Commentary

The Week That Was: Privacy Potpourri

The Federal Trade Commission succeeded in rattling everyone's cage this week. Not only did the lengthy new report on "Protecting Consumer Privacy" move beyond offering guidance to industry for self-regulation, but it laid a roadmap that legislators (or the FTC's own regulators) could take up to start government-level enforcement.  And of course, the mere mention of establishing a "Do Not Track" mechanism is sending shivers down industry spines. Just about everyone started scurrying for postures and positions.

The Interactive Advertising Bureau was quick to respond with, on the one hand, assurances it would cooperate with the Commission's request for comments - and, on the other, derided the notion of a Do Not Track List. "To create a Do Not Track program would require reengineering the Internet's architecture," the IAB said. Moreover it likened the FTC suggestion of offering a universal choice mechanism of controlling what ads a consumer receives to a "government-sponsored, and poorly managed, ad-blocking program - something inimical to the First Amendment."

advertisement

advertisement

One of the most helpful posts I have read of late about the Do Not Track mechanism comes from Jim Brock at PrivacyChoice.org. Writing the day before the FTC report and announcements dropped, Jim walked through the technical challenges of a Do Not Track implementation.

Jim discusses whether a browser-based solution would be sufficient. The FTC and others are starting to recognize that as privacy watchdogs, there is a difference between opting out of targeted advertising and actually stopping the transmission of behavioral data to a vendor.  Jim also raises the very good question that the FTC actually punts: What to do about mobile? Jim's full post is a good starting point in the real discussion over how a Do Not Track list actually would function and how consumers would interact with it. The FTC is calling for simplicity and streamlining in these processes. But given the native complexity of online data collection and the technologies involved, it seems hard to imagine that at some point consumers will need to get into the weeds of managing their own privacy.

Also helpful in getting a grip on what the FTC is aiming for, Alex Howard's blog post at O'Reilly Radar recounts some Q&A with FTC officials on a conference call the other day.

 

This, and a recount of the first FTC Privacy Twitter Chat, are instructive.  

I get the impression from these exchanges that the FTC is earlier along in this process than some may be supposing. In response to the Twitter questions, the FTC says it is looking for more research from the industry on the costs involved in implementation and the potential of lost revenue. Curiously, the Commission is pressing for quick implementation of solutions -- but some of its responses indicate it has no idea yet what the economic impact will be.  

 Meanwhile, yesterday we saw some signs of the ad network ecosystem finding its way into the issue from another direction. Trying to get ahead of the prospect of a Do Not Track tool, BetterAdvertising announced the new Open Data Partnership, which promises to let consumers see more precisely how they are being profiled by data collectors -- and in some cases, allows them to manage their preferences.  

Outlined at the BetterAdvertising site, the ODP looks as if it takes the NAI's opt-out mechanism to another level of granularity. Consumers can get a quick take on the companies tracking their browser and collecting information. They can then click through to their own profile with a particular data vendor and check themselves in or out of specific segments, or just opt out altogether. BetterAdvertising is going to make the portal available from the icons they will be embedding on ads and publishers will put on their own pages. In the first iteration of the "Power I" icon, the consumer would see information about the advertiser specific to an ad. I gather from this outline that now any ad in the system can lead the user back to a more general profile that encompasses other data providers. For now the ODP has only eight inaugural members, including bluekai, exelate and Turn. Missing from the roster are the most important players, Google and Yahoo!

Attendees at the November Ad Nets conference may recall a good deal of discussion about what granularity of control consumers want in managing their online profiles. This ODP system (at least in the screenshots) shows how thorny it could get for a consumer. Every data vendor has its own segmentation. Even if the effort is centralized, it still means that a consumer would have to manage profiles from vendors they never heard of, across countless networks that affect ad delivery to no-one-knows-where.

The cacophony of voices on all sides of this issue -- and the relentless posturing -- has only begun. It seems clear that the FTC is calling for a more unified and simplified approach to an online ad system that has been defined in recent years by its obtuseness, complexity and fragmentation. What should be the industry's next steps? 

2 comments about "The Week That Was: Privacy Potpourri ".
Check to receive email when comments are posted.
  1. Andre Szykier from maps capital management, December 3, 2010 at 5:16 p.m.

    Websites want tracking metrics from ad metric vendors as well as Google, Yahoo and others as a service. These should simply reflect unique visitor metrics along with time stamp for RFM analysis.

    When you start to collect things like context of a page, cross site visits and ad response it becomes murky.

    A browser should be able to detect if a cookie or a beacon code is on the page and block the port 80 inbound/outbound transaction for these types of requests if the add-on is set to deny such events.
    All other port requests should report if they are going to be used.

    As for compliance, any vendor that works with a website or the site itself and uses beacons or rich media that performs cookie/beacon events should be registered with a reputable party.

    Asking the browser user to allow or not these events seems a bit onerous and probably most people would not go to the effort of blocking them unless it was part of the browser's privacy control settings.

    As it is, if you disable cookies for a browser session, some sites refuse to run unless they can set a cookie. One should have the ability to use an plug in that creates anonymous cookies that get purged at the end of a session.

    The problem of persistent cookies (Flash) is a major problem because of Adobe's intransigence to allow browsers to delete them. Today you have to go to their site to control Flash privacy and security permissions. Give me a break! Video flash ads are notorious abusers.

    As for mobile, the problem is simple to fix as the user id is static (phone number) for SMS/MMS and web services. However, the author is right in that the mobile OS needs some changes to allow the device to block in/out communications for cookies and beacons. Simply substitute the mobile device identifier with an anonymous proxie.

    Same goes for GPS location based services. Right now, you can disable GPS on your device setting. A similar approach should be done for mobile device identifiers.

  2. Bruce May from Bizperity, December 3, 2010 at 6:14 p.m.

    We have not yet reached the point where the consumer experience will determine what is and what is not acceptable. Currently, ad tracking seems to be nearly non-existent based on my own experience. Perhaps I just don't engage in enough consumer spending for my behavior to matter. Yet you would think that by now, ad networks would at least recognize that I am a middle aged man. Obviously they don't since I see ads aimed at women all the time (please resist the temptation to insert your own snide remark here). The no-call list works because people hate, and I mean hate, marketing calls. Few are upset about online tracking because they can't even tell that it's working and the truth is that it's not working very well. That will change. When it does consumers will get upset only to the extent that it is perceived as being "creepy". For example, if you feed me an add based on a comment I make on a social network, I would indeed feel like someone was creeping around my personal life. The point is that online tracking can be spared the full brunt of consumer push back to the extent that it can avoid the "creep" factor.

    The government will extend as much protection as necessary in reaction to that push back, regardless of what the industry thinks is reasonable. The economic impact argument can only stand when their are no "creeped out" consumers demanding protection. A blanket, no-track solution is not technically difficult but as long as consumers feel comfortable in their online space they will not be clicking on the no-track option. They will not embrace any solution that requires them to make complex decisions about what their options are, especially not on a daily basis. The reaction to the Facebook privacy battle this year make that clear. So industry solutions can create complex options only as long as the consumer doesn't feel like they are needed in the first place.

Next story loading loading..
About the Author

Steve Smith is Editorial Director of Events for MediaPost