Messaging Newswire
Follow Us on Twitter
Facebook Page
Google Plus Page
RSS feeds
Privacy & Messaging
Widgets & RSS FeedsWe are perhaps in the golden age of the Internet. It is free, uncensored, and unites the world in ways hard to imagine for our grandparents, who relied on such things as the Western Union telegram. In the 1920s and ’30s a telegram was cheaper than a long-distance call. It may even have been the precursor to texting because punctuation cost extra leading to brevity in the extreme with pronouns, and verbs omitted—the word STOP substituted for a period. For us today, email or VoIP are cheaper than an overseas telephone call. But along with this amazing openness, information availability, and inexpensive communications, has come the desire to make money online. Once the Internet began to mainstream, e-commerce was not far behind and along with it came marketing and advertising. Of late there has been much discussion about behavioral targeting, which is not really a new industry. It has been used in direct marketing, telemarketing and through publishers for many years. In the past, information about geographic location, purchase history and the like were used to target content. And it worked. Lately, however, we hear more and more from privacy advocates about online behavioral advertising and targeting tactics. This is largely because the barrier to collecting consumer information is substantially lower online. Unlike with direct mail, there are no wasted stamps or paper.
Last November the Federal Trade Commission held a Town Hall to exam behavioral advertising and consumer protection. The meeting explored the types of information that companies collect about consumers as they travel across the Internet, and whether the information collected is anonymous or personally identifiable. A key focus was on how this information is used and shared, and what consumers understand about the collection of information online. A goal of the meeting was to determine if these practices are resulting in consumer harm and loss of privacy. Why now? It is not really surprising if you think about it. The advertising industry is transforming itself, forming new combinations and developing new strategies to take full advantage of what the Internet has to offer. Online companies of all types are moving into the advertising space or expanding their presence in order to generate revenue and enhance or complement other services offered by their businesses. The Commission has examined behavior advertising in the past, including a 1999 Online Profiling workshop. “The advertising market has changed dramatically since our earlier workshop in 1999 and the practices involved in behavioral advertising have changed along with it,” observes Lydia Parnes, director of the Bureau of Consumer Protection for the Federal Trade Commission. “First, behavioral advertising has become more prevalent and it’s expected to become even more widely used in the coming years. Second, marketers are seeking to expand substantially the information they collect and analyze to increase the precision of their behavioral advertising. Third, the industry has seen a recent flurry of consolidation, resulting in more consumer information in fewer hands.”
Has privacy shifted with the maturation of the Internet? “From the very beginning, people could easily see how data flies on the Internet in ways they never could understand in the offline world,” observes Fran Maier, executive director of TRUSTe, a non-profit organization dedicated to building consumer trust in the Internet. “That is why TRUSTe was brought about in the first place, if consumers cannot have trust, they are not going to engage. The level of engagement now is high, but I think everyone agrees it could be so much higher, but we really need to increase the confidence online.” Maier goes on to say that historically, in the mid-1970s, fair information practices came about requiring notices, awareness, choice, access, security, integrity, enforcement, and redress. “These are still good, but I do not think they are enough going forward.”
Awareness
To the FTC, one of the first steps in reviewing the possible threat to privacy is consumer awareness. “One of the things we grapple with and are trying to gather information on,” says Richard Quaresima, assistant director of the Federal Trade Commission Bureau of Consumer Protection, division of Advertising Practices, “is understanding what is the consumer awareness? One of the themes that kept arising from the Town Hall was that a lot of people—in particular consumer privacy advocates—believe that the concept of tracking advertising is largely invisible to consumers.”
The Center for Democracy & Technology (CDT), a non-profit public interest organization specializing in law, technology, and policy, believes that behavioral advertising poses a growing risk to consumer privacy. “Consumers are largely unaware of the practice and thus are ill equipped to make informed decisions and protect their information,” states Leslie Harris, president and CEO of CDT. “They have no expectation that their browsing information may be tracked and sold. Furthermore, consumers are rarely provided sufficient information about the practices of advertisers or others in the advertising value chain to gauge the privacy risks and make meaningful decisions about whether and how their information may be used.”
Is the average consumer aware of the lengths that advertisers are tracking their information? “Probably not,” concedes Maier. “Then again, let’s think about the harm issue. I do not think behavioral targeting right now is the harmful issue that spyware was. But I think it is smart for industry and legislation and regulators to pause and say let’s take a look at it before it gets to be one of those issues. I do not know that there has been an identity theft situation or compromise because of behavioral targeting at this point and time. Even the creepy factor hasn’t quite happened as bad as you might expect. I do think there are advertisers that are taking a careful look at not targeting to a level that is way too personal.”
In his address at FTC’s Town Hall meeting, Dr. Larry Ponemon, chairman and founder of the Ponemon Institute revealed some findings in regards to privacy. “I’m oversimplifying, but in our research about 8 percent of Americans appear to really care deeply about privacy to the point where it changes their behavior. About 70 to 72 percent are people who will probably say ‘privacy’s important, but we’re not willing to forego any inconvenience’. So, it doesn’t actually show in behavior studies any meaningful difference from the other group called privacy-complacent people, like my children who basically will post all these pictures and stuff on Facebook.” Ponemon went on to say that in general, EMEA and Latin Americans tend to be more privacy centric than people in the U.S. and Asia.
Following the Town Hall meeting, FTC staff proposed some governing principles for behavioral advertising and sought comment on the principles from interested parties. The comment period closed earlier this year, and the FTC is reviewing all the comments it received. “We put out the principles to encourage greater self-regulation,” says Quaresima. “The FTC has not called for any kind of legislation or regulation in this area. We have called for self-regulation. There has been some proposed legislation at the state level, and hearings have been held in recent weeks, in particular about information that has been tracked, and information gathered through companies that have arrangements with ISPs to analyze Web traffic. That has been a particular source of concern to different people of congress.” (See ISPs, Behavioral Advertising, and Privacy on facing page.)
Employee Privacy
What of privacy and messaging when it comes to employees? Has our need for monitoring data leaks and auditing email translated to less privacy for the average enterprise employee? “One of the most important benefits data loss prevention and monitoring technology—as opposed to manual processes—is that it can help to avoid the uncomfortable situation of reading other employees email by instead scanning for just those things that pose a legal, financial, regulatory or competitive risk,” says Keith Crosley, director of market development, for Proofpoint. “As a result, Proofpoint feels that companies should be very clear with their employees about what channels are being monitored and what things are being monitored for.”
How much is being monitored by enterprises today? “When Proofpoint first started surveying enterprises about their use of monitoring techniques and technologies, more than four years ago, we found that about one third of companies performed regular audits of outbound email content and (to our surprise at the time) that about 40 percent of large companies employed staff to read/monitor the content of outbound email,” reveals Crosley. “These numbers have stayed relatively constant over time. For example, our 2008 research showed that 38 percent of surveyed companies performed regular audits of outbound email content and that 41 percent of large companies employ staff to read/analyze outbound email content.”
David Ferris, president and senior analyst of Ferris Research, thinks that certain aspects of email monitoring have been going on for a very long time, but it is our awareness that is growing. “I recall in 1991 talking with Exxon. The company was not worried about emails being intercepted, except in certain countries where they would not put it past the government to intercept email in order to get involved with (business) negotiations. In those countries, Exxon said it avoided using email for communications with the local people.”
Maybe employee privacy at the corporate level has not been lost, because in truth, perhaps it never existed in the first place. According to Crosley, “I don’t think that there has been much change in the past few years in terms of the level of privacy that employees actually enjoy. What I think has changed is employee attitudes and expectations.” Crosley notes that in 2004, their survey findings were surprising—even shocking—to many. “But even at that time, those findings really just confirmed what many employees had always suspected. When I would discuss these findings with people, it used to take some time to explain the legal/financial/regulatory risks that were motivating companies to monitor outbound communications (either with technology or with manual processes).”
Crosley says that along with the high profile data loss events that has continued to occur over the years and with more and more individuals having first-hand experience of identity theft; of being personally notified of data breaches involving their personal information; and as employees have become more personally familiar with regulations such as HIPAA; people have become much more personally aware of the impact of data loss. “I think this has changed their attitudes about monitoring,” summarizes Crosley. “That is, as a consumer, as a customer of other large enterprises that have substantial amounts of their valuable financial/healthcare/identity information under their control people now understand the risks.”
Notification and Opt-Out
Privacy advocates agree that much of what concerns them is the users’ lack of awareness that their information is being tracked and monitored. “Consumers’ behavioral advertising profiles may incorporate many different kinds of data that are not personally identifiable by themselves,” says Harris. “Many networks avoid linking profiles to what has traditionally been considered ‘personally identifiable information’ (PII)—names, addresses, telephone numbers, email addresses, and other identifiers. But as the comprehensiveness of consumer advertising profiles increases, the ability to link specific individuals to profiles is growing. The risk of supposedly non-personally identifying data being used to identify individuals has spurred several ad networks to take extra steps to de-identify or remove personal information from their data storage.”
Along with the need for awareness campaigns for consumers to learn more about what information is being harvested about them, many believe that a more obvious opt-out should exist. “If I was to read tea leaves, I’d say in the future we will be looking at a broader, more effective opt-out opportunity for consumers,” says Maier. “I think that there will be some interesting examples of notice, where consumers will be asked or be able to see why they got this ad. The ad choice program from eBay is a good example of this. My personal opinion is that I do not think advertisers should be afraid of opt-outs, I do not think that many people will do it, and I think that if advertisers make a clear statement of what they are collecting and how they are using it, consumers will understand the value proposition.” Maier believes that left unexplained behavioral targeting can seem threatening. She also thinks that there might be more opportunities for consumers to become anonymous. “I think the biggest thing is that consumers are going to have the opportunity to make a decision and make a choice and through that choice extend control over their profile, their person and the whole bit.”
Ponemon findings support that consumers want control over the privacy of information they share with online marketers. “Consumers actually prefer personalization when it is relevant and it actually provides interesting content.” The key Ponemon suggests is to ensure the opt-in appears desirable. “Survey research shows that when consumers see the word ‘cookie’ they are less likely to opt in. It has this negative connotation, especially when it’s in a policy.” Ponemon does say that while people hate cookies and permissions, people actually like the idea of having someone spend the time trying to understand what they’re interested in. “Consumers are willing to share more and better personal information about themselves when they have a trusted relationship with a marketer. Consumers want to rule over their online experience and 84 percent want to have more control over the types and frequency of Internet ads that they receive.”
When it comes to employees, Crosley believes that, “Companies should be clear with employees about the fact that employee email is often made public.” He points to the increasing use of email as a rich source of evidence in both civil and criminal cases. “This is one of the biggest changes we’ve seen in the past five years. In 2004, only 10 percent of companies surveyed said that employee email had been subpoenaed in the past year, but in 2008, that number had jumped to 24 percent.” So even employees could do with an awareness campaign.
Risks and Rewards
As Maier points out, has there been any actual harm done by behavioral targeting? Does collecting the data by its nature invade privacy? “Most of this information is anonymous and is not personally identifiable,” states Quaresima. “It is a different type of data. It is generally not your name or social security number or that type of data. They do know your IP address, so they associate a set of behaviors to a computer, but not necessarily tied to an individual. This computer has read articles on travel, this computer has visited car sites, but they do not know who owns the computer.”
A challenge of the modern age is the speed at which innovations happen and information is exchanged. Stepping back to look at the larger privacy picture, Ferris observes, “If you look at it from a human level, I think we are changing. In a way we are forced to worry less about things. Things that we used to see as private, we are much more prepared to talk about.” As well as discover with just a few keystrokes and a few well-selected search terms. Has privacy changed so much, or has our access to data removed the barriers? “There has been a quantitative change in the accessibility of information and that is important,” believes Ferris. “I think actually a lot of these technologies which are gnawing away at privacy are a big force for good in ways that you and I may not be so aware of, but we must remember that many members of mankind live far different lives. Consider the hardships of people in Zimbabwe – now I think the flow of information is making it much harder for the regime there to maintain its existence tenably. My gut feel is, I do not feel bad about loss of privacy. Most of us do not have to worry if someone finds out where we live.”
It would seem then that the benefits of free flowing information outweigh privacy. To Harris, however, it is the invisible nature of the data gathering that needs to stop, not the actual act of gathering. “For behavioral advertising to operate in a truly privacy-protective manner, data collection needs to be limited, data retention limits should be tied to the original purposes for collecting the data, and opt-out must completely remove consumers from the service.” She thinks that consumers need to be informed about what data is being collected about their Internet activities, and know how the information will be used, whether the information will be shared with others, and what measures are being taken to ensure that any transfer of data remains secure. “They should be presented with this information in a manner that supports making an informed choice, and that choice should be honored persistently over time,” she argues.
A New Definition
In the end, it boils down to the need for advertisers and enterprises to disclose policies and make any monitoring, and data collection known. In the case of consumers, it is also important that they have control over such activities. “It is not just about PII and the legal stuff that goes around it,” acknowledges Maier. “It is more about user control and user control about their personal information and where they go and what they do. It is also about control over their computer. Strictly speaking, the issues of spam and spyware, or pop ups and adware that people labeled privacy issues, was really about control over your space. It is the intrusion factors. I think that we have really evolved privacy almost full-circle, where years ago, in the early days of the Internet, a lot of the focus on privacy was about your personal information, and don’t get me wrong, that is still really important, but we have gone back full circle to a broader definition of privacy, and it means control over your space.”
