners &/or affiliates (4) | n/a | Yes | Yes | Yes | Yes | Yes | Yes |
| Your bank | n/a | Yes | Yes | n/a | Yes | Yes | Yes |
| Retailer's bank | n/a | Yes | Yes | Yes | Yes | Yes | Yes |
| Payments Processor (5) | No | Yes | Yes | Yes | Yes (6) | Yes | Yes |
| Your Employer | n/a | n/a | n/a | n/a | Yes | Yes | Yes |
| Healthcare Vendor (7) | n/a | n/a | n/a | n/a | No | Yes | n/a |
| Wireless Provider | n/a | n/a | n/a | n/a | n/a | n/a | Yes |
| Mobile Device Manufacturer | n/a | n/a | n/a | n/a | n/a | n/a | Yes |
| Mobile Device Operating System Developer (8) | n/a | n/a | n/a | n/a | n/a | n/a | Yes |
| Mobile App Developer (8) | n/a | n/a | n/a | n/a | n/a | n/a | Yes |
| App Store | n/a | n/a | n/a | n/a | n/a | n/a | Yes |

Footnotes:

  1. Includes gift cards offered by retailers that are good only at that retailer's stores.
  2. Includes general-purpose prepaid cards usually offered by banks.
  3. Includes prepaid cards used by employers to administer healthcare Flexible Spending Accounts.
  4. Includes outsourced vendors that administer a retailer's email marketing programs, cloud-based storage services, customer relationship management databases, mobile marketing services, product fulfillment, and/or data mining services; plus companies that perform co-marketing campaigns.
  5. The bank and/or company that processes the debit/credit card transactions.
  6. Applies to employers that pay employees via payroll debit cards.
  7. Some employers outsource the administration of their healthcare Flexible Spending Account (FSA) program to an external vendor, and issue participating employees a special prepaid card.
  8. The company that develops and maintains this software for mobile devices.

What do you think about the above chart?


FTC Amends Rules Regarding Data Collection Of Personal Information Of Minors

Last month, the U.S. Federal Trade Commission (FTC) clarified and strengthened its rules regarding the collection of personal data of minors under the age of 13. In its announcement, the FTC stated:

"1. Modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
2. Offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
3. Close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
4. Extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
5. Extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
6. Strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential;
7. Require that covered website operators adopt reasonable procedures for data retention and deletion; and
8. Strengthen the FTC’s oversight of self-regulatory safe harbor programs."

The new rules become effective July 1, 2013. The rules are part of the Children's Online Privacy Protection Act (COPPA) enacted in 1998. The COPPA rules include personal information elements such as the child's full name, home address, email address, telephone number, or any other information that would allow someone to identify or contact the child. As they should, the new rules add more data elements. The FTC stated in its blog:

"The definition of personal information now includes geolocation information, as well as photos, videos, and audio files that contain a child’s image or voice. Also covered: persistent identifiers that can be used to recognize a user over time and across different websites or online services. But there’s a notable exception: COPPA’s parental notice and consent requirements don’t kick in if the identifier is used solely to support the internal operations of the site or service."

It strikes me that the above exception, or loophole, could be used to avoid and abuse consumer information. Those "persistent identifiers" are key since they are used by the online advertising networks, and enable both online tracking and behavioral advertising. Plus, there is a long history of repeated abuse of consumers' sensitive personal information by companies using zombie cookies, Flash cookies, zombie e-tags, search hijacking, and leaky apps on mobile devices. In September 2012, the FTC issued guidelines for mobile app developers.

Companies are advised to watch the FTC Children's Privacy page for additional updates.

In an ideal world, COPPA rules would not stop at age 13, but extend to age 18, the usual age of majority. It would have been better if the amended COPPA rules explicitly mentioned facial recognition.


Twitter's Tailored Suggestions Program And Online Tracking

In May 2012, Twitter.com introduced a new program called Tailored Suggestions, which recommends other Twitter members to follow based upon your online usage:

"How tailored suggestions work: We determine the people you might enjoy following based on your recent visits to websites in the Twitter ecosystem (sites that have integrated Twitter buttons or widgets). Specifically, our feature works by suggesting people who are frequently followed by other Twitter users that visit the same websites."

The use of buttons or widgets to track social networking website users around the web is not new. Facebook, LinkedIn, and YouTube have similar programs. Twitter users can easily opt out of this tracking by un-clicking the box next to "Personalization" in their Twitter Profile Settings page. (See image below.) Or, they can adjust the Do Not Track settings on their web browser.

[Image: Twitter Personalization setting on the Account Settings page]

Last month, Forbes magazine reported about Twitter's expansion plans with its Tailored Suggestions program.

For me, Twitter is a wonderful resource, which I use primarily with this blog and to network with other privacy advocates and bloggers. I like and trust Twitter far, far more than Facebook. Twitter hasn't had the repeated privacy snafus which have happened at Facebook. As of January 1, 2013 about 560 people follow this blog via Twitter compared to about 120 via Facebook.