From the agenda: The perennial arguments over user privacy, online targeting and tracking, and regulation vaulted to a new level this year even as advanced applications instigated more debate over the invasive nature of digital technologies. The Federal Trade Commission weighed in with policy recommendations, but do they address consumer needs and the full breadth of online targeting practices? Are social networking, ISP-level data collection and Web-based applications introducing new layers of complexity to the privacy debates? Is privacy the third rail that could very well stop or seriously retard many of the models for personalization and targeting that we’ve been discussing throughout OMMA Behavioral itself? A team of legal and industry experts take a gut check. Moderator: Wendy Davis. Speakers: Colin O’Malley, TRUSTe; Mike Benedek, AlmondNet; Bennet Kelley, Internet Law Center; Eric Goldman, High Tech Law Institute; Alistair Goodman, Exponential; Lauren Gelman, Center for Internet and Society.

Colin: There are absolutely policy issues with BT; there was a time when cookies wasn’t something we were addressing at all. There was also a time when PII was the real focus of what we needed to cover. PII is certainly still important, but anonymized profiles can also contain a vast amount of data, especially with a unique identifier. Anonymous data is incredibly important to the sense of privacy and security of someone online.

Mike: I would agree — basically, I would distinguish between the ISP behavioral companies that have a full view of everything the consumer does online, similar to adware and distinguished from traditional ad companies that only have access on a site where they dropped a cookie. The principles of the NAI are geared toward ensuring full notice and consent so that anytime data is collected from a consumer on a site, a privacy policy with an opt-out notice must be displayed. It’s important that as an industry we keep the government apprised of what we’re doing.

Alistair: I agree with what Colin said, the potential for abuse is always there. However, in practice, we are a long way away from any of that. As members of the NAI, we operate a fully transparent network, we’re not interested in collecting PII and using it for behavioral purposes; we’re actually interested in increasing reach for advertisers. We’re not at all interested in targeting them, because quite frankly a segment of one isn’t all that interesting. In practice, the fear could be there, but the kinds of aggregate data that we’re using and applying isn’t even close to some of the things that are going on in the offline space. We did this years ago, and got to the point where it’s okay to make tax data with your name and address available? to marketers for free — and I think that’s way creepier.

Bennet: Starting point is to consider the creepiness factor and its relationship to the concerns being raised. We’re talking about technology, and with tech comes a certain amount of fear because it’s unknown.

Eric: My proposal as starting point #1 is to retire the word ‘privacy’ as part of this conversation. It’s so complicated and rolls up so many different concepts, that we might be talking about different things and talking past each other. I think one of the hardest parts is that so many of the harms are inchoate harms — the starting point of a harm that may never get there. I definitely agree with the point that because it’s on the Internet we get a lot more stressed about things that we’ve accepted either directly or indirectly offline. Why are we treating the Internet differently? What is it that should make us more concerned? Finally, relevancy trumps creepiness — if BT delivered relevant, just in time information, many people would get over their creepiness, but the problem is that I actually have yet to see that happen.

Lauren: I disagree with almost everything everybody said. (KC: Ha ha!) I believe you suffer a privacy harm even if your identity isn’t stolen. I don’t think privacy is only about whether I’m going to get a more relevant ad; I think society changes when they live under an umbrella that their actions are being watched, and each small step takes us further along that path where you don’t know where each bit of information is coming from. I did a lot of talks about blogging and that you have to be up front about who you are and why you’re saying what you’re saying. The point is that if you’re going out on the web looking to buy a car you have certain expectations about how your information is going to come to you, and when it comes in different ways, that’s what’s creepy.

You can do a baseline shift, and say we’re not as bad as what’s happening offline, or this isn’t personally identifiable, or this is the white hat and it’s really the black hat people you should be going after, but there are certain expectations about how the market leaders act and set the standards for what’s acceptable. This concept that it’ll all be anonymous or pseudonymous is fine in a room full of industry people, but it’s not the sort of thing you can set standards to.

Do you think there should be regulation that would require people to opt in to this sort of targeting?

Lauren: I don’t see why that would be bad. If I want to buy a car, I want to give people the opportunity to market a better or cheaper car to me. The fact that I red a newspaper ad about it or that I have a friend who bought a car should be relevant. Create business models around a much richer way of connecting people who want to buy something with people who want to sell something.

Bennet: But if you’re going to regulate, it has to be on an opt out model.

Colin: There are real privacy issues, and I do think? the industry in the past has been able to hide behind a couple of fronts (like not collecting PII). You can be very creepy and seriously impact customer expectations without any PII. With ISP-level targeting as an example, we’re talking about the kind of behavioral targeting done by a third party that people know, and I don’t think that there’s a conceptual leap between what had been done in the past and what’s being done now. Really, most people have no idea that there are companies they’ve never heard of that are tracking what they do and selling that information to advertisers, and even the folks in D.C. don’t draw those distinctions either.

Mike: How much information the ISP-level targeting has on the consumer vs traditional BT companies. To agree here with Bennett, one important thing is to make that distinction. When ISP companies are integrated with a cable company, they see everything — EVERYTHING — that a consumer does when they’re online. A traditional targeting company only has access on the page where they dropped the cookie and on the page where we serve an ad, and, if they’re an NAI member, they’ll inform the consumer of what’s happening and give an opt out link. We don’t collect PII; we use non-persistent session cookies that expire after 60 days; as a matter of practice we don’t target after 30 page; we have a privacy officer who reviews every site that we work with? and I can’t tell you the number of deals we’ve walked away from because of inadequate privacy policy.

There are more companies out there that cleanse your computer of spyware than there are spyware companies (KC: I don’t know if that’s true, but it’s very repeatable). I’m a Canadian citizen, I can’t even vote in the US, but all I get are Barack Obama ads.

Lauren: Facebook is the most horrible privacy example; you cannot download any application from Facebook without granting access to that developer to all of your content. On Facebook if you check the box that says don’t share my cookies, you don’t get the app. When is the right place? Would you prefer that advertising 1.0 be regulated now while we wait? With apologies to TRUSTe, the policy model has been a disaster; who reads privacy policies? That’s why I think regulation is necessary. The beginning of something new is a time when the industry leaders who understand what the downstream privacy issues are can work with regulators to come up with standards with some teeth.

Bennet: It’s evolving — you’re seeing a new generation of privacy policy. The first approach was too much like lawyers. The second approach should be more like marketers. There was that story that a company put in their privacy policy that the first so many people? to respond would get $100, and it took six months to give the money away.

Eric: Offline, either consumers don’t care or they’ve found out and have been powerless to go about making a change. Either we have to regulate completely because consumers are blissfully ignorant, or we could take their ignorance to mean that talk is cheap.

Lauren: My students are the type of people who might have something online from college and now may have concerns about their Supreme Court clerkship.

Eric: This is a Lost Generation, and there’s always a Lost Generation — in the 70s it was marijuana. This generation put stuff online before we realized the power of publishing this sort of content. If a machine knows my idiosyncrasies and that’s the end of it, has there been a harm? Some privacy advocates would say yes, but I say who cares? If there’s harm, it comes from something after that fact — some adverse consequence where somebody thinks differently about me. So we might choose to focus our regulation on the next step, the action that generates the harm.

But what if a third party takes that data? Or what if that company is subpoenaed?

Bennet: When Oppenheimer first tested the atom bomb, there was a very real possibility that they could have blown up the atmosphere, but fortunately it was a small risk. Let’s deal with the actual issue rather than the hypothetical.

Alistair: We are dealing with a new industry; it’s only been 14 years since the first ad has been served. Let’s focus on the positive. This is the industry that enables all this content to be free, and if we go right to the end of the spectrum and say everything has to be opt-in, we begin to stifle creativity and access. I read 7 newspapers a day and I would never be able to do that if I had to pay for all seven. Swinging all the way to the other extreme seems Draconian.

Eric: If we treat ads as the price for things people want, that’s a lose-lose proposition for this industry. If ads are the cost, they become the pain, the thing to be avoided.

Alistair: It’s about taking relevancy further and finding out when it’s valuable rather than intrusive and annoying.

Colin: When we look at these decisions and say it needs to be opt-in or opt-out, it’s oversimplifying the issue. What we need to do is set standards for minimum behavior. Also, privacy statements are necessary. Even if only 4% or 2% or 1% are reading them, the people who are watching the industry are judging companies by their privacy statements and how well the companies adhere to them. We’re also seeing that consumers really dislike irrelevant ads. Relevancy is not just a marketer’s pitch; consumers want it, yet at the same time they’re really uncomfortable with targeting. There’s a disconnect between the high level of concern about targeting and the high level of desire for relevancy. There hasn’t been good enough dialogue between industry and consumers. “These are the corporate entities, this is why we’re targeting you, this is the potential upside, this is what’s going on…” It’s not enough to say there is an opt-out somewhere if you discover it; we have to talk to people, and right now is a fairly narrow window of time for us to control that messaging.

That’s it for today! Thanks for joining me at OMMA Behavioral And, of course, your comments are always welcome!

This entry was posted on Monday, July 21st, 2008 at 11:59 pm and is filed under OMMA Behavioral. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.