Tuesday, April 22, 2008

BT WEEK POST 2 - PRIVACY

COOKIES, BT, PII, AND PRIVACY

Before we go on, it’s important to take a little detour into the topic of privacy online. The Internet was never designed to be an extremely anonymous or information secure environment. It is a medium of information sharing.

The Federal Trade Commission of the US Government has made it crystal clear that the owner of a PC or other connected device is the controller of what information is shared by that device with marketers and other organizations. Web sites essentially need your “permission” to place a cookie on the machine or extract cookie data or other information from you.

It is relatively easy to refuse to accept any cookies on your machine. It’s a simple setting change.
But here’s where the plot thickens. Most websites require that the information sharing between you and them be a two-way street. In order to view all of the content or use all of the functionality of a site, your PC must be set to accept cookies. The sites require it. If your PC refuses to accept cookies, then you will be refused some or all experiences and information on that site.

You must be willing to share SOME, BUT NOT ALL, information in order to use the web. Reputable companies that use cookies generally agree not to collect or store “personally identifiable information” (PII) about you in their data collection and usage efforts unless they get your permission. Your name, address, social security info, and other highly personal info are not fair game without your explicit permission. Anything that uniquely identifies you as a person is off limits. To a BT platform, you are simply an anonymous individual that clicked on a Lincoln Navigator ad. Among other things.

According to Wikipedia, the following types of info are PII, and cannot be collected or shared without permission:

• Full name (if not common)
• National identification number
• Telephone number
• Street address
• E-mail address
• IP address (in some cases)
• Vehicle registration plate number
• Driver's license number
• Face, fingerprints, or handwriting
• Credit card numbers
• Digital identity

Personal info that is generally NOT considered PII includes:

• First or last name (if common)
• Country, state, or city of residence
• Age, especially if non-specific
• Gender or race
• Name of the school they attend or workplace
• Grades, salary, or job position
• Criminal record

Reputable sites don’t take your PII. Disreputable parties might. This is one way that identity theft occurs. A cookie sent by a reputable company (for example, a major ad network) is generally acceptable to PC protection software from McAfee and others. A program designed to take other information is blocked. Or usually is. ;-(

But of course the water here is a bit murky because if you collect enough non-PII, you can probably identify a single individual if you want to. For example, I am a single, Scion XB-driving, homeowning Oakland CA resident that buys 4 books per week online, generally buys green, travels 12 times a year for business and 6 for personal (tickets purchased online.) I use Colgate, have a Sonicare I bought online, prefer foreign language films and buy my tickets online, and have a penchant for purchasing DVDs of sit-coms from the 70s and 80s. I send flowers online about 8 times a year. I have a Facebook profile, a MySpace profile, and a LinkedIn connected to hundreds of people. That, I am guessing, describes exactly one person in the US.
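The effect described above, where attributes that are not PII on their own single out one person once they are joined, can be measured on a dataset before it is retained or shared. The sketch below is an added example, not part of the original post: it computes k-anonymity (the size of the smallest group of profiles sharing the same values) as attributes accumulate. The field names and rows are constructed for illustration.

```python
from collections import Counter

FIELDS = ("city", "car", "homeowner", "books_per_week")

# Constructed sample of behavioral profiles: no name, address or other
# listed PII, only coarse attributes of the kind the post mentions.
ROWS = [
    ("Oakland", "Scion xB", True, 4),
    ("Oakland", "Scion xB", True, 1),
    *[("Oakland", "Scion xB", False, 1)] * 2,
    *[("Oakland", "Prius", True, 1)] * 3,
    *[("San Jose", "Prius", False, 0)] * 5,
]

def group_sizes(rows, attrs):
    """Count how many profiles share each combination of values on attrs."""
    idx = [FIELDS.index(a) for a in attrs]
    return Counter(tuple(r[i] for i in idx) for r in rows)

def k_anonymity(rows, attrs):
    """k = size of the smallest group; k == 1 means someone is singled out."""
    return min(group_sizes(rows, attrs).values())

def singled_out(rows, attrs):
    """Profiles whose combination of values on attrs matches nobody else."""
    idx = [FIELDS.index(a) for a in attrs]
    sizes = group_sizes(rows, attrs)
    return [r for r in rows if sizes[tuple(r[i] for i in idx)] == 1]

def risk_curve(rows, attrs):
    """(attributes joined, k, profiles singled out) as attrs accumulate."""
    return [
        (n, k_anonymity(rows, attrs[:n]), len(singled_out(rows, attrs[:n])))
        for n in range(1, len(attrs) + 1)
    ]

if __name__ == "__main__":
    for n, k, uniq in risk_curve(ROWS, FIELDS):
        print(f"{n} attribute(s) joined: k={k}, profiles singled out={uniq}")
```

On this sample k falls from 5 to 1 as the four fields are joined; a data owner would generalize or drop fields until k stays above a chosen floor.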

But truth be told, if someone really wanted my identity, there are far easier ways to get it than exhaustive analysis of online behavior.

And companies active in BT ARE NOT collecting PII. In fact, the Network Advertising Initiative (NAI) has just proposed a set of voluntary guidelines that govern what can and cannot be collected. They are currently seeking public comment on these standards.

There are a few other issues to consider:

1. How long do companies keep my data? Does the consumer have the right to expect that their data expire after a reasonable space of time?
2. How well protected is my data? Can it be easily stolen? Again, not such a major problem if there is no PII.
3. Is the privacy policy of sites that collect (or allow others to collect on their pages) BT data written in a manner that is compliant with FTC standards?
4. BT can be argued to be a customer service when it increases the relevance of advertising on a page. But what if the BT is used to vary prices, so that, for example, a person making $65,000 a year is charged more for a book than a person making $45,000 a year? Few would consider that a beneficial service.
5. What dangers are there in collecting certain kinds of BT, like health info? Can this info later be used to deny the consumer insurance? Or eliminate him from consideration for a job? Of course, given that PII is not being collected, these worries are probably unwarranted. But some people still have them, and that is an issue for the BT industry.
6. Are the BT data stored in your cookies correct? If I search for a cancer site on your computer, it’s not MY cookie that is getting credited with this search. Again, in a world where PII are not collected it won't make any difference to the consumer -- but it does point out a limitation of BT.

At the risk of passing the buck, it should be noted that these BT privacy questions are really part of a larger issue of privacy in America, and the extent to which Americans have a legal right to privacy. Do we? Jurists disagree strongly on the extent to which we do. The Fourth Amendment states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

But privacy rights are going to be THE defining issue for the next several decades in US Courts given the rise of digital media and the ability of the government and other organizations to easily collect, analyze and use information about us.

In the EU, a single difference in the way BT is regulated creates a far different degree of privacy concern. In the EU, users must OPT-IN for BT, whereas in the US they must OPT-OUT of many forms of it. The new NAI standards actually change that a little -- some kinds of BT data are considered sensitive enough to warrant requiring consumers to opt-in. The rationale for the US decision is that the OPT-OUT method results in far higher potential ad revenues for US content providers, meaning that consumers get access to more and better content supported by this higher level of revenue. US sources argue that EU residents are disserved by the OPT-IN policy there because less content is available to them. Naturally many other US sources and EU sources disagree. But so far the FTC has stated that OPT-OUT is the right policy for the US.

I agree with that decision. Consumers have "free" access to trillions of pages of info. Somehow that needs to get paid for, and so long as there is a strong wall built around PII, I think any technique that improves online revenue is a good thing.

Let the flame mail begin!

Thanks for reading, and don't forget to write.

NEXT: THE PROPOSED NAI STANDARDS
