We had a great discussion yesterday about the technical underpinnings of the ongoing privacy policy debate in light of the discussion draft of privacy legislation recently released by Chairman Rick Boucher (see PFF’s initial comments here and here). I moderated a free-wheeling discussion among terrific panel consisting of:
- Lorrie Faith Cranor,
Associate Professor, Computer Science, Engineering & Public Policy at Carnegie Mellon University; director of the CyLab Usable Privacy and Security Laboratory
- Ari Schwartz, Vice President & Chief Operating Officer, Center for Democracy & Technology
- Shane Wiley, Senior Director, Privacy & Data Governance, Yahoo!
Here’s the audio (video to come!)
Ari got us started with an intro to the Boucher bill and Shane offered an overview of the technical mechanics of online advertising and why it requires data about what users do online. Lorrie & Ari then talked about concerns about data collection, leading into a discussion of the challenges and opportunities for empowering privacy-sensitive consumers to manage their online privacy without breaking the advertising business model that sustains most Internet content and services. In particular, we had a lengthy discussion of the need for computer-readable privacy disclosures like P3P (pioneered by Lorrie & Ari) and the CLEAR standard developed by Yahoo! and others as a vital vehicle for self-regulation, but also an essential ingredient in any regulatory system that requires that notice be provided of the data collection practices of all tracking elements on the page. For more info, check out:
- Ari’s recent paper Looking Back at P3P: Lessons for the Future
- Lorrie’s work on P3P Deployment on Websites and Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach.
- The IAB/NAI Technical Specifications for CLEAR Ad Notice (Control Links for Education and Advertising Responsibly)
In particular, we touched on the critical question raised by the Boucher bill: Will website publishers be required to disclose the data collection practices of all parties they allowed to collect data from thei webpages? While it is commonly said that websites “share” information with advertisers (a view seemingly implied by the Boucher bill), in fact, it would be more accurate to say that website publishers simply allow third parties to load tracking elements on their pages, and as a technical matter, they have no way of knowing definitively who all the data collectors on their page might be, let alone what their particular data collection and privacy practices are—not just for behavioral advertising, but for the basic reporting, analytics, conversion optimization, sequencing, frequency capping, and other techniques that make online ads profitable for publishers (thus supporting more free content and services) and also more relevant to users. More on this to come!