The Web's Bushiest Site

A couple of weeks ago the Interactive Advertising Bureau, one of the largest industry groups and self-regulatory bodies in online advertising, instated a new code of conduct for its members. In summary, the new code requires any IAB member site that collect information about users to display the logo to the right as an indication to users that collection is occurring, and to provide users with information about what is being collected and why.

While the new code of conduct has taken flack for not actually providing clear notice, this latest action by the IAB does bring some attention to the organization’s (beta) Opt-Out page. The Opt-Out page provides users with a way to request that IAB members not collect information about them for advertising purposes. The page, located at http://www.aboutads.info/choices/, is pretty simple to use: all you need to do is visit the page, make sure you are on the “All Participating Companies” tab, select the companies that you don’t want to have track you (or click “Select All Shown” to opt-out of tracking from all IAB advertisers), and then click Submit Your Choices at the bottom. Once you submit your choices, a cookie will be placed on your computer informing the companies you selected that you do not wish to be tracked. Aside form the Opt-Out page, the site includes information about online advertising (with an industry spin of course) such as how to adjust the privacy settings in your browser and the self regulatory principles of the IAB that are worth checking out.

Does it Work?

So the page is easy to use, but does it actually increase your privacy? Well, there are a few factors to consider that show the weaknesses of the opt-out page:

It applies to IAB members – which are a lot of advertisers to be sure, and includes most of the biggest advertising companies. Still, there are a lot of other companies and sites out there that are not IAB members, and thus are not affected by this Opt-Out page.

It relies on companies respecting your decisions – Between the IAB’s own enforcement and the threat of FTC legal actions, IAB companies have plenty of reason to not track you if you tell them not to. Unfortunately, the history of Internet privacy is full of examples of sites or companies not respecting the wishes of consumers, even when they have said they would. For that reason, some skeptisim is reasonable here, and personally I’m not yet ready to trust the intentions or ability of the IAB to respect my privacy decisions. This opt-out page allows you to ask that companies shutoff their tracking, which is different from the approach tools such as Ghostery take, which actually blocks information from being sent, and is an approach I’m more willing to trust right now.

It uses cookies – If you are concerned about privacy on the Internet, you probably have your browser set to not accept cookies/delete cookies when you close the browser/or delete cookies often. That means the Opt-Out page is pretty useless to the privacy concerned, since any choices set via the page will be lost within a short amount of time. This is a problem that engineers and policy makers have been discussing since Do-Not-Track became a big deal, and in my opinion it reveals a problem with how cookies are managed by browsers. The current cookie management model of the major browsers is built on an all or nothing choice – either have all cookies on and retained, or have all cookies off and deleted. Despite years of messaging about how bad cookies are, the IAB’s Opt-Out page shows that not all cookies are bad. Browsers need a more sophisticated cookie management system that allows a user to select which cookies can be kept for a long time and which should be deleted right away. Until that happens, the Opt-Out page might as well not exist, and users should instead use opt-out plugins like TACO.

It only applies to one browser on one machine – This limitation applies to many privacy protection tools, but it is an important one. If you submit opt-out requests in Firefox on your home PC, then tracking will still occur on IE on that PC, or Firefox on your laptop.

So Should I Use It?

The short answer is no.

Unfortunately, the Opt-Out page isn’t a reliable tool for privacy protection, mostly because of the cookie problem discussed above. This is especially unfortunate since this page is likely the result of hours of discussion involving IAB companies, the FTC, and consumer groups, and represents what I would like to believe is an honest effort by the industry to address privacy concerns.

Given the level of discussion and work going into Do-Not-Track, it is likely that the IAB’s Opt-Out page will merge with a browser based Do-Not-Track manager. Until that happens, privacy concerned consumers will have to continue to rely on third party tools to prevent companies from tracking them all around the Internet.

“… there is no way we should do business with companies that have agreements with stealth provisions and that aren’t intelligible. So how are we going to change the world? Make clarity, transparency, and simplicity a national priority.”

A year and a half ago, Alan Siegel described in less than 5 minutes why the problems of privacy and consumer trust run rampant on the Internet. That legalese that every website presents you doesn’t actually inform you of anything. It is a tool of websites to obtain legal authorizations and protection.

Privacy policies were not meant to be used this way. The FTC originally promoted privacy policies as a tool for informing consumers of the benefits and risks of using websites. Over the years they have evolved into dense blocks of text that are not only useless to consumers, they are harmful to consumers.

Why aren’t clear notices a national priority? Siegel thinks they should be. The FTC has stated again and again that consumer notices should be clear and easy to understand. Unfortunately, industry self-regulation bodies and Congress don’t seem to be as interested in presenting consumers with clear and transparent information.

Why aren’t clear notices a national priority? I think we should ask the DMA’s Consumer, Ethics, and Privacy department, or IAB President Randall Rothenberg. More importantly, we should ask that question to our Representatives and Senators. We might also want to ask, why is it OK for businesses to trick consumers? Why aren’t consumers treated with respect by our businesses and our government?

Chris Hoofnagle of UC Berkeley recently did a Q & A with the San Francisco Chronicle about federal policy regarding online privacy. He highlighted the rapid changes that occur in tracking practices and the great disadvantage most users experience in protecting their privacy online. Noting that when a user performs a privacy protecting action many sites either work around the protection or just completely ignore the user’s desire, Hoofnagle argues that federal policy should turn its attention towards data retention limits as a means of establishing privacy as an online default. I agree that retention limits should be implemented in some form, but I must respectfully disagree with the implied belief that it is time to give up on user involvement in privacy protection.

As new technology continues to challenge our definition and valuation of privacy, our society needs to have a public discussion on how privacy should react to technology and vice verse. In order to match our democratic values, this discussion needs to be as inclusive as possible. To this end, federal policy needs to raise public awareness of online privacy issues and educate citizens about new threats to privacy, as well as the benefits and consequences of lost privacy. If federal policy shifts to focus on regulations defined by law and rule makers, citizens will lose their place in the discussion of privacy and technology. Furthermore, by giving up on the idea that citizens are involved in creating their online privacy environment via choice and consent, they will be deprived of one of the only situations in which citizens are educated about online privacy and asked to think critically about its value. Our society is still coming to terms with the degradation of an important value. It is all the more important that as many people as possible develop a thoroughly considered opinion on privacy and be able to voice that opinion. Defining what privacy means as a social norm in this nation, and how regulation will reflect that norm, needs to be a nationwide effort, not the function of a handful of industry and government representatives.

The fact that companies disregard the voiced privacy choices of users should not be an impetus for removing users from the privacy protection system; it should be the subject of policy initiatives that fix the broken system. Many FTC enforcement actions regarding privacy have punished deceptive actions.  In my opinion, a company action that disregards a voiced privacy choice by a user is just as  deceptive as a company action that contradict its own privacy policy because users have a reasonable expectation that if a company offers opt-outs and accepts P3P or Do-Not-Track messages then it will respect the voiced privacy decisions of a user.  P3P failed not because of technical limitations. It failed because companies were not punished for lying to users via the protocol. This type of behavior should not be tolerated in matters of commercial interaction nor matters of privacy.

So lets keep our focus on P3P and Do-Not-Track. When companies choose to ignore those technical solutions lets not call that a failure of technology. Lets recognize it for what it is, companies hearing consumers and ignoring their voices.

For most of the 90s and the early 2000s the home PC served as the foundation for an incredibly generative computing platform. By generative I mean that this PC platform allowed for relatively easy innovation and modification. Pretty much anybody was able to install whatever software was available to them, either at a store or on the Internet, in order to modify their PC foundation to meet their needs and desires. At the same time, because the PC platform was so open, a great number of people were able to create programs to meet their needs and desires, and with the advent of the Internet these programs could easily be distributed to users all over the world who wished to install them.

During this period a set of social, economic, and technical norms were established regarding a user’s ability to modify and define their personal computing platform. In general, users either purchased a finished piece of software or they acquired free (as in beer) software in order to modify the functionality of the PC hardware that they owned. The user knew what features he/she was acquiring and therefore, in theory, knew exactly what features his/her computing platform had and what activities occurred on it. Further, mostly due to the technical limitations of the time (especially the limitations of the Internet) as well as the ownership that users had over their computing platform, the norm of the time was that any changes that the software producer wanted to make to the software required some conscious act of permission on the part of the user, such as purchasing and installing an upgrade. Therefore, the user was fully aware of any changes that were occurring to his/her computing platform.

This paradigm is currently shifting. Beginning in the mid to late years of the first decade of the 21^st century, the Internet became a feasible foundation for a cloud based computing platform. While the cloud has not yet replaced the PC as the favorite computing platform of society, users are recognizing the benefits of cloud based services, especially the link to a ubiquitously available network, and making use of cloud based services. As the cloud becomes a new foundation for a generative computing platform the question has been raised: so what?
(more…)

Why do people jailbreak their Apple products? Sarah Perez asked this question at ReadWriteWeb and has concluded that people want better applications for their Apple products. Since the new iPad either addresses or nullifies many of the complaints posed by consumers, Perez then argues that there are far fewer (legitimate) reasons to jailbreak the iPad. As the argument goes, if you want some aspect of your iPad experience improved then talk to Apple, they will take care of your desires.

Perez’s argument is about the end product, the features and quality of the computer platform that I will hold in my hands. What is missing, however, is a consideration for the process. How will that end product get made? Who will make it? What role will I, as a consumer, have in the production process? While analysis continues to revolve around the quality and features of the software on the iPad, the issue that really motivates jailbreaking is the desire to change the process that leads to software on the iPad. Autonomy is the real motivation. Consumers remember having the power to define their computing platform and there are many who are not ready to cede that power to some licensors in Cupertino.

(more…)