[LINK] e-Privacy and US Law

stephen at melbpc.org.au stephen at melbpc.org.au
Mon Aug 11 18:34:56 AEST 2008


Web Privacy on the Radar in Congress 
 
By STEPHANIE CLIFFORD
www.nytimes.com Published: August 10, 2008 

Here are some things Internet users can discover about Kiyoshi Martinez, a 
24-year-old man from Mokena, Ill., from some of his recent posts online.

He watched “The Colbert Report” on Tuesday night, he likes the musician 
Lenlow and he received bottles of olive oil and vinegar for his birthday. 
Mr. Martinez has Facebook and LinkedIn pages, a Twitter account and a Web 
site that includes his résumé.

So it is surprising to learn that Mr. Martinez, an aide in the Illinois 
Senate, is also vigilant about his privacy online.

“I’m pretty aware of the fact that anything you do on the Internet pretty 
much should just be considered public,” Mr. Martinez said. While he knows 
that companies are collecting his data and often tracking his online 
habits so they can show him more relevant ads, he said, he would like to 
see more transparency “about what the company intends to do with your data 
and your information.”

“Like all privacy matters, it’s something that people need to be informed 
on,” Mr. Martinez said.

Those same questions of data collection and privacy policies are 
attracting the attention of Congress, too. 

There is no broad privacy legislation governing advertising on the 
Internet. And even some in the government admit that they do not have a 
clear grasp of what companies are able to do with the wealth of data now 
available to them.

“That is why Congress, at this point, is wanting to gather a lot more 
information, because no one knows,” said Steven A. Hetcher, a professor at 
Vanderbilt University Law School. “That information is incredibly 
valuable; it’s the new frontier of advertising.”

Beyond the data question, there are issues of how companies should tell 
browsers that their information is being tracked, which area of law covers 
this and what — if anything — proper regulation would look like.

On Aug. 1, four top members of the House Committee on Energy and Commerce 
sent letters ordering 33 cable and Internet companies, including Google, 
Microsoft, Comcast and Cox Communications, to provide details about their 
privacy standards. That followed House and Senate hearings last month 
about privacy and behavioral targeting, in which advertisers show ads to 
consumers based on their travels around the Web. If an advertiser knows 
that Mr. Martinez watches “The Colbert Report,” for example, it might show 
him an ad for “The Daily Show.”

As advertisers become more sophisticated about behavioral targeting, and 
online privacy standards become increasingly varied, regulators and 
privacy advocates are becoming concerned. 

A few companies have taken precautionary measures to try to fend off 
criticism; in the last few days, for instance, both Yahoo and Google have 
made it easier for people to opt out of targeted ads on their sites. 

But that may not be enough.

“Some type of omnibus electronic privacy legislation is needed,” said 
Representative Edward J. Markey, Democrat of Massachusetts, chairman of 
the House Subcommittee on Telecommunications and the Internet, “regardless 
of the particular technologies or companies involved.” 

He and the other members of the House expect to receive responses from all 
of the companies by early this week. With the responses to the House 
letters, “we can understand exactly what each sector of the communications 
industry is technically capable of doing, and how they use the information 
once they do get access to it.”

One of the controversial new behavioral-targeting technologies is called 
deep packet inspection, and a company that does it — NebuAd — was a focus 
of the July Congressional hearings. 

In NebuAd’s version of deep packet inspection, a hardware device is put 
into an Internet service provider’s network that can track where users are 
going online. NebuAd looks for categories that the user will be interested 
in. If the device notes that a user is browsing or searching for sites 
about German automobiles, it can deliver an ad about German automobiles 
later that day, even when the user is on a site about pets.

NebuAd’s chief executive, Bob Dykes, who testified at the hearings last 
month, said his company protects privacy.

“We don’t have any raw data on the identifiable individual,” Mr. Dykes 
said in an interview last month. “Everything is anonymous.”

He said NebuAd took several steps to ensure that the information could not 
be traced back to an individual or an Internet protocol address. The 
company avoids sensitive categories, he said; someone making a search 
about H.I.V., for example, would not see related ads. And NebuAd cannot 
gain access to secure sites.

Mr. Dykes came under scrutiny at the hearings for NebuAd’s technology and 
for how the company notified consumers. 

The ways that some Internet service providers told consumers about their 
tracking were vague or too subtle, some privacy advocates and congressmen 
said. 

NebuAd lost several customers this summer amid all the scrutiny, including 
CenturyTel, Charter Communications, WideOpenWest Holdings and Embarq. 

“We will not be using this technology again until such time as all the 
privacy concerns have been addressed,” said Charles Fleckenstein, an 
Embarq spokesman.

(Page 2 of 2)

Mr. Dykes said, “We are perfectly O.K. for some of our partners to wait 
until we have a better, more informed education of the public and folks in 
Washington before they resume their rollout.”

The NebuAd controversy illustrates the difficulty of regulation in online 
advertising, when new ways of tracking users arise regularly and companies 
have different ways of handling data.

The Federal Trade Commission has made some tentative steps toward 
standards, including a December proposal on behavioral-advertising 
practices. The proposal suggested that companies provide a clear notice to 
consumers that lets them opt out of tracking, notify consumers if the 
company changes the way it uses the data and use reasonable security 
measures. It also sought comment on several matters.

But Lydia B. Parnes, the director of the F.T.C.’s Bureau of Consumer 
Protection, has said she supports industry self-regulation, saying that it 
isn’t yet clear that the consumer is being harmed and that regulations 
might be too specific to current technologies. Laws have been made on 
slices of the privacy pie, including data about finances or children. But 
complying with various pieces of legislation is difficult, companies said.

“Compliance is becoming very complex and not very clear in terms of what 
applies to a new and emerging business model,” said Mike Hintze, the 
associate general counsel at Microsoft. “From the company’s perspective of 
trying to comply with these laws, we thought a comprehensive federal 
privacy law made a lot of sense.”

There is some industry support for a comprehensive law, but any wide-
ranging law would require some legal wrangling.

“They’re raising these bigger-picture questions, and those questions are 
inherently intertwined not just with privacy laws, but also with contract 
law, computer-intrusion law, consumer-fraud law,” said Andrea M. 
Matwyshyn, an assistant professor of legal studies and business ethics at 
the Wharton School at the University of Pennsylvania. 

“When legislators are trying to regulate in this area, they’re always 
caught a little bit between a rock and a hard place,” she said. “You don’t 
want to adopt a technology-specific standard that’s destined to fail as 
technology advances faster than the law can ever hope to embody. At the 
same time, you need to allow adequate specificity in the law to allow 
companies to comply with it and allow consumers to know what their rights 
are.”

Some advertising industry groups say self-regulation is enough. The most 
prominent programs are the Online Privacy Alliance and the Network 
Advertising Initiative. Both ask members to follow principles on notifying 
consumers and avoiding personally identifiable information. 

Regulation is “certainly going to have unintended consequences and 
unintended impact,” said Mike Zaneis, the vice president for public policy 
at the Interactive Advertising Bureau, a coalition of online advertisers. 

Some civil liberties groups disagreed. 

“There’s a self-regulatory program out there which hasn’t been very 
effective,” said Alissa Cooper, the chief computer scientist at the Center 
for Democracy and Technology. She said her organization was concerned 
about NebuAd’s technology. As for general federal privacy legislation, she 
said, the center supports it but thinks more information is needed about 
data-handling.

The letter from the House committee, she said, was “a really welcome 
development in the absence of any kind of regulation.”

“The companies don’t feel the need to explain everything they’re doing,” 
she said, “so a little bit of pressure from Congress or the F.T.C. can go 
a long way.”

As government representatives think about legislation, they are also 
trying to gauge how aware and concerned consumers are about online 
privacy. 

A recent study of about 1,000 Internet users asked them if they agreed 
with the statement that they were comfortable with advertisers’ using 
their browsing history to decide what ads to show them. Thirty-nine 
percent strongly disagreed; only 6 percent strongly agreed. The study was 
conducted by TNS Global, a research firm, and TRUSTe, an online privacy 
network.

Is privacy a concern for younger consumers, who are splashing personal 
details all over MySpace? The sparse data available suggest that it is. 

A study last year of 2,274 British adults showed that people ages 18 to 24 
considered privacy tied with “avoiding hate and offense” as the most 
important consideration in digital technologies. For older people, privacy 
was second to “avoiding hate and offense.” The study was conducted by 
YouGov, a British research firm.

“People my age — in their 20s or in their 30s — a lot of them are very 
clued up on protecting privacy on the Internet,” said Ben Saxon, 23, a 
student in Cambridge, England. He has started a Facebook group objecting 
to Phorm, a NebuAd-like company that is working in Britain and is starting 
to court the United States market. Still, he said, “I don’t think complete 
privacy on the Internet is actually possible anymore.”
--

Cheers people
Stephen Loosley
Victoria, Australia



More information about the Link mailing list