Showing posts with label privacy. Show all posts

Tuesday, November 30, 2010

The Internet's Greatest Marketing Bloopers

Everyone loves a good blooper -- until your own brand becomes the butt of the joke. Let's examine some digital flubs and what we should take away from them.

Who doesn't love a TV blooper? They are fun to watch -- flubbed pronunciation, forgotten lines, double entendres. You don't even need to be a mean person to enjoy them because bloopers are mistakes, but not deadly ones.

In an environment as dynamic and ever changing as digital, it's natural that even the smartest in the digerati make bloopers in judgment or execution. Many such online marketing bloopers are the result of the changing reality brought on by the advent of digital, and as such are quite understandable. But that doesn't mean we can't learn from them.

If the definition of insanity is doing the same thing and expecting different results, then perhaps this article can help us avoid straitjackets by pointing out a few digital bloopers and what we should take away from them.

1) Don't assume you can isolate messages

The web provides enormous opportunities to segment and tailor creative messages. But it also breaks down demographic, geographic, and other boundaries. Segmentation and tailoring do not prevent some segments from hearing and seeing what you are saying to others.



Remember this ad from Absolut, which depicted the pre-1848 Mexican and U.S. borders? Run only in Mexico, the ad was designed to be a funny nod to Mexican pride. The brand surely felt it had found a powerful visual to help la gente identify with the brand. Unfortunately, right-wing American bloggers got hold of the ad, and within hours were lined up to ban Absolut, call it reverse racist, and on and on. Former CNN personality Lou Dobbs switched to Grey Goose over it.

Now, in large part due to income disparities and population, Americans drink more Absolut than Mexicans. So the company had to scramble to apologize to Americans who might have been offended. Here's what the brand issued:

"This particular ad, which ran in Mexico, was based upon historical perspectives and was created with a Mexican sensibility. In no way was this meant to offend or disparage, nor does it advocate an altering of borders, nor does it lend support to any anti-American sentiment, nor does it reflect immigration issues. Instead, it hearkens to a time which the population of Mexico may feel was more ideal."
-- Paula Eriksson, VP of corporate communications, V&S Absolut Spirits

But from a digital perspective, the key takeaway is that you need to assume that everyone can see everything.

2) Avoid building the branded destination website

Most of us have created a digital something in the misguided hope that significant numbers of people care about it and our products as much as we do. If you're like me, there's a $500,000-plus error in your past that reflects this sort of "Field of Dreams" mentality.

It wasn't so long ago that lots of brands were building massive websites in hopes that consumers would spend half their online time interacting with branded games, participating in brand chats, talking to brand experts, etc. While less common these days, the branded "destination" site still appears periodically in the digisphere.

It's fairly unlikely that you can attract and hold the sort of audience you are dreaming of. Why? Because just as The New York Times shouldn't go into the chewing gum business, you probably shouldn't go into the content business. It's not what most of us do. Better to stick to what you know.



The classic example of this is Bud.tv, a $30-million experiment that folded in 2009. Now, hold the phone. I am not ragging on Bud here. If any brand could develop a compelling content destination, it'd probably be these guys. After all, the company "gets" its customer and knows how to bring the funny in a 30-second spot.

But even Bud couldn't define and deliver a place where its customers would want to "live" online. The hype and anticipation of Bud.tv were ultimately met with lukewarm consumer response -- despite a broad range of decent-to-good video, activities, and game content on the site.

The hard, cold reality: Bud makes beer, not movies and games. And you make pine-scented air fresheners or electronics or weekend getaways or whatever it is that you make. Not entertainment.

3) Don't field social media programs just before the weekend

Arguably, no one is better at marketing to moms than Johnson & Johnson, so its misstep on Motrin was a bit surprising. Motrin developed a tongue-in-cheek ad that poked fun at moms who love baby slings -- fabric baby carriers that keep your child right next to your body. Motrin suggested that moms who wear them cry more than moms who don't, presumably due to back and neck strain. Here's the ad:



The video went up late on a Friday. While of course social media is a 24/7/365 proposition, most marketing and PR people are at home on Saturdays, and probably not monitoring the social sphere for consumer reaction. But as Motrin soon learned, mommy bloggers and mommy Twitterers do not take Saturdays off.

The maelstrom of negative reactions was fierce, and it built throughout the weekend. By the time Monday came along, Motrin faced a tsunami of angry moms.

Motrin responded quickly. Down the ad came, and with its disappearance the controversy more or less ended.

We could dissect the ad and try to take creative lessons. But hindsight is 20/20. I think it's best that we remember that we live in a connected world, and individual opinions matter. And when we don't participate in the dialogue about our brand, bad things happen. So never field campaigns or social media on the weekend. Because listening to early reactions is critical to ensuring success. Had the campaign gone out on a Monday, J&J could have addressed the concerns in near real time, provided it was using one of the many social insights platforms currently available. Nothing good comes from not being around at launch time.

4) Never claim "hackproof"

When a medium reaches more than a billion people, it's safe to say that there is someone out there who can hack whatever you can make. How long does it take after Microsoft launches its latest security update before the next virus hits?

It's not just software that has been hacked as well as shamed online. The people who make Kryptonite bicycle locks found themselves in a whole mess of negative publicity (http://www.engadget.com/2004/09/14/kryptonite-evolution-2000-u-lock-hacked-by-a-bic-pen/) way back in 2004 when Engadget was able to pick its signature high-end lock using only a ballpoint pen.



And of course there's LifeLock (http://www.lifelock.com/), which famously posted its CEO's social security number everywhere to prove how protected its members are. While said CEO was able to use the service to avoid damage to his credit, his identity was stolen many times. Meaning people used his social security number in a variety of ways, but none had material impact on his credit. Because LifeLock had stated or implied (tomato-tomahto) absolute security, it lost the PR battle, even if its CEO can still easily get a new mortgage.

In short, claiming hackproof is like waving a red flag in front of 6.5 billion bulls. You might be able to outrun the pack, but at least one is getting its horn into your gut.

5) Don't "wing" it without a social media policy

It seems that many companies have recognized the importance of social, and the value of a "live" company presence in social media. Unfortunately, some jumped straight to social media execution without first developing a sound social media policy.

Hospital nurses cell-photoing an embarrassing X-ray and posting it on a social net. Earnest social media managers making statements that are inappropriate. The number of examples in which companies would have been helped by offering explicit and well-considered social media policies is legion.

Fortunately for those who made or are making this misstep, many organizations have made their social media policies public, and reviewing these can help companies understand, anticipate, and address potential issues before they arise. With all these examples publicly available, there's no reason or excuse to wing it anymore. Naturally, companies need to strike a balance between natural and genuine thoughts and opinions with the need for strong corporate controls. Fortunately, more and more companies are succeeding.

6) Don't ignore privacy concerns

Most industry participants are certain that advanced targeting technologies pose no threat to consumer privacy. That doesn't matter anymore. What matters is that consumers and the government think that they pose a threat. The WSJ article last July was just one of the stories that are slowly rousing public concern about online privacy.

You can say people are confused. You can say people are being paranoid. Or moronic. But you are in the people-pleasing business, not the people-judging business.

"Judge not lest ye be booted out on your snotty arrogant a*s, you self righteous b*stard."
(Book of Jim 1:1).

Ask Phorm if privacy concerns matter. Or now defunct Gator/Claria/JellyCloud. Or better yet, ask Jon Leibowitz, FTC chairman.

The self-regulation efforts from a cross-industry coalition, encapsulated in the "Power i" program, have created a great means of informing the public and enabling cool, rational decisions about advanced targeting. Get on board.

Many thanks to the fine people at iMedia Connection for publishing this first.

Tuesday, August 10, 2010

Baby U Wanna Go Private?

I thought I'd use a come-on headline simulating the start of a steamy private chat session to catch your attention. Sorry, I know it's a dirty deception. No pun intended. But I did it because I'm on a personal mission to get our industry to care about privacy and to embrace the Cross Industry Coalition's Power i program. At ad:tech SF I jumped up and down on a stage saying "You have to care about this." That's how important I think it is.

Yes, privacy. You hate talking and reading about it. Five will get you ten that you've already stopped reading and found some link on this page to click on to get away from the p word. For ten years our industry has been more or less dodging this issue because it's complicated and makes everyone feel a little dirty.

But the FTC is demanding that we care, especially (but not exclusively) as regards BT. They're doing this in part because about 2/3 of consumers say that a perceived lack of online privacy troubles them.

Here's the ultimatum: care or risk BT and other forms of targeting getting heavily regulated. Or maybe shut down.

BTW, a BT shutdown would decimate more than a few pubs that depend on higher CPMs from BT inventory to keep the lights on. It would also kill off one of the biggest growth engines of digital spending. DR would suffer big time. And branding too, because finding in-market eyeballs for brand messages is pretty darned important in some of our biggest categories.

Our industry gets it. The CBBB, IAB, AAAAs, DMA, and ANA have gotten together to develop the Power i program that notifies consumers when BT is used to deliver an ad to them, gives them information about BT, and gives them choice.

You put a small Power i on your BT ads. And the consumer has the option to click on it and find out about the data and companies used to put the ad in front of her. She can read it, and do nothing. Or click again and read more. Or she can opt out of some or all targeting.

You as a BT advertiser use the i to extend the same level of trust to the consumer that she extends to you when she buys your brand.

By using the Power i, you are saying to her, 'I respect you. I know that your data and interests are yours, not mine. I ask that you allow me to use anonymous information to find you and put things in front of you that you'll probably be interested in. I won't force you to let me do this. Because I value our relationship.'

A CSF client makes this discovery and choice process easy and clear and decidedly unscary. Called Better Advertising (AdAge's analysis here), it makes the post-click experience easy, straightforward and clear. Their technology is also vigilant in ensuring that her wishes are respected. BA even makes sure that your brand gets the credit for this transparency and choice.

I'll take bets that the people who click on the i will like you more for being straight up with them. And that very few people will actually opt out.

Now, there's no law that says you have to use Power i-s. You can trust her and demonstrate your concern for her wishes. Or you can do nothing and give her a reason to question your methods and fundamentally your regard for her dignity as a free person.

Personally, I prefer to do business with people and institutions that treat me with dignity. How about you?

Thursday, December 4, 2008

New Site And Messaging For NebuAd...



There's a pretty new site and some changes to the model at NebuAd. Their new model aggregates data from ISPs, publishers, and emerging media channels to provide behavior clusters. So more data sources.



More data sources is relevant because some ISPs are gonna wanna piece of them for a bit. But they can expand their footprint with publisher and emerging media data, to get scale.

They've done some more explicit naming and graphicing, like the "privacy protection layer."

It's still opt out, so that won't make the super privacy advocates happy. But then so is every other BT offering that I know of, anyway.

Here's their constituency messaging:

Insight for Marketers
- Rich, multi-dimensional insights based on anonymous, online user activity and multiple interest triggers.
- More precise targeting / re-targeting of defined audiences based on demonstrated likelihood of buying a product or service.
- Audience & campaign intelligence reports with insights into who your audience is and what their interests are enabling audience specific messaging.
- Minimized waste through precise and effective matching of qualified audiences to each specific campaign.

Insight for Media Companies
- Most effective solution for boosting RPM and monetizing all of your inventory.
- Comprehensive aggregate reports with industry-leading visitor intelligence based on actual visitor activity.
- Turnkey deployment to get up and running quickly with minimal effort and disruption.
- Flexibility to automatically accommodate changes to your site.

Insight for Communication Providers
- Most effective solution for achieving stronger revenue growth via market-leading advertising system, while preserving and enhancing the interests of advertisers, publishers and consumers.
- Deliver built-in, industry-leading consumer privacy and data protection with Privacy by Design approach.
- Transparent technologies and wire-speed performance ensure an optimal user experience.
- Turnkey deployment to get up and running quickly with minimal effort and disruption to your existing network.


They are outlining the following privacy protections:

As a team of Internet security and online advertising veterans, we hold the highest standards in consumer privacy protection. Our unique Privacy by Design approach ensures that we safeguard consumer privacy and consumer data while empowering consumers with proper control.

- We do not collect or use personally identifiable information.
- We have no knowledge of any web user's identity since we exclusively employ anonymous segmentation processes.
- We do not store the original raw data about a web user's online activities, such as websites visited, in association with anonymous individual segmentation.
- We use the data exclusively to map interests to market segment categories.
- We require our partners to provide consumer notice and offer informed choice in a manner appropriate to the partnership type and channel.
- We make available on-going disclosure and informed choice.


Honestly, I don't see a lot of difference in the privacy message there versus what they said before. But there is a de facto difference in that no one in their right mind would work with them without sending emails in 44 point bold type informing people. And that, my friends, was the bulk of the rub before.

There was another issue, if I understand it correctly, and that is the undisclosed redirection of the browser. I'm guessing that that has been addressed as well, though I dunno for sure. Whether that is addressed through a change in process or will be disclosed in the...disclosure...I would imagine that they have a solution there as well. Without addressing that, I would imagine they would face ISP acceptance problems. That, I understand, is NOT an essential process for ISP targeting.

I didn't see any mention of the issue in the privacy policy, but I ain't no lawya.

Thanks for reading, and don't forget to write.

Monday, November 24, 2008

Spying On The President Elect: Not A Good Idea, Verizon...



A variety of media sources have reported that unauthorized Verizon employees had accessed Barack Obama's celly account to see what they could see. The account they scrounged was not current, and was for an old flip phone, not his beloved BlackBerry.

Hmm. In an environment in which privacy is under increased scrutiny, I cannot imagine the lads and lasses at Verizon PR were pleased to have all this go down.

I was not pleased with their lame public response, taken from Adotas:

“This week we learned that a number of Verizon Wireless employees have, without authorization, accessed and viewed President-Elect Barack Obama’s personal cell phone account. The account has been inactive for several months.”
“All employees who have accessed the account – whether authorized or not – have been put on immediate leave, with pay. As the circumstances of each individual employee’s access to the account are determined, the company will take appropriate actions. Employees with legitimate business needs for access will be returned to their positions, while employees who have accessed the account improperly and without legitimate business justification will face appropriate disciplinary action.”

Suspended with pay? I call that a paid vacation reward.

Thanks for reading, and don't forget to write.

Thursday, October 2, 2008

POV Thursdays: Q&A With Robb Topolski

It’s difficult to know where to begin in providing a short intro to this Q&A exchange with Robb Topolski. Unless you’ve been living under a rock, I am sure you know the name. Robb was the citizen who exposed Comcast’s secret blocking of BitTorrent traffic to its customers. He is also the man who produced the study that questioned both the processes and policies of NebuAd and the ISPs that worked with it (or planned to work with them).

Robb is an unlikely celebrity. His background is highly technical, and he doesn’t live in a key news media market. The research he does doesn’t sound bite well. Yet somehow he causes tremendous change in the digital arena.

What I think makes him so compelling is his passion and his sincerity. Robb does what he does because he believes it is the right thing to do. Whether or not you agree with his POV, it’s important that we in the digital marketing industry really listen to the issues he raises. I say that because digital marketing techniques are a new world in terms of the technological sophistication required to entirely understand them.

So with that intro, here are Robb’s answers to the questions I thought might interest you. I am grateful to him for his willingness to participate. He often talks to national media, but I am pleased that he was willing to share his views on this, the digital marketing industry’s version of The Golden Girls’ Shady Pines Retirement Home.


Can you tell us a bit about your background – what makes you adept at sleuthing business practices like those of Comcast and NebuAd?

I don’t know if this would be cause or effect, but I learned to read music before I learned to read anything else. I was picking out tunes on a Hammond organ when my Mom and a music teacher bartered lessons for – I think – dog grooming! I’ve always had an eye and ear for algorithms, protocols, and other transactional sequences and an insatiable curiosity and enthusiasm for technology. In the early 70s, I was programming screen-less computers using paper tape for input and teletype for output.

Even with that geeky foundation, I’ve always had an inclination to service. My Dad was a veteran, a volunteer firefighter and a Little-League umpire. I would have defiantly denied it at the time, but he taught me the rewards of service. I was a Boy Scout, and later an Explorer Scout Leader, community sports coach, I did my own stint in the military, and I’ve been a music leader both in church and the Barbershop Harmony society.

I’ve followed your advocacy efforts for years, from the beginnings of the Comcast/BitTorrent issue on through your more recent activities re NebuAd. And the first thing that strikes me is that you spend A LOT of time and energy pursuing these issues. What drives you to do so?

The Internet allows everyday individuals to issue their unique perspectives, showcase their art, offer their products, or follow their interests. In a sense, that’s what I’m doing. But I’m especially motivated because, in the history of mankind, there are only a few moments in human expression that rival this one – perhaps the invention of the printing press, the radio, or the postal system comes closest.

The Internet itself is the ultimate people-helping-people Open Source project. The protocols and standards that allow it to work are given and maintained for free by people who have poured their best into it. That’s worth enabling others to participate in it. If threatened by a bad actor, it’s worth defending.

How do you choose what you research and expose?

I don’t choose. If it’s important and relevant and I’ve spent some time on it, I just put it out there. Who knows, it might save someone time and aggravation months or years later.

I put out my findings about Comcast in May 2007 and they sat, mostly dormant, until August when a major blogger picked up on them. My approach to the Comcast case was, “Hey, here’s something that’s not supposed to be happening!” It essentially was a simple complaint that I made publicly because it was being denied by Comcast and it was reproducible.

At first, I figured that someone at Comcast made a boneheaded decision and, once I explained why an ISP ought not to do that, they’d just say, “Hey, you’re right, we’ll fix that.” I just thought someone at Comcast made a well-intended, poorly-executed goof. But things started to pile up. Sandvine’s use was unknown among Comcast’s own tech-support people – so if any customers had any complaints about it, they were ignored. Comcast then issued flat denials about it, even going as far as to suggest that my testing didn’t amount to anything (not that they ever asked me to demonstrate it to them). I then knew this was going to be one for the long haul.

As it turns out, I wasn’t the first person to notice the strange things that happened when users tried to upload using Comcast – I was the first person (outside of their inner circle) to figure out what was causing the disconnections.

Similarly, my being very familiar with how the Internet and its technologies work was what led me to look at NebuAd. Customers were reporting that cookies were mysteriously appearing on their platforms. I knew that something very unusual had to be causing that, since browsers will only accept cookies under limited circumstances. I found the injected JavaScript nearly immediately, but I spent many hours over many days trying to make it happen in a scenario where I controlled both the browser and the server (so that I could isolate it). Apparently NebuAd had this thing wired down to the IP addresses of Google and Yahoo because I couldn’t fake it out. So I had to raise the issue with Google, and they were very helpful and appreciative and confirmed that they weren’t responsible for the injected script. Case proven.

One of the questions I hear a lot from marketers relates to how ISP-based BT differs from what I am going to call “regular BT”, meaning the approach used by most ad networks in which they track activities on the pages where they serve ads. Can you tell me about why the ISP based approach is more troubling to you? Or isn’t it?

Let me start by saying that my objection is not about the advertising. My objection is having an ISP be complicit in “tapping” the line. We don’t let people listen in on non-broadcast radio signals and disclose the contents of those communications, we don’t accept that behavior on our telephone lines, why would we accept that on our Internet connections? And it’s not like the ISPs and NebuAd didn’t know that users would object -- that’s why they disclosed “under the radar” by quietly changing the legalese that nobody regularly scans for changes.

Secondly, an Internet Service Provider is selling access to a brand – Internet. It is a set of standards that are open and agreed-on and interoperable protocols. Just like a fast-food joint can’t sell Kool-Aid as Cola, an ISP can’t sell something as “the Internet” when it has changed the formula. On the heels of Comcast screwing with the TCP protocol to tear down connections, we had NebuAd doing the same thing to inject a script. NebuAd did this to fake-out the browser into doing things that its security precautions would normally prevent.

In both cases, the issue was that the ISP did something it ought not to be doing. It’s not an objection about how a website or an ad network does Behavioral Targeting across a variety of sites.

How is what NebuAd did different from how the portals collect our online travels using a toolbar like Google Toolbar?

Users who are extremely sensitive about their privacy would never install those toolbars. But some people do, and I have. The Google toolbar, the Alexa toolbar, or Compete’s toolbar – all these things are applications that “spy” in plain sight. You invite them onto your computer, and you can remove them. They exist in a frictionless environment – if the user doesn’t like the intrusion, they’re gone in one moment. Users can disable or uninstall the unwanted application and their surfing information is no longer being shared. The user remains in control and loses essentially nothing for revoking his permission to be tracked.

Embedding the spying device into the ISP changes everything. Most homes in the United States are served by one or two broadband providers. If your only broadband provider is letting a third-party tap your line, the only choice is to do without. (Under the NebuAd model, opting-out only stops the targeted ads – NebuAd is still presented with all of your data – opting completely out was impossible.)

Many people have focused on the idea of robust notice as the key issue with NebuAd and the ISPs, but it doesn’t seem to me that they did anything different in that regard than millions of web sites are already doing when they work with an ad network. Is there a difference in your view, or is it all problematic?

Up to this point, I think that most ad networks worked in a way where a user retained control in a normal way. Users could turn off scripting, block hosts, erase cookies – and for the most part, privacy-conscious users acting like normal privacy-conscious users can successfully avoid tracking (or avoid building a significant profile).

The NebuAd model was not avoidable by privacy-conscious users. It tracked users regardless of their desire. The opt-out didn’t protect them and the opt-out cookie went away when users cleared their cookies (which privacy-conscious users do).

Just a word about “Robust” notice -- Remember that NebuAd claimed that it required robust notice, but the only ISP that I know of which actually provided prior and assertive notice was that big NebuAd ISP that never got started – Charter! The rest of them slipped NebuAd in under the radar or notified their users after the investigation began.

Boiling it all down, how much do the privacy issues you see online relate to our use of opt-out versus opt-in models?

I think that “Opt-In” is the argument winner for your industry. How can anyone object on grounds of “illegal,” or “unethical,” or “non-standard” when the user has specifically and truly optionally requested to do whatever it is you’re doing? Embrace truly informed “opt-in” and all these regulatory or lawsuit risks go away. Now, it’s not a true “opt-in” if you’re not clear. Don’t tell me boldly that you’re a “security” application when you’re also quietly selling the click stream out the back door. Opt-in means I’m fully informed and completely free to decline without losing something that I already have.

Opt-Out as implemented today just won’t work. It’s a “sounds-good, does-nothing” solution. It’s the kind of non-solution that causes users just to reject all advertising.

What are your views on the proposed NAI guidelines for BT?

I think that industry best-practices are very useful and that membership and participation in such groups is part of being an active part of your community. I think that calling for “Opt-In” use of DPI is the right call. The application of DPI on the Internet is still very immature and the rush to beat the competition might trample discretion.

Do you think a federal privacy law would be beneficial to consumers? To business? Is it practical to create a valuable privacy law in a rapidly changing technological environment?

Right now the privacy laws are here-and-there. Consumers wouldn’t know where to start or finish looking for the laws that apply to their situation. Business is afraid that changing these patches of laws into some kind of unified “quilt” would change things. They’re right – it will change things. But who is more used to change than your industry? You’re always either leading it or following it. So, what else do they have to be afraid of?

One of the biggest challenges I feel as a marketer is how to make decisions on marketing tools that are increasingly technical – difficult for lay people like me to understand. It’s tough to know what questions we should be asking. Can you provide thoughts on what questions marketers need to ask in order to stay on the right side of preserving user privacy?

“What would my mother think of this?” is the question people should ask. If she would object, it’s probably wrong on some level. Are you having to “color” or oversell the description of what you’re doing? Are you having to bury the disclosure? Those are all signs you’re on the wrong side of the fence.

Why is it important to focus on digital business practices versus offline practices? Since reputable digital marketing technologies don’t collect PII, aren’t they LESS DANGEROUS to privacy than, say, the catalog industry or credit bureaus that routinely collect, use, and share PII?

You’re making the case for unifying these conflicting privacy laws, or at least trying to rediscover the principles or expectations that created the privacy laws we have. NebuAd missed the point, claiming that it was fine because it didn’t save any PII even though it saw everything you said and did (even PII if it happened to be in the data) when you thought you were interacting in privacy.

You’ve been very successful at documenting the questionable behaviors of very large and well funded companies. I am really amazed at your successes. What makes you so successful? How have you leveraged digital media to gain awareness for the issues you care about?

I’ve been privileged to work with others, including my clients Free Press and Public Knowledge, which are excellent in the fields that are their namesakes. They’re very interested in keeping the Internet a free and level marketplace, as are many of your readers (there would be a lot fewer online marketers if the Internet became a managed “walled garden” environment.)

My stock in trade about any subject is the set of facts about it. I explain things in simple and historical terms and in ways so that others can repeat my steps and see the same results I saw. I use my real name. I avoid complication. I give both sides. I am passionate, but my value is my technical knowledge and ability, and I try and extend that to others.

It strikes me that whenever there is a controversy between privacy advocates and digital companies, the debate quickly devolves into personal attacks instead of directly addressing issues. Has this been your experience?

Yes, and it’s unfortunately contagious. We should all speak with facts and challenge our biases – or risk being challenged by both.

In closing, do you have any thoughts or advice for marketers concerned about both the ethical and legal aspects of online targeting technologies?

It’s not a war against advertising, please understand that. Don’t resist change, participate in it. You’re Internet users, too.

OK, one very personal and totally unrelated question: Is there any video online of one of your Funchords barbershop performances? ;-)

Unfortunately, because of the convoluted way that mechanical licenses work for music, I haven’t tried to clear anything that I could publish online. None of the quartets I was in ever bore the name “Funchords,” although all of my quartets have been more the up-tune and comedy variety. “One Bit Parody” was the work quartet (Intel – a play on the error-checking routine called parity), and we did company and non-company gigs both in and out of Oregon. “Spare Time” was the non-work quartet and we did local gigs and contests. The last song “One Bit Parody” ever sang together was Smile. This isn’t us, but it’s that song and we’re about that caliber -- http://www.youtube.com/watch?v=J6o-RKMVEZY

Monday, September 29, 2008

Fellow Digital Marketers: Have We Become The Enemies of Privacy?



Privacy is very important to me. Call it a typical Boomer trait, or something else. I don't care. But I am also a believer that the bills have to be paid. And in a digital environment in which consumers are not willing to pay for most content, we need to recognize that 80 cent untargeted CPMs are not going to pay for the array of content types consumers want.

Concepts like BT are essentially a trade off of better content for our non PII behavior data points. Some would call that an aspect of privacy. And certainly some people worry, rather understandably I might add, that in an environment of government "guidelines" you can drive a truck through, it's challenging to believe that companies will always behave honorably.

I like the idea of the NAI -- of companies making a concerted effort to set some standards that are clearer than the squishy FTC stuff, which it appears was written to provide everything short of actual standards.

But the problem with ONLY self regulation is that not all companies are in the NAI, and the potential for abuses is very high when there is no set-in-stone set of rules, the violation of which would yield jail time.

Frankly, I want some jail time rules. I want a set of rules that governs disclosure so that we know the limits of technologies, policies, and processes that drive ROI. And I want to see people who end up doing things that are against such laws end up behind bars. Because the stakes are too high to let self regulation govern what could well be gross violations of privacy.

I am not a lawyer, but it is my understanding that many jurists, particularly of the sort appointed by Republicans, do not feel that the US Constitution provides privacy protections beyond those enumerated in the Bill of Rights -- a document, I remind you, that was authored more than 200 years ago when the most advanced information source was a four page broadsheet newspaper. So I would LOVE a privacy law that put that sort of thinking in check.

The sort of laws I seek would define what disclosure means in an opt-out scenario.
The sort of laws I seek would outlaw the collection of an enumerated set of sensitive information categories. Health, DNA, identity, legal behaviors, etc.
The sort of laws I seek would govern HOW data are collected.
The sort of laws I seek would govern how long information can be stored.
The sort of laws I seek would make it illegal to take acceptable forms of non PII and use them to reverse engineer PII.


There was and is some talk of such laws in Washington. I am not optimistic that that talk will continue after the election. But perhaps I will be pleasantly surprised.

But let's go a little deeper -- returning to the title of this post. I was recently at a panel discussion in which four industry leaders communicated four ideas that I found disturbing when they were juxtaposed in the three minutes or so it took to communicate all of them:

1. BT does not add value consumers understand. Targeted ads are not a consumer meaningful benefit.
2. BT does add value, consumers just could never ever ever ever ever see it. So Opt-In would never work.
3. Consumers are becoming more tolerant of cookies and other forms of tracking.
4. If consumers knew we were collecting the info we are collecting, they would be terrified. So, in the context of BT, we actually take steps NOT to target consumers as precisely as we can.


The bundle disturbed me individually as well as collectively.

1. I agree that targeted ads have no consumer value in most cases.
2. I take issue with the idea that consumers are stupid, or that the indirect value of free content is a concept that is beyond their understanding.
3. I think consumers hate all this tracking. You can show me all the studies you want that dispute this. As a researcher I assure you that someone could create a study that proved ANYTHING a company or organization wanted proven. You have to look at who is paying for a study, and how the questions were worded.
4. The deception in the fourth sentence is precisely the reason why consumers don't trust all this tracking.


Collectively the statements seem contradictory, and yet they appear to be the tenets of our industry.

And the underlying deception in these statements is repugnant in a world where we constantly talk about the need for transparency online.

Transparency works. Which, in my book, means that someone should be able to develop an opt-in model that gives consumers so much value that they will be happy to offer up information for the components of value that they desire. Consumers would opt in if they really could make INFORMED choices about what was traded with whom.

And until we meet that challenge, we are going to see a lot more companies and technologies go the way of NebuAd, which spent a lot of VC money on a model that is DOA. Because consumers ARE smart enough to recognize something wrong when they see it. And because companies have to make choices in very squishy arenas when there are no actual, you know, rules to live by.

Yes I get it that the world is constantly changing and that it would be nigh on impossible to make a law that would work forever. But here's the thing. We could always change the law. Update it. Make it reflect new technologies. Just because something is hard, doesn't mean we should walk away from the challenge. Or cede the concept of privacy, making hopeful noises about expecting people to behave honorably but doing little or nothing to define what that means exactly.

Look, companies are out to make money. Their behavior is checked by laws and regulations -- stuff that defines acceptable commercial behavior.

Thanks for reading, and don't forget to write.

Wednesday, September 10, 2008

MSNBC: Paris's Password, and Your Password, May Be Darned Easy to Crack



According to this piece on MSNBC, privacy experts are ringing worry bells over the safety and security of password systems online. Specifically, they are concerned that far too many companies are using very simple security precautions -- systems that are easily beaten.

The idea is this. An attacker finds an org that uses a predictable user name convention -- for example, first initial plus last name -- and then asks to reset the password. Most systems are using security measures like "What's Your Mother's Maiden Name?" or "What is Your Pet's Name?" At some point in the past that might have been relatively private info, but it no longer qualifies: it has become easy to find resumes, social media posts, and other personal info that often contain the answers.

Here's a passage from the MSNBC post:

There are no known cases in which hackers have widely exploited “forgot your password” links, but there are indications that both researchers and criminals are training their eyes in this direction. Markus Jakobsson, principal scientist at the famed Palo Alto Research Center in California, said answers to password reset questions have become so valuable that a black market has developed for personal information like dog's names. Criminals buy buckets of personal information, obviously with an eye towards foiling security systems, for about $15 per set, he said.

In most cases, such information sets are probably the result of successful phishing attempts, Jakobsson said, where a victim unwittingly supplied personal information in response to an e-mail. But he’s seen demonstrations of far more sophisticated tools designed to “scrape” information off blogs and social networking pages for later use by hackers.

“It’s an automatic dossier building tool,” he said.


Like all scary things, the story starts with none other than Paris Hilton, whose cell phone was reportedly hacked using the name of her dog, which the crooks found online. Now, no one credible is entirely sure that the story is actually true, but it has prompted security concerns over the issue. Another passage from MSNBC:

It also prompted researchers to study the issue, which is also known as “fallback authentication.” Ariel Rabkin, a researcher at the University of California at Berkeley, is probably the first to attempt to quantify the problem. He recently published a research paper (PDF) titled in part, “Security Questions in the Era of Facebook.” It examined password reset questions at 20 banks. Of the 215 questions used by the banks, he classified only 75 as secure and usable. The others were either easy for hackers to guess or obtain, or simply too hard for consumers to remember.

"Security questions are getting weaker over time," he said. Mother's maiden name, for example, continues to be asked even though it's often now available from various online sources. "We can’t seem to get rid of that question. … If we do nothing this will get steadily worse."


Oh, the world we live in. When even PARIS HILTON isn't safe!
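The three failure modes named in the MSNBC excerpt (answers that can be guessed, answers that can be obtained, answers the user forgets) can each be measured on a question bank before it ships. The sketch below is an added example, not code from MSNBC, from Rabkin's paper, or from this blog; the thresholds, the keyword list, and all answer data are constructed assumptions.

```python
from collections import Counter

# Topics this post names as findable online. The keyword list is an
# assumption; extend it for your own question bank.
PUBLIC_TOPICS = ("maiden name", "pet")


def normalize(answer):
    """Compare answers the way a forgiving reset form would."""
    return " ".join(answer.lower().split())


def guess_rate(answers, attempts):
    """Share of accounts opened by trying the `attempts` most common answers."""
    counts = Counter(normalize(a) for a in answers)
    return sum(n for _, n in counts.most_common(attempts)) / len(answers)


def recall_rate(enrolled, retyped):
    """Share of users whose later answer still matches the enrolled one."""
    same = sum(normalize(a) == normalize(b) for a, b in zip(enrolled, retyped))
    return same / len(enrolled)


def audit(question, enrolled, retyped, attempts=3, max_guess=0.05, min_recall=0.90):
    """Return the weaknesses found for one reset question (empty list = none)."""
    findings = []
    if any(topic in question.lower() for topic in PUBLIC_TOPICS):
        findings.append("obtainable")        # answer is likely published somewhere
    if guess_rate(enrolled, attempts) > max_guess:
        findings.append("guessable")         # a few common answers cover many users
    if recall_rate(enrolled, retyped) < min_recall:
        findings.append("hard to remember")  # legitimate users get locked out
    return findings


# Constructed answer samples (not real user data).
COLOR = ["blue"] * 8 + ["red"] * 5 + ["green"] * 4 + ["purple", "teal", "orange"]
PET = ["Max"] * 3 + ["Bella"] * 2 + [f"pet-{i}" for i in range(15)]
SURNAME = [f"surname-{i}" for i in range(100)]
PHONE = [f"555-01{i:02d}" for i in range(100)]
PHONE_LATER = PHONE[:60] + ["forgot"] * 40          # 40% could not repeat it
MANAGER = [f"manager-{i}" for i in range(100)]
MANAGER_LATER = [a.upper() for a in MANAGER]        # same answers, different case

if __name__ == "__main__":
    bank = [
        ("What is your favorite color?", COLOR, COLOR),
        ("What is your pet's name?", PET, PET),
        ("What is your mother's maiden name?", SURNAME, SURNAME),
        ("What was your first phone number?", PHONE, PHONE_LATER),
        ("What was the name of your first manager?", MANAGER, MANAGER_LATER),
    ]
    for question, enrolled, retyped in bank:
        print(question, "->", audit(question, enrolled, retyped) or "ok")
```

A question that passes the guessing test can still fail as "obtainable", which is the mother's-maiden-name case Rabkin describes.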

Thanks for reading, and don't forget to write.

Tuesday, September 9, 2008

Price of 6,000,000 German Identities? 850 Euros



Ars Technica reported last week that a whistleblower turned over to the Interior Ministry the identities of 17,000 Germans that his employer had obtained. The Interior Ministry took him seriously and opened an investigation that resulted in their obtaining 6 million German identities for the equivalent of $1,220.

Cheap as chips, people, and alarming to the government -- so much so that Interior Minister Wolfgang Schäuble has vowed to introduce an opt-in law that forbids companies from selling data unless they have the consumer's permission.

Here's an excerpt from Ars Technica:

Schäuble blasted those who profit from mining customer data, and vowed to introduce "opt-in" legislation that would only allow companies to share the information of consumers who had specifically agreed to it. Current German law offers an opt-out solution, where companies may not share the data of those consumers who specifically object to it. Schäuble also mentioned the possibility of requiring German telephone sales callers to disclose exactly how and where they obtained a given person's number.


Now, the EU is always tougher about these things than the US, but it is yet another instance of increasing consumer concern about the whole opt out system that allows firms to sell your info unless you specifically tell them not to.

I tell you, I never thought the world would move to opt in, but lately I am thinking there is a chance. Well, I think the chances are reasonable in the EU and low in the US, but every day that passes makes me reassess those chances upward.

Thanks for reading, and don't forget to write.

Monday, August 25, 2008

Tech Crunch: We Need a Digital Bill of Rights



Erick Schonfeld has a wonderful post today on Tech Crunch about the need for a Digital Bill of Rights. READ IT.

Thanks for reading, and don't forget to write.

Wednesday, August 20, 2008

Opt-In ISP Targeting: ATT Mulls a Different Route

As the NebuAd controversy has materialized, one of the principal criticisms of their agreements with ISPs -- and of BT in general -- has been the reliance on an opt-out model. As you know, opt out requires the consumer to actively engage and tell the ISP and BT providers, "No, don't track me." The alternative, opt in, hasn't gotten a lot of traction, at least in the US, principally because there is an expectation that most people would not bother to opt in even if they were fine with the idea of targeted advertising.

Based upon the feedback provided by major ISPs in their responses to the House Energy and Commerce Committee, however, it appears that one major ISP is considering opt in as the right thing to do. This according to an analysis last week in the NY Times. Here is an excerpt from Saul Hansell's analysis of ATT's vision:

While the company said it hadn’t tested such a system for monitoring display advertising viewing habits or committed to a particular technology, it expressed much more interest in the approach than the other big Internet providers who also responded to the committee’s letter.

AT&T did however promise that if it does decide to start tracking its customers online, it will “do so the right way.” In particular, the advertising system will require customers to affirmatively agree to have their surfing monitored. This sort of “opt-in” approach is preferred by privacy experts to the “opt-out” method, practiced by most ad targeting companies today, which records the behavior of anyone who doesn’t explicitly ask not to be tracked.


The passage and entire article interested me greatly because ATT fully discloses their keen interest in participating in the online ad revenue boom, but also their parallel determination to ensure that consumers are satisfied with their approach and choose to participate.

This is nothing short of gutsy. I have to admit that I have never seen opt in as a realistic solution for the current approaches to BT because while the consumer does receive value in the form of better online content paid through higher CPMs, they do not get something tangible in their hands for participation. I think this benefit is too abstract for most consumers to grasp and value. I do NOT subscribe to the theory that targeted advertising has significant consumer value to the average consumer, at least in the rational abstract.

Is ATT right? I hope so -- this is definitely a situation in which I would be delighted to be wrong. And perhaps they are anticipating a different consumer value proposition for the solution they ultimately select. Is it possible that ATT is seeking a solution that provides real consumer value in exchange for participation? And I mean REAL consumer value, not the ersatz value trumpeted by companies like Phorm with their phish protector.

It's going to be interesting to see what happens.

Thanks for reading, and don't forget to write.

ISP Targeting: In the EU The Gun Sights Are On Phorm

I'm not suggesting for a moment that the heat is off NebuAd, but in the EU at least the company in the sights of regulators is Phorm. You may recall that Phorm had a positively disastrous time in the UK last Summer when they quietly launched their version of an ISP based ad network with BT (nee British Telecom), Virgin Mobile, and TalkTalk. Well, quietly is not the right word. Secretly is actually the correct term. Or perhaps covertly.

Phorm is the new name developed by a spyware operation called 121Media, which used offers of free secondary utility applications to convince people to download their adware/spyware products. Tomato/tomahto. As with Gator, the early days of this business in particular were loaded with examples of people not understanding that they were allowing 121Media to track their behaviors and field targeted ads. 121Media claimed it was those pesky partners that distributed their software that were to blame for these atrocities. Several millions of Americans including myself will find the story rather familiar -- we downloaded apps that gave Gator permission to field ads to us based upon surfing habits. Then, when we realized what we had done, we found Gator all but unremovable.

OK, so Phorm. They changed the name of the company and shifted their focus from getting people to download their offering to getting ISPs to sell them the non PII portion of the info that made ad targeting possible.

Only trouble is, they didn't tell the people that were being tracked in the test. Some 18,000 of them. I don't mean they buried the revelation. They didn't tell them AT ALL, even in an intentionally quiet way.

How was this all discovered? Well, by a reader of TheRegister.co.uk, as outlined in this post. Here's an excerpt:

In June 2007, Reg reader Stephen noticed his Firefox 2.0.0.4 installations making suspicious unauthorised connections to the domain dns.sysip.net every time he visited any website. Naturally worried his machines had contracted some kind of digital infection, Stephen performed a series of exhaustive malware scans, which all came back clean.

He wasn't the only BT subscriber to notice that his browser was making the mysterious contacts around July last year, as this thread archived at Thinkbroadband.com shows.

"I spent all weekend wiping my disks clean and reinstalling from backups (four PCs seemed to be affected). I spent a further two days researching and installing all kinds of anti-virus, anti-spyware and anti-rootkit utilities. But even after all that I still have this problem!" Stephen told us at the time.

Having failed to trace the source of the dodgy redirect in his own network, he contacted BT to suggest one of their DNS servers may have been hijacked. BT dismissed the idea, yet the browser requests were still making an unauthorised stop off at dns.sysip.net.

Worried that his business' financial data might be being monitored, Stephen continued to investigate. A Whois search for dns.sysip.net revealed the domain was registered by Ahmet Can, an employee of a new online advertising company called 121Media. The address is now registered through a third party private domaining agency. 121Media rebranded itself as - you guessed it - Phorm in May 2007.

This is, you'll be unsurprised to learn, indeed the same Phorm that BT, Virgin Media and Carphone Warehouse recently revealed they had agreed to sell their customer's browsing habits to, despite the questions over its links to spyware. For helping Phorm target advertising, the ISPs are set to bag a cut of click revenues.
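What Stephen did by hand can be written as a log check: look for a third-party host that turns up on nearly every unrelated site a machine visits, then see whether the same host is flagged on several machines, which a single-PC infection cannot explain. This is an added example, not code from The Register or from this blog; the log format, function names, thresholds, and all `.example` hosts are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample, one connection per line:
#   <epoch> <client> <site the user navigated to> <host actually contacted>
# Every name is on the reserved .example TLD; hop.example stands in for the
# unexpected intermediary. The log format itself is an assumption.
SAMPLE_LOG = """\
1000 10.0.0.5 news.example www.news.example
1000 10.0.0.5 news.example hop.example
1001 10.0.0.5 news.example cdn.example
1060 10.0.0.5 bank.example bank.example
1060 10.0.0.5 bank.example hop.example
1120 10.0.0.5 shop.example shop.example
1120 10.0.0.5 shop.example hop.example
1121 10.0.0.5 shop.example cdn.example
1180 10.0.0.5 mail.example mail.example
1180 10.0.0.5 mail.example hop.example
1240 10.0.0.5 wiki.example wiki.example
1240 10.0.0.5 wiki.example hop.example
2000 10.0.0.6 news.example www.news.example
2000 10.0.0.6 news.example hop.example
2001 10.0.0.6 news.example cdn.example
2060 10.0.0.6 forum.example forum.example
2060 10.0.0.6 forum.example hop.example
2120 10.0.0.6 maps.example maps.example
2120 10.0.0.6 maps.example hop.example
2180 10.0.0.6 video.example video.example
2180 10.0.0.6 video.example hop.example
3000 10.0.0.7 news.example hop.example
3060 10.0.0.7 bank.example hop.example
"""


def base(host):
    """Crude registrable domain (last two labels). Assumption: good enough for
    this sample; production code should consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def hosts_on_every_site(log, min_sites=4, min_share=0.9):
    """Per client, third-party hosts contacted during visits to at least
    `min_share` of the distinct sites that client visited."""
    visited = defaultdict(set)   # client -> sites visited
    seen_on = defaultdict(set)   # (client, host) -> sites where host showed up
    for line in log.strip().splitlines():
        _ts, client, site, host = line.split()
        visited[client].add(base(site))
        if base(host) != base(site):          # skip first-party traffic
            seen_on[(client, base(host))].add(base(site))

    flagged = defaultdict(list)
    for (client, host), sites in seen_on.items():
        total = len(visited[client])
        # Too few sites is not evidence: any host is "on every site" of one.
        if total >= min_sites and len(sites) / total >= min_share:
            flagged[client].append((host, len(sites), total))
    return {client: sorted(hits) for client, hits in flagged.items()}


def seen_on_multiple_clients(flagged, min_clients=2):
    """Hosts flagged on several machines. Reinstalling one PC cannot explain
    these, which points at something shared: resolver, proxy, or the ISP path."""
    clients = defaultdict(set)
    for client, hits in flagged.items():
        for host, _count, _total in hits:
            clients[host].add(client)
    return sorted(h for h, c in clients.items() if len(c) >= min_clients)


if __name__ == "__main__":
    flagged = hosts_on_every_site(SAMPLE_LOG)
    for client, hits in sorted(flagged.items()):
        for host, count, total in hits:
            print(f"{client}: {host} contacted on {count}/{total} sites")
    print("shared across clients:", seen_on_multiple_clients(flagged))
```

An ordinary CDN or analytics host shows up on some sites only (`cdn.example` in the sample), so it stays below the share threshold; the client with two visits is skipped because two sites are not enough evidence.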


So, throughout the test period Phorm and BT had a novel consumer communications system.

DENY DENY DENY!

BT actually called the hijack process by which the system worked a clear incidence of malware.

But then! On 2/14/2008, BT and two other companies announced they had a deal, and that the hijack process was

validated under best industry practices, both through an independent audit conducted by Ernst & Young (View report PDF) and a Privacy Impact Assessment undertaken by Simon Davies, MD of 80/20 Thinking and Director of Privacy International.

Malware...revolutionis[ing] current standards of online privacy and fully protect[ing] the identity of consumers. Tomato...tomahto.

Phorm was paired with an application called Web Wise which was supposed to make people feel OK about the tracking. It was and is a phishing detector.

The British government essentially decided not to deeply pursue whether laws had been broken in the BT test. They issued their opinion that things were okiedokie, but many European web experts disagreed, as outlined in this post on TheRegister.co.uk.

(Has the US started exporting Bush Administration officials? ;-) We have loads more folks like this, UK, if you want them. 2 for 1 sale through November.)

Here's a morsel:

"The explicit consent of a properly-informed user is necessary but not sufficient to make interception lawful.

"The consent of those who host the web pages visited by a user is also required, since they communicate their pages to the user, as is the consent of those who send email to the user, since those who host web-based email services have no authority to consent to interception on their users' behalf."


And the EU earlier this summer insisted they do so. Here is the text of the letter that was sent to the Brits by Brussels:

Dear Sir,

I am writing to you in relation to certain issues arising from the past and future deployment by some major United Kingdom Internet Service providers of the technology provided by a company called 'Phorm' to serve their customers with targeted advertisements based on prior analysis of these customers' internet usage.

In March 2008, a number of news items appeared in the media concerning the planned use by United Kingdom ISPs of the Phorm technology. Many of these publications raised issues concerning the impact of this technology on the privacy of Internet users. The information published on the web also included an e-petition submitted to the Prime Minister and a complaint made to the Information Commissioner's Office (ICO). In addition, in early April 2008, BT published a briefing according to which it had performed trials of the Phorm technology in autumn 2006 and summer 2007. In a TV interview, a BT representative confirmed that these trials had been performed without informing the customers affected and obtaining their consent.

The European Commission has already been contacted by Members of the European Parliament from the United Kingdom who communicated the concerns of their constituents regarding the deployment of Phorm technology. The issue has also been the subject of several written parliamentary questions addressed to the Commission by MEPs asking the Commission to comment on the applicability of EU legislation and also to set out its intended action in relation to the previous trials. Finally, a number of individuals have also written to the Commission directly to express their concerns and invite it to intervene in the matter.

In order to provide the response that is expected from it, the Commission needs to base itself on a clear understanding of the position of the United Kingdom authorities. Several EU law provisions concerning privacy and electronic communications may be applicable to other activities involved in the deployment of Phorm technology by ISPs.

In particular, Directive 2002/58/EC on privacy and electronic communications, which particularises and complements for the electronic communications sector the general personal data protection principles defined in the directive 94/45/EC (Data Protection Directive), obliges Member States to ensure the confidentiality of communications and related traffic through national legislation. They are required to prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than the users without their consent (Article 5(1)). The consent must be freely given, specific and an informed indication of the user's wishes (Article 2(h) of Directive 95/46/EC). Traffic data may only be processed for certain defined purposes and for a limited period. The subscriber must be informed about the processing of traffic data and, depending on the purpose of processing, prior consent of the subscriber or user must be obtained (Article 6 of Directive 2002/58/EC).

In the light of the above, we would highly appreciate it if the United Kingdom authorities could provide us with information on (1) the current handling by the United Kingdom authorities of the issues arising from the past trials of the Phorm technology by BT and on (2) the position of the United Kingdom authorities regarding the planned deployment of the Phorm technology by ISPs.

As regards the first issue, according to applicable EU law the responsibility for investigating complaints concerning such trials and determining whether the national legal provisions implementing the requirements of the relevant EU legislation have been complied with lies with the competent national authority(-ies) in the United Kingdom. The Information Commissioner's Office (ICO), which is responsible for enforcing the United Kingdom Data Protection Act 1998 (DPA) and Privacy and Electronic Communications Regulations 2003 (PECR), has made a number of statements on Phorm. In its latest published statement of 18 April 2008, the ICO analyses the conformity of the deployment of the Phorm technology with the DPA and the PECR. At the same time, the ICO indicates that it does not have responsibility for enforcing the Regulation of Investigatory Powers Act 2000 (RIPA), which has been invoked by some individuals who question whether the use of Phorm entails an unlawful interception of communications under this Regulation. In this respect, the ICO refers to a statement by the Home Office, which says that it is questionable whether the use of Phorm's technology involves an interception within the meaning of RIPA and that it does not consider that RIPA was intended to cover such situations. The ICO concludes on the issue of RIPA by stating that it will not be pursuing this matter. At the same time, the ICO statement does not include any indication as regards the intentions of the ICO in relation to the investigation of possible breaches of other relevant legal provisions* in the past trials of the Phorm technology.

Second, as regards the issues arising with regard to the planned future deployment of the Phorm technology, there appears to be a certain discrepancy between how it is envisaged by the ICO, the ISPs and Phorm itself. One of the most significant issues in this regard is the way in which customers will express their consent to the application of Phorm technology in their case. While the ICO seems to suggest that the consent of users for the Phorm technology should be on an opt-in basis and also BT seems to confirm this approach, Phorm has indicated that it intends to tackle user consent through providing 'transparent meaningful user notice'.

I would therefore be grateful to receive the response of the United Kingdom authorities on the following questions:

1. What are the United Kingdom laws and other legal acts which govern activities falling within the scope of Articles 5(1) and 6 of Directive 2002/58/EC on privacy and electronic communications and Articles 6, 7 and 17(1) of Directive 95/46/EC?

2. Which United Kingdom authority(-ies) is (are) competent (i) to investigate whether there have been any breaches of the national law transposing each of the above-mentioned provisions of Community law arising from the past trials of Phorm technology carried out by BT and (ii) to impose any penalties for infringement of those provisions where appropriate?

3. Have there been any investigations about the past trials of Phorm technology by BT and what were their results and the conclusions of the competent authority(-ies)? Are there ongoing investigations about possible similar activities by other ISPs?

4. What remedies, liability and sanctions are provided for by United Kingdom law in accordance with Article 15(2) of the Directive on privacy and electronic communications, which may be sought by users affected by the past trials of the Phorm technology and may be imposed by the competent United Kingdom authority(-ies) including the courts?

5. According to the information available to the United Kingdom authorities, what exactly will be the methodology followed by the ISPs in order to obtain their customers' consent for the deployment of Phorm technology in accordance with the relevant legal requirements and what is the United Kingdom authorities' assessment of this methodology?

Given the urgency of this matter I would highly appreciate receiving your reply within one month of receipt of this letter.

Yours sincerely,

Fabio Colasanti


The EU has far stricter definitions of online privacy protections.

The Brits demurred from responding, so the EU has since issued a "prewarning" followup letter.

This is beginning to become a rather significant embarrassment for the UK government, BT, and Phorm. More as it develops.

If you are looking for more on Phorm, make sure you head over to TheRegister.co.uk. They are clearly at the forefront of this investigation and issue. After all, they broke the story and typically break every significant development on the topic.

Thanks for reading, and don't forget to write.

Wednesday, August 13, 2008

If You Don't Like the News, Lay Off the PR Folks



NebuAd has let go both its internal PR team and its PR firm. Their PR firm, The Horn Group, confirmed the parting of ways according to this piece on The Register.

One understands why the layoff occurred, though in the defense of the team, NebuAd is certainly in new waters where there is little precedent as to how to shape public opinion. Dustups about BT were pretty minor in the past, and there are plenty of companies collecting PII, which would seem on some level more serious than what NebuAd does.

What's interesting about the layoff is the accompanying info that they are going to hire a new PR team focused less on business press and more on regulatory issues. What THAT says is they expect a tough row to hoe over the fate of their ISP-based opt-out model.

I'll say this for NebuAd's now separated PR people: these folks know how to spread the word. This is not left handed praise. Before Robb Topolski's report, NebuAd was travelling with full sails of largely excellent press coverage. Their CEO was EVERYWHERE touting the power of their model.

You can fault them for not having a better plan for the regulatory and PR problems that befell the company beginning a month or two ago, but for pure corporate hype and PR these people knew their stuff.

Perhaps you will find that an odd point to make -- what I think it means is that PR, like virtually every other area of marketing these days, is increasingly becoming a field for the versatile. While the web seemingly ushered in an era of experts, the opposite seems to have occurred. Companies are moving away from the dedicated digital team toward a model where EVERYONE is expected to know about digital, because it is the central core of current and future marketing.

In the PR vein, operating a powerful PR organization will be about more than a hype team -- it'll be having a sound strategic approach to both the hype development mandate and the contingencies for potential public or industry backlash.

Here's a piece of what MediaPost's Wendy Davis wrote on the topic of the layoffs and the future of NebuAd:

It's not surprising that NebuAd would be feeling an economic squeeze, given that several broadband providers have suspended plans to work with the company while Congress investigates. Lawmakers are now questioning whether companies like NebuAd and Phorm, which purchase data about users' Web-surfing activity to send them targeted ads, violate federal wiretap laws. Rep. Ed Markey, for one, has said he believes ISP-based behavioral targeting requires users' opt-in consent.

Still, the layoffs, combined with the new PR strategy, make clear that NebuAd didn't anticipate the degree of pushback it's now facing, both from policymakers and privacy advocates. Of course, until this summer, NebuAd didn't have much reason to think Washington would take an interest in its activities.

For the most part, online behavioral targeting seemed to fly under lawmakers' radar earlier this decade, when companies like Tacoda and Revenue Science were getting started. That situation had started to change by 2006, when the Center for Digital Democracy and U.S. Public Interest Research Group filed an FTC complaint about behavioral targeting techniques. The FTC held a town hall meeting last November, but few people were yet discussing NebuAd and other companies that rely on data purchased from ISPs.

But when news that NebuAd was testing its ISP-based targeting model trickled out earlier this year, it was clear that behavioral targeting was entering new territory. Older companies only know when users visit a site within one of their networks, but ISPs know about all sites that are visited and all search queries entered.


SO what IS the future of NebuAd??? Naturally as an outsider I have no idea, but here are my guesses:

1. A name change. Whether deserved or not, they may as well be called KGB Industries at this point.

2. A freeze on making efforts to sign up ISPs AT LEAST through the end of the year. My understanding is that they have already begun this freeze period. I think this would make sense not because it'll actually make a difference in sign-ups from ISPs -- my guess is that the doorbell isn't ringing right now -- not when BNET is reporting that the feds are investigating the company under wiretapping laws. But rather as a signal throughout the organization that they need to make their model right.

3. Some sort of consumer communication solution that will make opt-out a more palatable solution. I don't think they will go opt-in -- I don't think opt-in is a realistic approach for an ad network. There's no consumer value to all this beyond the dubious possibility that it lowers ISP costs.

Will this stuff come to pass? I have no idea. But I do know that those layoffs were probably necessary given the burn rate. Even after the layoffs, 60 people is a big pile of salary and bennies.

Thanks for reading, and don't forget to write.

Tuesday, August 12, 2008

New Revelations in DC ISP-Based "Deep Packet" BT Scrutiny


Early emanations from the House Energy and Commerce Committee's examination of privacy issues primarily related to ISP-based BT are pretty interesting and revealing. Here are some highlights:

30 companies were asked about their Deep Packet BT and other tracking practices. Based upon the information provided to the committee, Chairman Markey has stated his intention to introduce opt-in privacy legislation next year. Reports WaPo:

Markey said he and his colleagues plan to introduce legislation next year, a sort of online-privacy Bill of Rights, that would require that consumers must opt in to the tracking of their online behavior and the collection and sharing of their personal data.

But some committee leaders cautioned that such legislation could damage the economy by preventing small companies from reaching customers. Rep. Cliff Stearns (R-Fla.) said self-regulation that focuses on transparency and choice might be the best approach.


But let's not get ahead of ourselves in this post. Here are some of the things that the inquiry uncovered.

On August 1, the committee wrote to a long list of companies (ISPs mostly) asking them to detail their "deep packet" and other tracking programs and policies. The list reads like a who's who of connectivity:

AOL LLC (ISP and Content Provider)
Bresnan Communications (ISP)
Cable One, Inc. (ISP)
Cablevision Systems Corporation (ISP)
CBeyond (ISP)
CenturyTel (ISP)
Charter Communications (ISP)
Comcast Cable (ISP)
Covad Communications Company (ISP)
Cox Communications, Inc. (ISP)
Earthlink (ISP)
Frontier Communications Corporation (ISP)
Google (Nuff said)
Insight Communications Inc. (ISP)
Knology, Inc. (ISP)
Mediacom Communications Corporation (ISP)
PAETEC Holding Corp. (ISP)
Qwest Communications (ISP)
Suddenlink Communications (ISP)
TDS Telecom (ISP)
Time Warner Cable (ISP)
TW Telecom, Inc. (ISP)
United Online, Inc. (ISP, among other things)
Verizon (ISP)
Windstream Corporation (ISP)
XO Communications (ISP)
Yahoo (Nuff Said)

All of their responses are available in pdf form here.

Check out a copy of the request here.

The 11 questions they asked each company to respond to were (paraphrased):

1. Do you or have you tailored ads to user web surfing patterns?
2. If so, how did you address sensitive health, financial, PII, and how were those policies developed?
3. In what communities have you engaged in these practices?
4. How many consumers were affected?
5. Did you do an analysis of privacy laws as you developed your programs?
6. Did you notify consumers? How? Provide a copy of the notification.
7. Did you do opt in or opt out, and if opt out, why?
8. If opt out, how many did so?
9. If opt out, did you do a legal analysis of the opt out procedure and notification?
10. What is the status of the data collected? Has it been destroyed? Is it periodically destroyed?
11. Do your systems and process allow for the tailoring of ads based upon behaviors?


If you read my recent post on Embarq and NebuAd, you will see a high degree of similarity between this list and the list Embarq was asked to complete a few weeks ago.

Here are my response summaries (I read each doc carefully but I am not a lawyer, so if in doubt click on over and read it yourself.):

AOL: Nothing surprising here. They do BT, privacy policy notification, opt out. Estimate that "tens of thousands" have opted out.

Bresnan: NebuAd Test 4/1-6/26, in Billings MT, 6000 customers, users notified by email and a web site page in addition to privacy policy. Opt out, 18 opted out (3/10ths of one percent.)

Cable One: Small test, beginning last year, undisclosed vendor. Based upon the description of the vendor, it is likely NebuAd. Tested in Anniston, AL for 180 days beginning 11/20/2007. 14,000 customers. Notification via inclusion in acceptable use and privacy policies. Opt out, no indication of the number of people who opted out. Says they would do opt-in if they were going to deploy network wide.

Cablevision: Hasn't done it.

CBeyond: Hasn't done it.

CenturyTel: Small test in Kalispell MT - small numbers of people in Idaho and Wyoming, NebuAd, 20,000 person test. Sent email notification to users affected in the test. Email said changes were made to the privacy policy but did not specify what they were -- invited the user to click and read policy to figure it out. Says they also sent email notification and bill stuffer to people noting the change in policy. Opt out. 82 persons opted out (4 tenths of one percent.)

Charter: Cancelled plans for a test.

Comcast: Hasn't done it.

Covad: Hasn't done it.

Cox: Hasn't done it.

EarthLink: Hasn't done it.

Frontier: Hasn't done it.

Insight: Hasn't done it.

Knology: Tested via NebuAd in parts of Panama City FL, Columbus GA, Knoxville TN, Huntsville AL, and Augusta GA. Stopped test as a result of Congress raising concerns. Opt out, notification via customer service agreement change. Change unannounced. No info on number of households affected or opt outs/opt out rates.

Mediacom: Hasn't done it.

PAETEC: Hasn't done it.

QWEST: Hasn't done it.

Suddenlink: Hasn't done it.

TDS: Hasn't done it.

TimeWarner: Hasn't done it.

TW Telecom: Hasn't done it.

United Online: Has considered deep packet inspection based BT, but has not implemented.

Verizon: Hasn't done it.

Windstream: Hasn't done it.

XO: Hasn't done it.

Yahoo: Does use BT but not deep packet, over 75,000 opt outs in July 2008 (still a fairly low number given that Yahoo reaches several hundred million users a month.)

Of all the responses, Google's have so far received the most attention, chiefly because of the tremendous reach and market power of the giant. Here is what WaPo had to say on the topic in a recent article:

Alan Davidson, Google's director of public policy and government affairs, stated in the letter that users could opt out of a single cookie for both DoubleClick and the Google content network. He also said that Google was not yet focusing on "behavioral" advertising, which depends on Web site tracking.

But on its official blog last week, Google touted how its recent $3.1 billion merger with DoubleClick provides advertisers "insight into the number of people who have seen an ad campaign," as well as "how many users visited their sites after seeing an ad."

"Google is slowly embracing a full-blown behavioral targeting over its vast network of services and sites," said Jeffrey Chester, executive director of the Center for Digital Democracy. He said that Google, through its vast data collection and sophisticated data analysis tools, "knows more about consumers than practically anyone."

Microsoft and Yahoo have disclosed that they engage in some form of behavioral targeting. Yahoo has said it will allow users to turn off targeted advertising on its Web sites; Microsoft has yet to respond to the committee.


Said Markey:

"Increasingly, there are no limits technologically as to what a company can do in terms of collecting information . . . and then selling it as a commodity to other providers," said committee member Edward J. Markey (D-Mass.), who created the Privacy Caucus 12 years ago. "Our responsibility is to make sure that we create a law that, regardless of the technology, includes a set of legal guarantees that consumers have with respect to their information."

I am sure there'll be more to come, and the oldest living gumshoe reporter will be there to parse it all for ya. ;-)

Thanks for reading, and don't forget to write.

Friday, August 1, 2008

Udenti: Some People Just Don't Get It ;-)



My business partner John and I laugh about a pitch we went through at a previous agency, where the client had extremely tight security and privacy regs for its agencies. There were tight limits on who got to see what, how many people could see anything, and a host of demands for physical and electronic safeguards.

At the time, our agency protected data rather...minimally, as the evaluators found when they got their tour of the agency and found the door to the server room propped open near another propped open door leading to a smoking porch shared by several companies. Happily the agency has since corrected those issues, but not in time.

The evaluators' letter was very nice, but if you can hear a letter when you see it, this one would have sounded like the X on Family Feud.

Anyway. Udenti offers a really compelling set of electronic ways that user data can be protected. Companies can group their customer data into bundles and give different teams in an org access to certain parts. It's sort of a need to know kinda thang. So, for example, PII might be in a bundle, purchase history in another, comments and inquiries into another, and so on.

But these bundles are not doorless walls, it's just that the gates have locks, and the teams with access get to decide if someone outside the door should get access to something. Let me spin a little story here to explain the relevancy.

If a customer service tech needed to know what model of a product a consumer has in order to meet their needs better, they could request access from the purchase history guardians. It seems like a legit reason, so ding, the electronic door opens for that record.

Another aspect of this might be that some people can see data, and others can modify it. A nice additional aspect of data security.
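A minimal sketch of the bundle-and-gatekeeper model described above, as an added example: it is not Udenti's code or API, and every class, method and user name, along with the sample records, is hypothetical and constructed for illustration. It shows default-deny across bundles, a per-record grant approved by a guardian of that bundle, and view kept separate from modify.

```python
import itertools
from dataclasses import dataclass, field

VIEW, MODIFY = "view", "modify"

@dataclass
class Bundle:
    name: str
    viewers: set                                 # guardian team: may view, may decide view requests
    editors: set = field(default_factory=set)    # guardians who may also modify
    records: dict = field(default_factory=dict)  # customer_id -> data

class BundleStore:
    def __init__(self, bundles):
        self.bundles = {b.name: b for b in bundles}
        self.ids = itertools.count(1)
        self.pending = {}    # request_id -> (user, bundle, customer_id, mode, reason)
        self.grants = set()  # (user, bundle, customer_id, mode): one record, one mode
        self.audit = []      # decisions and access attempts, allowed or not

    def allowed(self, user, bundle, customer_id, mode):
        b = self.bundles[bundle]
        if user in b.editors or (mode == VIEW and user in b.viewers):
            return True
        # Outsiders need a grant for this exact record; MODIFY also covers VIEW.
        return any((user, bundle, customer_id, m) in self.grants
                   for m in (mode, MODIFY))

    def request(self, user, bundle, customer_id, mode, reason):
        request_id = next(self.ids)
        self.pending[request_id] = (user, bundle, customer_id, mode, reason)
        return request_id

    def decide(self, guardian, request_id, approve):
        user, bundle, customer_id, mode, reason = self.pending[request_id]
        b = self.bundles[bundle]
        # A guardian can only hand out a right they hold on that bundle.
        holders = b.editors if mode == MODIFY else b.viewers | b.editors
        if guardian not in holders:
            raise PermissionError(f"{guardian} cannot decide {mode} on {bundle}")
        del self.pending[request_id]
        if approve:
            self.grants.add((user, bundle, customer_id, mode))
        self.audit.append(("decide", guardian, user, bundle, customer_id, mode, approve, reason))
        return approve

    def read(self, user, bundle, customer_id):
        ok = self.allowed(user, bundle, customer_id, VIEW)
        self.audit.append(("read", user, bundle, customer_id, ok))
        if not ok:
            raise PermissionError(f"{user} may not view {bundle}/{customer_id}")
        return self.bundles[bundle].records[customer_id]

    def write(self, user, bundle, customer_id, data):
        ok = self.allowed(user, bundle, customer_id, MODIFY)
        self.audit.append(("write", user, bundle, customer_id, ok))
        if not ok:
            raise PermissionError(f"{user} may not modify {bundle}/{customer_id}")
        self.bundles[bundle].records[customer_id] = data

def demo_store():
    # Constructed sample data; tech_tina (support) guards neither bundle.
    return BundleStore([
        Bundle("pii", {"pii_pat"}, {"pii_pat"}, {"c-1001": {"name": "A. Sample"}}),
        Bundle("purchase_history", {"sales_sam", "sales_sue"}, {"sales_sue"},
               {"c-1001": {"model": "X200"}, "c-1002": {"model": "Z9"}}),
    ])
```

The audit list records denied attempts as well as approvals, which is what lets a reviewer later see who asked for what and why.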

Here's the 60 sec pitch:



Over at TC, the vid isn't getting a great thumbs up reception, but if you read the comments, it's all about the supposed paucity of enthusiasm, not the concept. OK then. I see the point, but I suggest that in this instance it's important to try the steak rather than focusing solely on hearing the sizzle.

I think we need to remember that not every idea is a revolutionary consumer app that makes purple chickens dance across your mobile screen. And recognize that technology like Udenti that is focused on security is interesting for what it is rather than how the box looks.

Also, I thought the vid was fine. Though a little sizzle never hurts when you're selling the steak. But every day gives us an opportunity to make progress, not perfection.

I like this concept. I am a marketing guy, so I dunno the 1s and 0s of how it works. As Barbie says...math is hard...but the idea of this sounds really valuable to me, and I will be watching for more info over time. I don't think it can unprop a door to a server room, though. Perhaps Udenti 2.0 or Udenti Platinum. ;-)

Thanks for reading, and don't forget to write.

Wednesday, July 30, 2008

NebuAddendum

Well, while I was on vacation Embarq replied to Congress’s request for information about the test they conducted with NebuAd, the ISP targeting ad network that has lately felt Congressional heat on its little piggies.

Tom Gerke, the President and CEO of Embarq, signed the response, which answered nine committee questions clearly and succinctly. The full text of Embarq’s response to Congressman Markey and his committee appears on this page of Broadcast and Cable.

Here are some highlights to that response:

NOTIFICATION

How were subscribers notified?: As I expected, the notification was in the privacy policy, and the rationale for that was that that is how ad networks do it.

Why not Opt-In: Because the industry does it opt-out. Which if I may editorialize for just a mo’, doesn’t actually answer the question. But then we ALL know the answer.

WHAT IS ROBUST

The big news – or perhaps the sound bite – of the disclosure memo was that 15 people availed themselves of the opportunity to opt out of tracking, which was announced in the privacy policy.

15 out of 26,000 represents .06%, rather a low percentage. I say rather low because, according to a recent eMarketer report, the percentage of people who dislike the concept of BT is rather high. Specifically, 45% of consumers, according to a recent Harris Poll, were uncomfortable with BT-style tracking. .06%/45% leads to the mathematical conclusion that only about 1% of the people who are concerned about BT opted out. A bit of a googly for anyone who thinks that privacy policy notification meets the spirit of the FTC’s robust notice requirement. I’m not saying 99% couldn’t find it. I am just saying…

RAMIFICATIONS

Meanwhile, it appears that Embarq has suffered little for their NebuAd test – according to this article from the Kansas City Business Journal, their stock price is faring nicely despite the unwanted publicity.

It’ll be interesting if the ISPs get to skate through this controversy unscathed.

Thursday, July 17, 2008

Rep Markey Wants More Info About Embarq and NebuAd

In this MediaPost news story, they report that NebuAd continues to be under Congressional scrutiny despite the generally friendly reception they got last week at the Commerce Committee hearing on BT and privacy.

According to the piece, ISP Embarq CEO Tom Gerke was sent a letter that questioned whether his company had provided robust notice to consumers about the tests they ran with NebuAd.

The text of the letter, which I found on Congressman Markey's site, appears below:

July 14, 2008

Mr. Tom Gerke
Chief Executive Officer
Embarq
5454 W. 110th Street
Overland Park, KS 66211

Dear Mr. Gerke:

We are writing with respect to a recent test conducted by Embarq to tailor Internet advertising to the web-browsing patterns of individual Embarq subscribers. We are interested in the nature of this test as well as the impact that this test, and the underlying technology it employed, could have on consumer privacy and other issues.

We understand that Embarq conducted a test earlier this year in a select community in conjunction with NebuAd to create consumer profiles for the purpose of serving ads to consumers based upon their search and surfing habits. As you may know, questions have been raised regarding the applicability of privacy protections contained in the Communications Act of 1934, the Cable Act of 1984, the Electronic Communications Privacy Act, and other statutes, to such practices.

In particular, we are concerned that Embarq may not have directly notified the subscribers involved in the test that their Web use was being analyzed and profiled. We therefore request that you answer the following questions in order for us to better understand the nature of the test conducted, its impact on consumers, and the broader public policy implications of this technology.

1. In what community was the test conducted and how was that community chosen?

2. How many subscribers were involved in the test?

3. How did Embarq notify subscribers in the affected community of the test? Please provide a copy of the notification. If Embarq did not specifically or directly notify affected subscribers, please explain why this was not done.

4. Did Embarq conduct a legal analysis regarding the applicability of consumer privacy laws on the service used in the test? If so, please explain what that analysis concluded.

5. Please explain why Embarq chose to conduct the test allowing consumers who objected to "opt out" rather than first asking customers to "opt in."

6. How did Embarq notify subscribers in the affected community of their opportunity to "opt-out" of the test? If Embarq did not specifically or directly notify affected subscribers of the opportunity to "opt-out," please explain why this was not done.

7. How many subscribers in the affected community opted out of participating in the test?

8. Did Embarq conduct a legal analysis regarding the adequacy of the "opt-out" notice and mechanism employed to allow consumers to effectuate this choice? If so, please explain what that analysis concluded.

9. What is the status of the consumer data collected during this test? Has it been destroyed?

Thank you in advance for your attention to this matter. We respectfully request a response by Monday, July 21, 2008.


I don't know if Embarq notified their customers or not beyond including info about it in its privacy policy, though this passage from the MediaPost article indicates that many ISPs that worked with NebuAd did not.

But software researcher Robb Topolski, who recently tested NebuAd and concluded that the program violated users' expectations of privacy, said the vast majority of the Internet service providers who worked with NebuAd did not seem to send separate notifications to subscribers. Instead, they apparently placed information about the program in their terms of service, privacy policies or other lengthy documents subscribers generally ignore.

I am anxious to see Embarq's response. What constitutes robust notice is ill defined by the government, at least in form. The government, to my knowledge, does not have a prescribed process by which consumers are to be informed.

Is it enough to put it in the privacy policy? Is it enough to put it in a brief and well organized privacy policy? If they put it in the privacy policy, do they then need to alert the customer that the privacy policy has been altered? If so, how must they notify? Would an on site notice do it? Is email OK? Do they need to send a letter?

Presumably the answer to this relates to whether each of the tactics described above resulted in satisfactory levels of consumer awareness.

The googly, from Embarq's perspective, is that the generally accepted means of notification in BT has been in privacy policies. Google, for example, does not send out a letter before you download their toolbar telling you that all the places you visit are fair game for analysis.

Will ISP targeting be held to a higher standard than the rest of BT? I think that would be dead wrong. To me, the difference between ISP targeting and traditional BT from a privacy perspective seems to relate to the amount of info collected. A notification process is either right or wrong, whether the BT provider collects 20% of my web visits or 100%. And if I am not mistaken, there are currently a number of companies out there diligently pairing BT data with PII, and they are doing so with modest consumer notification. For example, portals and Facebook. NebuAd may be collecting more information, but other companies are collecting more PERSONAL information.

I'm not sure what I think the standard should be in terms of the form of notification. But I am sure that it should be applied to all BT, not just the technologies that collect the most complete picture. Because if the latter route were taken, at what point would the amount of data collected lead to the requirement of more outbound notification practices? 99%? 98%? 73%?

Off my soapbox.

The challenge of this kind of notification is one of the classic push me pull yous of marketing. Often, the government looks at measures like opt out rates to determine whether the average consumer could be reasonably assumed to be notified. There is a lot of grey area between tucking it away where few will see it and sending out letters or emails.

One of the most interesting answers will be to question 5 -- about why they chose to do opt out rather than opt in.

Markey also released a statement when he informed the world about the request for information.

"Surreptitiously tracking individual users' Internet activity cuts to the heart of consumer privacy. The information collected through NebuAd's technology can be highly personal and sensitive information. Embarq's apparent use of this technology without directly notifying affected customers that their activity was being tracked, collected, and analyzed raises serious privacy red flags."

Ouch.

Thanks for reading, and don't forget to write.