We had an opportunity this week to address the increasingly thorny issues associated with authenticating identity at the Federal Trade Commission (FTC) Workshop “Proof Positive: New Directions for ID Authentication.” With the debate over how and whether to implement the REAL ID Act looming, the broader issues of what constitutes identity and what we should do to protect it have come to the forefront. Although we remain deeply troubled by the REAL ID Act and its implementation, we were grateful to the FTC for creating this forum to address an issue that isn’t going away.

CDT Deputy Director Ari Schwartz took part in a panel on establishing identity through government ID programs and took the opportunity to officially unveil our draft Privacy Principals for Identity in the Digital Age, which aim to address the issue in a way that takes into account privacy, security and the broader issues associated with identity.

The two-day workshop provided a useful overview of the issues and featured thought provoking questions about what types of identity authentication we’re willing to accept and what we already take for granted. Amidst a lively discussion during the final panel about all the different privacy issues that consumers are facing, the FTC’s Naomi Lefkovitz suggested that some of the issues might be resolved with comprehensive, uniform consumer privacy legislation (see the webcast of panel 7 here). We couldn’t agree more.

The FTC and DOJ made news by unveiling a strategic plan to combat ID theft. Although the plan contains some important provisions, we were concerned that it addressed only the symptoms of a dilapidated national privacy framework and not the root causes.

In 1999, when the FTC held its online profiling workshop in 1999, there was almost an entirely different Internet advertising industry. At that time, the online advertising was rapidly becoming a mainstay of every Internet user’s online experience, the industry was still in its infancy and the technologies being deployed were still undergoing rapid development. DoubleClick, the network advertising industry leader that was acquired by Google last Friday, was serving an average of 45 billion ads per month at that time - approximately one fourth of the number of ads that it serves today.

Advertising volume is just one of the many ways that the landscape has changed. More and more consumers are making use of technologies such as Web search and Web-based email, with a corresponding increase in the collection and use of the associated data for marketing purposes. Profiling information is also being used across contexts - data collected on the Web might be used to target ads on television or radio, and databanks of information collected offline are being used to target online ads. Online video advertising and integration with Web 2.0 services are gaining increased attention as marketers tap into the ever-evolving multimedia online experience. The Network Advertising Inititive (NAI) agreement that was signed at that time is now completely out of date, to the point that it may not apply to any particular company today.

In light of all these developments, CDT has been urging the FTC to revisit the privacy issues surrounding online profiling and behavioral targeting. Earlier this year, we wrote a letter to FTC Commissioner Thomas Rosch that outlined what an FTC workshop on these issues might look like. We believe the time is ripe for the FTC to drill down on current technologies, re-examine the self-regulatory landscape, and identify the Commission’s own future course in relation to targeted advertising.

Google’s acquisition of DoubleClick shows exactly why an FTC workshop is needed. Google has traditionally focused on matching advertising to the context of a particular Web site, gathering mounds of data about how users interact with particular ads on individual sites. DoubleClick, on the other hand, specializes in gathering data across sites in an effort to help companies target rich media advertisements.

Google, today, says that it has no plans to tie past history or search information across Web sites. Google says that it has no plans to match the DoubleClick cookies with any Google cookie. Yet, the possible integration of these two data sets - along with all of the other search data that Google collects - raises issues that the FTC could not have foreseen in 1999 and exemplifies the evolving privacy challenges in the online advertising space. It’s time to deepen the dialogue about behavioral targeting, and an FTC workshop would be a great way to start.

EMI’s announcement this week that it will make its music available on iTunes in a DRM-free format is a very welcome development.

Regardless of what you think about DRM — and CDT is not opposed to it — giving consumers a broader range of choices is crucial for creating a more vibrant online music marketplace. EMI’s announcement represents a significant new choice, in two respects.
First, while independent music labels have been offering online music without DRM for some time through services like eMusic, EMI becomes the first major music label to offer a DRM-free online option for a large portion of its catalog. And second, Apple’s iTunes, the dominant online music store, has not previously sold tracks that could easily be transferred to non-iPod portable devices. When iTunes sells EMI music without DRM, the music won’t be tied to the Apple platform.

It will be interesting to see how consumers exercise this new choice. ITunes will continue to offer regular tracks with DRM for $.99, alongside the new DRM-free tracks with higher sound quality for $1.29. So this will be at least a partial test of how consumers feel about DRM and whether they care enough to pay extra to avoid it.

I say “partial test” for two reasons. First, since the new higher priced tracks will be not just DRM-free but also higher audio quality, the motivations behind consumer purchasing decisions may not be entirely clear. For example, some audiophile consumers may choose the DRM-free version for reasons unrelated to their opinion of DRM. Other consumers might prefer DRM-free music, but not want to pay for premium audio quality they don’t feel they need.

Second, there remains the question of how many consumers really know what DRM does. Will mainstream consumers understand, when offered the same song at two prices, what the difference is?

I think this will depend to a substantial extent on the interface iTunes develops for presenting the choice to its customers. When a person goes to buy a song, will there be a clear explanation of what “DRM-free” means in concrete terms? Will there be, for example, a link to a description of Apple’s FairPlay DRM and the usage limitations it entails? If the interface offers enough context to promote informed consumer choice, it may have the side effect of increasing the public’s awareness of DRM and the way DRM can affect uses of digital media.