Recently, CDT’s Harley Geiger wrote a guest blog post for Business 2.0 Press discussing new developments in digital signage and behavioral advertising in the wake of the online advertising study released last week.
Check it out and let us know what you think. Thanks again to Business 2.0 Press for the opportunity.

CDT, EFF, and other commenters on the Google Books settlement sent a letter to Google’s lawyers yesterday asking the company to reconsider the privacy protections it will build into Google Books, taking advantage of the last-minute extension in the case. Google and the authors and publishers who sued the company are currently renegotiating the proposed settlement in order to resolve concerns raised by the Department of Justice last month [http://thepublicindex.org/docs/letters/usa.pdf].

CDT filed a brief on the original settlement, arguing that it should be approved, but recommending that strong, enforceable privacy safeguards be put in place. Yesterday’s letter asks that Google reconsider our recommendations, and similar ones from other advocates, in light of the extension. Google took some good steps in a privacy policy posted last month, but those commitments are incomplete and not adequately enforceable by the Court. Now that the deadline has been lifted, Google has the chance to make stronger commitments to reader privacy that the Court will have the authority to enforce.

The delay, while certainly a blow to the progress of the settlement, provides an opportunity to improve it. While the Justice Department’s concerns the parties are currently addressing did not include reader privacy, the lack of adequate safeguards nonetheless remains a problem—one that, given CDT’s brief and those of the other signers of today’s letter, Google is certainly aware of and has the resources to address. In light of the scrutiny the settlement has received and the recent setback, Google would do well to improve the settlement in all the ways it can. Protecting reader privacy should be an easy one.

For those of you in the Bay Area, CDT and TRUSTe are cohosting a lunch discussion as part of their TechPolicy Series. Today’s discussion is “Social Networking – The Challenges of Privacy and Openness” and will focus on how the growth of sharing and connecting on the web is impacted by the need for privacy protections for users. Event details are below:

Wednesday, October 7th
12:00 PM – 1:30 PM
Google Campus, Kiev Training Room, Building 40
1600 Amphitheatre Pkwy
Mountainview, CA

Speakers:
-Chris Conley, Technology and Civil Liberties Fellow, ACLU Northern California
-David Glazer, Engineering Director, Google, and Board member, OpenSocial Foundation
-Hemanshu Nigam, Chief Security Officer, MySpace
-Tim Sparapani, Director, Public Policy, Facebook

Moderated by Fred Vogelstein of Wired Magazine

More information on the event is available here and the event will be live tweeted by @CDT_LIVE with the hashtag #netpolicy.

The event also has a dial-in number:
REMOTE CALL-IN INFORMATION:

US Dial in: 866.457.4646
Global Dial in: 617.224.4646
Participant Passcode: 51458039

Working with law students at UC Berkeley’s Samuelson Law, Technology, and Public Policy Clinic, CDT recently submitted comments in a FCC proceeding on the implications of Smart Grid Technology, highlighting the need to protect consumer privacy and implement critical security protocols in developing the modernized electrical grid.

At the core of the new grid’s functionality is the collection and use of highly detailed data about consumer energy consumption, including realtime consumption data about specific appliances (such as, air conditioners, microwaves or home healthcare equipment). This granular usage data reveals deeply personal information about consumer habits, and about consumer activities within the private space of the home. Given both the sensitive nature and high commercial value of this data, utilities and third-party businesses will be eager to make use of it, as will law enforcement investigators and, unfortunately, criminals. For example, if your thermostat is set at 55 degrees for 3 days in the winter in New England, that is a good signal that you are away from your house. As such, a lack of care around this data will pose serious privacy and security risks for consumers. These issues are further complicated by the reality that the Smart Grid, at present, is governed by a patchwork of state and federal laws

Realizing the likely benefits of the Smart Grid, including improving energy efficiency, reducing utility bills, and protecting the environment, will require consumers to trust that these new technologies will be protective of personal information and secure against threats.

CDT urged the Commission to ensure that privacy is integrated at every point in the network via appropriate technological design at the outset, so that privacy and security do not have to be later retrofitted onto the system. Further, the collection and use of consumer data by utilities or third-party providers should follow Fair Information Practice (FIPs) principles, including providing consumers with: transparent notice about data collection practices, meaningful choice regarding the use and disclosure of usage information, and reasonable access to, and the ability to correct or dispute, all usage information.

Recently, CDT Policy Analyst, Andrew McDiarmid spoke at the Washington Legal Foundation about privacy issues in the Google Books Settlement. The video of Andrew’s discussion, as well as several other videos from the event, are available here.

Researchers at UC Berkeley and the University of Pennsylvania’s Annenberg School of Communication recently released the results of a large-scale study of consumer attitudes toward behavioral targeting (also known as behavioral advertising). The report’s findings were astonishing in their simplicity: the majority of consumers do not want their information collected and used for the purpose of customizing targeted news or advertisements. Consumers also believe they have the right to access and control information that companies have collected about them.

Study authors reported a number of significant findings. Among them:

If given a choice, 68% of Americans “definitely would not” allow advertisers to follow them online even if their online activities would remain anonymous. 19% “probably” would not allow this tracking.

63% of Americans feel that laws should require advertisers to delete information about their Internet activity immediately. 69% of Americans would like to see a law giving them the right to access all of the information a Web site has collected about them.

62% of respondents believe that “If a website has a privacy policy, it means that the site cannot share information about you with other companies, unless you give the website your permission.”

As CDT’s Heather West wrote in a piece about privacy concerns amongst young adults, even digital natives object to behavioral targeting. The study authors reported that 86% of young adults reject advertisements that are tailored based on their activities across multiple Web sites. If the advertisements are tailored based on information gathered about their offline behavior, then 90% of young adults want nothing to do with these ads.
(more…)

CDT Policy Analyst, Heather West, wrote a guest blog post for Wired’s GeekDad blog discussing whether or not online privacy is a generational issue. In light of the release of a survey on behavioral advertising conducted by professors at both the University of Pennsylvania and The University of California, Berkeley, the post highlights how the younger demographic is demanding more control of their data and identities online and is more engaged than ever on the issue of online privacy. The post is available on Wired’s website here.

Netflix recently announced winners of the one-million-dollar “Netflix Prize” and its plans for a new competition, creatively dubbed “Netflix Prize 2.” Although details of this second contest still haven’t been made public, the New York Times has reported that competitors will be challenged to “model individuals’ ‘taste profiles’,” based on a dataset that will hold “demographic and behavioral data,” including information about members’ ages, gender, ZIP codes, genre preferences, as well as their rental histories and movie ratings.

The announcement of Netflix Prize 2 illustrates the continued blinders that companies have about the ease with which individuals listed in supposedly anonymized datasets can be identified. The ostensibly anonymized dataset released to the public for Netflix Prize was limited to the video rental histories of 480,000 Netflix subscribers, the ratings (1-5 stars or “no rating”) that subscribers gave each movie, and the date that subscribers rated each movie. As law professor and CDT Academic Fellow Paul Ohm has pointed out, between 2006 and 2008, researchers Arvind Narayanan and Vitaly Shmatikov showed that if you know just a little information about a friend (or enemy’s) movie-viewing habits, using the Netflix Prize database you can likely uncover every movie your friend ordered through Netflix and how she rated it.

Add demographic and behavioral data into the mix and how do you even take seriously claims that the data has been and will remain de-identified?

Netflix is far from the only company releasing easily de-anonymized data under pretenses that the sets’ contents are unidentifiable. From the user identifications that came out of AOL’s infamous data release to Latanya Sweeney’s use of Massachusetts residents’ ZIP code, birth date, and gender – all found in public voter rolls – to identify individuals whose “anonymized” hospital records had been publicly released, the pretense of anonymization is time and again revealed as false. Companies need to own up to the privacy risks inherent in releasing such data and find more comprehensive and robust methods for truly de-identifying their data and protecting their customers.

Recently, CDT was asked to testify about the ways that technology can be used to improve financial oversight during a 2009 congressional session that saw “bank bailouts,” “housing markets” and “economic stability” become commonly used buzzwords. While TARP and mortgages aren’t our usual area of expertise, we have a lot to say on how Congress can ensure that the databases supporting these endeavors can help the government be more transparent and protect privacy at the same time.

The Troubled Asset Relief Program – or TARP – has been in the news a lot lately, as the program designed to strengthen the financial sector comes under scrutiny from the media and the public to figure out whether or not the program is actually working. Unfortunately, there hasn’t been an effective way to track TARP funding, in part because so many agencies are involved in distributing the money. One of the bills we discussed, H.R. 1242 (and companion bill S. 910), would create a centralized database for TARP information. It’s surprising that a program of this size doesn’t already have a way to consolidate the information around it’s expenditures, but not even the oversight committee has an easy time tracking the dollars. TARP funds are distributed by 25 agencies, using incompatible and outdated systems to track spending. The H.R. 1242 database would not only centralize this information for easy access, but would require almost real-time updates to the information.

We believe that the database needs to be made public in order to allow the media, watchdogs, and citizens to see how TARP money is being spent. A good example to follow is the Recovery.gov website, which pulls together information from the 28 agencies distributing Recovery Act funds. The site allows users to sift through stimulus contracts in useful ways and, though not perfect, it is an incredibly important step in keeping the public in-the-know. The lack of a similar site for TARP has made it difficult for the public to understand the program – so it’s a perfect opportunity to make a government database public.

Another bill we talked about in our testimony, H.R. 932 looks to improve technology for oversight on housing issues by linking location information to mortgage information, making it easier to track foreclosures, abusive lending practices, and vacancies. Currently, land parcel information is kept by counties, but centralizing them would allow regional analyses of the housing crisis and regional responses. Of course, if regional geo-databases are created, they may not fall under the privacy protections imposed on the federal government. In that case, it will be vital to ensure that the databases are subject to privacy and security protections. The financial information that can be correlated to land parcels is both personally identifiable and sensitive, as financial information is defined as sensitive by almost all definitions.
(more…)

The FTC recently announced approval of the terms of a settlement with Sears Holding Corp. (which owns Sears and K-Mart stores) over charges that the company failed to “adequately disclose” that it was collecting personal information using a spyware program secretly installed on consumers’ computers.

Between 2007 and 2008, 15 of every 100 visitors to sears.com or kmart.com were presented with a pop-up window that offered the opportunity to “talk directly to a retailer” and become part of “a place where your voice is heard and your opinion matters, and what you want and need counts!” No mention was made that this “opportunity” also installed detailed tracking software on the user’s computer.

Customers who asked for more information were offered a $10 coupon in exchange for downloading – and keeping on their computer for at least one month – software from Sears or K-mart that would allow them to become “part of something new, something different[.]” Consumers probably didn’t realize that by “new” and “different,” the advertisement meant “all-seeing” and “invasive.” Indeed, this software monitored both online and offline behavior, peering into online secure sessions and culling information from consumers’ email subject and recipients, online bank statements, drug prescription records, video rental records, and similar histories and accounts.

Customers effectively (and blindly) sold their privacy by agreeing to a lengthy terms of service agreement that showed up at the end of a long registration process. The agreement was presented in a small “scroll box”; consumers could only see ten lines of the policy at a time and not until the 75th line could the user find any description of the invasive tracking.

The FTC found that the software’s function was not fairly represented and that the “failure to disclose these facts…was, and is, a deceptive practice.” As remedy, the FTC has required that “if Sears advertises or disseminates any tracking software in the future, it must clearly and prominently disclose the types of data the software will monitor, record, or transmit.” Moreover, this disclosure must occur separately from any general terms of service or user license agreement and, if data will be accessed by a third party, must include a notification that data will be available to a third party. The FTC has also required that Sears Holding Management Corporation delete all data collected by the software.
(more…)