Privacy

Friday, May 02, 2008

BBC Exposes Facebook Flaw

This May 1, 2008 BBC News video is short, clear, and informative for both current Facebook members and consumers considering Facebook. I strongly recommend that you view the BBC video. Be an informed user of social networking sites.

You may also find these prior I've Been Mugged posts helpful:

You may also want to browse this MoveOn petition.

If all of the above has scared the daylights out of you, then you might want to view this YouTube video:

Monday, April 21, 2008

Harris Interactive: Most U.S. Adults Uncomfortable With Web Sites That Customize Content Based On Visitors' Personal Profiles

If you have followed the prior posts on behavioral targeting (a/k/a behavioral advertising), then I think that you, too, will find the results of this recent Harris Interactive poll very interesting:

"A majority of U.S. adults are skeptical about the practice of websites using information about a person's online activity to customize website content. However, after being introduced to four potential recommendations for improving websites' privacy and security policies, U.S. adults become somewhat more comfortable with the websites' use of personal information."

The nationwide survey included 2,513 U.S. adults, and was performed between March 11 and 18, 2008 by Harris Interactive, in collaboration with Dr. Alan F. Westin, Professor of Public Law and Government Emeritus at Columbia University, Principal of the Privacy Consulting Group. Additional key findings:

"A six in ten majority (59%) are not comfortable when websites like Google, Yahoo! and Microsoft (MSN) use information about a person's online activity to tailor advertisements or content based on a person's hobbies or interests. A quarter (25%) is not at all comfortable and 34 percent are not very comfortable..."

Westin and the researchers reported:

"Websites pursuing customized or behavioral marketing maintain that the benefits to online users that advertising revenues make possible -- such as free emails or free searches and potential lessening of irrelevant ads -- should persuade most online users that this is a good tradeoff. Though our question flagged this position, 59 percent of current online users clearly do not accept it."

Ha! Good for consumers! The promise of free content and only relevant ads isn't the strong magnet that companies and advertisers would like to believe. Plus, after the survey participants were shown a list of potential privacy and security policies, based on self-regulatory guidelines by the FTC, the adults changed their opinions slightly:

  • "By 55 to 45 percent, a majority of U.S. adults indicates that they would be more comfortable with companies using information about a person's online activities to provide customized advertising or content;
  • Interestingly, once the privacy/security policies were presented the percentages of those who are very comfortable increases only very slightly to 9 percent from 7 percent. The percentage who are somewhat comfortable given the privacy/security policies increases more significantly to 46 percent from 34 percent;
  • Similarly, those who are not at all comfortable decline to 19 percent from 25 percent, and those who are not very comfortable decline to 26 percent from 34 percent."

Adult consumers are beginning to place a higher value on their personal data, and to expect that companies must first earn their trust before they share confidential personal data. I encourage you to read the complete Harris Interactive press release.

Tuesday, April 15, 2008

Blogging For Civil Liberties Workshop at the ACLU of Massachusetts Conference

On Saturday, January 26, 2008, I attended the first ACLU Massachusetts conference on Reclaiming Our Civil Liberties. The conference was a real treat for me, since I'd only read about Daniel Ellsberg, the keynote speaker. It was great to hear him live and hear his experiences about the Pentagon Papers. (See also the National Security Archive at GWU.) Ellsberg also discussed his views on the Bush administration, U.S. foreign policy, the Iraq war, the "Blue Dog Coalition" (for perspectives, see C-Span, Common Dreams, and the New York Times), and the oath of government officials to the Constitution (and not a personal oath to the President). Many of today's policies of expansive Executive privilege by the Bush administration are rooted in VP Cheney's tenure in President Nixon's administration.

I attended the conference both as a member and as a panelist. There were over 400 attendees, by my rough count. I spoke at a workshop titled, "Blogging for Civil Liberties." Christopher Ott, the Communications Manager of the ACLU of Massachusetts, chaired the panel. The other panelist was Charles Blandy, Co-Founder and Co-Editor of BlueMassGroup.com.

[Photo: Workshop panelists Charles Blandy and George Jenkins at the Massachusetts ACLU Conference. January 2008. Waltham. Photo by Marilyn Humphries.]

The workshop went smoothly. About 35 people attended this workshop. Charles spoke first and reviewed many of the well-known political blogs (such as Daily Kos and TPMmuckraker) consumers can use to learn about civil liberties and to participate in the blogosphere. My talk focused more narrowly on I've Been Mugged as an example of citizen journalism, consumers' rights about identity protection, and notification laws after a corporate data breach. About 30 people attended this workshop and at least 400 attended the conference.

If you missed the conference, you can listen to the "Blogging For Civil Liberties" podcast (52 minutes, MP3 file, 23 MBytes). You can listen to the podcast on any MP3 player, including the iPod. I'd like to thank Christopher Ott and the Massachusetts ACLU for making the podcast available. Thanks to Marilyn Humphries for the photograph.

[Note to readers: Sorry for the delay publishing this post. I would have published it sooner, but the podcast was only recently available.]

Friday, March 28, 2008

Thoughts on Privacy, The Constitution, 'Heavy-Handed' Government, And the Presidential Candidates

Like many people, I've done some research and soul-searching about whom to vote for in the 2008 presidential campaign. My preferred candidate, John Edwards, dropped out of the presidential race before the primary in my state. During the Massachusetts primary, I voted for Edwards anyway with the hope of giving him some clout to influence the party platform at the Democratic convention this summer.

Last year, I read Naomi Wolf's book ("The End of America: Letter of Warning To A Young Patriot"), which I believe should be required reading for all Americans, especially youth. Then, I read Wolf's recent article, "Why Barack Obama Got My Vote," which also resonated with me.

After doing some research, I can tell you that both NSPD-51 and HR 1955 scare the living daylights out of me. If you read about these two items, I think that they will scare you, too. These are not partisan issues, since politicians and citizens on both sides of the aisle find this legislation extremely troubling. I've written to my Congressional House representative, Stephen Lynch (D-MA), a couple times and so far he refuses to reply about why he voted for HR 1955.

I fully understand why the Bush administration would craft something like NSPD-51, and why this administration would love for the House and Senate to approve something like HR 1955. (The Senate version of HR 1955 -- S 1959 -- is under discussion.) It's no surprise given the Vice President's interest in Executive Privilege. (If you want to learn more about HR 1955 -- or S 1959 -- Ronnie Bennett has written an excellent description in her Time Goes By blog.)

Regardless, I worry that our Congress is not functioning as a co-equal third branch of our federal government, while the Executive branch has co-opted the Judicial branch, which has lost its independence. To me, all of this combined spells bad times for a government that is supposed to be of-, by-, and for the people -- not of-, by-, and for the rich or corporations.

If you haven't read the United States Bill of Rights, and the Declaration of Independence, please take a moment to read them. They are wonderful documents.

What does all of this have to do with identity theft? Plenty. As government agencies collect more and more personal data about citizens, that data must be stored someplace. And, government often contracts out many functions to private companies. Which means our personal data ends up in lots of places. We citizens have a right to expect our government to be responsible and to explain what it's doing (and not hide behind "we can't discuss that due to national security"). Many call this "transparency." For me, part of transparency is an explanation of where our personal data is collected, used, shared, and archived; plus adequate data security protections, and timely notice after a data breach.

A government that isn't open, honest, and transparent with the explanations it provides, basically treats its citizens like children... or slaves. I do not want to be treated like a child, or a slave.

To me, Barack Obama seems most trustworthy with balancing the needs of government, consumers, and corporations. Barack Obama seems to provide a healthy balance of trust and competence without going overboard with hawkish, pro-war tendencies while returning our government to a government of-, by-, and for the people. I feel that if we don't bring some order, sense, and accountability to our government now, we may lose the chance forever.

Wednesday, March 26, 2008

NSA's Domestic Spying Grows As The Agency Sweeps Up Data

For consumers to effectively protect their personal data, they must know where that data is. Both companies and government agencies archive consumers' personal data. For consumers to judge the effectiveness of their government, they need knowledge of their government's data collection activities. The Wall Street Journal reported:

"Five years ago, Congress killed an experimental Pentagon anti-terrorism program meant to vacuum up electronic data about people in the U.S. to search for suspicious patterns... But the data-sifting effort didn't disappear. The National Security Agency, once confined to foreign surveillance, has been building essentially the same system. The central role the NSA has come to occupy in domestic intelligence gathering has never been publicly disclosed. But an inquiry reveals that its efforts have evolved to reach more broadly into data about people's communications, travel and finances in the U.S. than the domestic surveillance programs brought to light since the 2001 terrorist attacks."

An important point:

"Largely missing from the public discussion is the role of the highly secretive NSA in analyzing that data, collected through little-known arrangements that can blur the lines between domestic and foreign intelligence gathering. Supporters say the NSA is serving as a key bulwark against foreign terrorists and that it would be reckless to constrain the agency's mission. The NSA says it is scrupulously following all applicable laws and that it keeps Congress fully informed of its activities... the spy agency now monitors huge volumes of records of domestic emails and Internet searches..."

A cautionary note:

"A number of NSA employees have expressed concerns that the agency may be overstepping its authority by veering into domestic surveillance. And the constitutional question of whether the government can examine such a large array of information without violating an individual's reasonable expectation of privacy "has never really been resolved," said Suzanne Spaulding, a national-security lawyer who has worked for both parties on Capitol Hill. NSA officials say the agency's own investigations remain focused only on foreign threats, but it's increasingly difficult to distinguish between domestic and international communications..."

All of this rests on a legal foundation that:

"... relies largely on the government's interpretation of a 1979 Supreme Court ruling allowing records of phone calls -- but not actual conversations -- to be collected without a judge issuing a warrant. Multiple laws require a court order for so-called "transactional" records of electronic communications, but the 2001 Patriot Act lowered the standard for such an order in some cases, and in others made records accessible using FBI administrative subpoenas called "national security letters."" (Read the ruling.)

To learn more, you can read this analysis at DailyKos, which includes the ACLU's response to the Wall Street Journal article. As if all of this wasn't enough, last week we learned that at least three U.S. Senators' passport records were breached. If a U.S. Senator can't expect data privacy, what can citizens expect?

The question to ask yourself is: are you comfortable with your government's disclosures about its data collection activities? If you are uncomfortable, then ask the same of your elected officials. Oversight and transparency are critical.

Monday, March 24, 2008

A New Service Idea From Comcast

About a week ago, the I've Been Mugged blog explored the consumer data security issues with behavioral advertising: companies want to serve online ads by tracking all of the web sites you have visited and the keywords you entered at search engine web sites. The NewTeeVee blog reported this new service idea from Comcast:

"At the Digital Living Room conference today, Gerard Kunkel, Comcast’s senior VP of user experience, told me the cable company is experimenting with different camera technologies built into devices so it can know who’s in your living room. The idea being that if you turn on your cable box, it recognizes you and pulls up shows already in your profile or makes recommendations. If parents are watching TV with their children, for example, parental controls could appear to block certain content from appearing on the screen. Kunkel also said this type of monitoring is the “holy grail” because it could help serve up specifically tailored ads. Yikes."

Comcast claims that the cable box camera won't actually use facial recognition and take a picture of you. Instead it would just take a picture of the "form" of viewers: one, several, and their relative sizes.

Yeah, right.

Yikes, indeed! This is a really bad idea... a stupid one, too. I see "mission creep" as any cable box camera might start with the viewers' "form" and migrate to actual photos using facial recognition. This invasion of privacy is not worth any amount of convenient, free, or relevant ads promised by any network/cable television provider.

My impression... Comcast executives have concluded that since the NSA, FBI, and phone companies already spy on citizens by tracking the web sites consumers visit, e-mails and text messages sent, and phone calls made, then Comcast can make more money by tracking viewers sitting in the privacy of their living room and charge advertisers more for this new service.

And this new idea from Comcast was preceded by a comment from an IBM executive that a total surveillance society is inevitable. Seems to me like many corporations are ready to make money by exploiting our country's focus on security after 9-11.

What do you think? Share your comments below. I hope that you will also write to your elected officials today and tell them your privacy concerns.

Sunday, March 23, 2008

Help Name The DHS Privacy Pig

The Wired Privacy, Security, Politics, and Crime Online blog seeks name suggestions for the Department of Homeland Security's new "Privacy Pig:"

"Homeland Security's Privacy Chief Hugo Teufel III likes THREAT LEVEL more than we could ever have imagined. On Wednesday, at a press conference at the 2008 National Fusion Center Conference Wednesday, Teufel gave us a pig. A pink, squishy pig with wings and sunglasses. We assume the Privacy Office created the flying pig as a way to publicize or remind people about its Privacy Incident Handling Guidance booklet. PIHG, get it?"

Several people have already posted names. The new DHS Privacy Pig:

Name the Department of Homeland Security Privacy Pig


Friday, March 21, 2008

Is A Total Surveillance Society Inevitable?

Recently, ZD Net Australia reported about the Legal Futures Conference at Stanford University in California. Several technologists and legal experts attended the conference. Many legal experts have again raised concerns that Web 2.0 has come at the expense of individual privacy. The article quoted an IBM technologist at the conference who said:

" 'A total surveillance is not only inevitable and irreversible, but also irresistible,' Jeff Jonas, distinguished engineer and chief scientist at IBM Entity Analytics, said during a panel on surveillance at the conference on Saturday. For example, imagine how convenient it would be to have RFID chips embedded in sunglasses so you could find them easily, Jonas said."

Is he serious? Inevitable? Irresistible? Just so I can find my sunglasses? Consider this:

"Jennifer Granick, civil liberties director at the Electronic Frontier Foundation, acknowledged that she finds the location-based technology in her iPhone very convenient when she's trying to avoid traffic congestion but she doesn't want the government to be able to use that technology to track her down. The fact that all sorts of data about each of us is being gathered and is archived, searchable, and can be compiled to create profiles about each of us is what makes digital privacy intrusions so much scarier than pre-Internet life, she said."

Jeffrey Rosen, a law professor at George Washington University and legal affairs editor of The New Republic, warned of:

"... "privacy chernobyls," which he described as "new threats to privacy that have the potential to transform society in troubling ways". Examples include Facebook revealing more about its members than they care to have revealed and tracking their purchases without consent, as well as AOL inadvertently exposing search terms of 650,000 people in 2006."

Are attitudes in the USA unique?

"The perspective is different in other countries, Rosen said. Americans are, in general, concerned with preventing terrorism, while Europeans are concerned with protecting their individual privacy, he said. For example, the French will bare their breasts but not their salaries and mortgages, and the reverse is true in the US. "My fear is that the cultural differences will make thoughtful regulation difficult," Rosen said."

Probably the most important conclusion:

"Government regulation is necessary to ensure that consumers' privacy is adequately protected online, Granick and Rosen said. Orin Kerr, a professor at George Washington University Law School, said the Fourth Amendment can be applied to the online world in a way that balances individual rights with law enforcement needs."

I find a total surveillance society easily resistible. Nor is it inevitable. We have a choice. What do you think?

Thursday, March 20, 2008

Anti-Real ID Rebellion Spreads To California

On March 10, 2008, Wired magazine reported:

"Assemblyman Pedro Nava (D-35) introduced a non-binding resolution to that effect Monday afternoon in response to concerns about privacy, security and the high price of the federal mandate -- which the government's most recent estimate pegs at $4 billion nationally...Howard Posner, a policy consultant to the Transportation Committee, said that last year the committee contemplated moving legislation to accept Real ID, but reconsidered after 'looking at the cost, and the incredible inconvenience for driver's license holder and the privacy issues.' "

The Real ID Act and the proposed rules by DHS have important implications for how the federal government and states will manage, store, and update citizens' identification data -- and for consumer privacy. How such an expensive, unfunded piece of federal legislation happened:

"Congressman James Sensenbrenner (R-WI) added the Real ID mandate to a must-pass defense spending bill in 2005, leaving the details to be determined by the Department of Homeland Security. After much delay, the final regulations were issued in February of 2008."

If the California legislature passes this resolution, then California would join a group of 17 states that have expressed opposition to the unfunded mandate:

"Three states have outright rejected Real ID, setting up a showdown on May 11, when the federal government says it will not allow residents of Montana, Maine, South Carolina and New Hampshire to use their state I.D. cards for federal purposes."

Consumers should notify their elected officials of any concerns they have with the Real ID Act. Learn more about the Real ID Act at this web site.

Thursday, March 13, 2008

Behavioral Advertising: What Consumers Must Do (Part Four)

Monday's post discussed the benefits of behavioral advertising, and the proposed rules by the FTC. Tuesday's post listed the leading companies that collect consumer data for behavioral advertising. Wednesday's post discussed the growing role of ISPs in behavioral advertising and the new technologies being deployed.

So, what next?

For me, my first concern is data security. 2007 was a record year for corporate data breaches. The number of incidents rose 40% -- where companies either "lost" or had stolen records about their employees, former employees, retirees, contractors, and/or customers. And this includes data only from the data breach incidents we know about. It does not include incidents from companies in states that lack breach notification laws. It does not include incidents of identity fraud during a crime.

From InformationWeek:

"In its December 24 report, the ITRC said that there were publicly reported 443 breaches in the U.S. in 2007. In 2006, the ITRC identified 315 publicized breaches. Some 127 million data records were exposed during 2007. In 2006, nearly 20 million records were exposed. In 2005, there were 158 breaches reported involving about 65 million records."

And some of these data breaches have already included ISPs, like AOL; and major advertisers, like TJ Maxx, AIG Insurance, and IBM.

Given this lousy track record of data security, I fully expect companies to continue to "lose" -- and criminals to continue to steal -- confidential data via data breaches. Why? Nothing has changed to alter past history. There is a lack of government oversight. There are no substantial penalties. And many companies just don't provide good data security.

This means that many of the future data breaches will include consumers' sensitive data collected during behavioral advertising programs. Given this, it seems sensible for the FTC to craft behavioral advertising rules that acknowledge poor corporate data security:

  • For behavioral advertising/targeting programs, companies (including advertisers and ISPs) should set the default to all consumers opted out. Consumers should be given the option to opt in to a company's behavioral advertising program
  • The behavioral advertising rules for companies, advertisers, and ISPs must specify an exhaustive list of the consumer data that's collectible and the sensitive personal data that is excluded
  • Web sites designed primarily for children (e.g., age 17 and under) should be excluded from any and all behavioral advertising. Children don't have the means to handle opt-in/out for behavioral advertising programs. Ideally, parental controls software should provide parents with the tools to prevent opt-in by their children at all children's web sites
  • There must be clear, minimum standards for companies for data security of the personal data collected for behavioral advertising programs
  • There must be specific time limits for how long companies can archive personal data collected for behavioral targeting. "Forever" is not an acceptable answer. Consumer data should be purged at three (3) year intervals
  • There must be specific rules for ISPs, since ISPs have a unique position providing Internet access for consumers. ISPs must treat their members' IP Address as sensitive personal data similar to a Social Security Number or e-mail address. ISPs should never match personal-identifying data (e.g., name, address, phone #, e-mail address, cell #, fax #, SS#, birth date, driver's license #, etc.) to behavioral advertising data
  • The rules must include timely disclosure to consumers when a company, advertiser, and ISP: a) starts a behavioral advertising program; b) modifies an existing behavioral advertising program; c) trades behavioral advertising data with other companies; and d) merges or acquires other companies, within the USA or globally. These rules must apply to the entire company, not just its US-based divisions. It should also apply to business units, divisions, contractors, or outsourcing firms based outside the USA
  • Medical data should be excluded from all behavioral advertising programs for a couple reasons. First, many consumers consider this highly sensitive data not to be shared under any circumstances. Second, let's "walk first before we run." That is, let's see how behavioral advertising performs with other types of available consumer data first, before deciding whether to extend it to medical information
  • All advertisers, companies, and ISPs must disclose to consumers their behavioral advertising program in both their web site legal "Privacy" or "Terms and Conditions" pages, and via print materials (similar to the way companies today provide consumers with a revised Privacy Policy every time this document changes)
  • The FTC must publish a clear, detailed plan about how it will implement oversight to monitor compliance and penalize violators
  • The behavioral advertising rules must include clear, strong penalties for violators: companies, ISPs, advertisers, and their senior executives. I'd like to see fines starting at $10,000 per consumer record and jail time for fines exceeding $250k
  • Violators (e.g., companies, ISPs, and advertisers) must provide consumers with ten (10) years of free credit monitoring and credit restoration after a data breach

Why these rule amendments? If you have read the I've Been Mugged blog, then you know about the issues related to data breaches, data security, and corporate responsibility. Unfortunately, American business is heavily tilted towards companies making money with consumers' personal data, and tilted away from strong protections for consumers when companies suffer a data breach. I'm concerned that behavioral advertising will make this worse.

All of the above rule amendments address the corporate data breach problems I've experienced. The rule amendments allow companies to profit from behavioral advertising and hold these companies accountable when they don't provide the data security programs they should.

For me personally, the assumed benefits of behavioral advertising (e.g., free content, relevant ads, personalized ads, and a promised reduction in the number of ads) do not outweigh the privacy I would give up. Maybe the benefits are enough for you, but they aren't enough for me. Where I surf on the Internet is my business unless I decide explicitly to tell somebody else.

If you feel the same or different, share your comments below. I'd love to hear why you feel the way you do. If you have sent feedback to the FTC, share that too.

As I mentioned before, the FTC seeks comments from the public (that's us consumers!) about its proposed behavioral advertising rules. The FTC has extended the deadline for submissions to April 11, 2008. Comments can include any concerns you have, changes you feel are necessary to the FTC's proposed rules, the types of consumers' personal data you believe should be considered sensitive, and anything else you feel is relevant. See Monday's post for the specific types of feedback the FTC seeks.

You should send comments and feedback to the FTC at:
Secretary
Federal Trade Commission
Room H-135 (Annex N)
600 Pennsylvania Avenue, NW
Washington, DC 20580

Or, you can also submit comments and feedback to the FTC online via BehavioralMarketingPrinciples@ftc.gov. Some public comments are already available for viewing online at the FTC web site.

Wednesday, March 12, 2008

Behavioral Advertising: The Role Of Internet Service Providers (Part Three)

Monday's post discussed the benefits of behavioral advertising, and the proposed rules by the FTC. Tuesday's post listed the leading companies that collect consumer data for behavioral advertising.

In December 2007, the Wall Street Journal profiled CenturyTel Inc., a Louisiana phone company, and its attempt to enter the Internet Service Provider (ISP) business. Along the way, CenturyTel decided to also enter the online advertising business:

"The technology it's using could change the way the $16.9 billion Internet ad market works, bringing in a host of new players -- and giving consumers fresh concerns about their privacy. CenturyTel's system allows it to observe and analyze the online activities of its Internet customers, keeping tabs on every Web site they visit. The equipment is made by a Silicon Valley start-up called NebuAd Inc. and installed right into the phone company's network."

Pretty soon, advertisers will no longer need to install software or use the HTTP cookies file on consumers' computers to perform behavioral advertising (a/k/a behavioral targeting). Instead, they can get all the consumer data they'd ever want from ISPs -- who are happy to install the behavioral targeting software and equipment on their servers for a piece of the new revenue stream. How it will work:

"NebuAd takes the information it collects and offers advertisers the chance to place online ads targeted to individual consumers. NebuAd and CenturyTel get paid whenever a consumer clicks on an ad."

The description of the new server software and equipment:

"The newer form of behavioral targeting involves placing gear called "deep-packet inspection boxes" inside an Internet provider's network of pipes and wires. Instead of observing only a select number of Web sites, these boxes can track all of the sites a consumer visits, and deliver far more detailed information to potential advertisers."

Companies already see the new revenue opportunity:

"... new companies are rushing in. Both wireless and wireline Internet-access providers such as CenturyTel, Rochester Telecom Systems Inc. and Embarq Communications Inc., among others, have entered the advertising gold rush. And they've tapped Internet equipment companies like NebuAd, Front Porch Inc., and Phorm Inc. to provide the gear to help them along."

Well, this is just peachy. Every ISP knows a lot about its subscribers... personally identifiable information such as name, address, birth date, phone, credit card, e-mail address, IP address, and in some cases Social Security Number. It doesn't take much effort to match this personally-identifiable data to a subscriber's web surfing activity.

This new technology fundamentally changes the relationship between ISPs and their subscribers. As ISPs get more or most of their revenue from advertising, and a decreasing amount from subscribers' fees, it is logical to question whether ISPs will continue to operate in the best interests of consumers. In a weird way, ISPs can now make (a lot of) money through surveillance.

This makes it more important now for consumers to express their privacy and data security concerns. It is reasonable for consumers to demand legislation requiring ISPs to provide clear, easy, free, opt-in mechanisms for consumers who wish to participate in that ISP's behavioral advertising program.

Now is also an opportunity for consumers to specify the data they consider sensitive and should be excluded from any ISP behavioral advertising programs. See these prior posts about why consumers' IP addresses should be considered sensitive personal data, and why consumers' personal data should be treated (and protected) like nuclear fuel.

Tuesday, March 11, 2008

Behavioral Advertising: Leading Collectors of Consumer Data (Part Two)

Yesterday's post was the first in a series. Today's post looks at how much data selected companies already collect about consumers. From yesterday's New York Times: To Aim Ads, Web Is Keeping A Closer Eye On You

Monday, March 10, 2008

Behavioral Advertising: What It Is And The Proposed FTC Rules (Part One)

This is a subject I probably should have written about sooner. On November 1 and 2, 2007, the FTC hosted a conference entitled “Ehavioral Advertising: Tracking, Targeting, and Technology.” The event included consumer advocates, industry representatives, technology experts, and academics to address consumer protection issues.

In December 2007, the U.S. Federal Trade Commission (FTC) released its proposed rules document for companies who wish to engage in behavioral advertising (also called behavioral targeting). I am not discussing in this post whether or not behavioral advertising works. There are several case studies where companies have evaluated how best to perform behavioral advertising. Rather, this post explores some of the consumer privacy and data security issues.

When you visit web sites today, many companies display ads related to the content of the site pages you view. Some companies include software that saves information to the HTTP cookies file on your computer, which is used by your web browser software. We consumers have the choice about how we surf the web. You can set your web browser software to accept or prohibit web sites from accessing the HTTP cookie file. It's been this way for many years.

Behavioral advertising is not new. A few companies and newspapers have used behavioral targeting for years. Of course, there also are advertising networks which focus on behavioral targeting, including NebuAd's offering for ISPs. You can read several blogs about behavioral advertising.

Previously, companies have used behavioral advertising based on the pages you visit within a single web site. What's changing is that companies plan to use behavioral advertising based on both the pages you visit within a single web site (e.g., On-site targeting) and across several web sites (e.g., Network targeting), plus the search keywords you enter at search engine web sites.

So participants at the above conference discussed with the FTC possible rules to keep things manageable. In its proposed rules document, the FTC defined behavioral advertising as:

"... the tracking of a consumer’s activities online – including the searches the consumer has conducted, the web pages visited, and the content viewed – in order to deliver advertising targeted to the individual consumer’s interests."

In my opinion, the Decision Science News blog offers a better definition:

"Behavioral Targeting is the ability to deliver ads to consumers based upon their recent behavior viewing web pages, shopping online for products and services, typing keywords into a search engine or a combination of all three. 'Interest-Based Targeting allows large-brand advertisers… to target more precisely the audience they are trying to reach with the message they are trying to convey'..."

In its proposed rules document, the FTC described the benefits as:

"... behavioral advertising provides benefits to consumers in the form of free web content and personalized ads that many consumers value... The benefits include, for example, access to newspapers and information from around the world, provided free because it is subsidized by online advertising; tailored ads that facilitate comparison shopping for the specific products that consumers want; and, potentially, a reduction in ads that are irrelevant to consumers’ interests and that may therefore be unwelcome."

The FTC proposed several rules to address several concerns:

| Concern | Proposed FTC Rule |
| --- | --- |
| 1. Transparency and consumer control: many criticize existing disclosures as difficult to understand, inaccessible, and overly technical and long. They also stated that, with clearer disclosures, consumers can make more informed decisions about whether or not they want personalized advertising or, alternatively, whether they would prefer not to do business at particular websites. | Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option. |
| 2a. Reasonable security, and limited data retention, for consumer data: many expressed concerns that data collected for behavioral advertising may not be adequately secured and could find its way into the hands of criminals or other wrongdoers. | Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with the data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company. |
| 2b. Reasonable security, and limited data retention, for consumer data: many expressed concerns about the length of time that companies retain consumer data collected for behavioral advertising. The longer that data is stored in company databases, the greater the risks to the data. | Companies should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need. FTC staff commends recent efforts by some industry members to reduce the time period for which they are retaining data. However, FTC staff seeks comment on whether companies can and should reduce their retention periods further. |
| 3. Affirmative express consent for material changes to existing privacy promises: the privacy policy – a set of commitments about how information is handled – not only is an important tool for providing information to consumers, but also serves to promote accountability among businesses. | A company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data. |
| 4. Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising: the use of sensitive data (for example, information about health conditions, sexual orientation, or children’s activities online) to target advertising, particularly when the data can be traced back to a particular individual. They state that consumers may not welcome such advertising even if the information is not personally identifiable; they may view it as invasive or, in a household where multiple users access one computer, it may reveal confidential information about an individual to other members. | Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising. FTC staff seeks specific input on (1) what classes of information should be considered sensitive, and (2) whether using sensitive data for behavioral targeting should not be permitted, rather than subject to consumer choice. |
| Using tracking data for purposes other than behavioral advertising: consumer tracking data collected and stored for behavioral advertising could be used for other potentially harmful purposes. To the extent that the collection of data for behavioral advertising is invisible to consumers, such secondary uses of the data may be especially so. | FTC staff seeks additional information about the potential uses of tracking data beyond behavioral advertising and, in particular: (1) which secondary uses raise concerns, (2) whether companies are in fact using data for these secondary purposes, (3) whether the concerns about secondary uses are limited to the use of personally identifiable data or also extend to non-personally identifiable data, and (4) whether secondary uses, if they occur, merit some form of heightened protection. |

The FTC has extended the deadline for submissions to April 11, 2008. Comments can include any concerns you have, changes you feel are necessary to the proposed FTC rules, the types of consumers' personal data you believe should be considered sensitive, and anything else you feel is relevant. Send your comments to the FTC at:
Secretary
Federal Trade Commission
Room H-135 (Annex N)
600 Pennsylvania Avenue, NW
Washington, DC 20580

You can also submit comments to the FTC online via BehavioralMarketingPrinciples@ftc.gov. Some public comments are already available online at the FTC web site.

Thursday, March 06, 2008

Will The Lack of Security Be the Downfall of Facebook?

Over at the ZDNet Security blog, Aaron Greenspan has written a very interesting commentary including his experiences with the Facebook.com site:

"Facebook was originally successful in part because it restricted the flow of information between students at different schools. No, what has manifested itself in Facebook today is directly the result of its leadership's conscious decision to put privacy on the back burner. The key turning point in Facebook's history came in September 2006 when the site switched from being a closed community of students to a global destination for everyone on the Internet. To maintain its high growth rate, the company decided that it had to widen its scope, and in doing so, it tossed user authentication out the window."

What I found most interesting was this conclusion by Greenspan:

"Simply put, there's no way that social networks will put security and privacy first when their very business model gives them incentive to do just the opposite."

While sharing several of his experiences with the Facebook.com site, Greenspan wrote:

"Third, when I refused to provide Facebook with my date of birth due to the above privacy concerns, not to mention a sense of fundamental injustice, the company suspended my account indefinitely."

Well, that pretty much guarantees that I won't be using Facebook.

Tuesday, February 19, 2008

Verizon FiOS Lax On Consumers' Data Security

How would you feel if every time you accessed your account profile from your Internet Service Provider, you saw somebody else's sensitive personal data? And how would you feel if that person saw your sensitive personal data, at the same time?

The Consumerist blog reported that this happened with a Verizon FiOS customer. FiOS is Verizon's new fiber high-speed Internet service:

"Andru had this problem where whenever he logged into his Verizon FiOS account, he saw the personal information on some other guy's account. When he contacted the guy, the other guy said he saw Andru's info as well. Over eight months of broken promises by Verizon and the problem wasn't solved. So Andru blogged it. Once it started getting internet attention, Andru got two calls and several emails from Verizon people and a Verizon exec ended up having a tech stay on the line with Andru for an hour getting it fixed."

Wow! What sloppy and shoddy customer service! Events like this reinforce the perception that companies don't take consumers' data security seriously enough. Yes, Verizon finally fixed the problem, but it took them eight (8) months. Yeah, you read that correctly. 8 months, not 8 weeks, and definitely not 8 days.

Yes, Verizon finally compensated Andru for his troubles with 10 months of free FiOS service (worth about $1,500), but a consumer should not have to go to this much effort to get a company to fix a data security problem.

Monday, February 18, 2008

TJX Creates New Executive Position For Privacy

The Boston Globe newspaper reported that TJX, the parent company of TJ Maxx and Marshalls retail stores, has created a new senior executive position for consumers' data privacy. Apparently, TJX has:

"... given the title of "chief privacy officer" to one of its senior executives and is looking to fill the position of "privacy director," according to a memo circulated by its search firm, Heidrick & Struggles. TJX spokeswoman Sherry Lang declined to provide more details yesterday except to note that senior executive vice president for administration and business development Jeffrey Naylor also gained the title of chief privacy officer within the past year."

TJX has recently become known for its massive data breach, in which identity thieves stole millions of consumer credit cards and sensitive data, a theft facilitated by the company's lax data security measures. Want to learn more about the TJX data breach debacle? Click on "TJX / TJ Maxx" in the topic section in the column on the right.

File this organizational move under the "too little way too late" category.

Friday, February 08, 2008

Why Real ID Is A Flawed Law

At the ZDNet News blog, Sophia Cohen wrote:

"The government claims that driver's license "reform" will help combat illegal immigration and generally protect national security, but it fails to acknowledge that the Real ID Act seriously threatens privacy and civil liberties on a national scale."

Why?

"The final regulations, released January 11, strongly support leveraging existing technology by expanding the central database for commercial drivers to include all drivers and state ID card holders--that is, virtually every American. Following this path of least resistance fails to acknowledge that the security risks of a central ID database are enormous, as is the potential for abuse by government and business. Security experts agree that creating a "one-stop shop" of highly sensitive personal information on millions of Americans, not just a relatively small pool of commercial drivers, is a bad idea. It would be an irresistible treasure trove for identity thieves, terrorists, and other criminals."

Moreover:

"The ostensible purpose for a centralized repository of ID information is to enable states to more easily check whether new applicants already have a driver's license from another jurisdiction, thereby ensuring "one driver, one license." But this can be achieved without creating a central ID database that puts Americans' privacy and civil liberties at risk. Building a distributed system that stores ID information in different locations, such as state motor vehicle databases, makes more sense."

And there are always the critical questions government rarely wants to answer:

  • Who has access to this database?
  • How are corrections made to the database?
  • What rights do citizens have to challenge the accuracy of their record in the database?
  • What portions of the law are unfunded?
  • What are the costs to my state?
  • What are the direct costs to me? (Higher fees, taxes, etc.)
  • The federal government has a habit of subcontracting work to private companies. Which private companies, if any, should have access to this database?
  • How does this protect us when not everyone has a driver's license today?

I grew up in New York City. While I got my driver's license at 18, many of my peers didn't until well into their late 20s. My mother didn't get her license until she was in her 60s. How does this database help us in these instances?

If you have already reviewed your credit report at any of the three national credit bureaus, then you know mistakes happen... mistakes which can directly affect your life and finances. All of these critical questions need to be resolved first, before this Real ID database is built, not on the fly afterwards.

I encourage you to ask yourself these questions and to consider the answers you'd prefer for each one. Then discuss your concerns with your Congressional representative. There are too many unanswered and poorly answered questions as part of the Real ID Act.

Want to learn more? While you can always start at the DHS site, I advise you to read the analyses here, the NCSL site, and the Bruce Schneier blog.

Thursday, February 07, 2008

CIA Monitors YouTube For Intelligence

Here's a most interesting news item from InformationWeek magazine:

U.S. spies, now under the Director of National Intelligence (DNI), are looking increasingly online for intelligence; they have become major consumers of social media. In keeping with its mandate to gather intelligence, the CIA is watching YouTube.

Is there that much intelligence at the YouTube site? Who knows. The Wall Street Journal also blogged about it, and there is a Secrecy News post with a link to the CIA speech document. The WSJ article also highlighted the fact that other countries' intelligence agencies probably monitor phone and Internet communications, too.

There are a couple of implications. First, it means that the intelligence community monitors other social networking sites, too. Second, it demonstrates that whatever information (e.g., blogs, journals, photos, etc.) consumers post online about themselves is online forever and may be analyzed in some country's government mainframe computer.

In an unrelated matter, a check of YouTube found that somebody posted a CIA recruitment video.

Friday, February 01, 2008

The Constitution, Privacy Rights, and FISA

Over at the FindLaw web site, Anthony Sebok has written an interesting article on why it is probably unconstitutional for the Senate to retroactively immunize the telecommunications companies from civil liability. Sebok wrote:

"... throughout the recent history of federal responses to various liability crises, the pattern has been the same: The elimination of causes of action has always been linked to some kind of quid pro quo, whether it took the form of a guaranteed payment, such as for the 9/11 victims' families, or access to a special court, such as in the case of childhood vaccines.... Yet to read the newspaper reports of the debate in the Senate over the reauthorization of the Foreign Intelligence Surveillance Act (FISA), it is as if this familiar, long history of immunity-for-compensation has been forgotten. The Republicans want to add to FISA a provision that would simply wipe away the lawsuits that have already been filed without any compensation at all. The Democrats are crying foul, arguing that this would set a terrible precedent for the future. But it might be worse than that -- the Republicans' proposal might actually be unconstitutional."

In my opinion, no immunity -- retroactive or otherwise. FISA worked well and never needed changes.

How To Stop Junk Snail Mail And Be Green About It

[Pardon the interruption: as the NFL Super Bowl approaches, I found this InformationWeek article fascinating about the video technology which the coaches and players use to prepare.]

Most people dislike junk snail-mail. It can also create an identity theft risk when junk mail contains pre-approved credit offers, which dumpster-diving identity thieves love to steal. Wouldn't it be great if you could stop junk snail-mail, have less to shred, reduce your identity theft risk, and help the environment - all at the same time? The Michigan-based 41pounds.org non-profit company believes that it has the solution:

"Our service stops most common junk mail such as credit card offers, coupon mailers, sweepstakes entries, magazine offers and insurance promotions, as well as any catalogs you specify. You will see a noticeable improvement within 6-8 weeks. After four months, your junk mail should be eliminated by 80 to 95%... Based on the information you provide, we contact 20 to 35 direct marketing companies and catalog companies and instruct them to remove your name from their distribution lists. This includes almost all credit card offers, coupon mailers, sweepstakes entries, magazine offers and insurance promotions, as well as any catalogs you specify."

The fee for their service is $41, which includes stoppage of junk mail for 5 years. One-third of this fee is donated to an environmental or community group of each subscriber's choice. According to an April 2007 press release, 41pounds.org has over 2,000 subscribers.

The company says their junk mail stoppage applies even when you move, but you have to provide 41pounds.org with your new address so they can re-notify the bulk mailers. There's no fee for moves during the first 4 years of your agreement with 41pounds.org.

To stop junk mail, the company collects your name, address, phone number, and e-mail address. The company does not collect your birthdate, SS#, or other sensitive information. 41pounds.org advises its subscribers to also use optoutprescreen.com to stop pre-screened credit offers:

"But one organization has started to require personal information (social security number, birthdates, etc…) that we do not feel comfortable collecting from our customers. To stop these credit card and insurance mailings we highly recommend that you contact www.optoutprescreen.com OR call 888.567.8688."

So, it would seem that 41pounds.org can't do everything for consumers, since some user action is still required to stop all pre-screened credit offers. There have been several news reports about 41pounds.org, but I haven't seen any statistics published about the company's performance at stopping junk mail. There is this brief review at the Piers Fawkes blog:

"Although we believe in their cause, there’s something odd about the site... It seems a little too slick and there’s no transparency. There’s no information on the people behind the site."

I discussed in a prior post the web sites consumers can use (for free) to stop junk snail-mail, e-mail spam, and telemarketing calls. The optoutprescreen.com site is very important since it stops junk snail-mail that includes pre-approved credit offers, which identity thieves love to steal from unsecured mailboxes.

I have used optoutprescreen.com, but I have not subscribed to 41pounds.org. So I can't state how well 41pounds.org operates. If you subscribe to 41pounds.org, please post a review or comment below.

There are other "green" opt-out resources, which I will discuss in future posts. Like anything else, the various "green" services have slightly different options. So, shop around and compare services before buying.