ISPs Begin To Spy And Abuse Consumer Privacy
Monday, August 18, 2008
Do you see the emerging trend in consumer privacy abuses?
Last month, I reported about how the Internet Service Provider (ISP) Embarq secretly spied upon and never notified its Kansas customers during a test of its behavioral advertising program. Consumers never had a chance to opt out of the behavioral advertising program.
Now, it appears that another ISP in the USA has made the same consumer privacy mistake, and probably broke several laws. According to the Silicon Valley Insider, the Washington Post's Cable One service secretly spied on its customers:
"In a response to a House query, [Washington Post] unit Cable One admitted it collected data on 14,000 subscribers in Anniston, Ala. for 180 days in order to serve targeted advertising. And no, they didn't ask for consent, but argued that customers "opted in to our monitoring of their Internet usage ... when they agreed to our Acceptable Use Policy." In other words, when they signed up for service."
How slimy and dishonest! Cable One didn't bother to offer consumers either opt-in or opt-out mechanisms. Instead, Cable One tries to hide behind the lame excuse that signing up for their service is consent enough. According to Media Post:
"Cable One justified the failure to let users opt out by saying that subscribers knew the company might spy on their Web activity when they signed up for broadband because the acceptable use policy mentions that the company may occasionally monitor "bandwidth, usage, and content." Of course, even if it's true that subscribers read the fine print in the acceptable use agreement and knew that Cable One might be watching them online, they still didn't know that Cable One would sell their clickstream data to NebuAd. And, even more important, they had no way to opt out of it."
Company executives need to go to jail when they do this. Fines are not enough. Sadly, the Silicon Valley Insider reported that this may be the tip of the iceberg:
"Congressmen John Dingell (D-Mich), Joe Barton (R-Tex) and Cliff Stearns (R-Fla.) and Ed Markey (D-Mass.) sent letters to 33 broadband providers last month asking about their ad-targeting techniques. So far, Charter Communications (CHTR) and former Sprint (S) unit Embarq (EQ) have copped to using NebuAd."
You can read here the replies the Congressional committee has received.
What is it that allows companies to arrogantly treat consumers' personal data like they own it... without giving consumers any notices? Is a general attitude among executives within telecommunications companies? Is it an assessment that they can likely get away with it? Or, is this a result of the spying immunity Congress gave phone companies earlier this year?
Notification of the test and an "opt-in" system default would have been appropriate for these behavioral advertising tests. If behavioral advertising delivers the promised benefits to consumers (e.g., relelvant advertising), then tell consumers! Otherwise, it is just a rush by ISPs to make money and ignore consumer privacy.
An opt-in approach is convenient, since consumers are already trained to remember which web sites they have registered (or opted in) at. This is not difficult. Consumers have been registering at web sites since the mid-1990's.
Why the fuss about behavioral advertising? First, there is the abuse of consumer privacy. Companies have to tell consumers when they perform behavioral advertising and provide an opt-in mechanism, regardless of the indefensible position the FTC has taken to facilitate this rush.
Second, the steady monthly volume of corporate data breaches, which are driven by corporate carelessness and incompetence, mean that companies will lose or have stolen behavioral advertising data. Data that is lost, stolen, or hacked can be abused. Behavioral advertising data includes the sites you visit, the keyword searches you submit at search engine web sites, and the specific site pages you visit at sites that are members of the advertising network -- all highly personal data. Companies must state to consumers how they will protect data collected by behavioral advertising programs.
These behavioral advertising program tests without notifying consumers and without providing consumers with opt-in mechanism, are examples of the current imbalance or "tilt in the playing field" in U.S. commerce, which I wish more consumers recognized. A better balance can and must be achieved between the needs of corporations and the needs of consumers.
In the soon-to-be-released book, Age of Conversation 2008, I wrote a chapter about behavioral advertising as one of the key emerging issues and challenges this year. It appears that ISPs are proving me correct.
Thanks to Congressional representatives for investigating this so far. I encourage you to write to your Congressional representatives today. Demand investigations by Congress and enforcement of consumer privacy laws. Demand that any data collected already from behavioral advertising tests be destroyed.
I'm looking forward to the book George. Every step we take in the personal data integrity vs. data convenience struggle is increasingly critical. Folks need to know and fully understand the trade-offs that always come with convenience. While I am fully on board with technology and the advantages of quick information accesses, I see that for as long as the data has value there is an increasing risk of misuse. Thank you for staying on point and keeping us aware of these developmants.
John
Posted by: John Taylor | Monday, August 18, 2008 at 11:46 AM
Great article George. Here are some issues for you and your readers.
In review of the congressional responses,which indirectly involved a "select group",I don't understand the following:
1)Which entity anonymized the ip address, the isp or the "select group"?
2) why discuss "non-cookie opt out" vs opt out, when we should be discussing opt in?
3) What is the extent of privacy issues when we are dealing with wireless ISP's
4) If the isp of the user is not associated with the "select group of interest", what occurs when the user's search query reaches a website that is associated with the 'select group of interest" as it relates to advertisements and tracking?
Thanks for your opinions and comments;
Posted by: anonymous | Monday, August 18, 2008 at 05:56 PM