[LINK] e-Privacy and US Law
stephen at melbpc.org.au
stephen at melbpc.org.au
Mon Aug 11 18:34:56 EST 2008
Web Privacy on the Radar in Congress
By STEPHANIE CLIFFORD
www.nytimes.com Published: August 10, 2008
Here are some things Internet users can discover about Kiyoshi Martinez, a
24-year-old man from Mokena, Ill., from some of his recent posts online.
He watched The Colbert Report on Tuesday night, he likes the musician
Lenlow and he received bottles of olive oil and vinegar for his birthday.
Mr. Martinez has Facebook and LinkedIn pages, a Twitter account and a Web
site that includes his résumé.
So it is surprising to learn that Mr. Martinez, an aide in the Illinois
Senate, is also vigilant about his privacy online.
Im pretty aware of the fact that anything you do on the Internet pretty
much should just be considered public, Mr. Martinez said. While he knows
that companies are collecting his data and often tracking his online
habits so they can show him more relevant ads, he said, he would like to
see more transparency about what the company intends to do with your data
and your information.
Like all privacy matters, its something that people need to be informed
on, Mr. Martinez said.
Those same questions of data collection and privacy policies are
attracting the attention of Congress, too.
There is no broad privacy legislation governing advertising on the
Internet. And even some in the government admit that they do not have a
clear grasp of what companies are able to do with the wealth of data now
available to them.
That is why Congress, at this point, is wanting to gather a lot more
information, because no one knows, said Steven A. Hetcher, a professor at
Vanderbilt University Law School. That information is incredibly
valuable; its the new frontier of advertising.
Beyond the data question, there are issues of how companies should tell
browsers that their information is being tracked, which area of law covers
this and what if anything proper regulation would look like.
On Aug. 1, four top members of the House Committee on Energy and Commerce
sent letters ordering 33 cable and Internet companies, including Google,
Microsoft, Comcast and Cox Communications, to provide details about their
privacy standards. That followed House and Senate hearings last month
about privacy and behavioral targeting, in which advertisers show ads to
consumers based on their travels around the Web. If an advertiser knows
that Mr. Martinez watches The Colbert Report, for example, it might show
him an ad for The Daily Show.
As advertisers become more sophisticated about behavioral targeting, and
online privacy standards become increasingly varied, regulators and
privacy advocates are becoming concerned.
A few companies have taken precautionary measures to try to fend off
criticism; in the last few days, for instance, both Yahoo and Google have
made it easier for people to opt out of targeted ads on their sites.
But that may not be enough.
Some type of omnibus electronic privacy legislation is needed, said
Representative Edward J. Markey, Democrat of Massachusetts, chairman of
the House Subcommittee on Telecommunications and the Internet, regardless
of the particular technologies or companies involved.
He and the other members of the House expect to receive responses from all
of the companies by early this week. With the responses to the House
letters, we can understand exactly what each sector of the communications
industry is technically capable of doing, and how they use the information
once they do get access to it.
One of the controversial new behavioral-targeting technologies is called
deep packet inspection, and a company that does it NebuAd was a focus
of the July Congressional hearings.
In NebuAds version of deep packet inspection, a hardware device is put
into an Internet service providers network that can track where users are
going online. NebuAd looks for categories that the user will be interested
in. If the device notes that a user is browsing or searching for sites
about German automobiles, it can deliver an ad about German automobiles
later that day, even when the user is on a site about pets.
NebuAds chief executive, Bob Dykes, who testified at the hearings last
month, said his company protects privacy.
We dont have any raw data on the identifiable individual, Mr. Dykes
said in an interview last month. Everything is anonymous.
He said NebuAd took several steps to ensure that the information could not
be traced back to an individual or an Internet protocol address. The
company avoids sensitive categories, he said; someone making a search
about H.I.V., for example, would not see related ads. And NebuAd cannot
gain access to secure sites.
Mr. Dykes came under scrutiny at the hearings for NebuAds technology and
for how the company notified consumers.
The ways that some Internet service providers told consumers about their
tracking were vague or too subtle, some privacy advocates and congressmen
NebuAd lost several customers this summer amid all the scrutiny, including
CenturyTel, Charter Communications, WideOpenWest Holdings and Embarq.
We will not be using this technology again until such time as all the
privacy concerns have been addressed, said Charles Fleckenstein, an
(Page 2 of 2)
Mr. Dykes said, We are perfectly O.K. for some of our partners to wait
until we have a better, more informed education of the public and folks in
Washington before they resume their rollout.
The NebuAd controversy illustrates the difficulty of regulation in online
advertising, when new ways of tracking users arise regularly and companies
have different ways of handling data.
The Federal Trade Commission has made some tentative steps toward
standards, including a December proposal on behavioral-advertising
practices. The proposal suggested that companies provide a clear notice to
consumers that lets them opt out of tracking, notify consumers if the
company changes the way it uses the data and use reasonable security
measures. It also sought comment on several matters.
But Lydia B. Parnes, the director of the F.T.C.s Bureau of Consumer
Protection, has said she supports industry self-regulation, saying that it
isnt yet clear that the consumer is being harmed and that regulations
might be too specific to current technologies. Laws have been made on
slices of the privacy pie, including data about finances or children. But
complying with various pieces of legislation is difficult, companies said.
Compliance is becoming very complex and not very clear in terms of what
applies to a new and emerging business model, said Mike Hintze, the
associate general counsel at Microsoft. From the companys perspective of
trying to comply with these laws, we thought a comprehensive federal
privacy law made a lot of sense.
There is some industry support for a comprehensive law, but any wide-
ranging law would require some legal wrangling.
Theyre raising these bigger-picture questions, and those questions are
inherently intertwined not just with privacy laws, but also with contract
law, computer-intrusion law, consumer-fraud law, said Andrea M.
Matwyshyn, an assistant professor of legal studies and business ethics at
the Wharton School at the University of Pennsylvania.
When legislators are trying to regulate in this area, theyre always
caught a little bit between a rock and a hard place, she said. You dont
want to adopt a technology-specific standard thats destined to fail as
technology advances faster than the law can ever hope to embody. At the
same time, you need to allow adequate specificity in the law to allow
companies to comply with it and allow consumers to know what their rights
Some advertising industry groups say self-regulation is enough. The most
prominent programs are the Online Privacy Alliance and the Network
Advertising Initiative. Both ask members to follow principles on notifying
consumers and avoiding personally identifiable information.
Regulation is certainly going to have unintended consequences and
unintended impact, said Mike Zaneis, the vice president for public policy
at the Interactive Advertising Bureau, a coalition of online advertisers.
Some civil liberties groups disagreed.
Theres a self-regulatory program out there which hasnt been very
effective, said Alissa Cooper, the chief computer scientist at the Center
for Democracy and Technology. She said her organization was concerned
about NebuAds technology. As for general federal privacy legislation, she
said, the center supports it but thinks more information is needed about
The letter from the House committee, she said, was a really welcome
development in the absence of any kind of regulation.
The companies dont feel the need to explain everything theyre doing,
she said, so a little bit of pressure from Congress or the F.T.C. can go
a long way.
As government representatives think about legislation, they are also
trying to gauge how aware and concerned consumers are about online
A recent study of about 1,000 Internet users asked them if they agreed
with the statement that they were comfortable with advertisers using
their browsing history to decide what ads to show them. Thirty-nine
percent strongly disagreed; only 6 percent strongly agreed. The study was
conducted by TNS Global, a research firm, and TRUSTe, an online privacy
Is privacy a concern for younger consumers, who are splashing personal
details all over MySpace? The sparse data available suggest that it is.
A study last year of 2,274 British adults showed that people ages 18 to 24
considered privacy tied with avoiding hate and offense as the most
important consideration in digital technologies. For older people, privacy
was second to avoiding hate and offense. The study was conducted by
YouGov, a British research firm.
People my age in their 20s or in their 30s a lot of them are very
clued up on protecting privacy on the Internet, said Ben Saxon, 23, a
student in Cambridge, England. He has started a Facebook group objecting
to Phorm, a NebuAd-like company that is working in Britain and is starting
to court the United States market. Still, he said, I dont think complete
privacy on the Internet is actually possible anymore.
More information about the Link