Catchy headlines like “Heavy Social Media Use Linked With Mental Health Issues In Teens” and “Have Smartphones Destroyed a Generation?” advance a common trope of generational decline. But a new paper in Nature uses a new and rigorous analytical method to understand the relationship between adolescent well-being and digital technology, finding a “negative but small [link], explaining at most 0.4% of the variation in well-being.”

What really sets apart the new paper from Amy Orben and Andy Przybylski is that it aims to capture a more complete picture of how variables interact. The problem that Orden and Przybylski tackle is endemic one in social science. Sussing out the causal relationship between two variables will always be confounded by other related variables in the dataset. So how do you choose the right combination of variables to test?

An analytical approach first developed by Simonsohn, Simmons and Nelson outlines a method for solving this problem. As Orben and Przybylski wrote, “Instead of reporting a handful of analyses in their paper, [researchers] report all results of all theoretically defensible analyses.” The result is a range of possible coefficients, which can then be plotted along a curve, a specification curve. Below is the specification curve from one of the datasets that Orben and Przybylski analyzed.

Amy Orben and Andrew Przybylski explain why this method is important to policy makers who are interested in the tech use question:

Although statistical significance is often used as an indicator that findings are practically significant, the paper moves beyond this surrogate to put its findings in a real-world context.  In one dataset, for example, the negative effect of wearing glasses on adolescent well-being is significantly higher than that of social media use. Yet policymakers are currently not contemplating pumping billions into interventions that aim to decrease the use of glasses.

Truthfully this is the first time I have encountered specification curve analysis and am quite impressed with its power. For more details, check out the OSF page, the writeup in Nature, and the full paper. Also, Michael Scharkow details how to apply SCA to variance and includes some R code.

When the government tells someone to shut up, we call it censorship and the First Amendment requires the government to defend its regulation. But what if the government just says, “Shhhh… could you please turn that down?” Rep. Anna Eshoo’s Commercial Advertisement Loudness Mitigation Act (“CALM Act” – HR 1084) would do just that: require the FCC to issue rules that broadcast and cable TV ads:

(1) … shall not be excessively noisy or strident; (2) … shall not be presented at modulation levels substantially higher than the program material that such advertisements accompany; and (3) [their] average maximum loudness…  shall not be substantially higher than the average maximum loudness of the program material that such advertisements accompany.

Now,  I understand where Ms. Eshoo is coming from: I have a very low tolerance for noise in general and for television in particular—and it’s not just about commercials. (I find TV news at least as “noisy” and “strident” as commercials. That’s why I opted-out from the whole TV thing in about 2000. Yup, that’s right: I found better things to do with my time and the supposedly all-powerful “gatekeepers” of Hollywood couldn’t do a damn thing about it. You should try it if you don’t like what’s on TV! To paraphrase Voltaire, “I disapprove of what you say watch,  but I will defend to the death your right to say watch it! You can get most of what’s worth watching on DVD or online anyway.) But do we really need bureaucrats in Washington micromanaging volume levels? Maybe Congressmen would have a little more time to read the bills they vote for if they they weren’t so busy fiddling with everyone else’s remote!

Eshoo’s bill has passed the House Energy & Commerce Committee’s Communications Subcommittee just as the TV industry is completing work on voluntary standards of their own. That’s one “less restrictive” alternative to regulation. What about technological empowerment? If Americans really hate loud commercials so much, why don’t they demand TVs with built-in volume normalization features? But this bill isn’t merely unnecessary, it would also set a disturbing precedent in at least six ways.

First, while it might seem that a regulation could draw clear lines with simple rules here about volume, Cliff Stearns (R-Fl) points out that “it is difficult to regulate volumes, since commercials are produced by a number of studios and companies that use different technologies and volume standards.” But this ambiguity merely increased the potential for selective enforcement, which would exist even where it were possible to craft precise rules.  Because the law makes no distinction about “non-commercial” (i.e., not-for-profit) advertisements, this means a politicized FCC could use volume controls as a weapon against opposing political advertising or other non-profit speech it did not like. Anyone who’s ever lived under a Home Owner’s Association should understand how easily an HOA president with a personal grudge could use hyper-technical rules about what shade of blue you have to paint your own mailbox to harass you. And isn’t “strident” the very adjective most commonly used to write off the arguments of those with whom we disagree?

Second, even though it does not exempt non-commercial ads, the bill does embody a recurrent presumption that it’s ok to regulate advertising in ways we wouldn’t accept for the “show” itself (i.e., non-advertising content). Of course, the show could be “commercial” (which, in First Amendment terms, means it would generally get only “intermediate” scrutiny) while the advertisement could be “non-commercial”—such as a political ad. But even if most ads are commercial, so what? If the government is going to protect us from “noisy or strident” commercials, why not all “noisy or strident” programming? Even the most annoying TV ad is probably less annoying than, say, the James Carvilles of the world debating the Glenn Becks of the world. (Of course, users really bothered by noise, but unwilling to give up TV, would probably much rather have a dynamic market for TVs with volume moderating features than rules that dull the din of commercials alone.)

Third, I’m sure that the government would defend Eshoo’s bill, if signed into law, as a restriction on the “time, place and manner” of speech. Although such restrictions are much easier for the government to defend than most restrictions on speech, the government must still show that the regulation is “narrowly drawn” and “serves a significant government interest.” So… what’s the interest here? I’m a little disturbed by the idea that the government has a “significant interest” in what goes on in the space between Americans, their couches, and the electronic display of their choosing. (If we were talking about non-consensual “second-hand television” like TVs blaring in airports, I might be slightly more sympathetic: It’s awfully hard to escape the sound of TV when you’re stuck at the gate waiting for a flight. But commercials are only marginally more annoying to me than most TV, and airport TVs generally show news anyway—the height of annoyingness. I’d much rather see airports, bars, etc. adopt directional sound technologies so that users can move out of the “blast radius” and into peace and quiet simply by moving over a few seats.)

Fourth, I understand that most users probably do wish that commercials probably weren’t so loud. But, this very fact, combined with the ease with which users can now skip all commercials (36% of U.S. homes have a DVR), creates a pretty powerful incentive for the TV industry to self-regulate the volume level of advertising. “Noisy or strident” advertising is just another example of the “tragedy of the commons” at work: Absent any rules, every individual advertiser has an incentive to jack up the volume in order to attract attention, and doing so will probably work up to a certain point of increased annoyance by the user. But collectively, such ads hurt all advertisers because they increase ad blindness, ad deafness, and/or outright commercial skipping. The same dynamic plays out on the Internet, where flashing, blinking, bouncing, strobing dancing ads really drive users nuts and make them turn to tools like AdBlock Plus and Flashblock—which is why ad networks like Google have policies that implement their own “time, place and manner” rules out of pure self-interest. Such rules are useful and valuable. They benefit advertisers, consumers and the ad network alike, because there exists a basic harmony of interests between them: annoying ads don’t really benefit anyone in the long-term.  Do we really want government bureaucrats making these decisions instead?

Fifth, if the FCC has a “significant” interest in “protecting” us from annoying TV ads, why shouldn’t the F TC protect us from annoying ads online? Here, the problems of government making rules become even more obvious as the medium is far more dynamic. But users already have radical user empowerment tools.

Finally, what about the unintended consequences of such regulation? For example, will intermediaries be responsible for compliance?

Rep. Zack Space (D-Ohio), raised the issue of the impact of the bill on small cable operators. He said that while he was not disputing the need for uniform commercial volume, he said the bill, “perhaps unintentionally” was prejudiced [against] small operators. He pointed out that many of those operators did not insert ads themselves or have “the right to alter national feeds unilaterally, like some of the bigger cable companies.” He said that those operators “simply pass through broadcast signals and have no means of adjusting the volume of commercials on the stream.”

If the FCC were to hold ad-distributor intermediaries liable for the volume-compliance of ad-producers, that could certainly disadvantage small distributors and perhaps even promote consolidation—both horizontal and vertical. But isn’t media consolidation the great evil that “media reformistas” are constantly warning us about?

If only our would-be “Net Nannies” in Congress, the FCC, FTC, state capitols and, of course, Brussels were more like the Park Service! The WSJ reports on “Why there are so few guardrails at the Grand Canyon:”

Sunday a crowd gathered in Acadia National Park, on Mount Desert Island along the Maine coast, to watch the surf, roaring with energy from an offshore hurricane, smash against the shore. A towering wave crashed over some onlookers, dragging half a dozen into the ocean. A 7-year-old girl drowned. Soon it was asked why officials had let the crowd get so near waters so dangerous. “The Park Service’s goal is to get people out into the park,” Acadia Chief Ranger Stuart West told Maine Public Broadcasting. “And we don’t want to take that opportunity away from the public.” It’s a measure of how coddled we’ve become that Mr. West’s simple and reasonable statement seems almost shocking. But the Park Service, with its emphasis on protecting the lands in its care, has developed a refreshingly laissez-faire attitude toward protecting visitors…. It seems that those who frequent the outdoors have an aversion to nanny-statism, which allows the Park Service to take a grown-up attitude toward its visitors: “Their safety is their responsibility,” says Ron Terry, Zion’s public information officer. “We couldn’t possibly put railings up everywhere. It wouldn’t be feasible, nor would we want to.”

Amen!  If only we took the same approach to the online environment:  educate users about the risks (real or subjective) to their privacy, safety or delicate sensibilities and empower them to the maximum extent possible to make decisions for themselves—or for parents to decide which “perilous canyon trails” to let their kids go down. The wonderful, unique thing about the online environment is that each user’s experience can be customized: Technological filters tools allow parents to create “guardrails” just for their kids (e.g., blacklists of sites inappropriate for kids), without needing to have a guardrail installed for all users (e.g., COPA).

The parallels continue when one considers the human tendency to mis-perceive risks, which creates “technopanics” in Internet policy just as it creates panics about the various health risks of the great outdoors:

We could all boycott the beach until sundown or protect ourselves by donning modified bee-keepers’ rigs—broad-brimmed hats, long-sleeved shirts and proper trousers. But few of us do. What a contrast with how we react when confronted with other threats and risks. Told of some minuscule risk attached to some chemical, we tend to panic, demanding that billions be spent to protect us from the slightest exposure. Phthalates—eek! And yet, with more than a million skin cancers diagnosed each year in the U.S., few of us hesitate to saunter outside sans sombrero. What gives? “Most people, including professionals, don’t understand relative risk,” says Seymour Garte, a professor of occupational health and author of “Where We Stand: A Surprising Look at the Real State of Our Planet.” We get nervous flying a commercial jet yet don’t think twice about driving the highway. “People are more often risk averse if they feel they aren’t in control of the exposure,” Prof. Garte says. The sun may present a clear and present danger, but we generally control how much of it we get, which makes us all too comfortable with getting all too much. But beyond that, we like getting out in the sun, whether to swim or golf, play tennis or hike along cliffs. And so we accept the risk and keep our oncological anxieties in check. It’s an attitude worth remembering the next time a health scare comes along. And in the meantime, don’t forget your hat and please be sure to hold the railing.

Again, user empowerment can help to reduce hysteria by making users feel like they’re in control of the situation.

Mediapost has published an interview I gave to Omar Tawakol, founder of the BlueKai registry entitled “User Empowerment, Not Regulation, Is The Answer to Privacy Concerns About Targeted Ads” in which I summarize the arguments Adam Thierer and I have been making since our “Principles to Guide the Debate” piece last September.

We argue for user empowerment over restrictive defaults (like “opt-in”) for data use and collection because, as the Supreme Court held in 2000: “Technology expands the capacity to choose; and it denies the potential of this revolution if we assume the Government is best positioned to make these choices for us.” We promote tools that let users make their own decisions about privacy, not only because those decisions are fundamentally subjective, but because regulatory mandates could stifle the development of online content and commerce.

I also note the parallels between speech controls and privacy regulation, and call for a consistent, principled approach to both:

Since 1997, the Supreme Court has struck down multiple legislative attempts to censor online and offline content [especially the CDA] because there were “less restrictive alternatives” that would not so heavily burden free speech rights. In a 2000 cable-related decision, the Court held that “targeted blocking [by users] is less restrictive than banning, and the Government cannot ban speech if targeted blocking is a feasible and effective means of furthering its compelling interests.” Courts have struck down other federal and state speech controls because parents had the tools to filter their kids’ access to information online, in video games, etc., as described in my PFF colleague Adam Thierer’s ongoing catalog of these tools… Many who oppose industry self-regulation are not really “consumer advocates” because they don’t recognize that consumers have many, competing values. Those regulatory advocates are more interested in their preferred one-size-fits-all mandates than in empowering users to determine their own privacy preferences. Like advocates of censorship, privacy zealots assert great dangers to which citizens are supposedly oblivious but which urgently require government intervention-dismissing arguments to the contrary as either uninformed or irresponsible.

The comments on the interview are equally worth reading.  Jeff Chester, who has made a career out of attacking advertising, quickly posted a comment dismissing, but ignoring, my arguments about consumer welfare as corporate propaganda—just as he did with his comment on the post Adam and I wrote in June about congressional hearings on the issue featuring Chester (and Scott Cleland, the right-wing “Bizarro Chester“).  I’ve had it with Chester’s ad hominem attacks on the motives of those who disagree with him, as I explained in my reply to Chester:

Despite our profound “Conflict of Visions,” I must rush to Mr. Chester’s defense to point out [contrary to the assertion of another commenter who criticized Chester’s motives] that his salary has only reached “six figures” in one of the three years for which Chester’s group, the Center for Digital Democracy, has filed their Form 990 returns with the IRS: $101,500 in 2005, but a mere $97,925 in 2006 and $96,750 in 2007 (including benefits). Given CDD’s declining donations, Chester’s salary has grown from 35% of CDD’s income in 2005 ($288,807) to 56% ($172,852) in 2007. As a result of deficit-spending to maintain Chester’s salary, CDD’s 2007 assets were just half what they were in 2005 ($203,508 / $411,174). These returns are available on guidestar.org. I might take the same approach Chester takes in attempting to dodge our arguments: question his motives and suggest that the hysteria level of his arguments has grown in close correlation with his increased need to boost CDD’s donations, which have sagged even as his salary has remained constant. But unlike Chester and others who suffer from the “Vision of the Anointed,” I am not in the business of—as Thomas Sowell put it—”disdainfully dismissing” arguments contrary to my own “as either uninformed, irresponsible, or motivated by unworthy purposes.” I truly take Chester at his word: I think he genuinely believes the fantastical claims he makes about the evils of “targeted” advertising and that advertising is manipulative, creating what Neo-Marxists would call “false consciousness” (making people think they want things they don’t). I don’t think he’s merely trying to drum up donations (although that may be a happy coincidence of his Chicken-Little-ism). I ask only that Chester grant us the same respect by recognizing that our arguments are deeply rooted in a principled belief that online advertising creates enormous value for consumers, and that better targeting should be celebrated as a way of sustaining media in the 21st century, not an evil conspiracy by a shadowy cabal of advertisers. I take no pleasure in noting that Chester makes more money than I do (assuming his salary has not finally started to decline since 2007 along with the apparent downward trend in CDD’s donations). Moreover, since my market value as a recently-practicing lawyer is probably considerably higher than this, I gave up quite a lot to fight the battle of ideas when I joined The Progress & Freedom Foundation last year. Chester may not agree with my arguments, but for him to dismiss me as a corporate whore is simply laughable. If I really wanted to sell out, I would go back to a law firm at an annual salary greater than the donations his Center for Digital Democracy received in 2007. I would not have chosen a career as a consumer advocate at considerable personal cost if I were not utterly sincere in my convictions. So, please, Jeff, spare us all your sanctimony and engage our arguments on substance. Your dismissal of Omar Tawakol is also grossly unfair, since BlueKai has been an industry leader in empowering users with its consumer preference registry. On substance, I find it equally amusing that Chester has embraced the rhetoric of “consumer empowerment” in support of an agenda that is about just the opposite: making choices for users. Our argument is that we should to do everything we can to empower users to make their own choices about privacy preferences through tools like the BlueKai Registry, Google’s Ad Preference Manager and other more radical innovations. But Chester’s argument is that government should mandate restrictive default settings (e.g., opt-in). This is not empowerment but arrogant presumption: Chester is an elitist not only because he presumes that consumers are as paranoid about “being tracked” as he is, but also because he would impose a default (no tracking) that would destroy the economic value created by targeted advertising. That default has enormous costs for users as an “Industrial Policy for the Internet,” reducing revenues for publishers whose “free” content and services Chester takes for granted, but which benefit Internet users around the world.

On July 27th, The Progress & Freedom Foundation hosted a Capitol Hill panel discussion entitled “Online Child Safety, Privacy, and Free Speech: An Overview of Challenges in Congress & the States.” The event featured remarks from:

• Parry Aftab, Executive Director, WiredSafety.org
• Todd Haiken, Senior Manager of Policy, Common Sense Media
• Jim Halpert, Partner, DLA Piper
• Berin Szoka, Senior Fellow, The Progress & Freedom Foundation

We’ve just released the transcript of the event, which I have also pasted down below the fold in a Scribd document reader. Also, the audio for this event can be heard by clicking below:

Download mp3

Here is the full event description:

Online child safety, privacy, and free speech remain hotly debated issues at both the federal and state level. Bills introduced in Congress to address cyberbullying concerns propose either educational initiatives or a criminalization approach. Access to objectionable content also remains a concern and a new, government-mandated task force is looking into those issues. Meanwhile, state officials, including many state attorneys general, continue to explore age verification mandates for social networking sites and some have considered building on the federal Children’s Online Privacy Protection Act (COPPA) to expand “parental notification” mandates. The Federal Trade Commission (FTC) has recently announced an expedited review of COPPA to see if it is keeping up with new developments. The FTC is also exploring child safety in virtual worlds. New concerns about “sexting,” or the sending of sexual explicit images over mobile devices, has also raised new concerns led some lawmakers to ponder penalties.

How serious are these concerns? Is legislation or regulation needed to address them? What free speech issues are at stake? Should Congress take the lead or leave it to the States to experiment with different models? These and other issues were discussed by a panel of leading experts in the field of online safety and privacy policy.

Transcript PFF Online Child Safety Privacy Hill Event (7-27-2009) http://d.scribd.com/ScribdViewer.swf?document_id=18756666&access_key=key-1blb7az1ag406howibuk&page=1&version=1&viewMode=

Adam Thierer & I have just released a detailed examination (PDF) of brewing efforts to expand the Children’s Online Privacy Protection Act of 1998 to cover adolescents and potentially all social networking sites—an approach we call “COPPA 2.0.”

As Adam explained on Larry Magid’s CNET podcast, COPPA mandates certain online privacy protections for children under 13, most importantly that websites obtain the “verifiable consent” of a child’s parent before collecting personal information about that child or giving that child access to interactive functionality that might allow the child to share their personal information with others. The law was intended primarily to “enhance parental involvement in a child’s online activities” as a means of protecting the online privacy and safety of children.

Yet advocates of expanding COPPA—or “COPPA 2.0″—see COPPA’s verifiable parental consent framework as a means for imposing broad regulatory mandates in the name of online child safety and concerns about social networking, cyber-harassment, etc. Two COPPA 2.0 bills are currently pending in New Jersey and Illinois. The accelerated review of COPPA to be conducted by the FTC next year (five years ahead of schedule) is likely to bring to Washington serious talk of expanding COPPA—even though Congress clearly rejected covering adolescents age 13-16 when COPPA was first proposed back in 1998.

We’ll discuss some of the key points of our paper in a series of blog posts, but here are the top nine reasons for rejecting COPPA 2.0, in that such an approach would:

• Burden the free speech rights of adults by imposing age verification mandates on many sites used by adults, thus restricting anonymous speech and essentially converging—in terms of practical consequences—with the unconstitutional Children’s Online Protection Act (COPA), another 1998 law sometimes confused with COPPA;
• Burden the free speech rights of adolescents to speak freely on—or gather information from—legal and socially beneficial websites;
• Hamper routine and socially beneficial communication between adolescents and adults;
• Reduce, rather than enhance, the privacy of adolescents, parents and other adults because of the massive volume of personal information that would have to be collected about users for authentication purposes (likely including credit card data);

• Would likely be the subject of massive fraud or evasion since it is not always possible to definitively verify the parent-child relationship, or because the system could be “gamed” in other ways by determined adolescents;
• Do nothing to prevent offshore sites and services from operating outside these rules;
• Present major practical challenges for law enforcement officials in the face of such evasion by both domestic users and offshore sites;
• Could destroy opportunities for new or smaller website operators to break into the market and offer competing services and innovations, thus contributing to consolidation of online content and services by erecting barriers to entry; and
• Violate the Commerce Clause of the U.S. Constitution, since Internet activity clearly represents interstate commerce that states have no authority to regulate.

I’ve already laid out my own reactions to Google’s roll-out of an “interest based advertising” (IBA) program here.  In a nutshell, I applauded Google setting a new “gold standard” in user empowerment by providing:

• Notice in their IBA-targeted ads of who’s paying for the ad and the fact that Google is serving it; and 
• A link to a powerful “Ad Preference Manager” that allows users to:
  • See and modify the “digital dossier” (to use the fearmonger’s term) of interests associated with the cookie on their computer; and 
  • Opt-out of tracking for IBA purposes.    

But as I predicted, despite these pro-privacy features (and despite the fact that other major companies such as Yahoo! and Microsoft already have IBA programs), a number of privacy advocacy organizations are attacking Google for daring to enter the IBA (or “online behavioral advertising”) business at all.   I’ll have much more to say about the criticism of Google’s new Ad Preference Manager soon, especially coming from Marc Rotenberg of EPIC (a “disaster“) and Jeff Chester of CDD—precisely the sort of the “paroxysms of privacy hysteria” I predicted.  

But first, the criticism from Ari Schwartz of the Center for Democracy & Technology requires a response today.  At its best, CDT plays a vital role in calling corporations to continually raise the bar on privacy.  My own think tank, the Progress & Freedom Foundation, works closely with CDT on many issues, such as advocating user empowerment through technological means as a constitutionally “less restrictive” way of protecting children than government censorship.

 Here’s what Ari had to say:

[T]he opt-out is based on a failed premise. The truth of the matter is that the industry needs to work together to move beyond the discredited cookie opt-out model….  Google claims to have improved upon the old model by creating a plug-in for users to keep their opt-out cookie while deleting the rest of their cookies. While as a technical matter that may be true, without an industry-wide solution these plug-in options just serve to confuse users about what they need to do to protect themselves. If this plug-in approach catches on, will users need to download a plug-in from every network advertiser and every analytics company to stop the tracking? That model just isn’t sustainable.

Ari is setting up a straw man when he suggests that users are going to have to download a separate plug-in for every ad network.  The obvious solution, as Ari points out, is an industry-wide plug-in. But if it’s so obvious, why can’t CDT just write it themselves?  Indeed, why didn’t they write it years ago?

These aren’t rhetorical questions.  I  really  want to know what would be required to create a plug-in that does what Google’s plug-in does for every other ad network’s opt-out cookie in the Opt-out tool developed by the Network Advertising Initiative (NAI):  Maintain “persistent” user choice by checking to see whether a user has deleted whatever their opt-out cookies and, if so, restoring those cookies.  

CDT will probably insist that, if it’s really so easy to create such an industry-wide plug-in, NAI should have done so years ago.  Maybe so.  Perhaps if the industry had moved faster to innovate in privacy protection, they would be in a stronger position right now politically.  Of course, if the industry moves slowly in this regard, maybe that’s because they’ve got their hands full trying to keep advertising, the economic engine that funds the Internet’s “free” content and services, working-a reality Ari ignores.  Or perhaps it wouldn’t matter:  It seems that no matter what industry might do, it’s just not good enough for Ari.  Under the banner of “Keeping the Internet Open, Innovative and Free,” Ari is in fact leading CDT in a full-on attack on the Internet, pushing for regulation that will make the Internet:

• Less “Open” to competition among service providers and the diversity of voices and choices produced by online content creators who depend on advertising;
• Less “Innovative” in terms of new content, new services, new online personalization technologies, and new advertising business models that could broaden the base of economic support for the entire Internet; and
• Less “Free” both in political terms—“free” from government regulation and controls—and in financial terms—“free” to users because advertisers foot the bill.

CDT ignores these very real costs to crippling online advertising, which will ultimately be borne by the very consumers whom CDT claims to be protecting.  This is precisely why Adam Thierer and I have argued so strongly for a layered approach (and here at page 7) to privacy concerns about online advertising that combines self-regulation and tough FTC enforcement of privacy policies with a recognition that only by empowering individual users to make their own choices can we balance inherently subjective concerns about privacy with the need to fund the Internet’s future:

We stand at an important crossroads in the debate over the online marketplace and the future of a “free and open” Internet.  Many of those who celebrate that goal focus on concepts like “net neutrality” at the distribution layer, but what really keeps the Internet so “free and open” is the economic engine of online advertising at the applications and content layers.  If misguided government regulation chokes off the Internet’s growth or evolution, we would be killing the goose that laid the golden eggs. 

Back to the plug-in…  CDT argues that the opt-out cookie system is flawed in respects other than ensuring the persistence of user opt-outs.  We can debate that question.  But I’d just like to get a clear answer once and for all about why CDT hasn’t already developed this plug-in themselves.

Here‘s the NAI opt-out, Ari, and here‘s the code for Google’s plug-in—it’s open source! How much easier could Google have made this for you?  Quit yapping and start coding! 

Since CDT doesn’t seem up to the task, we’ve already modified the Google plug-in to preserve another ad network’s opt-out cookie (download our beta plug-in here) and are currently working to expand the plug-in to work for multiple cookies—which is simply a matter of coding.  We’d welcome help from anyone with experience in writing Firefox plug-ins. 

NAI could (and probably should) do this, themselves.  But if CDT wants to start being philosophically consistent about empowering consumers across in the board —on privacy issues as well as child protection issues—writing this plug-in themselves is a great way to shame the rest of the advertising industry into picking up where Google left off.   I suspect CDT’s failure to do so thus far reflects a crass political calculation that anything they does to empower users to manage their own privacy through technical solutions simply undermines their arguments that only government can protect users—thus weakening their push for regulation.  So much for CDT’s declared mission of “seek[ing] practical solutions to enhance privacy!”

Google’s new “Interest Based Advertising” (IBA) program represents the company’s first foray into what is generally called “Online Behavioral Advertising” (OBA):  In order to deliver more relevant advertising, Google will begin tailoring ads delivered through AdSense on the Google Content Network (GCN) and YouTube.com (but not Google.com).  This tailoring will be based on a profile of each user’s interests created by tracking their browsing activity across sites that use AdSense-but not search queries or other user information.  Until now, (i) AdSense has delivered essentially “contextual” advertising by choosing which ad to display on a page based on an algorithmic analysis of keywords on that page; and (ii) Google has tracked users’ browsing only for analytics purposes-to limit the number of times a user sees a particular ad (to prevent overexposure) and to allow sequencing of ads in campaigns where one ad must follow another. 

Google is sure to be attacked for crossing a “line in the sand” drawn by some privacy advocates between contextual and behavioral advertising-even though Google’s closest competitor, Yahoo!, already offers a similar program, and the concept in general is hardly new.  Google’s position as the leading search engine and third party ad-delivery network will no doubt cause paroxysms of privacy hysteria among those who consider targeted advertising inherently invasive, unfair or manipulative.

But those whose first priority is advancing consumer privacy, not advancing a political or regulatory agenda, should applaud Google for excluding sensitive categories and for putting the new Ad Preference Manager at the core of the company’s new IBA program.  The Ad Preference Manager sets a new “gold standard” for implementing the principles of Notice and Choice, which have formed the core of both OBA industry self-regulation and the various regulatory proposals made in recent years.  Indeed, Google has done precisely what Adam Thierer and I have called for:  giving consumers more granular control over their own privacy preferences by developing better tools.

How Google’s Ad Preference Manager Works

For years, debates about how OBA should be regulated (whether by industry or by government) have revolved around two key questions: 

• Notice: How should consumers best be informed about the data that’s being collected about them, how it’s being used, by whom, and so on?
• Choice: How should consumers be given the ability to opt-out of tracking for OBA purposes?

While there are significant philosophical disagreements about some aspects of these debates-such as whether the default should be opt-in or opt-out-much of the debate has come down to questions of implementation that may seem trivial or easily-solved to lay people:  Where should notice be provided?  If notice is provided in ads themselves, what should the link say and how big should it be?  By what technological means should users be able to opt-out of tracking?  Google has provided an elegantly simple solution to these questions. 

Google provides “notice” to users in two ways:

• In the ads.  In the bottom left corner of each AdSense ad on sites in the GCN, users will see the URL for the advertiser’s website.  This is already the case for all text ads, but not for display ads.  In the bottom right corner of both display and text ads, users will see an “Ads by Google” link.  Thus, the ad itself provides the user notice of (i) who’s paying for the ad and (ii) who’s serving it. 
• In the Ad Preference Manager.  If the user clicks the “Ads by Google” link, they will see which of the ~20 categories and ~600 subcategories have been associated with the tracking cookie in their browser.  Thus, Google provides notice to the user of what’s in their so-called “digital dossier.”

Google provides “choice” to the user in two ways:

• Editing categories.  The Ad Preference manager not only shows the profile that has been algorithmically assembled of their likely interests, but it lets them decide for themselves which categories they’re really interested in.  If a user finds that they have been placed in the “Automotive > Motorcycles” category but actually owns a SUV, they could select “Automotive > Trucks & SUVs”-or no Automotive category at all.  
• A persistent opt-out.  Users can decide to opt-out completely from having their data collected for IBA purposes.  That choice will be respected in the future, and will therefore be “persistent.”

The Persistent Opt-Out Plug-in

For roughly a decade, the OBA industry has operated under a self-regulatory scheme developed by the Network Advertising Initiative (NAI).  NAI lets users opt-out of receiving ads based on OBA targeting.  But privacy advocates have objected on three grounds:

First, privacy advocates argue that it’s currently too hard for users to find the NAI opt-out tool since users don’t know which ad network is serving which ads and there’s no obvious way to get from an ad to the opt-out option.  Google moots this argument by making its opt-out easily accessible to anyone who clicks on the “Ads by Google” link that appears beneath every IBA-targeted ad.

Second and most importantly, privacy advocates decry NAI’s opt-out because it isn’t “persistent”- i.e., it requires the placement of a special “opt-out cookie” on the user’s computer, which may be inadvertently deleted when users delete all their cookies.  Indeed, many users do precisely that on a regular basis through either their browser or antivirus software-thus erasing their own opt-out choice.  Google moots this argument too:  While Google’s opt-out also relies on a special opt-out cookie, Google has created an easily installed plug-in for the two most common Web browsers, Internet Explorer and Firefox, that ensures that the opt-out cookie is automatically recreated even if a user deletes their cookies.  For the Chrome and Safari Web browsers (which do not support plug-ins), Google has outlined a simple procedure whereby users can achieve the same result.

Third, many critics worry that any cookie-based opt-out mechanism still involves sending data to ad networks that the ad networks could use to track users-despite promises in their privacy policies not to do so.  Even though the FTC can enforce such policies, it may be difficult for users to determine what the ad networks are doing with the data they receive from users that have opted out of tracking.  Although Google’s system seems to be no different in this regard from how other NAI member companies handle opt outs, truly privacy-sensitive users could easily address this concern by configuring their Web browser to not send any data to these networks and/or not allow any persistent cookies, as we’ve discussed in our Privacy Solutions Series.   

A Superior Solution to a “Do-Not-Track” Registry

The privacy advocates who lambaste the inadequacies of the NAI opt-out system have demanded the creation of a government-run “Do-Not-Track” registry loosely modeled on-but very different in practice from-the FTC’s Do-Not-Call registry, by which over 170 million Americans have opted out of receiving telemarketing calls.  Google’s Ad Preference Manager provides a better system.

First, it proves that the “persistency” problem can be solved.  In fact, since Google’s plug-in is open source, these privacy advocates may be able to use it to create a browser plug-in that works for opt-out cookies from other NAI member companies.  Indeed, given how simple Google’s plug-in is, one wonders why they didn’t do this when NAI’s Opt-Out Tool was first made available.  Perhaps the technologists at these organizations have spent a little too much time developing elaborate regulatory solutions and too little time focusing on empowering users.  Or perhaps these organizations simply decided that creating such a tool would undercut their argument that only government intervention could protect users’ privacy.  Ironically, some of the organizations pushing Do-Not-Track have joined us in emphasizing the effectiveness of user empowerment tools in other contexts-such as online child protection, where parental control software offers a more effective alternative to government regulation of Internet content that also does less to restrict constitutionally protected speech.  Even more ironically, their Do-Not-Track proposal specifically calls for the development of browser-based tools to implement the government-maintained Do-Not-Track database.  In an era when anyone can write a browser plug-in that can achieve wild popularity (such as the roughly 43 million downloads of the Firefox plug-ins AdBlock Plus and NoScript), these advocacy organizations have little excuse for not practicing what they preach. 

Second, Google has set a new standard in both Notice-by including a link to the opt-out in every ad-and Choice-by respecting user’s opt-out preferences.  Other ad networks now face intense pressure to catch up with, or outpace, Google by implementing the same kind of Notice and Choice.  Indeed, NAI will now be expected to improve its own opt-out system with a browser plug-in capable of preserving opt-out preferences for all of its members’ ad networks.  To the extent that this plug-in might work better with cooperation from the ad networks, that cooperation should now be more forthcoming than ever. 

Third, if these privacy advocates’ real objection to any cookie-based opt-out system-whether the NAI opt-out tool or Google’s plug-in-is uncertainty as to whether opt-out preferences would really be respected by ad networks that continue to collect tracking data (as discussed above), who better than Google to lead the market in setting higher standards for privacy protection?  Ultimately, these standards will be, and should be, enforced by the FTC under its existing authority to punish unfair and deceptive trade practices.

What This Episode Says About Google

Some privacy advocates will argue that Google is just too big-and therefore too “scary”-to be allowed to engage in OBA, and may try to paint Google’s entry in the OBA marketplace as a net loss to privacy, notwithstanding the extremely pro-privacy way in which Google has implemented its “IBA” service.  But if this incident demonstrates anything about Google, it’s the following:

First, it’s no accident that Google is now leading the pack of third party ad networks by developing innovative solutions that respect consumer privacy.  Unlike most third party ad networks, Google is directly focused on the demands of consumers:  In addition to the ad network they acquired from DoubleClick, of course, Google offers consumers a wide array of other online services (search, email, maps, etc.).  Because these services (and their competitors) are all free, Google has to compete in what economists call “non-price terms”-such as privacy.  So, Google has a lot to lose by alienating its users and a lot to gain by being seen as a leader in privacy protection.  Would an independent DoubleClick have taken so much care to address privacy concerns?  As the developer of a competing search engine once said about the Internet search industry, ”you earn your right to be in business every day, page view after page view, click after click.”  

Second, it’s no accident that Google was a late-comer to the OBA market, lagging behind Yahoo! in particular.  The most likely reason Google has taken its time in rolling out an OBA product is that Google is subject to a unique level of scrutiny by privacy advocates by virtue of its size.  Being the “big kid on the block,” Google has to be especially careful not to appear to be “Big Brother.”  This reputational check on Google should allay some concerns about Google’s size.

Third, this episode also demonstrates the advantages of having a player like Google large enough to be able to singlehandedly set a new paradigm in privacy protection.  Google risks alienating some advertisers and publishers with its bold empowerment of users, but was willing to take those risks because of its incentives as a consumer-facing company and able to do so because of its leadership in the marketplace.  Uncomfortable as this reality may be for those who fret about antitrust issues and indeed for Google itself, the simple reality is that sometimes it takes “big dogs” to make self-regulatory systems truly effective.  For example, the video game industry’s highly effective content rating system has worked because the titans in that field were big enough to push through a tough system and keep it working.  Similarly, Microsoft has led the way for years in empowering users by offering in Internet Explorer the most sophisticated cookie management tools available in any browser, as we’ve discussed.  In a nutshell, privacy leadership requires scale. 

Conclusion

Google’s Ad Preference Manager, with its persistent opt-out plug-in, offers precisely the kind of robust opt-out that privacy advocates have always demanded.  Google deserves a rousing “Amen!” from privacy advocates.  But those who respond to this program by insisting that “more needs to be done on how to educate people and tell them how to opt out,” are right in two senses.  First, Google has shown other ad networks how to do more to empower users.  I am confident that they will rise to that challenge by continuing to refine self-regulation through technological innovation.  Second, this is by no means the last word in privacy protection from Google, which operates in the midst of continually-evolving privacy standards.  I expect Google and competing ad networks will continue to innovate in developing technologies that empower users to manage their own privacy-and that this competitive “race to the top” will improve online privacy protection in a broader sense beyond just advertising by putting pressure on other online service providers to improve their privacy practices and policies.

But I fear that too many privacy advocates will instead see this as just another reason for the government to intervene-perhaps because of fear of Google engaging in OBA or  because they think the government, not Google, should be developing privacy solutions.  Or perhaps they think Google’s system shows that a system of government-mandated solutions really could work.  To the contrary, Google’s approach is precisely the kind of innovation that would be discouraged by pre-emptive government regulation.  Worse, those who would freeze privacy protection in place would also freeze in place much of the Internet itself, precluding development of new business models that would compete with Google, allaying concerns about competition and benefiting consumers.  Why preclude broadband providers, for example, from figuring out how to deploy ad-targeting technologies in a manner that does as much to empower users with better privacy controls as Google has-especially when this could create a new source of funding for “free” content and services and even discounts on broadband? 

I hope instead that the effectiveness of Google’s approach will shift the policy debate about protecting user privacy back to an emphasis on the layered approach Adam Thierer and I have outlined, supplementing consumer education, industry self-regulation, existing state privacy tort laws, and  FTC enforcement of corporate privacy policies with increasingly powerful technological “self-help” tools that allow privacy-wary consumers to take privacy into their own hands.

Statue at FTC Headquarters: “Man Controlling Trade” (We’re rooting for the horse!)

Adam Thierer and I have just released a new PFF paper entitled “Targeted Online Advertising: What’s the Harm & Where Are We Heading?” (PDF) about the FTC’s new “Self-Regulatory Principles for Online Behavioral Advertising.”  Adam lampooned some of the attitudes at play in this debate in a great rant yesterday.

But we give the FTC credit for resisting calls to abandon self-regulation, and for its thoughtful consideration of the danger in stifling advertising-the economic engine that has supported a flowering of creative expression and innovation online content and services.  That said, we continue to have our doubts about the FTC’s approach, however-well intentioned:

1. Where is this approach heading?  Will a good faith effort to suggest best practices eventually morph into outright government regulation of the online advertising marketplace?
2. What, concretely, is the harm we’re trying to address?  We have asked this question several times before and have yet to see a compelling answer.
3. What will creeping “co-regulation” mean for the future of “free” Internet services?  Is the mother’s milk of the Internet-advertising-about to be choked off by onerous privacy mandates?

We stand at an important crossroads in the debate over the online marketplace and the future of a “free and open” Internet. Many of those who celebrate that goal focus on concepts like “net neutrality” at the distribution layer, but what really keeps the Internet so “free and open” is the economic engine of online advertising at the applications and content layers. If misguided government regulation chokes off the Internet’s growth or evolution, we would be killing the goose that laid the golden eggs.

The dangers of regulation to the health of the Internet are real, but the ease with which government could disrupt the economic motor of the Internet (advertising) is not widely understood-and therein lies the true danger in this debate.  The advocates of regulation pay lip service to the importance of advertising in funding online content and services but don’t seem to understand that this quid pro quo is a fragile one: Tipping the balance, even slightly, could have major consequences for continued online creativity and innovation.

As we conclude:  Self-regulatory efforts can be refined, especially through technological innovation to better satisfy the concerns of policymakers, privacy advocates, and average consumers.  For example, if websites and ad networks participating in a self-regulatory framework supplemented their current “natural language” privacy policies with equivalent “machine-readable” code, that data could be “read” by browser tools that would implement pre-specified user preferences by blocking the collection of information depending on whether the privacy policies of certain websites or ad networks met the user’s preferences about data-use. Such robust and granular disclosure, if implemented for behavioral advertising, would exceed the wildest dreams of those who argue that users currently do not read privacy policies-without disrupting the browsing experience or cluttering websites.  But this system would only work if users had to make real choices about paying for”‘free” content and services by disclosing their personal information.

Truly privacy sensitive users should be free to opt out of whatever tracking they find objectionable-but not without a cost:  The less data they agree to share, the less content and services they can fairly expect to receive for free.  Concretely, this means that they might not be able to access certain sites, content, or functionality without watching extra (untargeted ads), or paying for that content or service (assuming such a micropayment model can be worked out).  Of course, there will always be ways to “cheat” in such a system, but Commissioner Harbour is exactly right on one point:  Each content creator and service provider must be “free to strike whatever balance it deems appropriate.” This freedom is vital to the Internet’s future because the easier we make it for some users to get “something for nothing,” the smaller will be the economic base for the content and services everyone else takes for granted.  Again, there is no free lunch.

You can download our paper in PDF form on the PFF website or view it below in Scribd.  (Click the rectangle-in-rectangle button at the top right to maximize the iPaper viewer.)