Companies often promote consistent and reliable customer experiences. KLM touts itself as “the reliable airline” while Michelin touts its dependability “because so much is riding on your tires.” And now we have Yahoo, who announced that it will be increasing the social networking functionality in Yahoo Mail. Yahoo has the ability to promote consistency in determining user defaults for sharing information.
But social networking is a product much different than most – it is participatory. Passengers can’t fly airplanes and drivers don’t design tire tread, but social networking users control what and with whom they share information.
So what happens when a social networking service changes functionality or adds new features? How does a company be consistent in carrying-over a user’s preference from the prior version to the new one? What assumptions should it make on user privacy preferences for new features?
These considerations matter whenever an online service tries to increase its social networking functionality. Last week, Facebook unveiled new privacy controls, and we blogged that it was a welcome response to clear-up confusion. In the coming weeks Yahoo will change how status updates work in Yahoo Mail. Michael Arrington’s TechCrunch article describes it well:
[C]urrently to see status updates for others in Yahoo Mail, you have to have a mutual follow, meaning both people have agreed to be “friends.” You can then see that user’s Yahoo status updates as well as updates on third party services that they have added to their Yahoo profile as well. In the new version there will no longer be a requirement for a mutual follow. So, like on Twitter, users can follow whomever they choose. This isn’t actually a dramatic change for Yahoo, since users can follow others in this way already on Yahoo Messenger.
Like Google and Facebook before it, Yahoo is adding features to make its service more “social.” And because of the scrutiny over the changes by Google and Facebook, Yahoo seems to be going out of its way to assure users that they can rely and depend on Yahoo. According to the Yahoo Corporate Blog: Continue reading →
Adam Thierer & I offered our initial thoughts upon first reading the discussion draft of the privacy bill introduced by Rep. Rick Boucher (D-VA) & Cliff Stearns (R-FL). In PFF’s latest TechCast, I sat down to discuss the bill and my concerns about it with PFF’s VP for Communications, Mike Wendy:
Stay tuned for more from us on this. PFF plans to file written comments, as solicited by the bill’s authors, by June 4. For more on this, check out our comments to the FTC last December on these issues.
Subscribe now to PFF’s TechCast podcast (generally 5-8 minutes) by RSS or through iTunes!
By Adam Thierer & Berin Szoka
Opt-in mandates may soon be coming to an Internet near you! Rick Boucher, House Energy & Commerce Committee Chairman, is expected to soon introduce the privacy bill he’s been working on behind closed doors for many months. At the heart of the bill is supposed to be a mandate that websites and services obtain opt-in consent prior to collecting information with users—at least if they plan on sharing that information with any third party or doing with it beyond what a narrow safe harbor would allow.
Boucher is apparently trying to strike the right balance between “protecting privacy” and the benefits to users of advertising and data collection. But there may be significant costs to an opt-in regime that are little appreciated by privacy advocates, who tend to think of opt-out as meaningless and opt-in as the ideal of user empowerment. In their new paper “
Opt-in Dystopias,” Google’s Senior Policy Counsel Nicklas Lundblad and Policy Manager Betsy Masiello provide a sophisticated analysis of the dark side of opt-in. They argue that “mandatory opt-in applied across contexts of information collection is poised to have several unintended consequences on social welfare and individual privacy,” specifically:
• Dual cost structure: Opt-in is necessarily a partially informed decision because users lack experience with the service and value it provides until after optingin. Potential costs of the opt-in decision loom larger than potential benefits,
whereas potential benefits of the opt-out decision loom larger than potential costs.
•
Excessive scope: Under an opt-in regime, the provider has an incentive to exaggerate the scope of what he asks for, while under the opt-out regime the provider has an incentive to allow for feature-by-feature opt-out.
•
Desensitisation: If everyone requires opt-in to use services, users will be desensitised to the choice, resulting in automatic opt-in.
•
Balkanisation: The increase in switching costs presented by opt-in decisions is likely to lead to proliferation of walled gardens.
Lundblad and Masiello discuss each of those concerns in great detail, so read the paper for further elaboration. They do a particularly good good walking the reader through the complexity of even defining what we mean by “opt-in,” which is far trickier than most people imagine.
Continue reading →
by Adam Thierer & Berin Szoka, Progress Snaphot 6.1
Stephanie Clifford of the
New York Times posted a very interesting article this week summarizing a recent “on-the-record chat” the Times staff had with Federal Trade Commission (FTC) chairman Jon Leibowitz and FTC Bureau of Consumer Protection chief David Vladeck. The interview [discussed by Braden here] is profoundly important in that it reveals an alarming disconnect regarding the relationship between “privacy” regulation and the future of media, which were the subjects of their discussion with Times staff. Namely, Leibowitz and Vladeck apparently fail to appreciate how the delicate balance between commercial advertising and journalism is at risk precisely because of the sort of regulations they apparently are ready to adopt. Because the value of online advertising depends on data about its effectiveness and consumers’ likely interests, and because advertising is indispensable to funding media, what’s ultimately at stake here is nothing short of the future of press freedom.
The “Day of Reckoning” Is Upon Us
Leibowitz and Vladeck spend the first half of
The Times interview wringing their hands about “privacy policies,” the declarations made by websites and advertising networks about their data collection and use practices (for which the FTC can and must hold them accountable). But the two feel that privacy policies don’t adequately inform consumers. Chairman Leibowitz claims that online companies “haven’t given consumers effective notice, so they can make effective choices.” And Mr. Vladeck states that advise-and-consent models “depended on the fiction that people were meaningfully giving consent.” But he and the FTC seem ready to abandon the notice and choice model because the “literature is clear” that few people read privacy policies, Vladeck told the Times. He and Leibowitz continue:
“Philosophically, we wonder if we’re moving to a post-disclosure era and what that would look like,” Mr. Vladeck said. “What’s the substitute for it?” He said the commission was still looking into the issue, but it hoped to have an answer by June or July, when it plans to publish a report on the subject. Mr. Leibowitz gave a hint as to what might be included: “I have a sense, and it’s still amorphous, that we might head toward opt-in,” Mr. Leibowitz said.
This clearly foreshadows the regulatory endgame we have long suspected was coming. When the FTC released its “Self-Regulatory Principles for Online Behavioral Advertising” eleven months ago, we asked: “What’s the Harm & Where Are We Heading?” Their answers to both questions have become clearer with each new calculated comment—all apparently intended to slowly “turn up the heat” on the advertising industry so that the proverbial frog will stay in the pot until the water finally boils. Leibowitz’s FTC has simply dodged the “harm” question with a four-part strategy: Continue reading →
A coalition of ten self-described “consumer and privacy advocacy organizations” today demanded legislation that would restrict the collection and use of data online for customizing advertising based on Internet users’ interests. I’ll have more to say on this but here are my initial comments:
These so-called “consumer advocates” are actually anti-consumer elitists. Not only do they presume that consumers are too stupid or lazy to make their own decisions about privacy, but they ignore the benefits to consumers: more relevant advertising plus more and better content.
Advertising has been the “mother’s milk” of media in America since colonial times and the future of media depends on the ability of publishers to replicate that revenue model online. Micropayments, donations, subscriptions alone simply can’t fund a vibrant marketplace of ideas. Only personalized advertising can sustain publishers through the Digital Revolution.
Regulatory advocates haven’t demonstrated any harm to consumers that would justify such sweeping preemptive regulation. By strangling funding for new media, such regulations would amount to an “Industrial Policy” for the Internet. Instead, policymakers should focus on educating consumers and empowering them by promoting development of better privacy management tools.
Mediapost has published an interview I gave to Omar Tawakol, founder of the BlueKai registry entitled “User Empowerment, Not Regulation, Is The Answer to Privacy Concerns About Targeted Ads” in which I summarize the arguments Adam Thierer and I have been making since our “Principles to Guide the Debate” piece last September.
We argue for user empowerment over restrictive defaults (like “opt-in”) for data use and collection because, as the Supreme Court held in 2000: “Technology expands the capacity to choose; and it denies the potential of this revolution if we assume the Government is best positioned to make these choices for us.”
We promote tools that let users make their own decisions about privacy, not only because those decisions are fundamentally subjective, but because regulatory mandates could stifle the development of online content and commerce.
I also note the parallels between speech controls and privacy regulation, and call for a consistent, principled approach to both:
Since 1997, the Supreme Court has struck down multiple legislative attempts to censor online and offline content [especially the CDA] because there were “less restrictive alternatives” that would not so heavily burden free speech rights. In a 2000 cable-related decision, the Court held that “targeted blocking [by users] is less restrictive than banning, and the Government cannot ban speech if targeted blocking is a feasible and effective means of furthering its compelling interests.”
Courts have struck down other federal and state speech controls because parents had the tools to filter their kids’ access to information online, in video games, etc., as described in my PFF colleague Adam Thierer’s ongoing catalog of these tools…
Many who oppose industry self-regulation are not really “consumer advocates” because they don’t recognize that consumers have many, competing values. Those regulatory advocates are more interested in their preferred one-size-fits-all mandates than in empowering users to determine their own privacy preferences.
Like advocates of censorship, privacy zealots assert great dangers to which citizens are supposedly oblivious but which urgently require government intervention-dismissing arguments to the contrary as either uninformed or irresponsible.
The comments on the interview are equally worth reading. Jeff Chester, who has made a career out of attacking advertising, quickly posted a comment dismissing, but ignoring, my arguments about consumer welfare as corporate propaganda—just as he did with his comment on the post Adam and I wrote in June about congressional hearings on the issue featuring Chester (and Scott Cleland, the right-wing “Bizarro Chester“). I’ve had it with Chester’s ad hominem attacks on the motives of those who disagree with him, as I explained in my reply to Chester: Continue reading →
Internet policy Shame Artist extraordinaire Chris Soghoian has struck again! Chris recently shamed the online advertising industry into improving their privacy practices with his Targeted Advertising Cookie Opt-Out (TACO) plug-in for Firefox. Now Chris has set his sight on the security practices of cloud service providers.
A letter released this morning, signed by 37 leading online security experts (and organized by Chris), calls on Google to offer persistent SSL (HTTPS) encryption by default for all Google services—or at the very least, to make more visible the option currently given to users to opt-in to use SSL for all communications. Google, in its response, indicated that it was already “looking into whether it would make sense to turn on HTTPS as the default for all Gmail users.”
While Google’s response identifies some clear problems with implementing persistent SSL for all users (esp. connection speed), few would deny that it makes sense for webmail providers to encrypt all traffic using SSL, rather than sending email data “in the clear,” which risks interception by hackers. We at PFF hold no brief for Google, in fact we have found ourselves disagreeing with them on many other occasions on a range of issues (most notably net neutrality mandates). Nonetheless, on this front, Google has long been a leader, having offered SSL since Gmail launched and having begun providing the persistent HTTPS option last summer while most of their competitors still use SSL only for the initial authentication that occurs when a user first signs in. While the letter focuses on Google and webmail in particular, this issue has far broader implications for all online cloud service providers.
No Free Lunch: The Costs of Encryption
Gmail, Yahoo! Mail, Hotmail, etc. are, of course, “free” (
i.e., ad-supported). Google in particular has lead the way in increasing the functionality offered in Gmail, not just constantly increasing the total storage space provided to every user (now over 7GB), but regularly adding innovative new features—at no charge to users. Continue reading →
As Berin mentioned last week, we have a new paper out on proposals to expand the Children’s Online Privacy Protection Act (COPPA) of 1998. We generically refer to those COPPA-expansion efforts as “COPPA 2.0.” Hence, the title of our paper: “COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech.” To recap what Berin already noted, in the name of improving online child safety, some legislators and state attorneys general (AGs) are advocating the expansion of COPPA’s “verifiable parental consent” model of age verification before certain sites or services may collect, or enable the sharing of, personal information for children.
Unlike “COPPA 1.0,” however, which only applied to children under the age of 13, “COPPA 2.0” would apply to all minors up to age 17. Moreover, the range of sites covered by the new law would generally be expanded to include just about any site or service with social networking functionality.
Since Berin has already summarized our general concerns with efforts to expand COPPA’s “verifiable parental consent” online age verification system to cover more online users and sites, I thought I would focus here on what I believe will be the most controversial (and important) part of our paper — our discussion about how COPPA 2.0 affects the speech rights of both adults
and adolescents.
Continue reading →
Google’s new “Interest Based Advertising” (IBA) program represents the company’s first foray into what is generally called “Online Behavioral Advertising” (OBA): In order to deliver more relevant advertising, Google will begin tailoring ads delivered through AdSense on the Google Content Network (GCN) and YouTube.com (but not Google.com). This tailoring will be based on a profile of each user’s interests created by tracking their browsing activity across sites that use AdSense-but not search queries or other user information. Until now, (i) AdSense has delivered essentially “contextual” advertising by choosing which ad to display on a page based on an algorithmic analysis of keywords on that page; and (ii) Google has tracked users’ browsing only for analytics purposes-to limit the number of times a user sees a particular ad (to prevent overexposure) and to allow sequencing of ads in campaigns where one ad must follow another.
Google is sure to be attacked for crossing a “line in the sand” drawn by some privacy advocates between contextual and behavioral advertising-even though Google’s closest competitor, Yahoo!, already offers a similar program, and the concept in general is hardly new. Google’s position as the leading search engine and third party ad-delivery network will no doubt cause paroxysms of privacy hysteria among those who consider targeted advertising inherently invasive, unfair or manipulative.
But those whose first priority is advancing consumer privacy, not advancing a political or regulatory agenda, should applaud Google for excluding sensitive categories and for putting the new Ad Preference Manager at the core of the company’s new IBA program. The Ad Preference Manager sets a new “gold standard” for implementing the principles of Notice and Choice, which have formed the core of both OBA industry self-regulation and the various regulatory proposals made in recent years. Indeed, Google has done precisely what Adam Thierer and I have called for: giving consumers more granular control over their own privacy preferences by developing better tools.
Continue reading →
The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.