Archive for the ‘Policy’ Category

Thinking About Location-Aware Apps?

October 19, 2010 Leave a comment

Then please, check out this white paper I co-authored recently with Janet Jaiswal, Director of Enterprise at TRUSTe.  TRUSTe is one of the few organizations that offers a privacy certification for mobile apps and services.  Over the last few months, I’ve been working with TRUSTe on their mobile privacy certification program. In this white paper, Janet and I zero in on geo-location – exploring the market dynamics, privacy concerns and some best practices around location-aware apps and services, and the hot new area of “geo-marketing.”


CWAG Panel touches on the challenges of Privacy 3.0

Yesterday, the Conference of Western Attorneys General (“CWAG”) hosted a superb panel entitled “Privacy 3.0 – Emerging Enforcement & Policy Issues” at their annual meeting in Santa Fe, NM.  Featured on the panel were FTC Commissioner Julie Brill, Assistant AG Shannon Smith of the Washington Attorney General’s Office, Professor Chris Hoofnagle of UC Berkeley Law School and Professor Paul Ohm of the University of Colorado’s Law School.

The panelists discussed the enforcement approach to privacy and data security in the 1.0 (notice and choice) and 2.0 (harm-based analysis) eras – and how this approach may need to change in the current age given continuing challenges: the emergence of scholarship showing that “anonymization” is a fallacy, the continuing struggle to create clarity around key terms used in privacy, and the need to educate consumers about basic privacy concepts.  The panel also discussed the States’ approach to some of these developments – such as the Massachusetts data law.

You can view the full webcast on CWAG’s site.

Disclosure: I worked with CWAG to help pull this panel together.

Tipping Towards an Opt-In

A few years ago, I became an instant fan of Malcolm Gladwell’s groundbreaking book – “The Tipping Point” – based on an epidemiological theory that says that in aggregate, “little things” can make a big difference.  Since then, I’ve observed the phenomenon play out on the policy stage several times – financial reform and healthcare are two immediate examples that come to mind – and I wonder if the theory has any application in what’s currently happening with online privacy today.  I think it does – particularly if you view a tipping point in scientific terms i.e. the point at which an object is displaced from a state of stable equilibrium due to a series of successive events, into a new equilibrium state qualitatively dissimilar from the first.

To say that online privacy was ever in a state of stable equilibrium is a stretch.  We are however, approaching the end of a current era in online advertising and marketing – an era in which companies captured personal and confidential data from users, and then monetized that data to sell ads back to those very same users, often without the user’s authorization or knowledge. That state of equilibrium has been threatened by many events in the last few months – market developments, consumer outcry and regulatory attention all converging to catapult data privacy and security onto the national agenda and into the mainstream press.  Some commentators, such as Jeff Chester, have characterized these events as a perfect storm; I see them a bit differently – not a storm, but a series of occurrences that finally “tipped” the issue, as companies attempted to push the privacy envelope with various features that compromised a user’s privacy (and in some cases the user’s express wishes to keep their data private).  Each of these features involved sharing data with a third party and not surprisingly, each triggered a privacy outcry – because they provided no meaningful way for users to opt-out of the feature before personal data was exposed.

It’s amazing to think that most of these pivotal events only happened during the last three months.  To recap:

February 9, 2010 – Google launches Google Buzz, and overnight, transforms users’ Gmail accounts into social networking pages, exposing personal contacts.  Google later remedies the situation by making the feature opt-in.

April 27, 2010 – 4 Democratic Senators led by Chuck Schumer of New York, send a letter to Facebook CEO Mark Zuckerberg complaining about the privacy impact of Facebook services, including its instant personalization feature (which exposed user profile data without authorization on launch).  Senator Schumer follows up his letter with a formal request urging the FTC to investigate Facebook.  Facebook eventually announces new privacy controls.

May 5, 2010 – EPIC and a coalition of other advocacy organizations file this complaint, urging the FTC to investigate Facebook.  In the complaint, they assert that “Faceboook’s business practices directly impact more American consumers than any other social network service in the United States.”

May 14, 2010 – Google announces, via a post on their policy blog, that their Streetview cars have inadvertently been capturing payload data from open WiFi networks – in violation of US, European and other global data protection laws – for over 3 years.

May 21, 2010 – The Wall Street Journal reports that a group of social networking sites – including Facebook, MySpace and Digg – routinely share user profile data with advertisers, despite public assurances to the contrary.

The result? With each successive product or feature launch, the privacy debate is now tipping towards a privacy regime that could be much stricter than anything we’ve seen before – a requirement that companies get a user’s affirmative opt-in to any use of personal data for advertising and marketing purposes.

Privacy nerds may want to revisit the words of David Vladeck, head of the FTC’s Bureau of Consumer Protection, in a New York Times interview that took place last August i.e. before the privacy mishaps of the last 3 months.  When asked about whether the FTC would mandate an opt-in standard for user disclosures, Mr. Vladek responded:

“The empirical evidence we’re seeing is that disclosures on their own don’t work, particularly disclosures that are long, they’re written by lawyers, and they’re written largely as a defense to liability cases. Maybe we’re moving into a post-disclosure environment. But there has to be greater transparency about what’s going on. Until I see evidence otherwise, we have to presume that most people don’t understand, and the burden is going to be on industry to persuade us that people really are well informed about this.”

The emphasis on transparency becomes even more important with the  impending rollout of the FTC’s privacy framework this summer.  Will  the FTC make an affirmative opt-in mandatory in all instances where personal data is being shared with a third party?  Clearly, an opt-in is one of the best ways to ensure transparency, and to give users meaningful notice about what data is being collected.  The question is whether an opt-in requirement would be so cumbersome it would turn users off of the service altogether.  For instance, would an opt-in be required once – before the feature is first launched, or each successive time it launches?

Also, it’s unclear whether the FTC’s framework will derive strength (or weakness) from a federal privacy law if such a law does indeed pass this session.  Critics on both sides have mostly panned the House legislation i.e. the Boucher-Stearns bill, but there is news of another, more stringent bill being drafted by Senator Schumer who reached his tipping point with Facebook as outlined earlier.

I saved my most important “little thing” for last. Even if you don’t believe that the privacy debate has yet to reach a tipping point, consider this: in June, the Supreme Court will issue its decision in City of Ontario v. Quon. This is the first time that the Supremes have considered the crucial question of what expectation of privacy users have in their electronic communications.  Their decision will most likely impact any regulatory or legislative scheme around privacy currently being proposed by the federal agencies or Congress.  Most importantly, a Supreme Court decision that finds an expectation of privacy in electronic communications will most certainly translate into increased obligations on companies that deal in these types of electronic communications and data.  A tipping point?  Absolutely.  In fact, such a decision would definitely signal something much bigger (to quote another popular book title) – a Game Change for advertising and marketing on the web.

Coming to Grips with Reality

January 7, 2010 Leave a comment

One of the first tasks for government in the new millennium is a gargantuan one: regulating today’s Internet.  At least two federal agencies are taking the plunge, having announced their intent to create comprehensive frameworks that would ensure online privacy (FTC), and access to broadband capability (FCC) for Internet consumers. Both the FCC and FTC continue to conduct workshops and solicit comment on the relevant topics – and we should see an initial draft of these plans shortly.  For instance, Chairman Genachowski’s national broadband plan is now due for release on March 17.

How you feel about the Obama Administration’s invigorated Internet policymaking activities is probably closely related to your view on net neutrality.  Should the Internet be regulated? That question is now moot. The real question is whether effective regulation can even be designed at this stage in the Internet’s evolution.  And before we reach that answer, policymakers and regulators must confront the reality about consumers, business models and the role of data collection on the Internet today.

First, who is today’s Internet consumer?  Arguably, they are a driving force behind the evolution and adoption of Internet technologies and not just passive users.  Witness the recent explosion in mobile web usage (driven mostly by consumers’ need for “anytime, anywhere” access to information) for proof of this proposition.  Indeed, the consumerization of technology (web search, iPhone), has given rise to many of the tech policy issues we wrangle with today. Yet, there is little or no research on how individual consumers view important issues – like online privacy – and how these attitudes can vary depending on age and location (after all, internet consumers are not a homogenous bunch).  Policymakers should take the time to carefully study the Internet consumer– perhaps using technology to reach out directly – and to keep refreshing that research alongside development of any regulatory scheme. Citizen focused initiatives, like the FCC’s Open Internet website, are a start in the right direction.

Second, we must recognize that data collection is part of how today’s Internet works.  The most successful companies of the last decade were those that were able to use data or information in innovative ways, such as enhancing online searches (Google) or providing more relevant recommendations to online shoppers (Amazon).  Information enhances customer relationships; it also fuels targeted advertising – the lifeblood for many companies on the web. Internet policies should be constructed with these realities in mind.  In addition, research is truly needed on consumers’ attitudes towards data collection – is it the gathering or the sharing of information that’s the issue?

Finally, Internet business models are always changing.  The Internet is constantly forcing companies to rethink how they do business (check out Professor Doug Lichtman’s podcast, Can Content Survive Online, for more thoughts on this point). Business models die and are resurrected all the time -who ever thought that the walled garden would make a comeback? Policymakers and regulators must keep current with industry developments to remain both effective and relevant in this area.

Will reality be part of future policy making or regulatory activities?  Already, the first working week of the decade has provided an opportunity for comment:   Is TV Everywhere an authentication technology that secures premium content for subscribers or a collusive effort by media companies to restrain online media competition?

Trying Another Form at the FTC’s first Privacy Roundtable

December 7, 2009 Leave a comment

At the first of the FTC’s Exploring Privacy roundtables held earlier today, Chairman Leibowitz was asked whether the FTC approach to regulating privacy has been successful.  Artfully dodging the question, Leibowitz responded by likening the privacy issue to Winston Churchill’s view of democracy:

“it has been said that democracy is the worse form of government — except for all those other forms that have been tried from time to time.”

The Chairman’s remark encapsulated the spirit of the day, as a reinvigorated FTC dived deep into consensus building with a who’s who from the world of privacy policy. This is just the start of the inquiry, with another two roundtables to follow. The plethora of smart thinking and ideas that flowed in stream-of-consciousness fashion from today’s panelists were helpful to the evolution of a regulatory construct for online privacy.  Yet, many questions remain unanswered.  And even with all the bright minds in attendance, the contours of an effective regulatory scheme for online privacy remain unclear.

More research on web attitudes, custom and habits is needed. As we learned today, the personal data ecosystem is extremely complex and layered (like those privacy notices you can never find the bottom of).  Did you know that there are over 20 different categories of companies – including web marketers, search engines and online data brokers – that currently collect information in personally identifiable or aggregated form? Incidentally, the FTC did a great job of pulling together supporting material for the roundtable, including this slide on the personal data ecosystem that should be a must-view for anyone surfing or shopping on the web.

Clearly there is tension between the approach advocated by those representing the consumer interest (CDT, CDD, EPIC, etc.), and those involved in what Commissioner Harbour described as a “digital arms race” – the race to monetize content and information and build massive ad-viewing bases in the digital economy. Consumer organizations are urging the FTC to adopt stricter privacy regulations – at a time when online advertising is exploding on both the desktop and mobile web.  Now, the FTC must engage in a careful balancing act – develop a regulatory framework that protects consumer data online while not impeding the growth of technological innovations that utilize profile data.

The discussion will continue at a second FTC roundtable on January 28th.   Here are some of the discussions I hope to hear in round two:

  • The volume of personal data that travels on the web today pales in comparison to the volume of data we will see in a future of web-enabled devices and integrated systems. Does a use-based classification system with individual opt-outs for each type of information really work with large volumes of information?  Or should all personally identifiable information be regulated in the same way, irrespective of use?
  • Several panelists indicated that self-regulation is not working.  What’s the alternative? Is the failure of self-regulation attributable to the lack of clear government guidelines or engagement on what online privacy policies should look like?
  • In 2008, for the first time, more people accessed the web through their mobile phones than through a desktop. As the FTC attempts to get ahead of the online privacy issue, what considerations should be given to privacy protections on the mobile vs. desktop web?

Academic Survey Shows Public Discomfort with Targeted Ads

September 30, 2009 Leave a comment

Evidence of how the average consumer views online privacy is usually absent from the heated debates on this multi-layered issue (for more, see my very first post to the Balancing Act).  That may start to change after today.  A group of professors from the University of Pennsylvania and the University of California Berkeley have published the results of a survey of 1000 adult Internet users and found that most respondents were not comfortable with Internet marketers gathering data and then using that data to deliver tailored ads – a process known as behavioral advertising.

At least two of the survey’s results deserve a moment’s pause.  First, while over 66% of the survey’s respondents said that they were not comfortable with tailored ads, that number jumped to 86% when respondents learned how marketers gather the data that is used to serve tailored ads. Second, even in the era of living life online via Facebook or MySpace, 55% of the young adults (18-24) surveyed were not comfortable with tailored ads.  This means that  younger, Internet-savvy users do believe in some notion of privacy online.  Just these two findings should concern Internet companies that collect data and use that data to deliver tailored ads and content.  But the survey should also concern regulators – as these findings signal widespread unease with how products and services are marketed on the Internet today.

Discussing the survey in today’s New York Times, the authoring professors stated that the survey is “the first independent, nationally representative telephone survey on behavioral advertising.”  Hopefully, it will remind lawmakers of the importance of empirical evidence in evaluating the policy issues surrounding targeted ads.  And the timing could not be better, particularly now as a perfect storm brews around the online privacy issue – federal legislation to be introduced by Rep. Rick Boucher, the FTC’s upcoming privacy roundtables, and recent comments by David Vladek, the newly appointed head of the FTC’s Bureau of Consumer Protection, that could “upset the online advertising ecosystem.”

Indeed, the price for free web content is often advertising, including behavioral advertising.   Will consumers be willing to give up the variety of free content currently available on the web in exchange for content on websites that do not track Internet behavior?  Will consumers be satisfied with disclosures or perhaps opt-ins, or is online privacy a non-negotiable?  Perhaps the next study or survey will shed some more details on this Gordian Knot of an issue.  Let the questions begin.

Note to Commerce: Entrepreneurs need Tech Training too

September 30, 2009 Leave a comment

Last week, Commerce Secretary Locke announced the creation of a new Office of Innovation & Entrepreneurship that will focus on helping entrepreneurs achieve their business goals.  According to the Washington Post blog post by “Federal Eye” Ed O’Keefe, the new department will:

…” help coordinate the federal government’s efforts to help entrepreneurs turn their ideas into actual products, companies and jobs. It will also focus on education, training and mentoring issues; improving access to capital for small businesses; and help create government-backed incentives for entrepreneurs and potential investors.”

This new initiative comes at a crucial time for small and medium businesses.  Many smaller companies face mounting costs (wages, healthcare, insurance) and are struggling to stay alive in the current recession.  At the same time, most industries are witnessing a massive wave towards consolidation as big companies swallow up smaller companies whose share prices have been greatly depressed in the global economic downturn.  As noted most recently by the Economist, this trend – which is particularly prevalent in the healthcare and technology industries – presents a new challenge: how does a smaller company remain relevant in a world dominated by larger, better-funded competitors?

I believe a big part of that answer lies with technology. Web technologies and cloud computing are truly leveling the playing field thanks to innovations like email and websites which give smaller companies the same level of business efficiency and professionalism as their larger counterparts. It’s important that we train future entrepreneurs – not just on business issues, but also on the technologies that can them gain an edge in today’s fiercely competitive markets.  Educating entrepreneurs on current business productivity technologies is crucial to the success of the Administration’s efforts to revitalize the small business sector.

The Administration already recognizes the importance of technology in stimulus and job-retraining efforts.   Let’s hope they also see how important technology and effective tech education is for the entrepreneurs who will run the businesses of tomorrow.

Categories: Policy Tags: ,