Wednesday, July 9, 2008

Imperfect Synopsis (Not a Transcript): Senate Commerce Hearing on Privacy Implications of Online Advertising


Yesterday the US Senate Commerce Committee held a 1.75 hour hearing on privacy and online advertising. There to testify were NebuAd, MSFT, Google, FaceBook, Center for Democracy and Technology, and Competitive Enterprise Institute.

I wasn't there, of course, but did watch the entire webcast (twice -- I know, what a policy wonk I am,) and am going to both report on the happenings and give interpretations based upon those viewings.

Hey, I am not a reporter, but I am going to do my best to report rather than editorialize.

By no means is this a transcript. Rather, I am trying to summarize the gist because I don't think many people will watch the vid or read a transcript and because hearings like this are absolutely critical to the future of the industry and the shape it will take.

-----

Broadly, the purpose of the hearing was to determine whether more government oversight and regulation is required to protect consumer privacy. ISPs were invited to attend, but decided not to. Apparently there will be a future hearing of ISPs only.

Lydia Parnes, Director of the Bureau for Consumer Protection of the FTC, began the hearing with a prepared statement that noted that they have been examining BT for a long time and with particular concern over PII, health, and financial information.

FTC Lydia Parnes reviewed the FTC's past Town Hall on BT and privacy, and the three key findings:

1. BT may provide value to consumers.
2. BT raises privacy concerns and concerns about
3. Everyone believes in transparency and some level of consumer control.


Based upon the Town Hall and their past research, the FTC has four key beliefs about BT and how it should be conducted.

1. Companies that collect info should disclose the practice and let people choose. Note: the FTC has, in the past and currently, has found either opt-in or opt-out as acceptable for "non-sensitive, non PII info.
2. Companies must provide reasonable security and retain data only as long as necessary.
3. If companies want to use data in a way other than disclosed in 1., they must get consumer permission to do so (opt-in.)
4. Sensitive data (e.g., health) should only be collected on an opt-in basis.


FTC says it is "cautiously optimistic" about the ability for self regulation to do the job of offering consumer protection.

From there, they went to Jane Horvath, the Senior Privacy Counsel for Google.

Ms. Horvath said that Google always puts their users first. That users can with one click switch providers if they are dissatisfied with Google's privacy policies, so they must put their users first to protect consumer loyalty.

She then reviewed the economic and consumer value of BT.

She continued to say that three privacy design fundamentals drive everything at Google:

1. Transparency: She said they are very active in educating consumers about their privacy via the Google Privacy Channel on YouTube, among other means.
2. Choice: She said consumers have the option of what data is made available. She pointed to the off the record feature on GoogleTalk as an example.
3. Security: She also said they have incredibly intense security for data at Google.

She also said that Google targeting is primarily context- versus behavior-based.

They recommended the following:

1. Google supports establishing a comprehensive Federal privacy law with uniform standards and penalties.
2. Google supports FTC's efforts at developing principles/standards with industry.
3. Display ads should be better labeled.


Then she showed a video that explains how to remove cookies from a browser. The video is from their privacy YouTube channel. It was an example of their proactive approach to education.

Bob Dykes, CEO of NebuAd, was next. He outlined his own security background. He then reviewed their standards that he said ensure that no one can derive PII from their system.

He said that consumers significantly benefit from more relevant ads while they get robust privacy protections. BT also provides economic value to small web sites and ISPs.

He stressed anonymity and how important it is to their system.

The outline of his privacy foundation principles was as follows:

1. Prior robust notice about the service.
2. Time to choose whether to opt out and ongoing opps to opt out.
3. No PII.
4. Do not store raw data linked to identifiable individuals.
5. High data security.


He then said that those who claimed that they do not require robust notice or an opportunity to opt out are wrong. That those are central to their model. He also said that those who claim that they traffic everything are incorrect.

He further stated that they do not track:

1. Webmail
2. Email
3. IM
4. VOIP traffic
5. Info about password Protected Sites


as well as some other web traffic.

He said that their standards have been vetted by the Panama Institute and that they are engaging with a Big Four accounting firm to audit the veracity of their statements.

He then said that NebuAd supports the past privacy paradigm promulgated by the Committee.

Next up was Leslie Harris, President and CEO of the Center for Democracy and Technology.

She began by stating that their POV/argument centered on three points and several recommendations.

1. BT is growing and consumers are uncomfortable with it and don't have the tools to control their info. Aggregation on non PII can result in reverse engineering PII. There is a lack of transparency and meaningful controls. She said 59% of people are not comfortable with BT according to a recent poll.
2. ISP targeting adds consumer and legal concerns. That an ISP MAY give access to info on everything one does online to a third party. That consumers do not want traffic intercepted by an ISP and given to a third party. They also believe that the law requires prior opt in versus opt out. ISP targeting has not done this.
3. Self regulation is not enough. NAI is a failure. And only now that the FTC and the Senate have demonstrated concern has the NAI responded with modest improvements. Additional legislation is required.


She then made the following recommendations.

1. More hearings necessary on ISP targeting and sensitive info.
2. Need privacy legislation.
3. FTC needs to issue enforceable guidelines.
4. Do not track list should be offered.


Chris Kelly, CPO of FaceBook was next. He said that privacy is a foundation of the network. Specifically:

1. Consumers have the power of choice in who they share with and what communities they join and what info they share.
2. They are transparent in how they use info to serve relevant ads.


Specifically:

1. He said FaceBook is very focused on letting consumers choose. That default settings are high on the privacy meter. You choose what info to include and not include in profiles, and with whom you share your info.
2. You should have access to info others want to share.


He said controls are built into every aspect of FaceBook. That they offer easy to use tools to control personal info. They've created a lock icon to indicate that users can control info disclosure.

He also stated that ad targeting on FB is non-PII. That they make that clear in their policies and communicate the idea that targeting has value to consumers.

Next up was Clyde Wayne Cruz, Jr., VP Policy at the Competitive Enterprise Institute. He began by saying privacy will become a bigger issue in the future because of incredible new technologies on the horizon.

He said that it's very difficult to legislate privacy online because consumers have different wants and needs and because the environment is extremely complex and constantly changing.

He posited that firms alter info handling without law, so law is unnecessary. That consumers, and especially online, get to choose, and that that is a better force for regulation.

He said a lot more here about cyber crime and a variety of other issues but I am going to focus on the BT relevant stuff.

Finally, Mike Hintze, Associate General Counsel at Microsoft went. He reiterated the value of advertising online and how targeting was important to paying for the web and in tailoring online experiences.

He said that MSFT cares deeply about privacy. That they have done more than anyone else in the industry on this score. That they have a robust set of internal standards to govern privacy.

Last July, they issued MSFT standards revolving around:

1. Transparency - Clear link to privacy on every page of their sites and with simple and precise policies.
2. Control - Consumers can opt out and tie the opt out to the Live online account so that databases are not rebuilt as with cookie deletion.
3. Choice - MSFT uses anonymized identifier to disconnect PII from actions.


He said they recommend a federal privacy law and self regulation. They also work hard to educate consumers.

From here the hearing went to questions. I don't know the senators by sight and the super on the webcast obscured their name tags, so I am going to focus on the questions rather than the askers.

AGAIN, THIS IS NOT A TRANSCRIPT! I AM TRYING TO DO A DETAILED SUMMARY BUT THESE ARE MY INTERPRETATIONS OF WHAT THEY SAID, NOT WHAT THEY ACTUALLY SAID!

First question to NebuAd: What is the difference between NebuAd and wiretapping?

Dykes: I am not a lawyer, but NebuAd has a legal memo they will share attesting to their view that they are well within the law. The info collected is non PII. That all info is collected using anonymous identifiers and the data are relevant only inasmuch as they classify people into target groups, that page level data is not stored nor can they connect PII to the data using their system.

Question: This wouldn't be operable as an opt-in model, right?

Harris: Our wiretap laws don't require the collection of PII to be enforced. Also, while they may not be using all the info, they are collecting all the info.

Dykes: Only certain info is used and that is not stored. Only the category that someone falls into is stored. The rest is ignored and also not stored. And consumers can opt out, are offered robust notice, and they do opt out.

Question to FaceBook: Do 3rd party app providers have access to all info in user profiles?

Kelly: A user must actively add the app and acknowledge that they are collecting info. Then the app maker can request data but will only receive the data that the user has consented to share on FB. Then the app maker can only retain the info for 24 hours. If they violate this the app can be shut down.

Question: What is the best estimate of the degree of use of this info abusively -- beyond BT?

Harris: No one knows and there are no rules in place to control it. NAI members have made a commitment, but lots of companies are not in the NAI.

Dykes: As a result of abuses with AOL Search data in 2004 - when it became clear than non-PII data could be reconstructed into PII if associated with individuals, however anonymized, NebuAd wanted to avoid the risk. Their approach of bucketizing users into segments mitigates the risk. The bucket is stored, not all the data that put someone in the bucket. They resolved never to keep raw data that had the potential to create abuse. They don't have it or keep it. No data is connected to PII, only to anonymoized info.

Question: Would ensuring that all of this collection of data is made anonymous solve the problem of potential abuse?

Harris: You can't entirely mitigate the risk. When AOL made search data available, it took very little time to construct PII from it.

Dykes: In the case of AOL. certain kinds of info made it possible to interpolate PII like specific real estate searches that made it possible to identify people. But NebuAd stores the segments, not the specific data.

Harris: But profiling poses that risk. That profiles COULD include that. That for example if you search for your name you are essentially revealing PII.

Dykes: Which is why they don't store info like that. It is irrelevant to the model.

Question: Is true anonymity possible?

Dykes: I believe so.

Question: Is any legitimate benefit to consumers sacrificed by true anonymity.

Dykes: We chose not to collect PII.

Cruz: You're always taking a little risk online. The Internet is not a secure environment. Also, we're not going to WANT pure anonymity. Crime is always possible on an open network like the web. No guarantees possible online. We can try our best but there will always be risk.

Question: What would Federal law or principles entail?

Harris: We don't need a BT law, we need a privacy law. It's bigger than BT. There should be rules about transparency, time limits, opt out or opt in based upon the sensitivity. It's a complicated topic but technology shouldn't govern the basic principles of privacy. We don't want a law that freezes tech development. It's all a matter of balance.

Hintze: We need a national privacy law. We need to harmonize all the federal and state laws. Consuemrs need a common baseline protection.

Dykes: The law needs to focus on privacy. But it must also be careful not to stifle competition.

Harris: Companies stand in different positions to the consumer and we need to take that into account.

Question: Is there a way to approach this where we would govern the type of Internet connection used instead of the content?

Harris: Our laws are outdated. The potential risks are there, and the info would also be available to the government. That is a key danger. For example, email privacy has very little legal protection.

Question: Do you believe consumers are entitled to opt-in?

Harris: It depends on data and context. ISP yes because it is the center connection. It's complicated. PII and non PII are starting to merge. The risk is that an anonymous ID can be connected to PII. We need a baseline privacy bill.

Question: Has the FTC studied security -- storage and encryption?

Parnes: Data security is part of our principles as is the idea that data is stored only as long as necessary.

Question: Do you know everything I do online if I use your site, Google and MSFT?

Horvath: If you're signed in on Google, we know your searches, but not what you did off our site. It's only connected to IP addresses.

Question: How long do you keep records?

Horvath: 18 months.
Hintze: 18 months.

Question: If NebuAd comes to you and asks for a contract -- give us everything you have -- would you consider it?

Hintze: We aren't sharing that info with anyone.
Dykes: We don't want such data. We only use data to put people into innocuous categories.

Question: Does competition between sites protect consumers? Are sites competing or going to compete with privacy standards?

Harris: No There is not enough consumer understanding. Also, companies store the data for too long and anonymization is not as simple as it sounds.

Dykes: Not sure Harris understands what NebuAd actually does. Would like to calrify after the hearing with her.

Question: Summarize your points.

Harris: There are great benefits from advertising but companies are collecting more, increasingly personal info. Self regulation is good but not enough. We need a baseline privacy law.

Kelly: We are at the forefront. We only know what people decide to share. And if companies want to target using that info, advertiser does not get PII.

Dykes: We welcome regulation about privacy. Focus on the sensitivity of the type of info. Strong controls are necessary but room should be left for innovation. Self regulation will also be important.

Cruz: We need to worry about criminals - self regulation doesn't help us there. But law can stifle. We need to let the market evolve. We don't want to impede that.

Hintze: Must protect consumer privacy. If we don't we will undermine the business model. Microsoft leads but we are a small player in online advertising. We need legislation plus self regulation.

Parnes: We need baseline privacy legislation to give consumers assurance, plus we believe in self regulation.

-----

Well, there is my non transcript. If it had value for you I am happy. If you disagree with the interpretation of my summary anywhere, please say so and I will note your disagreement in the post. I did my best to get the gist.

I'm going to give my impressions of the info and its import this weekend in another post. Until then...

Thanks for reading, and don't forget to write.

No comments:

Post a Comment

Because people have been abusing the comment platform to place phony links to deceptive sites, I am now moderating all comments. If your comment is legit and contains a relevant link, it will be published.