However, with the lack of legal privacy protections that exist in today’s world, the Google-DoubleClick deal would result in one entity controlling an unacceptably large amount of information about individual users’ online activities. If I were a member of the FTC I would recommend that Google-DoubleClick implement a tool similar to the AskEraser, allowing users to opt out of having uniquely-identified data collected about them. DoubleClick’s opt-out cookies are a start, but I would be surprised if many people knew about them. I bet most people who see DoubleClick ads online are unaware that the ads are even coming from DoubleClick, and even fewer bother to visit DoubleClick’s home page, the only place from which the opt-out service is available.

I would require Google-DoubleClick to have an easy-to-find opt-out mechanism, accessible via a link on Google’s home page. Opting out would mean that Google-DoubleClick could collect aggregated data about the user, but could not use unique cookie IDs or IP addresses. The opt-out policy would apply to Google’s search engine and other services, as well as to third-party sites that serve ads from DoubleClick.

Additionally, I would require Google-DoubleClick to allow users to review the data that the company has amassed about them and to request deletion of all unique identifiers, including IP addresses and cookie IDs, from the data.

To all readers: I hope you have enjoyed reading my blog. The project is due tomorrow, so this is my last official post, but I will try to update once in a while with new developments in the Google-DoubleClick deal as well as any important Internet-privacy-related news.

45% of the people surveyed had never voluntarliy given their name or other personal information in order to use a website, and 61% of those people would not be willing to do so. 24% of the respondents had created fake personal information when asked to register at a site.

 When asked how they felt about websites tracking the pages they visit, 27% of respondents said it would be “helpful, because the company can provide you with information that matches your interests,” while 54% said it would be “harmful, because it invades your privacy.” 63% thought that websites should not be allowed to track their visitors’ activities, and 79% said that Internet companies should ask for permission before using personal information. Finally 62% of the respondents thought that web users should have the most say over how Internet companies track people’s online activities and use personal information, while only 6% thought companies should have the most say.

1. Companies’ interest in amassing as much data on people as possible so that they can better target advertisements and therefore make more money on the advertisements, and
2. Consumers’ interest in being able to choose who gets information about them 

Right now the law leans too far in favor of interest 1. Attempts at self-regulation have not remedied this imbalance. The principles proposed by the FTC in December (see my earlier post) are a great idea, and the industry should be given a chance to comply with them through self-regulation. However, if most of the major commercial websites and advertising companies have not adopted them after a specified amount of time, the FTC needs to step in and create laws that protect consumers’ privacy. In order to strike a fair balance between the interests of companies and consumers, the new laws should accomplish the following goals:

1. Consumers should be made aware of what data is being collected. There should be a national law that is similar to (and maybe stricter than) the California Online Privacy Protection Act. Any site that automatically tracks users’ IP addresses, gives them uniquely numbered cookies, or in any way creates a record of an individual user’s online behavior, should have a privacy policy that is easy to find and understand. The privacy policy should tell users what data is collected, how the data is used, when (if ever) it will be deleted, under what conditions the data will be shared with third parties, and what will happen if the privacy policy changes. A link to the privacy policy should be located on the website’s home page. The privacy policy should be concise enough that the average person would read it, and it should be easy to find the important information listed above.
2. Companies, consumers, and the government should agree on the meanings of commonly-used terms so that there is no confusion over what companies’ privacy policies actually mean. The FTC should consider adopting the definitions proposed by the World Privacy Forum and other organizations (1).
3. Consumers must be able to opt out of any type of behavioral tracking. The easiest way to do this would be to create a national Do Not Track List, like the one that the World Privacy Forum proposed (1). The FTC should create a website where consumers can sign up for the List and should publicize the list so that the public is generally aware of it. The List should be free of charge and should give consumers the ability to choose which sites can track them and which can’t. It would also be a good idea to have an option that lets consumers opt out of tracking by all websites with a single click. In order for the list to work, all companies that conduct behavioral tracking should be required to submit their URLs to the list, and browsers should be required to adopt technology that stops sites from tracking people in accordance with the List.
4. Consumers should be able to see, edit, and delete any PII that a company has collected about them. If someone has not opted out of tracking but later decides to opt out, that person should be able to delete any embarrassing information that has been collected. Additionally, it is important that people be able to correct any inaccuracies that may be present in data collected about them.
5. Sensitive information should only be collected on an opt-in basis. I don’t think it’s necessary to ban the collection of such data, because different people may have different ideas of what information is sensitive. Some people may not mind if companies know how much money they make, since that would help ads to be more relevant, but other people may want to keep that information private. However, sensitive information (according to the World Privacy Forum’s definition) should only be collected if users choose to have it collected. Not collecting this information should be the default action.
6. Privacy laws should be strictly enforced. It should be easy for people to report violations of their privacy rights, perhaps through a website that the FTC sets up. Offending companies should be fined significant amounts of money so that they have a strong incentive to obey the law.
7. The FTC should keep privacy regulations up to date, as new tracking technology is constantly being developed. A body such as the proposed Online Consumer Protection Advisory Committee (1) should be created to report on new developments, and the FTC should pass new laws to protect privacy if the need develops.  

These proposed laws would still permit consumers to reap the benefits of customized web content and more relevant ads if they choose to be tracked. Companies could still benefit financially from behavioral targeting of the consumers who don’t opt out, and they could collect aggregated data from all users, which should still enable them to conduct research that improves their sites.

Source:

1. Consumer Rights and Protections in the Behavioral Advertising Sector. World Privacy Forum. 7 Jan. 2008 <http://www.worldprivacyforum.org/pdf/ConsumerProtections_FTC_ConsensusDoc_Final_s.pdf>.

Additionally, the letter defined non-personally identifiable information as “aggregated data not associated with any individual or any individual identifier,” and sensitive data as PII that has to do with health, finances, sexual orientation, social security numbers, insurance numbers, or government-issued ID numbers. Behavioral tracking was defined as “the practice of collecting and compiling a record of individual consumers’ activities, interests, preferences, and/or communications over time, and behavioral targeting was defined as “using behavioral tracking to serve advertisements and/or otherwise market to a consumer based on his or her behavioral record.”

I agree with these definitions. Even though an IP address may not be PII for a search engine alone, it certainly is for an Internet service provider. Any record of an individual’s behavior enables them to be profiled and targeted, regardless of whether the record is tied to a name, postal address, or social security number. I also agree that it is important for companies, consumers, and the government to agree on the definitions of commonly-used terms such as these. Otherwise it would be impossible for consumers to be fully informed of websites’ privacy practices.

Some other principles proposed in the letter include:

1. Websites cannot help themselves to data from users’ computers and should respect users’ choices to delete cookies by not continuing to set new cookies each time a user visits the site.
2. Websites shouldn’t bury important information in long, confusing privacy policies.
3. If a website puts software on a user’s computer that the user does not want, the user should be able to delete the software. 

The letter also proposed steps the government should take to insure these principles are followed:

1. Create a Do Not Track List similar to the Do-Not-Call Registry. To do this, sites that conduct behavioral tracking must submit their domain names to the FTC, the FTC must educate the public about the Do Not Track List and make it possible to sign up on its website, and browsers must make it possible to use and update the List and prevent websites from tracking users in accordance with the preferences that they have expressed on the List.
2. Require companies that conduct behavioral tracking to provide users with access to the data held about them.
3. Make it possible for the FTC to easily check up on companies to make sure they are complying with all regulations.
4. Establish a national Online Consumer Protection Advisory Committee made up of state Attorneys General and representatives from various privacy and consumer organizations to investigate new methods of tracking and develop new laws as necessary to make sure privacy rights are protected. 

Source: 

Consumer Rights and Protections in the Behavioral Advertising Sector. <http://www.worldprivacyforum.org/pdf/ConsumerProtections_FTC_ConsensusDoc_Final_s.pdf>.

On the other hand, the FTC’s solution, the Do-Not-Call Registry has a descriptive, memorable name and URL (donotcall.gov) and was widely publicized. Enrollment is free by Internet, mail, or phone, and the Registry applies to far more telemarketers than the TPS did.

In 17 years, less than 5 million people signed up with the TPS. By comparison, 10 million pepole signed up with the Do-Not-Call Registry on its first day of operation. By 2005, 60 million people had registered. Clearly, government regulation is feasible and can be done in a way that does not violate the rights of those who value the benefits of tracking. People who want to receive telemarketing calls are free to do so, while the rest of us are free from unwanted intrusions during dinner. Just as the government has acted to protect consumers’ privacy from telemarketers, the government could feasibly adopt similar measures for Internet privacy. Behavioral tracking has become so prevalent and extensive that government action may be the only solution that works.

Source:

1. Hoofnagle, Chris. “Privacy Self-Regulation: A Decade of Disappointment.” EPIC. 4 Mar. 2005. 4 Jan. 2008 <http://epic.org/reports/decadedisappoint.html>.

Way back in 1997, the FTC recommended that websites adopt some sort of anonymous payment system: the “federal government should wait and see whether private industry solutions adequately respond to consumer concerns about privacy … that arise with the growth of electronic payment systems, and then step in to regulate only if those efforts — be they market-created responses, voluntary self-regulation or technological fixes, or some combination of these — are inadequate.” (1) More than ten years later, there are still no common, easy to use online payment systems that preserve anonymity and privacy.

In 1999, the FTC and U.S. Department of Commerce announced the creation of the National Advertising Initiative (NAI) in response to a federal investigation into DoubleClick’s plan to buy large quantities of personal data from commercial data broker Abacus Direct. About a year later, the NAI announced a set of principles for self-regulation, calling for notice of websites’ privacy practices, some ability to opt out, and “reasonable” security of data. (1) There was no real means of enforcement, however, and companies that were members of the NAI were allowed to transfer data among themselves without restriction, as long as the data was only used for advertising. Furthermore, the principles applied only to members of the NAI, and eventually membership dwindled to only two companies – DoubleClick and Atlas DMT. (1)

Another attempt at self-regulation was the Individual Reference Services Group (IRSG) principles, developed by a group of data brokers – companies that sell people’s personal information to advertisers, insurers, landlords, private eyes, and the government. (1) Members of the IRSG were allowed to sell almost any personal information to “qualified subscribers,” and consumers could only opt-out of having their data sold to the “general public,” a category that did not include any of the member companies’ typical customers. (1)

The closest the FTC has come to passing privacy legislation was in 2000, when they recommended, 3 to 2, that commercial websites and ad companies be required to comply with five basic privacy principles: notice, choice, access, security, and accountability. However, a new FTC chairman was appointed in 2001 and the FTC decided to give self-regulation another chance. (1)

Since then, websites have only increased their abilities and willingness to track people’s behavior. Cookie technology has become more powerful, and cookies are increasingly set by third party advertising sites in addition to the sites that a user actually visits. Web beacons are also used extensively so that ad networks can track people’s visits to third-party sites. Digital rights management (DRM) also poses a threat to privacy, as users are increasingly required to provide identification in order to access content. Every copy of Windows Media Player is equipped with a unique ID that makes it possible to track what content people view. (1) Additionally, more and more news sites have begun requiring the disclosure of personal details in order to view their content. In surveys conducted by the Electronic Privacy Information Center (EPIC) in the 1990s, news sites customarily did not require registration of any sort. However, EPIC reported in 2005 that 7 of the top 25 news sites require the disclosure of personal information such as name, address, and email address, and 5 require the disclosure of non-personally identifiable information such as birth date, gender, and zip code. (1) These invasions of privacy cause users to resort to creating fake identities, and this causes companies to demand information even more invasively and use commercial databases to verify that the information is true.

Another problem with self-regulation is that companies have not made efforts to inform the public about how their personal data are being collected and used. Accordingly to a 2003 Annenberg survey, 57% of Internet users believe that if a company has a privacy policy, it will not share information with other entities. (1) Additionally, a Pew survey found that 56% of Internet users could not identify a cookie. (1)

Source:

1. Hoofnagle, Chris. “Privacy Self-Regulation: A Decade of Disappointment.” EPIC. 4 Mar. 2005. 4 Jan. 2008 <http://epic.org/reports/decadedisappoint.html>.

Clearly it is economically valuable for companies to find out more about their customers. By tracking our Internet activities, Google learns about our interests and serves us advertisements that we are more likely to click on. Therefore, Google’s advertisers pay Google more money. Additionally, behavioral targeting produces ads that users are less likely to find annoying. Perhaps a user could actually be served with an ad for something they wanted to buy and weren’t able to find anywhere else. 

Additionally, Google claims that behavioral tracking improves people’s search experiences. In their official blog, Google gives the example that if someone has recently been looking at sites on the Louvre and then searches for “Paris,” they’re more likely to get results about the capital of France than about Paris Hilton. (1) Google argues that it helps consumers to personalize their search results automatically, since consumers don’t have to go through the trouble of changing their search preferences to exclude certain terms or types of results. 

Furthermore, data-gathering enables Google to improve its site, which benefits Google and its users. For example, knowing how many people search for each term enables Google to provide its Spell Checker service. If someone types in a less common spelling of a search term, Google prompts them “Did you mean (the more common spelling)?” Then Google can improve the Spell Checker by tracking which suggestions are clicked on and which are not. Google can also track whether people click on the first search result or move on to another page, enabling them to further improve their search engine. According to Google’s blog, “the ability of a search company to continue to improve its services is essential, and represents a normal and expected use of such data.” (2) 

Tracking also allows Google to protect their site from security threats. Analyzing server logs enables Google to detect possible hacking attempts, phishing, spam, and attempts to monopolize their servers. The official blog goes so far as to say that “immediate deletion of IP addresses from our logs would make our systems more vulnerable to security attacks, putting the personal data of our users at greater risk.” (2) 

These benefits to Google and its customers would be diminished if users could easily opt out of being tracked. Perhaps people who often search for controversial or embarrassing topics would opt-out at a disproportionate rate, so Google’s collection of data would not accurately represent how people search. Google might argue that if data was collected on an opt-in basis, some people would be unaware of the possibilities for personalization that Google offers and would be unable to take full advantage of its services. 

Sources:

http://googleblog.blogspot.com/2007/09/search-privacy-and-personalized-search.html

http://googleblog.blogspot.com/2007/05/why-does-google-remember-information.html

The European approach to privacy tends to view privacy as a human right upon which private companies cannot infringe. The European Union has adopted a framework called the European Privacy Directive, which provides guidelines for individual nations to develop and enforce their own laws. In France, for example, employers cannot fire workers based on things they find when reading the workers’ personal emails. (1) Databases of consumer information in Europe must be registered with the government, and telemarketers and spammers can only target people who have explicitly given their permission. (1)

The Asia-Pacific Economic Cooperation (APEC) framework, on the other hand, is very weak when it comes to protecting consumers’ rights. Consumers must prove actual financial damage from the tracking and/or disclosure of their data in order for a company to be in violation of the law, something that is usually practical only in cases of identity theft. (2) This policy ignores the non-financial reasons why people value privacy, such as avoiding embarrassment or merely disliking the idea that all of one’s activities are recorded.

In the U.S., the word “privacy” is not mentioned in the Constitution, and as a result laws to protect privacy have arisen haphazardly. “There are so many industries with well-paid lobbyists ready to pounce, the minute you propose anything of any breadth you are inundated with whiny companies,” says George Washington University professor Daniel Solove. “It’s easier to do something pretty narrow and go after the ‘now’ problem and limit the amount of companies that are angry at you.” (1) For example, the Video Privacy Protection Act was passed in 1988 after a newspaper published a Supreme-Court nominee’s video rental records (1), and the Telemarketing Do-Not-Call Registry was created by the FTC in 2003 because of consumers’ frustration at excessive telemarketing calls during dinner. (3) In general, laws in the U.S. place more emphasis on protecting people from privacy intrusions by the government, while ignoring similar intrusions by private companies.

Sources: 

1. Sullivan, Bob. “Privacy Lost: EU, U.S. laws differ greatly.” MSNBC. 19 Oct. 2006. 4 Jan. 2008 <http://www.msnbc.msn.com/id/15221111/>.

2. Holtzman, David. “Google’s Paltry Privacy Proposal.” BusinessWeek.com. 12 Oct. 2007. 2 Jan. 2008 <http://www.businessweek.com/technology/content/oct2007/tc20071011_180811.htm?chan=top+news_top+news+index_technology>.

3. Hoofnagle, Chris. “Privacy Self-Regulation: A Decade of Disappointment.” EPIC. 4 Mar. 2005. 4 Jan. 2008 <http://epic.org/reports/decadedisappoint.html>.

However, some search engines, including Google, may be in violation of the California law’s guidelines of what a site must do to “conspicuously post” its policy. The law states that a site that collects data about its users must display a link to the privacy policy on its home page or “in the case of an online service, any other reasonably accessible means of making the privacy policy available for consumers of the online service.”  

It’s hard to determine exactly what constitutes a “reasonably accessible means.” Google has a link on the home page to an “About Google” page, and only when a user follows this link does a link to the privacy policy appear at the bottom of the page. Would a reasonable user necessarily think to go to “About Google” to learn about the privacy policy? And maybe, not seeing privacy as one of the topics listed in the main body of the “About” page, the user wouldn’t think to look for it at the bottom. I think it would make a lot more sense for Google to simply include a link to the privacy policy at the bottom of every page. There doesn’t seem to be a good reason for leaving this link off the home page. But because of the vague wording of the law, it is almost impossible to determine whether or not Google is meeting its legal obligations.

Source: California Online Privacy Protection Act of 2003 <http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=22001-23000&file=22575-22579 http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=22001-23000&file=22575-22579>

Google.com

Privacy policy: http://www.google.com/intl/en/privacy.html

What information do they gather when you search?

IP address, time and data of search, search terms, browser type, operating system, unique cookie ID, and what search results or ads you click on.

How long do they keep data?

Google has agreed to delete IP addresses from its server logs after 18 months, but the records of search terms may remain indefinitely.

How do they use cookies?

Cookies are used to identify each user with a string of numbers, enabling Google to track each user’s search history and customize aspects of the site. The cookies expire after two years.

What information do they share with third parties?

Google shares personal information with affiliated companies that process data for them and requires these companies to comply with Google’s privacy policy. They may also share personal information if they “have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against imminent harm to the rights, property or safety of Google, its users or the public as required or permitted by law.” Finally, Google can freely share aggregated, non-personal information.

Can you opt out?

Only by disabling cookies, which prevents you from using some of Google’s services.

How hard is it to find the privacy policy?

Privacy policy highlights ares two clicks from the home page – click on “About Google” and then “Privacy Policy” at the bottom of the page. Once you get to the privacy highlights, you must click on one more link to reach the full privacy policy.

Ask.com

Privacy policy: http://about.ask.com/en/docs/about/privacy.shtml

What information do they gather when you search?

IP address, URL of the last website you visited, browser type, operating system, unique cookie ID, and search term(s).

How long do they keep data?

They will remove any association of your search terms with your IP address after 18 months, but they may keep a record of the search terms indefinitely.

How do they use cookies?

Ask gives each user a unique cookie ID to track his or her search history, target ads, and customize some aspects of the site. The cookie expires after two years.

What information do they share with third parties?

They may share all the information described in the first question with affiliated companies that provide sponsored listings, news, or other content to them. They also may share personal and non-personal information if they “believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Service, as necessary to render or conduct a legitimate business activity related to a service we provide, or to comply with legal or regulatory obligations.”

Can you opt out?

Yes. AskEraser, which can be enabled with a simple click of the mouse, creates a cookie that tells Ask to delete any information collected about you within hours. Searching works just as well with AskEraser turned on, but some services do not. Third-party sites described above may not delete your data even if you enable AskEraser. Also, if you violate Ask’s terms of service or Ask receives a request from law enforcement, they might keep and share data about you even if AskEraser is enabled.

How hard it is to find the privacy policy?

The policy is three clicks away from the home page. Click on “About,” then “Site Policies,” and then “Privacy Policy.”

Yahoo.com

Privacy policy: http://info.yahoo.com/privacy/us/yahoo/

What information do they gather when you search?

IP address, browser type, operating system, and search terms.

How long do they keep data?

The policy doesn’t say.

How do they use cookies?

Cookies uniquely identify each user so that Yahoo can customize ads to them and conduct research on its users. Also, third-party sites that serve ads on Yahoo set cookies in people’s browsers when they visit Yahoo.

What information do they share with third parties?

Yahoo shares information with affiliated companies and companies that serve ads on Yahoo. They also share information if they “believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Yahoo!’s terms of use, or as otherwise required by law.”

Can you opt out?

You can opt out of having ads targeted to you, but not out of having your data collected.

How hard is it to find the privacy policy?

There is a link to the privacy policy at the bottom of the home page.

Ixquick.com

Privacy policy: http://us.ixquick.com/eng/privacy-policy.html

What information do they gather when you search?

URL of the last site you visited, IP address, browser type, operating system, date and time of search, search terms, and what links you click on.

How long do they keep data?

IP addresses are deleted within 48 hours.

How do they use cookies?

They use cookies to track how people use their site, but the cookies do not track users individually.

What information do they share with third parties?

They only share personal information with third parties if they “have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) detect, prevent, or otherwise address fraud, abuse, security or technical issues, or (c) protect against imminent harm to the rights, property or safety of Ixquick, its users or the public as required or permitted by law.”

How hard it is to find the privacy policy?

A link to privacy information is displayed prominently on the home page, and a link on the privacy page leads to the full privacy policy.

 So, in conclusion,  Google’s and Yahoo’s policies seem very similar, although Yahoo may be slightly worse than Google because it allows third parties to set ads when people visit its site. Ask is significantly more respectful of privacy because it offers the AskEraser. Ixquick advertises itself as being privacy-friendly and, for the most part, lives up to its expectations. It does collect similar data to the other search engines (but not unique cookie IDs) and uses the data to make sure no one is abusing or monopolizing its site. However, it does not use data to customize content for users and automatically deletes IP addresses from log files after 48 hours.