Working in any field of public policy is a bit like living in a haunted house: You spend most of your day dodging bogeymen, ghosts, phantasms, phantoms and specters of imagined harms, frauds, invasions and various conspiracies supposedly perpetrated by evil companies against helpless consumers, justice, God, Gaia, small woodland creatures and every sort of underserved, disadvantaged and/or underprivileged group of man, animal, vegetable and mineral imaginable.

But Internet policy—particularly online privacy—tends to be haunted by such groundless imaginings far more than most other areas of policy, largely because it manifests itself in ways that are far more real and immediate to ordinary users. For example, as outraged as any of us might feel about the Gulf oil spill, how many of us have the slightest clue what’s really involved (beyond what we’ve learned watching TV anchors stumble through a vocabulary they don’t understand)?

By contrast, huge numbers of Americans have daily interaction with web services like those provided by Google, Microsoft, Yahoo, Twitter and Facebook. That doesn’t mean we necessarily  understand how these technologies work. Indeed, quite the contrary! As Arthur C. Clark said, “Any sufficiently advanced technology is indistinguishable from magic.” But we often think we know how these technological marvels work, and certainly sound much more informed when we spout off (pun intended) about these things than, say, “top kills” on the bottom of the ocean floor. In short, we know just enough web services to be dangerous when we ground strong policy positions in our unsophisticated understanding of how things really work online.

There are few better examples of this than the constantly repeated bugaboo that “Facebook sells your data to advertisers!” Or “Facebook only wants you to share more information with more people for advertising purposes!” These myths bear no relation to how advertising on social networking sites actually works, as Facebook CEO Sheryl Sandberg explains beautifully in a short tutorial video. Here’s the key portion:

We also protect your privacy by virtue of the way our advertising system works. Because our system chooses which ads to show you, we don’t need to share any of your personal information with advertisers in order to show you relevant ads. In order to advertise on Facebook, advertisers give us an ad they want us to display and tell us the kinds of people they want to reach. We deliver the ad to people who fit those criteria without revealing any personal information to the advertiser. The only information we provide to advertisers is aggregate and anonymous data, so they can know how many people viewed their ad and general categories of information about them. Ultimately, this helps advertisers better understand how well their ads work so they can show better ads.

And here’s the video:

http://www.facebook.com/v/10150228703690484 You can’t blame average users for not understanding how Facebook’s ad system works. That doesn’t make them stupid! They may be ignorant, but their ignorance is perfectly rational. Ultimately, it’s up to companies like Facebook to try to overcome the perception-of-technology-as-magic problem—lest consumers assume it must be black magic. Still, I’m sure we’ll keep hearing this myth repeated in the future, as similar myths have been in other areas of the privacy debate. I only wish more companies would prepare similarly concise videos that explain how their systems work to dispel some of this technopanic hysteria. Here are two particularly good examples of effective tutorials:

Today’s Online Safety Technical Working Group (OSTWG) meeting included some heated debate about whether online intermediaries should be doing more to assist law enforcement to help track down child predators and those producing and distributing child pornography. (It’s not clear whether or when NTIA will actually put the archived video or a transcript online at this point).

Most interesting was the third panel of the day (agenda), which devolved into a shouting match as Dr. Frank Kardasz (resume) of the Arizona Internet Crimes Against Children (ICAC) Task Force basically accused Internet intermediaries of being willing accomplices in crimes of sexual abuse against children—and suggested that they could be charged as co-defendants in child porn prosecutions. A few industry folks in the room expressed their outrage at such slander. A retired law enforcement officer perhaps put it best when he said that he had never dealt with an ISP that didn’t sincerely want to help law enforcement stop this monstrous crime.

Apart from those pyrotechnics, and a superb morning presentation by the Pew Internet Project’s Amanda Lenhart about “Social Media & Young Adults,” the most interesting part of the day concerned data retention mandates. Even as a debate rages in Washington about how much collection and use of online data should be permitted, Dr. Kardasz suggested online service providers should be required to hold user data for 5 years. A number of attendees noted the staggering costs of such a mandate given the sheer volume of information shared every day by use, especially for startups for whom building monitoring and compliance infrastructure can be a significant barrier to entry. Of course, practical objections are always answered with practical counter-solutions—in this case, several attendees asked why we couldn’t just provide tax incentives or stimulus money to defray such costs. One attendee joked that we’d have to devote the entire state of Montana just to house all the necessary server farms.

But the strongest objection came from John Morris of the Center for Democracy & Technology, who rightly noted that no amount of government subsidies for data retention could prevent leakage of sensitive private data. For this reason and because of the basic civil liberties at stake whenever the government has access to large pools of data about its citizens, Morris argued that we need to strike a balance between how we protect children & the values of free society. Dave McClure of the US Internet Industry Association (USIIA) seconded this point powerfully: If such vast data is retained, it will be abused.

Then the riposte from advocates of data retention mandates: Aren’t online intermediaries already retaining huge amounts of consumer information? If they can do that, why can’t they retain the data we need to track down child predators and child porn distributors?

John Morris and the ACLU’s Chris Calabrese patiently explained just how different these two kinds of data retention really are. Advertisers don’t care who you are—just what you’re likely to be interested in. So it simply isn’t worth the cost for them to retain the massive logs of data tracking every site a user has been to and when, or even tying that information to an IP address. All the advertiser wants is to be able to correlate information about likely interests with a cookie that uniquely identifies a computer (which likely, but not necessarily, corresponds to a user). I couldn’t have explained this difference better myself!

They didn’t specifically get into this example, but even a company like Phorm, which offers behavioral advertising based on inspecting packets sent back and forth by an Internet user doesn’t actually retain the kind of “digital dossier” of a user’s browsing activity that some advocates of increased data regulation fear–or that law enforcement wants. Instead, Phorm examines certain kinds of pages visited by users (e.g., no HTTPS or email) and looks for keywords (excluding sensitive things like phone numbers, social security numbers and credit card numbers) that suggest the user might be interested in a particular marketing category. The data about where the user has visited is then discarded, leaving only the marketing categories matched to that user’s unique ID (e.g., dog-owner, fly-fisher).

So even when it comes to the much-feared “Deep Packet Inspection,”what advertisers want is profoundly different from the kind of data retention mandates proposed by Kardasz and others in law enforcement. Moreover, given the costs entailed in data storage and processing, the mere fact that something is theoretically possible doesn’t mean advertisers are willing to pay for it just to try to tell you about their product! That critical point has been missing from most of the ongoing conversation about regulating “targeted” advertising, which tend to focus on the theoretical possibility of a particular data collection/use/aggregation practice rather than whether it’s actually being done or even whether it would make economic sense to do so. So I’m glad to see John Morris and Chris Calabrese making these vital points.

I don’t mean to pull a “gotcha!” on them as representatives of two organizations that have also been outspoken in calling for restrictions on the private use of data (especially since I can’t do justice them by quoting them precisely here without a transcript of the event or the ability to go back and listen to this fascinating exchange again). I’m sure they would respond that the potential for abuse still exists when private companies collect data about users for advertising purposes: Some companies might collect so much data that it could be tied back to a particular user and cause actual harm if released, which is always a possibility. That would be a fair response, but it would at least place us in a constructive debate between reasonable people about the costs and benefits of data sharing and whether government regulation is really the best way to address privacy concerns.

The important point is that they recognize the difference in kind between the collection of limited amounts of data for advertising purposes and the kind of comprehensive data mandates proposed by Kardasz and others. If nothing else, that difference means that one can take a principled stance—as I do—against data retention mandates as a governmental invasion of our privacy but also in favor of reliance on user empowerment, education, targeted enforcement of existing laws, etc. as less restrictive alternatives to government regulation of private data use, just as with parental control and empowerment over parentalist censorship.  As Adam Thierer and I have argued, because there are significant costs to regulation for consumers, free speech and culture, any government mandates should be narrowly tailored to addressing real, demonstrable harms rather than vague, unsubstantiated fears or amorphous concepts like “dignity interests.”

The other critical part of our “layered approach” to privacy concerns is building a higher “Wall of Separation Between Web and State.” Concretely, that means opposing such onerous data retention mandates and reforming ECPA—a subject mentioned only at the end of today’s meeting. In the comments I filed recently on the Notice written by CDT for the FCC, I praised CDT’s work in this area and look forward to working with them (and the ACLU and groups like EFF) on that cause in the future, despite our differences on private data use regulation.

The Progress & Freedom Foundation has just launched the new Center for Internet Freedom.  CIF offers an alternative to the proliferation of advocacy groups calling for government intervention online by offering timely analyses and critiques of proposals that diminish the vital role of free markets, free speech and property rights.  We aim to drive the Internet policy debate in new directions by emphasizing a layered approach of technological innovation, user education, user self-help, industry self-regulation, and the enforcement of existing laws consistent with the First Amendment.  Such an approach is a less restrictive—and generally more effective—alternative to increased regulation.  

Here are some of the issues I’ll be working on as CIF’s Director in conjunction with my esteemed colleagues Adam Thierer, Adam Marcus, and adjunct fellows: 

• Defending online advertising as the lifeblood of online content & services, especially in the “Long Tail”;
• Emphasizing market solutions to problems of privacy protection, especially regarding the use of cookies and packet inspection data;
• Protecting online speech and expression both in the U.S. and abroad;
• Defending Section 230 immunity for Internet intermediaries;
• Opposing online taxation and legal barriers to e-commerce and digital payments, especially at the state and local levels; and
• Ensuring that Internet governance remains transparent and accountable without hampering the evolution of the Internet.

By Berin Szoka & Adam Thierer Progress Snapshot 4.19 (PDF)

Since the fall of 2008, a debate has raged in Washington over “targeted online advertising,” an ominous-sounding shorthand for the customization of Internet ads to match the interests of users.  Not only are these ads more relevant and therefore less annoying to Internet users than untargeted ads, they are more cost-effective to advertisers and more profitable to websites that sell ad space.  While such “smarter” online advertising scares some—prompting comparisons to a corporate “Big Brother” spying on Internet users—it is also expected to fuel the rapid growth of Internet advertising revenues from $21.7 billion in 2007 to $50.3 billion in 2011-an annual growth rate of more than 24%. Since this growing revenue stream ultimately funds the free content and services that Internet users increasingly take for granted, policymakers should think very carefully about what’s really best for consumers before rushing to regulate an industry that has thrived for over a decade under a layered approach that combines technological “self-help” by privacy-wary consumers, consumer education, industry self-regulation, existing state privacy tort laws, and Federal Trade Commission (FTC) enforcement of corporate privacy policies.

In an upcoming PFF Special Report, we will address the many technical, economic, and legal aspects of this complicated policy issue-especially the possibility that regulation may unintentionally thwart market responses to the growing phenomenon of users blocking online ads.

We will also issue a three-part challenge to those who call for regulation of online advertising practices:

1. Identify the harm or market failure that requires government intervention.
2. Prove that there is no less restrictive alternative to regulation.
3. Explain how the benefits of regulation outweigh its costs.

The Online Advertising Market

While there are other forms of targeted advertising based on who you are (“demographic”) or where you are (“locational”), the most important varieties are based on what you’re searching for, seeing or doing online at any particular moment (“contextual”) and the pattern of what you’re searching for, seeing or doing over time (“behavioral”). The bulk of Internet advertising falls into one or both of these last two categories, with behavioral advertising growing rapidly.

Search engines deliver contextual ads on search results pages based on the search keywords entered by a user, while third-party advertising networks (some of which also run search engines) deliver contextual ads on behalf of website operators who sell ad space to the network, with the ads displayed on each page chosen according to keywords on that page. Contextual advertising is far “smarter” than displaying the same “dumb” untargeted banner ads to every user, because the contextual ad uses keywords to “guess” what the user is interested in based on the context of each page. But the purely contextual ad network doesn’t “remember” what the user has looked at in the past, so its insights into what the user would find relevant are very limited, especially for some websites. Online behavioral advertising (OBA) solves this problem and increases the value of advertising space on all websites by targeting ads based on a “profile” of the user created by tracking websites the user has visited—as well as limiting the number of times a user is shown a particular ad.

The Perceived Harm Driving Calls for Regulation

For a decade, the basic technology behind OBA has changed little: When a user visits the typical webpage, they download not only the webpage contents but also a small piece of code that allows the website to distinguish that user’s browser from other browsers (a “cookie”)—without personally identifying the user. Some cookies are required to make sites work properly (“site cookies”) while others (“tracking cookies”) are used by the third party ad network in which that site participates to recognize that browser across multiple sites participating in the ad network, and thus create a “profile” of what the user might be interested in. Even though such profiles themselves are anonymous, many privacy advocates have pointed to four reasons why online profiling is becoming “too invasive:” (i) It is sometimes possible to infer the actual identity of the user; (ii) though all browsers allow users to opt-out of tracking by “cleaning out” their tracking cookies, a website may be able to restore deleted tracking cookies through the use of cookie alternatives such as “Flash cookies”; (iii) certain vulnerabilities in current browser design make it theoretically possible to “sniff” a user’s browsing history, cache or bookmarks; and (iv) the use of “packet inspection” by Internet Service Providers (ISPs) (instead of the use of cookies) to track online browsing amounts to illegal wiretapping.

The other concerns expressed by the advocates of regulation vary significantly. Some fear that browsing profiles could be captured by hackers, somehow associated with personally identifying information, and used for identity theft. These advocates demand limits on data retention as well as data security mandates. Others demand that users have access to their own profiles—a goal inherently in tension with data security. Most share a vague queasiness about “being tracked” and about advertising in general, while downplaying the effectiveness of self-regulation or user self-help.

Perhaps most legitimately, others fear that the real “Big Brother”—the government—will gain access to a “honeypot” of surveillance data that might be associated with individual users. A variety of other solutions have been proposed to what is, for the most part, a poorly defined problem, including a government-run “Do Not Track” registry to make it easier for users to block tracking cookies; mandating opt-in for some or all forms of profiling; and banning completely the collection of tracking data about sensitive subjects, cross-referencing of data sets, and use of packet inspection data for OBA.

The Less Restrictive Means: A Layered Approach

But how should policymakers decide which, if any, of these interventions are really necessary–or would even be effective? Ironically, those who demand immediate OBA regulation to protect user privacy are often the first to insist on less burdensome approaches whenever a policy “problem” involves purely non-commercial speech. For example, emphasizing personal and parental responsibility is often favored as the more sensible approach to dealing with free speech and child protection concerns. But, as Chapman University Law Professor Tom Bell has asked, why not apply the same standard across the board? Why not expect those especially privacy-sensitive users who object to OBA to do something about it? To the extent effective self-help privacy tools exist, they provide a means of solving policy problems that is not only “less restrictive” than government regulation but generally more effective and customizable as well. Why settle for one-size-fits-all solutions of incomplete effectiveness when users can quite easily and effectively manage their own privacy? Indeed, those who advocate personal responsibility and industry self-regulatory approaches to free speech and child protection issues should be advancing the same position with regards to privacy.

Fortunately, a wide variety of self-help tools and “technologies of evasion” are readily available to all users and can easily thwart traditional cookie-based tracking, as well as more sophisticated tracking technologies such as packet inspection. While cookie management tools that allow users to delete their cookies have been standard in browsers for some time, the latest generation of browsers incorporates far more advanced control over what kind of cookies browsers will accept from websites in the first place. Furthermore,  the extensible nature of modern browsers allows any freelance software developer who sees a way to improve a browser to do so by writing an add-on that “plugs in” to the browser using standard programming interfaces designed by each browser developer.  Many such add-ons are wildly popular, but even those users who never install a single one benefit from the acceleration of browser evolution made possible by add-ons.  We will be documenting examples of these tools in our upcoming Special Report and in an ongoing  series of blog essays.

The Benefits of Smarter Advertising

The “free” Internet economy is based on a simple value exchange: Users get access to an ever-expanding collection of content and services at no cost from websites that are able to generate revenue from “eyeballs” on their pages by selling space on their sites to advertisers, usually through ad networks. The smarter that advertising, the more free content and services it can support. This is the same value exchange that has supported free, over-the-air television and radio content for decades. The only difference is technological: Because websites can connect directly with the user, they need not rely on crude profiling tools such as Nielsen ratings.

There are larger economic benefits of smarter online advertising. First, it makes the overall economy more open and competitive by allowing small market entrants to reach consumers with messages about their products. Second, those who attack the use of packet inspection by ISPs for OBA fail to see that it is precisely the kind of “game-changer” that could disrupt Google’s currently dominant market position. Third, the involvement of ISPs in OBA could help defer broadband costs: Even if OBA revenue does not completely subsidize monthly service costs, smarter advertising could at least keep prices in check and potentially lower them significantly going forward.

But smarter advertising isn’t just about selling products or services. It is ultimately about making all kinds of speech more cost-effective. The ability to “target” listeners more narrowly also increases the ability of political and other not-for-profit speakers to communicate their messages. In short, smarter advertising means more voices, more choices, and more speech. The line between “advertising” and “content” is already blurring rapidly, as the technologies used to customize advertising are also used to customize webpages and ad networks themselves are used to deliver content.

The Larger Implications of Potential Regulation

As if reducing the advertising revenue generated by each web ad didn’t do enough to reduce the total amount of funding for free web content and services, government regulation of targeted online advertising could reduce advertising revenues even further by aggravating the problem of adblocking in two ways. First, the less relevant ads are, the more annoying users will find them, and the more likely users are to try to block them. Increased relevance is perhaps the most important remedy for adblocking and the best way to maintain the implicit value exchange that currently supports free Internet content and services

Second, regulation could short-circuit the eternal battle of technological one-upmanship between online advertisers and those users who rely on the technologies of evasion to “opt-out” of seeing ads or being tracked. Such privacy-conscious users are “free-riding” off of those users who don’t opt-out, since (at present) they generally don’t lose access to the free content and services supported by the targeted advertisements that other users do see. The user who blocks tracking, but not ads, is still free-riding off those users who don’t opt-out of tracking. On a large enough scale, such self-help has the potential to disrupt the value exchange of the Internet, just as automatic commercial-skipping has already disrupted the value exchange of television. As with all “Spy v. Spy” battles, this long-term trend is inevitable: As more sophisticated technologies of evasion are incorporated seamlessly into browsers and can be used without significantly degrading the browsing experience, their use will become increasingly mainstream. But ultimately, just as with television commercial-skipping, market forces can and will, if permitted, respond through technological means and the development of new business models. Today’s implicit quid pro quo may become, of necessity, explicit: Websites and ad networks will have to find increasingly creative ways to grant access to certain content and services for users who do not block ads or the tracking that makes ad space more valuable. Policymakers should take care not to ban such technologies or cripple such business models (e.g., through requiring opt-in), which may rely on more sophisticated forms of targeting such as the use of packet inspection data.

As users face an increasingly clear choice between (i) getting content and services for free supported by behavioral advertising and (ii) paying to receive those same services and content without tracking or even without ads altogether, policymakers will finally see whether users are really as bothered by profiling as the advocates of OBA regulation insist. Given the ongoing and widespread replacement of fee- or subscription-supported web business models with ad-supported models, it seems likely that the vast majority of consumers will continue to choose ad-supported models, including profiling.

Conclusion

The questions raised above—about the harm that supposedly requires intervention, the availability of less restrictive means, and the cost/benefit analysis of regulation—are vital considerations for the future of the Internet. Indeed, if smarter online advertising will not fund the Internet’s future, what will? As both the desire for “free” services and content and the need for bandwidth expand, OBA has the potential to offer important new revenue sources that can help support the entire ecosystem of online content creation and service innovation, while also providing a new source of funding for Internet infrastructure and making ads less annoying and more informative. That would certainly seem preferable to increased user fees or other “pay-per-view” pricing models for Internet content and services.

But looming legislative and regulatory action could stop all of that by replacing the current regime—in which the FTC merely enforces industry self-regulatory policies—with one in which the government preemptively dictates how data may be collected and used. The more enlightened approach is a “layered” approach to privacy protection that combines industry self-regulation, enforcement of industry-established privacy policies, consumer education, and user “self-help” solutions. These and other issues will be addressed in greater detail in our upcoming PFF Special Report.