Harris Interactive: Most U.S. Adults Uncomfortable With Web Sites That Customize Content Based On Visitors' Personal Profiles

If you have followed the prior posts on behavioral targeting (a/k/a behavioral advertising), then I think that you, too, will find the results of this recent Harris Interactive poll very interesting:

"A majority of U.S. adults are skeptical about the practice of websites using information about a person's online activity to customize website content. However, after being introduced to four potential recommendations for improving websites privacy and security polices, U.S. adults become somewhat more comfortable with the websites use of personal information."

The nationwide survey included 2,513 U.S. adults, and was performed between March 11 and 18, 2008 by Harris Interactive, in collaboration with Dr. Alan F. Westin, Professor of Public Law and Government Emeritus at Columbia University, Principal of the Privacy Consulting Group. Additional key findings:

"A six in ten majority (59%) are not comfortable when websites like Google, Yahoo! and Microsoft (MSN) use information about a person's online activity to tailor advertisements or content based on a person's hobbies or interests. A quarter (25%) is not at all comfortable and 34 percent are not very comfortable..."

Westin and the researchers reported:

"Websites pursuing customized or behavioral marketing maintain that the benefits to online users that advertising revenues make possible -- such as free emails or free searches and potential lessening of irrelevant ads -- should persuade most online users that this is a good tradeoff. Though our question flagged this position, 59 percent of current online users clearly do not accept it."

Ha! Good for consumers! The promise of free content and only relevant ads isn't the strong magnet that companies and advertisers would like to believe. Plus, after showing the survey participants a list of potential policy and security policies, based on self-regulatory guidelines by the FTC, the adults changed their opinions slightly:

• "By 55 to 45 percent, a majority of U.S. adults indicates that they would be more comfortable with companies using information about a person's online activities to provide customized advertising or content;
• Interestingly, once the privacy/security policies were presented the percentages of those who are very comfortable increases only very slightly to 9 percent from 7 percent. The percentage who are somewhat comfortable given the privacy/security policies increases more significantly to 46 percent from 34 percent;
• Similarly, those who are not at all comfortable decline to 19 percent from 25 percent, and those who are not very comfortable decline to 26 percent from 34 percent."

Adult consumers are beginning to place a higher value on their personal data, combined with an approach that companies must first earn their trust before sharing confidential personal data. I encourage you to read the complete Harris Interactive press release.

'Income Tax Return Identity Fraud' Scam Threatens Some Taxpayers' Refund And Stimulus Checks

Now that April 15 has passed and you have filed your income tax returns, you are probably thinking about how you are going to spend your tax refund checks and stimulus check. Well, most of you will receive your checks, but some may not.

Just when you thought that nothing else could go wrong with identity theft, Phuong Cat Le at the Seattle Post-Intelligencer blog reported about income tax return identity fraud:

"Earlier this week, one of my colleagues sat down at her computer to file her income tax return electronically using TurboTax. Twice, her return was rejected. The message she got back was startling: the IRS already had a tax return filed under her Social Security number. How could this be? She hadn't filed yet."

Phuong's colleague did what any of us would do, and called both the Social Security Administration and the Internal Revenue Service to resolve the problem and receive her checks. Apparently:

"A thief had filed a fraudulent tax return under her name, and would likely get her $1,000 refund, not to mention her $600 economic stimulus payment. Thus began her tedious task of clearing her name: filing a police report, filing a complaint with the Federal Trade Commission, putting a fraud alert on her credit report and mailing in her tax return with copies of her driver's license, police report and other documents to prove her identity."

More importantly, this scam appears to be on the rise:

"... complaints about this type of theft jumped 579 percent, from 3,000 to more than 20,000, between 2002 and 2007, according to an audit released this week by the Treasury Inspector General for Tax Administration. Not only are fraudulent returns on the rise, so are cases where thieves use another person's Social Security number to gain employment."

The IRS has promised a better response to identity theft/fraud, but seems to have started too late and from way behind:

"Finance Committee Chairman Max Baucus, D-Mont., said that on average it takes almost a year for the IRS to sort out who is the real taxpayer when there is an identity issue. "In the meantime the victim's tax accounts get frozen. The IRS issues no refund," he said. 'The taxpayer waits in tax limbo for months and months.' "

The Post-Intelligencer also reported:

"The IRS does not keep track of identity theft incidents and investigates and prosecutes identity theft cases only if they occur in conjunction with other criminal offenses having a large tax impact, according to a report this week from the Treasury Inspector General for Tax Administration."

This is great news for identity criminals, and very troubling news for consumers, especially if you are due a refund. It definitely reinforces the impression that the IRS is focused only on tax collections and not on data security, while it is entirely possible and appropriate to focus on both.

This situation infuriates me. If it infuriates you too, I encourage you to write to your elected officials today and demand that they act immediately to fix data security at the IRS. For those that are interested, read the full report of the audit of IRS tax collection.

Until the IRS fixes its data security holes, it may be a good idea to consult with a tax accountant to adjust your withholding to minimize the chances of a large refund check which could be stolen (and which gives the government an interest-free loan).

Thoughts on Privacy, The Constitution, 'Heavy-Handed' Government, And the Presidential Candidates

Like many people, I've done some research and soul-searching about whom to vote for in the 2008 presidential campaign. My preferred candidate, John Edwards, dropped out of the presidential race before the primary in my state. During the Massachusetts primary, I voted for Edwards anyway with the hope of giving him some clout to influence the party platform at the Democratic convention this summer.

Last year, i read Naomi Wolf's book ("The End of America: Letter of Warning To A Young Patriot"), which I believe should be required reading for all Americans; especially youth. Then, I read Wolf's recent article, "Why Barack Obama Got My Vote" which also resonated with me.

After doing some research, I can tell you that both NSPD-51 and HR 1955 scare the living daylights out of me. If you read about these two items, I think that they will scare you, too. These are not partisan issues, since politicians and citizens and both sides of the aisle find this legislation extremely troubling. I've written to my Congressional House representative, Stephen Lynch (D-MA), a couple times and so far he refuses to reply about why he voted for HR 1955.

I fully understand why the Bush administration would craft something like NSPD-51, and would this administration would love for the House and Senate to approve something like HR 1955. (The Senate version of HR 1955 -- S 1959 - is under discussion.) It's no surprise given the Vice President's interest in Executive Privilege. (If you want to learn more about HR 1955 -- or S 1959 --, Ronnie Bennett has written an excellent description in her Time Goes By blog.)

Regardless, I worry that our Congress is not functioning as a co-equal third branch of our federal government, while the Executive branch has co-opted the Judicial branch, which has lost its independence. To me, all of this combined spells bad times for a government that is supposed to be of-, by-, and for people -- not of-, by-, and for- the rich or corporations.

If you haven't read the United States Bill of Rights, and the Declaration of Independence, please take a moment to read them. They are wonderful documents.

What does all of this have to do with identity theft? Plenty. As government agencies collect more and more personal data bout citizens, that data must be stored someplace. And, government often contracts out many functions to private companies. Which means our personal data ends up in lots of places. We citizens have a right to expect our government to be responsible and to explains what it's doing (and not hide behind "we can't discuss that due to national security"). Many call this "transparency." For me, part of transparency is an explanation of where our personal data is collected, used, shared, and archived; plus adequate data security protections, and timely notice after a data breach.

A government that isn't open, honest, and transparent with the explanations it provides, basically treats its citizens like children... or slaves. I do not want to be treated like a child, or a slave.

To me, Barack Obama seems most trustworthy with balancing the needs of government, consumers, and corporations. Barack Obama seems to provide a healthy balance of trust and competence without going overboard with a hawkish, pro-war tendencies while returning our government to a government of-, by- and for the people. I feel that if we don't bring some order, sense, and accountability to our government now, we may lose the chance forever.

NSA's Domestic Spying Grows As The Agency Sweeps Up Data

For consumers to effectively protect their personal data, means knowing where your personal data is. Both companies and government agencies archive consumers' personal data. For consumers to judge the effectiveness of their government, requires knowledge of their government's data collection activities. The Wall Street Journal reported:

"Five years ago, Congress killed an experimental Pentagon anti-terrorism program meant to vacuum up electronic data about people in the U.S. to search for suspicious patterns... But the data-sifting effort didn't disappear. The National Security Agency, once confined to foreign surveillance, has been building essentially the same system. The central role the NSA has come to occupy in domestic intelligence gathering has never been publicly disclosed. But an inquiry reveals that its efforts have evolved to reach more broadly into data about people's communications, travel and finances in the U.S. than the domestic surveillance programs brought to light since the 2001 terrorist attacks."

An important point:

"Largely missing from the public discussion is the role of the highly secretive NSA in analyzing that data, collected through little-known arrangements that can blur the lines between domestic and foreign intelligence gathering. Supporters say the NSA is serving as a key bulwark against foreign terrorists and that it would be reckless to constrain the agency's mission. The NSA says it is scrupulously following all applicable laws and that it keeps Congress fully informed of its activities... the spy agency now monitors huge volumes of records of domestic emails and Internet searches..."

A cautionary note:

"A number of NSA employees have expressed concerns that the agency may be overstepping its authority by veering into domestic surveillance. And the constitutional question of whether the government can examine such a large array of information without violating an individual's reasonable expectation of privacy "has never really been resolved," said Suzanne Spaulding, a national-security lawyer who has worked for both parties on Capitol Hill. NSA officials say the agency's own investigations remain focused only on foreign threats, but it's increasingly difficult to distinguish between domestic and international communications..."

All of this rests on a legal foundation that:

"... relies largely on the government's interpretation of a 1979 Supreme Court ruling allowing records of phone calls -- but not actual conversations -- to be collected without a judge issuing a warrant. Multiple laws require a court order for so-called "transactional'" records of electronic communications, but the 2001 Patriot Act lowered the standard for such an order in some cases, and in others made records accessible using FBI administrative subpoenas called "national security letters." (Read the ruling.)

To learn more, you can read this analysis at DailyKos, which includes the ACLU's response to the Wall Street Journal article. As if all of this wasn't enough, last week we learned that at least three U.S. Senators' passport records were breached. If a U.S. Senator can't expect data privacy, what can citizens expect?

The question to ask yourself is: are you comfortable with your government's disclosures about its data collection activities? If you are uncomfortable, then ask the same of your elected officials. Oversight and transparency are critical.

Help Name The DHS Privacy Pig

The Wired Privacy, Security, Politics, and Crime Online blog seeks name suggestions for the Department of Homeland Security's new "Privacy Pig:"

"Homeland Security's Privacy Chief Hugo Teufel III likes THREAT LEVEL more than we could ever have imagined. On Wednesday, at a press conference at the 2008 National Fusion Center Conference Wednesday, Teufel gave us a pig. A pink, squishy pig with wings and sunglasses. We assume the Privacy Office created the flying pig as a way to publicize or remind people about  its Privacy Incident Handling Guidance booklet. PIHG, get it?"

Several people have already posted names. The new DHS Privacy Pig:

Is A Total Surveillance Society Inevitable?

Recently, ZD Net Australia reported about the Legal Futures Conference at Stanford University in California. Several technologists and legal experts attended the conference. Many legal experts have again raised concerns that Web 2.0 has come at the expense of individual privacy. The article quoted an IBM technologist at the conference who said:

" 'A total surveillance is not only inevitable and irreversible, but also irresistible,' Jeff Jonas, distinguished engineer and chief scientist at IBM Entity Analytics, said during a panel on surveillance at the conference on Saturday. For example, imagine how convenient it would be to have RFID chips embedded in sunglasses so you could find them easily, Jonas said."

Is he serious? Inevitable? Irresistible? Just so I can find my sunglasses? Consider this:

"Jennifer Granick, civil liberties director at the Electronic Frontier Foundation, acknowledged that she finds the location-based technology in her iPhone very convenient when she's trying to avoid traffic congestion but she doesn't want the government to be able to use that technology to track her down. The fact that all sorts of data about each of us is being gathered and is archived, searchable, and can be compiled to create profiles about each of us is what makes digital privacy intrusions so much scarier than pre-Internet life, she said."

Jeffrey Rosen, a law professor at George Washington University and legal affairs editor of The New Republic, warned of:

"... "privacy chernobyls," which he described as "new threats to privacy that have the potential to transform society in troubling ways". Examples include Facebook revealing more about its members than they care to have revealed and tracking their purchases without consent, as well as AOL inadvertently exposing search terms of 650,000 people in 2006."

Are attitudes in the USA unique?

"The perspective is different in other countries, Rosen said. Americans are, in general, concerned with preventing terrorism, while Europeans are concerned with protecting their individual privacy, he said. For example, the French will bare their breasts but not their salaries and mortgages, and the reverse is true in the US. "My fear is that the cultural differences will make thoughtful regulation difficult," Rosen said."

Probably the most important conclusion:

"Government regulation is necessary to ensure that consumers' privacy is adequately protected online, Granick and Rosen said. Orin Kerr, a professor at George Washington University Law School, said the Fourth Amendment can be applied to the online world in a way that balances individual rights with law enforcement  needs."

I find a total surveillance society easily resistible. Nor is it inevitable. We have a choice. What do you think?

Anti-Real ID Rebellion Spreads To California

On March 10, 2008, Wired magazine reported:

"Assemblyman Pedro Nava (D-35) introduced a non-binding resolution to that effect Monday afternoon in response to concerns about privacy, security and the high price of the federal mandate -- which the government's most recent estimate pegs at $4 billion nationally...Howard Posner, a policy consultant to the Transportation Committee, said that last year the committee contemplated moving legislation to accept Real ID, but reconsidered after 'looking at the cost, and the incredible inconvenience for driver's license holder and the privacy issues.' "

The Real ID Act and the proposed rules by DHS have important implications about how the federal government and states will manage, store, and update citizen's identification data -- and consumer privacy. How such an expensive, unfunded piece of federal legislation happened:

"Congressman James Sensenbrenner (R-WI) added the Real ID mandate to a must-pass defense spending bill in 2005, leaving the details to be determined by the Department of Homeland Security. After much delay, the final regulations were issued in February of 2008."

If the California legislature passes this resolution, then California would join a group of 17 states that have expressed opposition to the unfunded mandate:

"Three states have outright rejected Real ID, setting up a showdown on May 11, when the federal government says it will not allow residents of Montana, Maine, South Carolina and New Hampshire to use their state I.D. cards for federal purposes."

Consumers should notify their elected officials of any concerns you have with the Real ID Act. Learn more about the Real ID Act at this web site.

'Amazing Amount Of Sensitive Data' Stolen During Pentagon Data Breach

In case you have been distracted by what passes as news: Britney Spears, Lindsay Lohan, the Mills-McCartney divorce, which celebs' have a baby bump, American Idol, college basketball, and/or the Spitzer sex scandal -- you should know that the Pentagon, perhaps the most important U.S. military facility, suffered a data breach. On March 6, London-based The Register reported:

"A network intrusion at the Pentagon nine months ago resulted in the theft of an "amazing amount of data" that continues to pose a threat to national security, the CIO of the Defense Department said earlier this week... Over the course of two months leading up to the attack, malicious code infiltrated several systems belonging to the Pentagon's network and culminated in an exploit of a known Microsoft Windows vulnerability, Clem said. That allowed attackers to send spoofed emails that appeared to come from Pentagon personnel in Clem's division."

In the war on terror, the Pentagon is one facility you know our enemies will attack... repeatedly. And it's one facility you definitely don't want to have a data breach. So you plan on that. Dennis Clem, the CIO of the Office of the Secretary of Defense (OSD), said:

"This was a very bad day... "We don't know when they'll use the information they stole, [which was] an amazing amount."

The Government Executive publication reported:

"A June 2007 network intrusion at the Pentagon resulted in the theft of an "amazing amount" of data, and the incident remains a national security concern, a top Defense Department technology official said this week. The Office of the Secretary of Defense detected malicious code in various portions of its network infrastructure while consolidating information technology resources in the middle of last year. Over the course of two months, the code infiltrated multiple systems, culminating in an intrusion that created havoc by exploiting a vulnerability in Microsoft Windows... spoofed e-mails containing recognizable names were sent to OSD employees. When they opened the messages, user IDs and passwords that unlocked the entire network were stolen; as a result, sensitive data housed on Defense systems was accessed, copied and sent back to the intruder."

The government's response to the cyber attack:

"The portion of the network infrastructure under assault was shut down soon after the attack was detected. Recovery, which took three weeks and cost $4 million, involved the introduction of a new process of "checking out" temporary IDs and passwords for access to the network, stricter requirements about the use of common access cards for identity verification, and introduction of digital signatures to ensure that information comes from a valid source."

Interestingly, about a week later the Wall Street Journal reported:

"The top U.S. commander in charge of cyberspace said that American military networks are coming under increasing attack from hackers seeking to steal classified information, and that many of the incidents appear linked to China. Gen. Kevin Chilton, who heads the military's Strategic Command here, stopped short of formally accusing Beijing of responsibility for the attacks. But he said there was significant evidence to suggest that China was behind many of the incidents... In a report released earlier this month, the Pentagon said that the Chinese People's Liberation Army was expanding its military power from 'the land, air and sea dimensions of the traditional battlefield into the space and cyber-space domains.' "

Meanwhile, this ad has appeared on network television:

Behavioral Advertising: What Consumers Must Do (Part Four)

Monday's post discussed the benefits of behavioral advertising, and the proposed rules by the FTC. Tuesday's post listed the leading companies that collect consumer data for behavioral advertising. Wednesday's post discussed the growing role of ISPs in behavioral advertising and the new technologies being deployed.

So, what next?

For me, my first concern is data security. 2007 was a record year for corporate data breaches. The number of incidents rose 40% -- where companies either "lost" or had stolen records about their employees, former employees, retirees, contractors, and/or customers. And this includes data only from the data breach incidents we know about. It does not include incidents from companies in states that lack breach notification laws. It does not include incidents of identity fraud during a crime.

From InformationWeek:

"In its December 24 report, the ITRC said that there were publicly reported 443 breaches in the U.S. in 2007. In 2006, the ITRC identified 315 publicized breaches. Some 127 million data records were exposed during 2007. In 2006, nearly 20 million records were exposed. In 2005, there were 158 breaches reported involving about 65 million records."

And some of these data breaches have already included ISPs, like AOL; and major advertisers, like TJ Maxx, AIG Insurance, and IBM.

Given this lousy track record of data security, I fully expect companies to continue to "lose" -- and criminals to continue to steal -- confidential data via data breaches. Why? Nothing has changed to alter past history. There is a lack of government oversight. There are no substantial penalties. And many companies just don't provide good data security.

This means that many of the future data breaches will include consumers' sensitive data collected during behavioral advertising programs. Given this, it seems sensible for the FTC to craft behavioral advertising rules that acknowledge poor corporate data security:

• For behavioral advertising/targeting programs, companies (including advertisers and ISPs) should include the default as all consumers opted out. Consumers should be given the option to opt-in to a companies behavioral advertising program
• The behavioral advertising rules for companies, advertisers, and ISPs must specify an exhaustive list of consumer data that's collectible and sensitive personal data excluded
• Web sites designed for primarily for children (e.g., age 17 and under) should be excluded from any and all behavioral advertising. Children don't have the means to handle opt-in/out for behavioral advertising programs. Ideally, parental controls software should provide parents with the tools to prevent opt-in by their children at all children's web sites
• There must be clear, minimum standards for companies for data security of the personal data collected for behavioral advertising programs
• There must be specific time limits for how long companies can archive personal data collected for behavioral targeting. "Forever" is not an acceptable answer. Consumer data should be purged at three (3) year intervals
• There must be specific rules for ISPs, since ISPs have a unique position providing Internet access for consumers. ISPs must treat their members' IP Address as sensitive  personal data similar to a Social Security Number or e-mail address. ISPs should never match personal-identifying data (e.g., name, address, phone #, e-mail address, cell #, fax #, SS#, birth date, driver's license #, etc.) to behavioral advertising data
• The rules must include timely disclosure to consumers when a company, advertiser, and ISP: a) starts a behavioral advertising program; b) modifies an existing behavioral advertising program; c) trades behavioral advertising data with other companies; and d) merges or acquires other companies, within the USA or globally. These rules must apply to the entire company, not just its US-based divisions. It should also apply to business units, divisions, contractors, or outsourcing firms based outside the USA
• Medical data should be excluded from all behavioral advertising programs for a couple reasons. First, many consumers consider this highly sensitive data not to be shared under any circumstances. Second, let's "walk first before we run." That is, let's see how behavioral advertising performs with other types of available consumer data first, before deciding whether to extend it to medical information
• All advertisers, companies, and ISPs must disclose to consumer their behavioral advertising program in both their web site legal "Privacy" or "Terms and Conditions" pages, and via print materials (similar to the way companies today provide consumers with a revised Privacy Policy every time this document changes).
• The FTC must publish a clear, detailed plan about how it will implement oversight to monitor compliance and penalize violators
• The behavioral advertising rules must include clear, strong penalties for companies, ISPs, advertisers, and their senior executives for violators. I'd like to see fines starting at $10,000 per consumer record and jail time for fines exceeding $250k
• Violators (e.g., companies, ISPs, and advertisers) must provide consumers with ten (10) years of free credit monitoring and credit restoration after a data breach

Why these rule amendments? If you have read the I've Been Mugged blog, then you know about the issues related to data breaches, data security, and corporate responsibility. Unfortunately, the American business is heavily tilted towards companies making money with consumers' personal data, and tilted away from strong protections for consumers when companies suffer a data breach. I'm concerned that behavioral advertising will make this worse.

All of the above rule amendments address the corporate data breach problems I've experienced. The rule amendments allow companies to profit from behavioral advertising and hold these companies accountable when they don't provide the data security programs they should.

For me personally, the assumed benefits of behavioral advertising (e.g., free content, relevant ads, personalized ads, and a promised reduction in the number of ads) do not outweigh the privacy I would give up. Maybe the benefits are enough for you, but they aren't enough for me. Where I surf on the Internet is my business unless I decide explicitly to tell somebody else.

If you feel the same or different, share your comments below. I'd love to hear why you feel the way you do. If you have sent feedback to the FTC, share that too.

As I mentioned before, the FTC seeks comments from the public (that's us consumers!) about its proposed behavioral advertising rules. The FTC has extended the deadline for submissions to April 11, 2008. Comments can include any concerns you have, changes you fell are necessary to the FTC's proposed rules, the types of consumers' personal data you believe should be considered sensitive, and anything else you feel is relevant. See Monday's post for the specific types of feedback the FTC seeks.

You should send comments and feedback to the FTC at:
Secretary
Federal Trade Commission
Room H-135 (Annex N)
600 Pennsylvania Avenue, NW
Washington, DC 20580

Or, you can also submit comments and feedback to the FTC online via BehavioralMarketingPrinciples@ftc.gov. Some public comments are already available for viewing online at the FTC web site.

Behavioral Advertising: What It Is And The Proposed FTC Rules (Part One)

This is a subject I probably should have written about sooner. On November 1 and 2, 2007, the FTC hosted a conference entitled “Ehavioral Advertising: Tracking, Targeting, and Technology.” The event included consumer advocates, industry representatives, technology experts, and academics to address consumer protection issues.

In December 2007, the U.S. Federal Trade Commission (FTC) released its proposed rules document for companies who wish to engage in behavioral advertising (also called behavioral targeting). I am not discussing in this post whether or not behavioral advertising works. There are several case studies where companies have evaluated how best to perform behavioral advertising. Rather, this post explores some of the consumer privacy and data security issues.

When you visit web sites today, many companies display ads related to the content of the site pages you view. Some companies include software that saves information to the HTTP cookies file on your computer, which is used by your web browser software. We consumers have the choice about how we surf the web. You can set your web browser software to accept or prohibit web sites from accessing the HTTP cookie file. It's been this way for many years.

Behavioral advertising is not new. A few companies and newspapers have used behavioral targeting for years. Of course, there also are advertising networks which focus on behavioral targeting, including NebuAd's offering for ISPs. You can read several blogs about behavioral advertising.

Previously, companies have used behavioral advertising based on the pages you visit within a single web site. What's changing is that companies plan to use behavioral advertising based on both the pages you visit within a single web site (e.g., On-site targeting) and across several web sites (e.g., Network targeting), plus the search keywords you enter at search engine web sites.

So participants at the above conference discussed with the FTC possible rules to keep things manageable. In its proposed rules document, the FTC defined behavioral advertising as:

"... the tracking of a consumer’s activities online – including the searches the consumer has conducted, the web pages visited, and the content viewed – in order to deliver advertising targeted to the individual consumer’s interests."

In my opinion, the Decision Science News blog offers a better definition:

"Behavioral Targeting is the ability to deliver ads to consumers based upon their recent behavior viewing web pages, shopping online for products and services, typing keywords into a search engine or a combination of all three. 'Interest-Based Targeting allows large-brand advertisers… to target more precisely the audience they are trying to reach with the message they are trying to convey'..."

In its proposed rules document, the FTC described the benefits as:

"... behavioral advertising provides benefits to consumers in the form of free web content and personalized ads that many consumers value... The benefits include, for example, access to newspapers and information from around the world, provided free because it is subsidized by online advertising; tailored ads that facilitate comparison shopping for the specific products that consumers want; and, potentially, a reduction in ads that are irrelevant to consumers’ interests and that may therefore be unwelcome."

The FTC proposed several rules to solve several concerns:

Concern	Proposed FTC Rule
1. Transparency and consumer control: many criticize existing disclosures as difficult to understand, inaccessible, and overly technical and long. They also stated that, with clearer disclosures, consumers can make more informed decisions about whether or not they want personalized advertising or, alternatively, whether they would prefer not to do business at particular websites.	Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option.
2a. Reasonable security, and limited data retention, for consumer data: many expressed concerns that data collected for behavioral advertising may not be adequately secured and could find its way into the hands of criminals or other wrongdoers.	Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with the data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company.
2b. Reasonable security, and limited data retention, for consumer data: many expressed concerns about the length of time that companies retain consumer data collected for behavioral advertising. The longer that data is stored in company databases, the greater the risks to the data.	Companies should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need. FTC staff commends recent efforts by some industry members to reduce the time period for which they are retaining data. However, FTC staff seeks comment on whether companies can and should reduce their retention periods further.
3. Affirmative express consent for material changes to existing privacy promises: the privacy policy – a set of commitments about how information is handled – not only is an important tool for providing information to consumers, but also serves to promote accountability among businesses.	A company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.
4. Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising: the use of sensitive data (for example, information about health conditions, sexual orientation, or children’s activities online) to target advertising, particularly when the data can be traced back to a particular individual. They state that consumers may not welcome such advertising even if the information is not personally identifiable; they may view it as invasive or, in a household where multiple users access one computer, it may reveal confidential information about an individual to other members.	Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising. FTC staff seeks specific input on (1) what classes of information should be considered sensitive, and (2) whether using sensitive data for behavioral targeting should not be permitted, rather than subject to consumer choice.
Using tracking data for purposes other than behavioral advertising: consumer tracking data collected and stored for behavioral advertising could be used for other potentially harmful purposes. To the extent that the collection of data for behavioral advertising is invisible to consumers, such secondary uses of the data may be especially so.	FTC staff seeks additional information about the potential uses of tracking data beyond behavioral advertising and, in particular: (1) which secondary uses raise concerns, (2) whether companies are in fact using data for these secondary purposes, (3) whether the concerns about secondary uses are limited to the use of personally identifiable data or also extend to non-personally identifiable data, and (4) whether secondary uses, if they occur, merit some form of heightened protection.

The FTC has extended the deadline for submissions to April 11, 2008. Comments can include any concerns you have, changes you feel are necessary to the proposed FTC rules, the types of consumers' personal data you believe should be considered sensitive, and anything else you feel is relevant. Send your comments to the FTC at:
Secretary
Federal Trade Commission
Room H-135 (Annex N)
600 Pennsylvania Avenue, NW
Washington, DC 20580

You can also submit comments to the FTC online via BehavioralMarketingPrinciples@ftc.gov. Some public comments are already available online at the FTC web site.

2008 Consumer Fraud and Identity Theft Complaint Data (FTC)

Last week, I took the time to read the latest 90-page identity theft report from the U.S. Federal Trade Commission. The FTC issued the "Consumer Fraud and Identity Theft Complaint Data" report in February 2008. The report covers consumer complaints submitted to the Consumer Sentinel database during January through December 2007. Highlights:

• During 2007, the FTC received 813,899 consumer fraud and identity theft complaints; up 21% over 2006
• During 2007, consumers reported losses of $1.2 billion, slightly more than in 2006
• 3% of consumers lost more than $5,000. About 10% lost between $1,001 and $5,000
• The 5 leading complaint categories were Identity Theft (32%), Shop-at-home/Catalog Sales (8%), Internet Services (5%), Foreign Money Orders (4%), and Prizes/Sweepstakes/Lotteries (4%)
• The payment methods in these complaints included credit cards (33%), wire transfers (28%), bank account debit (17%), personal checks (10%), money orders (7%), and cash advances (3%)
• Total complaints by the age of the consumer: 40 - 49 (23%), 30 - 39 (21%), 50 - 59 (20%), and 20 - 29 (16%)
• Identity theft complaints by age of the consumer: 18-29 (28%), 30 - 39 (23%), 40 - 49 (19%), and 50 - 59 (13%)

It's important to emphasize that the above is based on actual complaints submitted by consumers, and not a survey. In my experience, most consumers do not file complaints with the FTC, so the above numbers are probably far higher.

Regardless, identity theft seems to be a growing problem since both the number of complaints and the amount of losses have increased.

Two really sad aspects to this report are a) the lack of involvement by consumers, and b) the lack of consistent response by law enforcement. 65% of victims did not file a police report. That is both sad and unacceptably high. 27% of victims did file a police report which was accepted by local law enforcement. 8% of victims tried to file a police report and it was not accepted.

Identity criminals probably feel encouraged by those results. Almost two-thirds of victims don't both filing a police report, which could aid inthe capture and prosecution of identity thieves. And, 8% of victims tried to get help from local loaw enforcement and couldn't get that help.

The report also provides statistics for identity theft victims by state:

1. Arizona - 137.1 (identity theft complaints per 100,000 population)
2. California - 120.1
3. Nevada - 114.2
4. Texas - 107.9
5. Florida - 105.6
6. New York - 100.1
7. Georgia - 91.6
8. Colorado - 89.0
9. New Mexico - 87.5
10. Maryland - 85.8

My state, Massachusetts, ranked #23  with 66.5 identity theft complaints per 100,000 population. North Dakota was #50 with 28.5 identity theft complaints per 100,000 population.

I'm not sure how relevant these numbers are since Internet-based identity thievery is largely geography independent

Why Real ID Is A Flawed Law

At the ZDNet News blog, Sophia Cohen wrote:

"The government claims that driver's license "reform" will help combat illegal immigration and generally protect national security, but it fails to acknowledge that the Real ID Act seriously threatens privacy and civil liberties on a national scale."

Why?

"The final regulations, released January 11, strongly support leveraging existing technology by expanding the central database for commercial drivers to include all drivers and state ID card holders--that is, virtually every American. Following this path of least resistance fails to acknowledge that the security risks of a central ID database are enormous, as is the potential for abuse by government and business. Security experts agree that creating a "one-stop shop" of highly sensitive personal information on millions of Americans, not just a relatively small pool of commercial drivers, is a bad idea. It would be an irresistible treasure trove for identity thieves, terrorists, and other criminals."

Moreover:

"The ostensible purpose for a centralized repository of ID information is to enable states to more easily check whether new applicants already have a driver's license from another jurisdiction, thereby ensuring "one driver, one license." But this can be achieved without creating a central ID database that puts Americans' privacy and civil liberties at risk. Building a distributed system that stores ID information in different locations, such as state motor vehicle databases, makes more sense."

And there's always the critical questions government rarely wants to answer:

• Who has access to this database?
• How are corrections made to the database?
• What rights do citizens have to challenge the accuracy of their record in the database?
• What portions of the law are unfunded?
• What are the costs to my state?
• What are the direct costs to me? (Higher fees, taxes, etc.)
• The federal government has a habit of subcontracting work to private companies. Which private companies, if any, should have access to this database?
• How does this protect us when not everyone has a drivers license today?

I grew up in New York City. While I got my drivers license at 18, many of my peers didn't until well into their late 20's. My mother didn't get her license until she was in her 60's. How does this database help us in these instances?

If you have already reviewed your credit report at any of the three national credit bureaus, then you know mistakes happen... mistakes which can directly affect your life and finances. All of these critical questions need to be resolved first, before this Real ID database is built, not on the fly afterwards.

I encourage you to ask yourself these questions and the answers you'd prefer for each question. Then discuss your concerns with your Congressional representative. There are too many unanswered and poorly answered questions as part of the Real ID Act.

Want to learn more? While you can always start at the DHS site, I advise you to read the analyses here, the NCSL site, and the Bruce Schneier blog.

CIA Monitors YouTube For Intelligence

Here's a most interesting news item from InformationWeek magazine:

U.S. spies, now under the Director of National Intelligence (DNI), are looking increasingly online for intelligence; they have become major consumers of social media. In keeping with its mandate to gather intelligence, the CIA is watching YouTube.

Is there that much intelligence at the YouTube site? Who knows. The Wall Street Journal also blogged about it and the Secrecy News post with a link to the CIA speech document. The WSJ article also highlighted the fact that other countries' intelligence agencies probably monitor phone and Internet communications, too.

There are a couple implications. First, it means that the intelligence community monitors other social networking sites, too. Second, it demonstrates that whatever information (e.g., blogs, journals, photos, etc.) consumers post online about themselves is online forever and may be analyzed in some country's government mainframe computer.

In an unrelated matter, a check of YouTube found that somebody posted a CIA recruitment video.

The Constitution, Privacy Rights, and FISA

Over at the FindLaw web site, Anthony Sebok has written an interesting article about it probably being unconstitutional for the Senate to retroactively immunize the telecommunications companies from civil liability. Sebok wrote:

"... throughout the recent history of federal responses to various liability crises, the pattern has been the same: The elimination of causes of action has always been linked to some kind of quid pro quo, whether it took the form of a guaranteed payment, such as for the 9/11 victims' families, or access to a special court, such as in the case of childhood vaccines.... Yet to read the newspaper reports of the debate in the Senate over the reauthorization of the Foreign Intelligence Surveillance Act (FISA), it is as if this familiar, long history of immunity-for-compensation has been forgotten. The Republicans want to add to FISA a provision that would simply wipe away the lawsuits that have already been filed without any compensation at all. The Democrats are crying foul, arguing that this would set a terrible precedent for the future. But it might be worse than that -- the Republicans' proposal might actually be unconstitutional."

In my opinion, no immunity -- retroactive or otherwise. FISA worked well and never needed changes.

The New U.S. Passports (RFID)

In a prior post, I discussed the new RFID technology and its data security and privacy issues. There is an excellent Los Angeles Times article which questions just how secure the U.S. State Department's new RFID passports are. Here's how the new U.S. passports work:

"The chip on your passport stores your name, gender, birth date and place; your passport number, its issue and expiration dates; and a digital version of your ID photo. It broadcasts this data when its antenna is activated by signals from a government reader at a border crossing. The security of this broadcast is the crux of the debate. The State Department says the chip's range is about 4 inches and that it cannot be read when the passport book is fully closed. But with the right equipment, early critics said, people several feet away or more could secretly access the data and use it to identify Americans, track their movements and steal their personal information. The chip could also be copied or altered to make phony passports..."

To respond to the threat, the State Department modified its new passports:

• "To block radio signals, it put metallic material in the passport's front cover and spine.
• To thwart eavesdropping, it placed a cryptographic key on the printed data page that must be read by an optical scanner to unlock the chip's data. (Officials note Social Security number and address are not on the chip.)
• To prevent tracking, it installed a "randomized unique identification" system that presents a different ID to a reader each time the chip is accessed.
• To counter fraud, it installed a digital signature that flags chips that have been altered."

Are the new passports 100% safe? Nobody knows. I hope that these identity protection measures work. There's an awful lot at stake.

Credit Card Truncation, Identity Theft, and Class Action Lawsuits

At the Credit Slips blog, contributing author Adam Levitin wrote an interesting post about retailers' responsibility to truncate credit card and debit card account numbers on consumers' bills:

"In 2003, Congress enacted the federal credit card truncation statute, 15 U.S.C. § 1681c(g), as part of the Fair and Accurate Credit Transaction Act (FACTA). This law, which was intended to help prevent identity theft, forbids anyone who accepts credit or debit cards from printing more than the last 5 digits of the card number or expiration date on any electronically printed receipt given to the cardholder at point of sale. The law became effective for all new cash registers as of Jan. 1, 2005, and for those registers already in use, as of Dec. 4, 2006."

Adam's post drives home the point about retailers' liability:

"If the merchant was negligent, then the merchant is liable for actual damages and attorneys’ fees/costs. But if the violation was willful—and this is key—meaning—meaning knowing or intentional, not malicious—then the merchant is subject to statutory damages of a minimum of $100 violates, plus punitive damages, and costs/attorneys fees. $100 doesn’t sound like a lot, but multiply that by every transaction made at that register since the truncation statute’s effective date and potential damages are huge."

The Clausen Miller law firm confirmed this in a November 2007 post to their corporate clients:

"Whether large or small, all businesses that are not in compliance with FACTA are potential targets of this litigation. The driving force behind this flurry of class action litigation is financial. Statutory damages for a willful violation of FACTA are between $100 and $1,000 per violation, regardless of whether any actual damages were incurred or whether an individual’s identity was stolen."

The Clausen Miller article also highlighted the resulting class-action lawsuits:

"Entities such as Victoria’s Secret, Toys “R” Us, The Gymboree Corporation, California Pizza Kitchen, In-N-Out Burgers, Adidas Promotional Retail Operators, El Pollo Loco, Costco, and IKEA have all been involved in this litigation."

Want to learn more? Similarly, the Jones Day law firm advises their corporate clients to comply with the FACTA.

So, the next time you go shopping, check to make sure that the retailer's receipts display only a portion of your credit card or debit card number. And, shred any unneeded receipts which contain your personal information.

Report: Warrantless Surveillance Legal

Regardless of your political party affiliation, I found the following United Press International (UPI) news story quite interesting:

"U.S. President George W. Bush's authority to conduct warrantless electronic surveillance comes from the Constitution, a partisan congressional report says. A Republican staff assessment of the revised Foreign Intelligence Surveillance Act said the president's controversial program is legal. The 13-page assessment comes as the Senate prepares to debate legislation as early as Tuesday on extending legislation governing electronic surveillance of suspected foreign terrorists and spies, The Washington Times reported Monday. The Protect America Act, passed in August, temporarily revised the 1978 Foreign Intelligence Surveillance Act to help authorities better monitor newer technologies. The law expires at the end of January."

We US citizens get to decide what type of government we want. It is not a given; it is not a "slam dunk" that there shouldn't be data privacy for consumers. We get to decide as a nation. We citizens get to decide via voting and via our Congressional reps what checks and balances should exist between the three branches of federal government. We get to decide what oversight exists.

Want to learn more about the Protect America Act? Read this ACLU fact sheet, this Wired analysis, or this San Francisco Chronicle analysis.

TSA Web Site Puts Travelers At Risk of Identity Theft

If you fly on commercial airlines, then you are aware of the constantly changing security rules. If you have a complaint about a travel  experience, you can submit it to the airline or to the Transportation Security Administration (TSA). According to the Washington Post newspaper:

"A government Web site designed to help travelers remove their names from aviation watch lists was so riddled with security holes that hackers could easily have stolen personal information from scores of passengers, a congressional report concluded yesterday. Thousands of people used the Web site, and as many as 247 submitted detailed personal information between October 2006 and last February, the report says."

And, it gets worse. It looks like the fix was in:

"Congressional investigators raised concerns about a conflict of interest in how the no-bid contract to create the Web site was awarded. The TSA employee who framed many of the contract's requirements and was in charge of overseeing the site was once employed by the firm that was awarded the contract -- Desyne Web Services, a small firm in Boston, Va. -- and socialized with members of the company... The TSA continues to use Desyne on various projects, the report said, and has awarded the company no-bid contracts worth about $500,000."

You can download the House Oversight report. I spent some time at Desyne's web site. I've seen better designed web sites with better designed navigation elements. I found the current TSA web site difficult to use and poorly organized. (Note: An an Information Designer in my day job, my role is to architect clients' web sites so they are easy to use from a user's point-of-view.)

The TSA has a history of producing less-than-optimal web sites. In his Surveillance State blog, Chris Soghoian described his experience with the TSA site:

"This site had a number of security vulnerabilities: it was not hosted on a government domain; its home page was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. Furthermore, the site was filled with typos and other errors, causing some to wonder whether TSA's site had been taken over by phishers... The site was only taken down after I discovered it in February 2007 and posted something to my blog. Shortly after, Wired and a number of other sites picked up the story, and TSA was shamed into pulling down the site."

No matter how the TSA representative tries to spin an answer, a no-bid contract isn't right. It doesn't smell right, either. We citizens aren't getting the best value for our dollars, either.

Social Here, Social There, Social Security Numbers Everywhere!

A friend , Catherine,sent me the link to this recent Washington Post newspaper article which highlighted a huge identity vulnerability in the USA. Frankly, there are millions of paper documents in federal, state, and local records which disclose consumers' Social Security numbers:

"Social Security numbers are readily available in many courthouses -- in land records and criminal and civil case files -- as well as on many government Web sites that serve up public documents with a few clicks of a mouse. From state to state, and even within states, there is little uniformity in how access to the private information in these records is controlled."

This is a very dangerous situation. I cannot over-emphasize the risk. The large number of documents containing Social Security numbers with accompanying names, addresses, and birth dates makes it very easy for identity thieves to visit a local courthouse or government office and collect personal data from paper (and online) records documents.

While the federal law was changed in 2001 to remove Social Security numbers from documents, the law doesn't include documents produced before then and documents in state and local government records files:

"A recent spot-check found the nine-digit numbers -- introduced in 1936 to track employee earnings and benefits -- on hundreds of land deeds, death certificates, traffic tickets, creditors' filings and other documents related to civil and criminal court cases. Federal courts have banned the numbers from appearing on public documents since 2001... However, millions of paper records were filed across the United States before the laws and rules took effect. Generally, such records are not covered by the prohibitions. And court clerks said it would be virtually impossible to redact all of the Social Security numbers in them."

The article also highlights central Virginia activist Betty "B.J." Ostergren, who pushes lawmakers and government agencies to take sensitive personal data off state-run Web sites. Ostergren operates the thevirginiawatchdog.com site, which lists examples of public figures whose Social Security numbers have appeared in public records.

One thing we consumers can do is press our state and local politicians and government to protect our personal data which resides in records documents. The best summary:

"It's alarming, because the government should be setting the example in really trying to protect people's private information," said state Sen. Jamie B. Raskin (D-Montgomery). "Look, there's a whole criminal underground now that thrives on stealing people's credit cards and usurping their identity for as long as they can."

USA Patriot Act Violates the 4th Amendment

I recently learned of the Ephemeral Law blog written by William Morriss and his colleagues. In prior posts, I've written about privacy issues for consumers. This post by the Ephemeral Law blog provides a good summary for non-lawyers about the Mayfield v. US case:

"In Mayfield v. U.S., a federal district judge ruled that the two provisions of the USA PATRIOT Act violate the Fourth Amendment of the United States Constitution because they allow surveillance without probable cause. This decision shows that six year after the Patriot Act passed, privacy concerns still exist regarding its use and scope. Indeed, privacy concerns were raised within a week of the act passing in 2001."

The debate will surely continue about whether consumers' personal data is private or not, and under what specific conditions.