
Internet Privacy: Are Lawmakers Thinking About It All Wrong?

BY Sarah Lai Stirland | Wednesday, September 4 2013

How do we get back to the world where nobody knows if you're a dog? Photo: Flickr/Jesse757

According to Disconnect, a privacy protection browser extension that I installed earlier this week, anywhere between 72 and 90 different trackers are watching me every time I visit techPresident.

Those elements include basic site analytics functions from Chartbeat and Google Analytics, code that enables people to share our stories through social media, and code that enables readers to comment on the stories themselves.

But some of those bits of code are also sending information about my visit to dozens of companies that I’ve never visited before. They include online advertising networks and marketing platforms such as Google's Admeld (Google integrated it into Doubleclick), AppNexus, Blue Kai, Quantcast, the Rubicon Project, and dozens of others I haven’t heard of before.

At the Wall Street Journal, Disconnect reports that there are 314 trackers watching me. At The Atlantic, 165, and at The DailyKos, there are apparently 212. Tracking is a bipartisan activity: At Townhall, Disconnect reports that there are 164 entities spying on me.

I have no idea what any of these trackers are sending, what they’re using the information for exactly, and how long they’ll keep whatever information that they’ve collected about me. The same thing goes for the companies that publish the apps on my mobile devices. I do know that Amazon knows a lot about me however, since I use it constantly to buy books, clothes, household objects, and to watch movies.

Meanwhile, the dozens of apps that I run on my iPhone and two iPads are constantly tracking my location, telling me that they feel ignored and need to be used, and suggesting movies and books that might interest me. Unlike many of my other friends, I haven’t invested in personal fitness and wellness systems like Fitbit yet, but when I do, there will be a whole other ream of juicy-looking data that emerging businesses could potentially use to sell me something.

Against this backdrop are various self-regulatory, state and federal level and international legislative efforts to protect individuals' digital privacy, much of it based on the idea of giving individuals the legal right to stop themselves from being tracked either online through their computers, or through their mobile devices. In the United States, for example, the chairman of the Senate Commerce Committee Jay Rockefeller (D-Va.) has vowed to carry on this Fall with efforts to enact a Do Not Track privacy law, as has the Obama administration. Various members on both sides of the aisle in the House Commerce Committee are interested in this subject as well. (The question is whether anyone will pay attention to this issue as Congress focusses its attention on the National Security Agency's domestic spying activities.)

For its part, the never-ending discussion and debate around Do Not Track (DNT), which has been going on since at least the late Nineties, is showing its age. As legislators in Congress, industry lobbyists and privacy advocates debate the merits and limits of the concept of Do Not Track through cookies -- bits of code identifying your browser to publishers and businesses online -- the technology world has moved on, meaning that there are now a myriad of other ways to track people both online and through their mobile devices. We're involved in an arms race of sorts as advertisers try to evade escalating attempts to place limits on their activities.

Despite all of this, there's reason for optimism. Dozens of projects around the world are attempting to address what the participants see as a burgeoning market for privacy in our digital world.

Tag, You're It
One of the latest commercial efforts here in the United States is the New York-City headquartered startup called Mezzobit. Founded by former Newsweek/Daily Beast Chief Operating Officer Joe Galarneau, the company falls into the business category of tag management companies -- companies that were started to provide publishers more control online over their advertising business. But Galarneau's startup has a twist -- he wants it to be governed by a non-profit acting as a sort of adjudicator and enforcer of rules on data usage. The non-profit will eventually have 12 members on its board, and they represent the interests of the publishing industry, the advertising networks, and consumers. Like the credit ratings agencies in the financial world, Mezzobit will pay the board, called, fees for its services.

"I had to deal with the companies out there --the Googles, the Facebooks, the whole litany of folks who collected on the Internet, and as a company, I had no real insight into what was happening with the data coming off of my digital properties, and how my audiences were being treated," Galarneau said.

That's because Newsweek/Daily Beast, like many publishers, did deals with multiple kinds of third-party audience measurement firms and ad networks. As a result, it could have dozens of bits of JavaScript -- known in industry lingo as "tags" -- running on its pages, sending back information to those third parties as part of business deals. However, the publishers don't always double-check their business partners' tags to make sure that they're collecting only what they say they are. Galarneau says that he's heard of instances where ad networks are collecting way more than the claimed 10 bits of data points they said they were, resulting in legal fights.

The New Jersey Attorney General's recent $1 million settlement against the New York City-based online ad network PulsePoint is an example of the kind of thing that could go wrong for publishers. According to the New Jersey AG, PulsePoint had been tracking specific people online through their Safari browsers with cookies even though those users had set up their browsers to block their cookies. The company settled with New Jersey's attorney general in late July. PulsePoint is a new company resulting from the merger of ContextWeb and Datran Media Corp. A spokesman for the merged company told a local news outlet that it wasn't even aware of what it was doing until a Wall Street Journal story came out about it.

Galarneau said that he doesn't know the specifics of PulsePoint's tracking activities, but the idea behind Mezzobit and is to "police third-party tags as much as is technically possible."

"This would include controlling their cookie dropping behavior, as well as "taking them apart" to understand what data elements the tags examine, what elements they transmit to their makers, and what's contained in the cookies they drop," he said. "We'll be implementing the full measure of this in the coming months -- we're only part of the way there now and are releasing improvements to our system all the time -- but we would ultimately be enforcing DNT guidelines on all tags."

In case you didn't know, cookies refer to bits of code that Web sites attach to visitors' browsers to remember who they are. They can be used for everything from allowing a Web site to remember that you've already entered your login information, to third parties placing code on your browser to track your travels across the Web so that they can sell your profile to an advertiser. A lot of what happens depends on how a cookie is configured.

In a case like PulsePoint's, he added, "We also would have sent a warning to any customer using PulsePoint, as they would be legally liable for the ad network's actions."

Galarneau said that Data Neutrality plans to explain its work to the public, as well as what information is collected on Mezzobit's customers' audiences.

"We may not tell you the 42 different ways that we handle your information, but we will summarize it enough for consumers to be able to decide whether we're doing the right thing -- so hopefully the consumer advocates will be their proxies in deciding the criteria for those 42-different ways," he said.

Data Neutrality's executive director is Sharon Geddes in Chicago. She came to the startup from the Justice Department, where she worked as an assistant general counsel. Its senior advisor is Kevin McKean, a digital publishing veteran (who, full disclosure, was one of my first bosses at Money magazine, and who, along with Merrill Brown, introduced me to my husband.) McKean is also the former editorial director at Consumer Reports. Galarneau also said that he's working with an as-yet-unnamed New York City-based ad network with nearly 100 million unique visitors to more than 500 Web properties to persuade them to join the board.

From a publisher's perspective, there are many strong business incentives to use the services of a tag management company, and companies like Bright Tag and Tag Man already exist to serve them, said Jules Polonetsky, the Future of Privacy Forum's co-chair and executive director. The forum is a privacy-focused think tank that has financial backing from many industry companies. Bright Tag is a member company. Some of those reasons include faster Web site load times by consolidating dozens of tags into just one, and just the ability to gain more direct control over audience data.

"Tag management can be another privacy-enabling tool for Do-Not-Track, as well as making sure publishers have more control over where their data goes, but it’s going to take the key stakeholders, the browsers, the ad networks, and others to [participate,]" Polonetsky said in an interview. "The more voices that are encouraging people to figure out what they want to do to respect Do Not Track the better, especially with new legislative obligations calling for more disclosure on how you respond to Do Not Track.”

By new obligations, he's referring to legislative efforts like the one in the California state legislature. California lawmakers just approved a new bill last week that mandates that all Web sites that collect personally-identifiable information disclose what they do in response to requests not to be tracked online. The bill, which still has to be signed into law by Governor Jerry Brown, also requires site operators to disclose whether they allow third-parties to track their audiences. The gaping loophole in the bill is that it requires this only of sites that use individuals' personally identifiable information, such as their names. It doesn't cover cookies. Most advertisers claim that they don't use personally-identifiable information.

Galarneau said in an interview that Data Neutrality would have the capability to customize and update privacy settings on behalf of Mezzobit's customers, and it would make its work available to all of the representatives on the board. The idea is to follow Fred Wilson and Nick Grossman's self-regulatory approach, which means disclosure and accountability between stakeholders, rather than regulatory mandates that prohibit certain kinds of behavior.

Nevertheless, Galarneau said that he also expects Mezzobit to incorporate the suggestions of third-party efforts such as Stanford University's Cookie Clearinghouse, a project run by the Center for Internet and Society's Aleecia McDonald.

Based on input from the public, the Cookie Clearinghouse plans on publishing an "accept list," and a "block list," of cookies. Toolmakers such as Disconnect, browser makers and companies such as Mezzobit would then be able to use those lists to enable individuals to automatically stop themselves from being tracked by certain kinds of sites (as described on the Cookie Clearinghouse's Web site).
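One way a tag manager could combine a browser's Do Not Track signal with accept and block lists of the kind described above, shown as an added example that is not code from Mezzobit, Disconnect or the Cookie Clearinghouse. The hosts, the list contents and the policy itself (when DNT is set, hold back unlisted third-party tags that drop persistent cookies) are assumptions constructed for illustration.

```javascript
// Added illustration; hosts, lists and policy are constructed assumptions.
const ACCEPT_LIST = new Set(["comments.example"]);
const BLOCK_LIST = new Set(["tracker.example"]);

// Split one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// A cookie outlives the browser session if Max-Age is positive or Expires is in the future.
function isPersistent(cookie, now = new Date()) {
  if ("max-age" in cookie.attrs) return Number(cookie.attrs["max-age"]) > 0;
  if ("expires" in cookie.attrs) return new Date(cookie.attrs.expires) > now;
  return false;
}

// Decide whether a tag may load on pageHost. `headers` uses lower-case keys,
// as Node's http module delivers them; `tag.setCookies` holds the Set-Cookie
// values observed when auditing that tag.
function decideTag(tag, headers, pageHost) {
  const firstParty = tag.host === pageHost || tag.host.endsWith("." + pageHost);
  if (firstParty) return { load: true, reason: "first-party" };
  if (BLOCK_LIST.has(tag.host)) return { load: false, reason: "block-list" };
  if (headers["dnt"] !== "1") return { load: true, reason: "no-dnt-signal" };
  if (ACCEPT_LIST.has(tag.host)) return { load: true, reason: "accept-list" };
  const persistent = tag.setCookies.map(parseSetCookie).filter((c) => isPersistent(c));
  return persistent.length > 0
    ? { load: false, reason: "dnt: persistent cookie " + persistent.map((c) => c.name).join(",") }
    : { load: true, reason: "dnt: session-only" };
}

// Constructed sample tags for a page served from news.example.
const SAMPLE_TAGS = [
  { host: "static.news.example", setCookies: ["sid=abc; Path=/; HttpOnly"] },
  { host: "tracker.example", setCookies: [] },
  { host: "ads.example", setCookies: ["uid=123; Max-Age=31536000; Path=/"] },
  { host: "comments.example", setCookies: ["c=1; Max-Age=3600"] },
  { host: "fonts.example", setCookies: ["f=1; Path=/"] },
];

function auditPage(headers) {
  return SAMPLE_TAGS.map((t) => ({ host: t.host, ...decideTag(t, headers, "news.example") }));
}
```

Each decision carries its reason, so the same output can drive both enforcement and the kind of disclosure to publishers that the article describes.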

Still. Under Mezzobit's model, I still have to entrust publishers to 'do the right thing,' with whatever information they collect about me. And many of them might still use social networks such as Facebook as log-in mechanisms, meaning that I still might be forced to share some, or all, of my information and associations on Facebook and other social networks with publishers if they demand it. What if I'm the kind of person who doesn't have an account with a social network, and I don't want to be tracked at all?

Powershift to the Users?
Lots of other architects of the Web have been thinking about this, too. And they haven't just been thinking. They've been working on technical standards, such as open source authentication protocols, agreements and business relationships in order to enable a user-empowered Web. Author Doc Searls recently published a widely circulated blog post detailing a number of these efforts around the world, and has long been arguing for a new approach to "vendor relationship management," which would put the individual in the driver's seat.

Searls has been working with Kaliya Hamlin, an expert on online identity, and Phil Windley to address these issues. Together, they founded a workshop called the Internet Identity Workshop. Hamlin, aka "Identity Woman," thinks the answer lies in building businesses that enable individuals to control and manage their own data exhaust. The emerging businesses in this space are known as personal cloud services. They differ from Google, Facebook and Apple's iCloud because the terms of service explicitly say that individuals own their own data, and are the exclusive decision-makers when it comes to using and sharing their data. The services also use open standards, meaning that individuals' information isn't locked into one service. Hamlin said that there are about 1,000 members of this emerging personal cloud community.

In her mind, the Do Not Track effort that lawmakers have adopted is untenable.

"I can’t tell you how crazy Do Not Track is, because the Internet is not the phone system," she said in an interview, alluding to the U.S. Federal Trade Commission's Do-Not-Call program.

"I have 10 devices with 40-different browser-like things, and I’m supposed to somehow keep track of it all?" she asked incredulously. "I move IP addresses all the time – everything is changing about the endpoint that I’m touching the Internet on, and somehow I’m supposed to express that I don’t want to be tracked? And somehow with this opt-in system, they’re going to be nice and honor it?"

Instead, under the regime of the personal cloud movement, all of my relevant data would be stored in my cloud, and I would decide who to share that information with. Hamlin points to the Respect Network, a company in San Francisco, and in Washington, D.C. as examples of how this could work. But there are dozens of others, such as Mydex in the United Kingdom, trying to build similar services around the world.

The Respect Network has built a peer-to-peer technical infrastructure that includes two dozen businesses that enable individuals to control their own data. The company compares its network to a credit card network and itself to a trustworthy bank storing individuals' personal information, like a bank stores people's money. The business is scheduled to launch next year. bills itself as a digital data vault that stores everything from your credit card information to copies of your passport. The basic idea of many of these services is that instead of ad-supported Google holding my notes and helping me to manage many aspects of my life, and instead of using Facebook as an authentication service, fee-based services such as and cloud-based services with user-friendly terms-of-service contracts in the Respect Network would do the job.

"The idea here is that I would have my own data store, and I would share that information with a site that I really like," Hamlin explained. "It would be better quality data than what is effectively proto-stalking."

With personal cloud services and those from companies like Disconnect, it seems distinctly possible that one day I could travel through the Web without anyone tracking me -- unless, of course, I had offered my explicit consent.

I'm not sure what impact the rise of these kinds of services would have on the already-crippled world of journalism and content -- but there's got to be a better model than the one we have today, which is often inaccurate and untrustworthy.

The key in my mind is treating individuals as people who are capable of making their own decisions.

One example: Pinterest. In July, the social image sharing site Pinterest announced that it would honor browsers' Do Not Track settings. That means that the company won't track individuals' online surfing activities across the Web, if that is what they indicated through their browser settings. But if Web surfers do allow themselves to be tracked by Pinterest, and then visit the site, they'll then find recommended "Pinboards."

It can be a complicated process for the average person not attuned to the technical details of their devices to summon up the gumption and patience to figure all of this out. And yes, this kind of activity may have a detrimental effect on publishing on the Web.

Yet it seems to me that this set-up of giving people choices would ultimately end up making more money for everyone. I've given Pinterest permission to track me. I trust them. And funnily enough (surprise!) it turns out that they've got some pretty good links to some independent women's clothing stores that they're suggesting to me.

I've clicked through, and I'm currently eyeing a cool retro-Eighties t-shirt. I might just go ahead and splurge.