The topic of privacy in behavioral targeting seems to come in waves. One minute, it’s all anybody talks about, and you’d think the entire infrastructure of the Internet would come crashing down if somebody didn’t solve this problem right quick. The next minute, it seems we’ve got a ‘Don’t ask, don’t tell’ policy, and the issue gets shunted to the back burner.

Just recently, we’ve been squarely in that first phase, starting with

Anecdote 1: Elyse Tager’s piece Privacy and Behavioral Targeting Heat Up at ClickZ.

Elyse talks about the challenges faced by cookie-based behavioral targeters who use historical information to infer future behavior:

NebuAd launched with all best intentions, attempting to address the issue of scale with its now huge network — a major disadvantage for behavioral targeting in most cases. Plus, NebuAd has a robust privacy policy addressing consumer concerns directly.

But last week, two of those ISP partners backed out of the relationship. Charter Communications announced it was withdrawing due to subscriber concerns. CenturyTel is pulling out after the warnings from Reps. Edward Markey, a Massachusetts Democrat, and Joe Barton, a Texas Republican, who said the technology “raises several red flags.”

The red flags in question have to do with the amount and detail of data being collected about individuals. It’s a problem endemic to targeting solutions that rely on knowing as much detail as possible in the hopes that the behaviors will be repeated.

Tager points out two solutions being proffered: data portability and predictive modeling.

Another solution, which I covered in earlier columns, is predictive modeling to better target behavior. Companies such as aCerno and Epic Advertising use advanced algorithms and technologies that don’t rely on cookies to establish inferred behavior, which is less intrusive and far more predictive of future behavior, according to these suppliers.

As you’ll know if you read this blog with any regularity, VortexDNA relies on a predictive modeling approach.

Personally, I believe data portability is only a solution for the technological elite. It is simply not feasible to ask my mom to manage her data.

The FTC is pushing for self-regulation. If the issue were between the Market forces, on the other hand, will make a difference. NebuAd’s ISP partners backing out will make a difference. Will it be enough, though? Congress might not think so, which leads us to

Anecdote 2: Heather Green’s piece Congress to Push Web Privacy at BusinessWeek.

On the second page of the article, Green mentions The Center for Democracy and Technology’s desire for a Do Not Target list (along the lines of the Do Not Call list). What she doesn’t mention is the obvious problem with such a list: in order to not target you, they have to know who you are. So you have to register in some way, giving them the very information you’re hoping to keep from them.

She closes with an apt comment on the benefits of federal privacy legislation:

Some in the industry think that legislation might be the way to set a common standard and avoid inconsistent, piecemeal legislation on the state level. Microsoft came out in 2005 in favor of federal privacy legislation and thinks others are beginning to agree. “Companies are coming around to the notion that it’s not only compatible with their business practices but [that it] can help them by enhancing consumer trust and making compliance more streamlined,” Microsoft’s Hintze says. Microsoft advocates privacy baselines that cover not just the online collection of data, but offline collection as well.

David Hallerman, analyst at researcher eMarketer, says legislation would go a long way toward assuaging fears of advertisers who fret consumers don’t want their privacy compromised. He says that if an online privacy law were passed, “the benefit would be there for advertisers, publishers, and the public.”

Given public concerns about privacy, I tend to agree with Hallerman. Allow companies whose practices are aboveboard the opportunity to be recognized as such. I like that Microsoft is getting behind it. Google seems to be going in a different direction, as evidenced by

Anecdote 3:Wendy Davis’ piece Polish On Google?s New Chrome Tarnished By Privacy Questions at the Daily Online Examiner.

So Google is finally trying to take the battle to the Microsoft-controlled browser terrain, instead of just hanging out comfortably on the high ground of search and letting Microsoft lose battalion after battalion in a series of poorly-planned attacks. According to Davis, though, the new browser is a long way from offering any privacy benefits:

…the browser raises significant privacy questions. Google states in the Chrome privacy policy that it will log the IP addresses of people who download the browser. It also says that all URLs or other queries typed into Chrome?s address bar will be sent to Google, which will use that information to make suggestions to users.

The browser?s privacy policy says it will ?process? information received from Chrome users but ? in a crucial omission ? doesn?t say whether it will retain the data or for how long: ?Information that Google receives when you use Google Chrome is processed in order to operate and improve Google Chrome and other Google services,? the policy states.

I don’t think consumers are going to go for it. It’s too intimate to gather these different services together. It’s like your bank buying your DVD store, and the guy who approves your loans also gets to know about your perverted taste in movies.

The bottom line is that the privacy landscape is shifting. So how should you handle your own privacy policies?

Do the right thing.

Some years ago, a friend of mine urged me to become an SEO, touting tactics that were legal and fine at the time but that would be considered black hat today. “It’s so easy! All you have to do is use this automated program that will create hundreds of sites at once, all linking back to your client’s site.” Thankfully, I didn’t go for it; I might have made money in the short term, but it would have been bad news in the long run.

The same holds true for privacy. Forget about what you can technically get away with, or what you can assume your customers won’t notice. Just do the right thing. Be fair. Consider the customer. Consider the cost to them as well as the benefit. And behave in a way that lets you hold your head high.

In a mixed up, muddled up, shook up world, your integrity is a real asset.

Your thoughts on this topic are welcome.

A few hilarious videos from The Vacationeers to brighten your day… (hat tip: Hongkiat.com)

“The Googling I: Google Maps”

“The Googling II: Google Moon”

“The Googling III: Google My Maps”

“The Googling IV: Google SMS”

Enjoy…

The story has gone something like this:

Google: “You don’t need to have any privacy concerns about the IP addresses that we store — they aren’t personally identifying.”

Viacom: “Okay, then, give us your user logs.”

Google: “No! That’s a violation of privacy!”

Judge: “But you just said…”

We all know that people can figure out who we are based on our activity. A person living at 123 Main Street who works at the power company, exercises at Bally’s, and drinks coffee at the Starbuck’s on 23rd and Vine doesn’t have much of a secret identity, even if I don’t tell you her name.

If you claim on the one hand that your data don’t hold any privacy implications, it stands to reason there shouldn’t be a problem if those same data are released. The fact of the matter is, there are privacy considerations when you’re dealing with people’s search queries or video preferences.

This isn’t the first negative tone I’ve heard towards Google in recent days. They’re getting slammed for hiking the price of day care. They’re getting blamed for fostering obscenity. A Valley bigwig says the company is an effing train wreck.

I’m confident the truth, as always, is more complex and multifaceted than these articles portray. Part of it is indicative of the sheer size of the company: grow enough over a long enough period of time, and folks will find something to complain about. Part of it is demonstrative of the stratospheric expectations they’ve set. Part of it is that they face the same microscopic level of scrutiny as a candidate for President.

When it comes to privacy, however, they’re learning that they can’t have it both ways. People are giving the judge a hard time for not understanding the implications of his order, but the judge was following irrefutable logic, based on Google’s own claims, policy, and videos.

What do you think of the Viacom-YouTube-Google privacy porridge?

Summary: This is a reprint of my Search Insider column from last Friday.

Chris Morrison at VentureBeat has been one of the privileged few to get a sneak preview of Powerset; he recently reported that the semantic start-up?s unofficial tagline is, ?We?re not a search engine.?

According to Morrison, this is standard for any company looking to dodge the hype of the ?Google-killer? moniker — fair enough; although, based on Powerset?s behavior to date, they don?t seem inclined to dodge hype of any variety.

There?s another reason for Powerset and its ilk to shun the search engine label, though: search isn?t broken.
Remember Gord?s Breaking the Google Habit series? Over five of his Search Insider columns, he discussed how people form habits and what it takes to change. We got a more scientific understanding of what we knew instinctively already: habits are darn hard to break, even if you want to break them.

Take overeating. Despite pills and patches and pop psychology, millions are locked in a seemingly unbreakable cycle — and that?s something that people want to give up. That?s something that goes to the heart of people?s senses of self-esteem and wellbeing, something that can extend or diminish life expectancy.

There?s no equivalent downside for using Google, which means that merely offering a slightly better version doesn?t represent a convincing argument. Nobody is going to change search engines because the top 10 results are slightly more relevant.

So those companies looking to compete have to take a different approach: the we?re-not-a-search-engine approach. This is the approach demanded of disruptive technologies since the beginning of time. Don?t offer a faster horse, build a car.

The road to success requires would-be Google-killers to solve a problem that Google doesn?t solve, to create a new habit under a new circumstance, where it can flourish free from the inexorable pull of ingrained attitudes.

This is why David Berkowitz reported last September that MySpace was the fourth largest search engine: because they?re competing in a different arena.

Twine is another great example; it represents a totally new way of interacting with data. You can create a habit of using Twine without threatening your Google use, transitioning slowly and imperceptibly until you wake up one day and say, ?Remember when we all thought Google couldn?t be beaten??

This is also why it?s so important for Google to snap up a token presence in every emerging Web 2.0-3.0-4.0 space. They know that they?re unlikely to be threatened on their own turf, and they want to make sure they?re at least in the ring wherever the fight?s going to be.

The great philosopher Osho said, ?If you want to do something with darkness, you have to do something with light, not with darkness at all. You have to light a candle, and suddenly there is no darkness.? I?m not suggesting that Google represents the Forces of Evil here, but the concept is transferable: light the candle of a new habit, and the old habit disappears.

Will Powerset be the candle of a new habit? That remains to be seen. Ultimately, though, someone will be the candle; as Osho also said, ?Habits die hard. But they die certainly — if one persists, they die.?

One of my favorite quotes is from one of my least favorite people: Mike Tyson. “Everybody has a plan,” he said, “until they get hit.”

His words?and Google’s motto?sprang to mind as I read the news in TechCrunch that Google recommended a ‘No’ vote on two proposals, one on human rights and one on censorship.

The censorship bit calls for minimum standards:

1) Data that can identify individual users should not be hosted in Internet restricting countries, where political speech can be treated as a crime by the legal system.

2) The company will not engage in pro-active censorship.

3) The company will use all legal means to resist demands for censorship. The company will only comply with such demands if required to do so through legally binding procedures.

4) Users will be clearly informed when the company has acceded to legally binding government requests to filter or otherwise censor content that the user is trying to access.

5) Users should be informed about the company?s data retention practices, and the ways in which their data is shared with third parties.

6) The company will document all cases where legally-binding censorship requests have been complied with, and that information will be publicly available.

The proposed Human Rights Committee would review and make non-binding policy recommendations regarding human rights issues.

Most of the commenters on TechCrunch slammed Google for encouraging people to vote against these proposals. Fabian Schonholz, however, felt otherwise:

This is a little ridiculous.

If you want to operate in any country, any company, american or otherwise, should respect the laws, customs, traditions and ways to operate that the country dictate. The only thing a shareholder can do is force the company not to operate on the countries that insult their sensitivities. It is presumptuous of any of us to think that we have the RIGHT to change how countries operate and behave.

I agree with Fabian; at the same time, I don’t think the proposals suggested anything in contrary to what he says. The censorship proposal, for example, explicitly states that the company will conform to legally binding requests. So it seems more like a case of not wanting to rock the boat than anything else.

In addition, Google is likely to get its way; last year, shareholders rejected a different proposal to stop the search giant from self-censoring.

Nonetheless, I’d like to know the rationale for the ‘No’ recommendation on the Human Rights Commission. Google’s mum on the topic?the proxy statement offers no explanation and there’s nothing on their blog?but it just doesn’t seem consistent. How can you not be evil if you don’t even have thorough information about the human rights implications of your actions? What is the business activity that might be shut down if these two proposals go through?

If you’ve got more information about this, please let me know in the comments. If you want more information, say that too.

Yesterday, I began the Six Sigma Privacy series with a discussion on the user attitude to online privacy, primarily focusing on the observation that most Internet users don’t really care. Today, I’m going to take a look at how some of the big players approach the topic. The bottom line is that there’s lots of talk and not a lot of action.

Privacy advocates want people to believe that this is the single biggest issue since the Colonies seceded from England. Consumers are apathetic. How do the titans of the Internet tackle privacy?

Back in July, Microsoft and Ask came together to call for global privacy standards:

Building on their respective efforts to protect consumer privacy, industry leaders Microsoft Corp. and Ask.com, a wholly owned business of IAC (NASDAQ: IACI), today joined together in the commitment to call on the industry to develop global privacy principles for data collection, use and protection related to searching and online advertising. The companies will work with other technology leaders, consumer advocacy organizations and academics to come together and join them in working on the development of these principles, which could include developing and sharing best practices to provide more control for consumers.

?As search and other online services progress, it?s important for our customers to be able to trust that their information is being used appropriately and in a way that provides value to them,? said Peter Cullen, chief privacy strategist at Microsoft. ?We hope others in the industry will join us in developing and supporting principles that address these important issues. People should be able to search and surf online without having to navigate a complicated patchwork of privacy policies.? [emphasis mine]

Google followed suit in September, with Peter Fleischer calling for global privacy standards at a UNESCO conference:

…Google is calling for a discussion about international privacy standards which work to protect everyone’s privacy on the Internet. These standards must be clear and strong, mindful of commercial realities, and in line with oftentimes divergent political needs. Moreover, global privacy standards need to reflect technological realities, taking into account how quickly these realities can change.

Their announcement, though, was met with resounding cynicism, according to MediaPost coverage:

“…It’s clear that this is motivated in part to dampen the growing opposition to the DoubleClick takeover,” said Jeff Chester, executive director of the Center for Digital Democracy (CDD). “Google is attempting to head off a global regulatory digital train wreck.”

…”Google is under enormous pressure from many countries around the world who are fed up with their arrogance and their unwillingness to make meaningful changes to their business practices,” said Marc Rotenberg, executive director of EPIC. “They are also trying desperately to push the acquisition of DoubleClick through the Federal Trade Commission. And they’ve met enormous resistance.”

…Critics argued that the search giant gave no specifics for how to move forward with a global implementation–calling it another sign that the endorsement was just Google posturing for the FTC.

“Mr. Fleisher is lobbying to get a privacy Band-aid placed over an ever-growing flow of personal data being squeezed from consumers (by Google and others),” said Chester.

Poor Google. Evil-avoidance notwithstanding, they’ve gotten so big that pretty much anything they do these days is greeted with cynicism. Take Maile Ohye and the Google Privacy Videos (one and two). Just a few days ago, Ryan Singel at Wired gave his non-held-back opinion on them:

The video skips right over the part where Google opts in new users to the tracking program without explaining to people what the program is or does.

Instead, it jumps from the “create a Google account screen” to a heartwarming story about how having searched for the “Rolling Stones” in the past will help Google disambiguate a later search on the word “bass” – so it knows you are interested in the instrument, not the fish.

This might be interesting if it were true, which I doubt it is since I’d wager MORE people who searched on the “Rolling Stones” in the past are anglers than musicians.

But why let that get in the way of a good cover story for why Google really wants to collect data about you which is, as we all know, the ad dollars.

Anyway, back to Fleischer and Google’s request for global privacy standards. In September, Google’s CEO, Eric Schmidt, added his voice to the conversation:

More encouragingly recent initiatives in this area by the United Nations, the Asian-Pacific Economic Co-operation Forum and the International Privacy Commissioners? Conference have all focussed on the need for common data protection principles. For individuals such principles would increase transparency and consumer choice, helping people to make informed decisions about the services they use as well as reducing the need for additional regulation. For business, agreed standards would mean being able to work within one clear framework, rather than the dozens that exist today. This would help stimulate innovation. And for governments, a common approach would help dramatically improve the flow of data between countries, promoting trade and commerce.

I recommend you click on the link to Schmidt’s piece and read the response from Ann Cavoukian, who chaired a working group of Commissioners convened for the purpose of creating a single harmonized privacy standard; she points out that the issue isn’t standards creation but standards implementation:

I would also like to draw your attention to documents already produced by highly regarded international authorities on privacy and suggest that the issue is not one of developing new standards, but of raising the bar by observing existing global standards and privacy principles.

What does this all add up to? Major players understand the importance of being seen as caring guardians of the people’s privacy. They talk about it, create videos about it, call for global standards for it. I’m just not yet convinced that effective actions are being taken about it, or even that these companies want people to truly understand the issues at stake. The Maile Ohye videos aren’t designed to raise awareness; they’re designed to keep people calm.

But what should they be doing instead? Tomorrow I’ll discuss some of the issues involved and why this topic is important. Until then, I’d love to hear your opinion about how the big players handle online privacy. Do you think they do a good job? Or should we demand something better?