A journalist by training, Meline Toumani shocked friends and family by moving to Turkey and embarking on a journey to understand a people and a country she'd been taught were the enemy. The result is "There Was and There Was Not," part political history, part deeply personal memoir.
The Federal Trade Commission is proposing new tools to protect the privacy of Internet users. Among the proposals: requiring a “Do Not Track” option in all browsers by the end of 2012. But many technology and advertising companies warn that new regulations could end up stifling innovation and making it harder and more expensive to provide tailored services. We examine new approaches to Internet privacy.
- Justin Brookman Director, Consumer Privacy Project, Center for Democracy & Technology
- Marc Groman Executive Director and General Counsel, Network Advertising Initiative
MS. REBECCA ROBERTSFrom WAMU 88.5 at American University in Washington, welcome to "The Kojo Nnamdi Show," connecting your community with the world. I'm Rebecca Roberts, sitting in for Kojo. Coming up this hour, by now, you may be aware that you leave digital footprints everywhere you travel on the World Wide Web, but you may not be aware yet of just how valuable those footprints are. A simple visit to a news site can funnel data instantly to a dozen other companies, most of whom are in the business of helping advertisers target specific online audiences.
MS. REBECCA ROBERTSBut federal regulators are in the process of crafting rules that would require Web surfers to be given a do-not-track option, rules that would restrict how online companies collect information about Web users and share it with their affiliates, and possibly change the game for companies whose most valuable resource is that very information itself. Joining me to discuss this are Maneesha Mithal. She is the associate director of the Division of Privacy and Identity Protection at the Federal Trade Commission. Welcome.
MS. MANEESHA MITHALThank you.
ROBERTSAlso here is Justin Brookman, the director of the Consumer Privacy Project at the Center for Democracy & Technology. Welcome to you.
MR. JUSTIN BROOKMANThanks for having me on.
ROBERTSAnd also joining us here in studio is Marc Groman, executive director and general counsel of the Network Advertising Initiative. Welcome to you, Marc.
MR. MARC GROMANThank you very much. It's great to be here.
ROBERTSAnd you can join us by calling 800-433-8850, or email us at email@example.com. You can also get in touch us with us through our Facebook page or by sending a tweet to @kojoshow. So let's sort of define our terms here to talk about why we're having this conversation now. Maneesha, I understand that there is a conversation going on at the Federal Trade Commission outlining the beginnings of a sort of do-not-track plan. Can you tell us where that stands?
MITHALSure. I should just mention at the outset that the do-not-track recommendations that we're making are part of a broader initiative. One of the things that we know is that a lot of -- there's been a lot of public incidents about consumer privacy. And those incidents erode consumer trust, especially if consumers don't know what's happening. So our call for Do Not Track is simply an effort to inject a little bit more transparency and choice in the process.
MITHALSo, as you mentioned, there are companies that are taking your digital footprints across the Web. We want consumers to be aware of that. We want consumers to be able to have choices not to be tracked, and we want just some more transparency to build consumer confidence in the Internet.
ROBERTSAnd this is at the same time or within the same context as the Obama administration's privacy bill of rights, but that actually did not include a do-not-track requirement. Can you explain the distinction?
MITHALSure. So both the administration and the Federal Trade Commission issued reports on consumer privacy. The reports are entirely consistent. The administration called for legislation based on a consumer privacy bill of rights. The FTC report also calls for legislation. Our report is a little bit more about specific examples, like Do Not Track, like mobile, like data broker industry.
MITHALAnd so we have specific examples in our report. We had put out a call for comment back in 2010. We got about 450 comments, and our report basically responds to those comments, provides some examples and provides some guidance to industry as they implement best practices in all of these areas.
ROBERTSWell, in the interest of providing some examples and making sure our audience knows exactly what we're talking about, Justin, why don't you take us through just a for instance. Suppose I am looking for the latest information about the Republican primary, and I go to a news site. What's happening?
BROOKMANSure. So you go NewYorkTimes.com, for example, and the thing is when you go to a site like New York Times, you're not just visiting one site. You're visiting, like you said, a dozen or more, so all the ads on those sites aren't served by New York Times. They're served by maybe Google or Yahoo or Microsoft. And when you go there, they can drop a cookie, so -- okay, this is user 12345.
BROOKMANThere will also be maybe a Facebook window or a tweet button. There also might be kind of invisible pixels just for -- so companies can drop a cookie. And so then later that day when you're going to ESPN.com or somewhere else, you know, those same companies are serving ads to you there. They say, ah, it's user 12345. That person was on New York Times earlier today. And so, you know, you browse across the Web. You see the same third-party companies over and over again.
BROOKMANYou don't know who they are, right? I mean, you're aware of some of the bigger ones like Google and Yahoo, but it's increasingly smaller companies like the Rubicon Project, (unintelligible), I mean, companies you've never heard of. And when they have -- we call it real estate on The New York Times, when they have a little pixel on there or an advertisement, they can correlate what you do over space and time, so they can, you know, over time build up a very detailed profile about the kind of things that you do.
ROBERTSAnd they know I'm user 12345. Do they know I'm Rebecca Roberts who lives in Washington, D.C. and personal details about me?
BROOKMANBy and large, no. So when you sign up for Google, for example, you give Google personal information. Google actually does a pretty good job of siloing that. So Google knows, you know, I'm Justin. Here's Justin's Gmail account. Then they kind of have, like, a firewall of code to protect the behavioral data -- we call this behavioral data, but what they see when they are a third party on ESPN and NewYorkTimes.com.
BROOKMANYou know, so, back in 2000, Double Click, which is a company that Google bought -- they bought this behavioral ad network -- thought about maybe trying to combine real-name data with that. And then the FTC in 2000, in response to consumer outrage, kind of stepped in, and Double Click agreed, OK, we're not going to do that.
BROOKMANThat said, increasingly, I think, companies are kind of more interested in kind of merging personal, you know, what we call offline data about real name and stuff with that behavioral data, and especially in mobile devices where my mobile device is much more about me as a person than my computer is. And so what industry, I think, has done by and large a pretty good job of not going down that road, but there's certainly no legal prohibition on them doing it.
ROBERTSAnd, Marc Groman, how do companies make money that way?
GROMANWell, by serving advertisements that are more relevant to users on the World Wide Web, they're able to generate more revenue and charge more for an advertisement that is actually more likely to be relevant to a particular user and reflect what are perceived to be or inferred to be a user's interest. But I'd like to really go back to the very important question that you asked which is, and how Justin explained it, is that it really is about browser or user 12345.
GROMANIt is not about Marc Groman, where I live, my email or any other personally identifiable information. And about the issue of merging personally identifiable information with this more anonymous data, I represent the Network Advertising Initiative, and we have close to 85 members now. And we do a compliance review every year. And not one company that I reviewed, meaning the NAI, is currently merging this more anonymous data about user interest with PII.
GROMANIt simply is not happening by companies that are engaged in best practices. Even though it may be legal, our members are not doing this out of concerns for consumer privacy and transparency.
ROBERTSBut from behavioral data, you can learn quite a lot, right? I mean, I searched for directions to one of my kids' friends' house, and I bought, you know, size five soccer cleats. And I bought a ticket to, you know, Denver. And you have now have found out I have kids, where I live, and that I have family in Denver, at least occasionally go there, without knowing anything about my name and my address.
GROMANSo that -- what is happening based on the anonymous 12345 number is that a profile, based on perceived interest, is being created in the backend. In order to create categories of users around general categories, such as interested in travel, family, hotels, or maybe another car enthusiast or a person in the market to purchase a home, and these are general categories which are created in order to allow advertisers to be connected to users.
GROMANAnd there are new tools that allow for enhanced transparency around this today. For example, if you're interested to see how one particular company might categorize your interests, you can go to something called a -- and I'll just use this as one example -- the Google ad preferences manager. And you can actually see the categories that your browser, not you, but your browser has been placed in to show you that they think you're interested in travel or family or other categories.
GROMANAnd Google actually gives you the option to change those categories, to correct them and to allow you to opt out. And I actually just did this recently. And to show you how sometimes it's accurate or not, many of the categories really were, but Google also explained that they thought, based on my browsing patterns, that I was a 25- to 34-year-old female, which would then show you how unaccurate (sic) it is and how it's really not tied to a user.
ROBERTSWell, let's turn this out to our audience. If your browser had a do-not-track option, would you use it? Why, or why not? Or are you actually willing to provide an online company with some of your personal information so that its tools can work better for you? Join us by calling 800-433-8850 or email us firstname.lastname@example.org. You can also get in touch with us through our Facebook page or by sending a tweet @kojoshow.
ROBERTSAnd so if this is -- as you say, Marc, you've surveyed your members. And they are not merging that personal information browser history. That's -- there's no -- there's nothing stopping them from doing it. They just haven't done it for self-regulatory or audience reasons.
GROMANRight. It isn't -- there's no law that currently prohibits that. But, importantly, self-regulations, such as the NAI, has stepped up to the plate and put in place really important best practices because, as Maneesha mentioned, the FTC report does highlight some issues around transparency, notice and choice. And we believe that transparency, notice and choice are absolutely critical in this space. And we are committed to that and other best practices, including the ability for consumers to opt out of online behavioral advertising if they are uncomfortable with the practice and would like to do so.
ROBERTSAnd how easy is that to do?
GROMANSo there are a number of ways to do it. On the NAI page, if you go to the homepage of NetworkAdvertising.org, we actually have a large button that says opt-out choice. I will tell you that, last year, we had about 8.5 million unique users visit the NAI website. Of those 8.5 million, about 850,000 users used our opt-out mechanism, which shows to me that for those who are interested, for those who are -- care, they're able to find the opt-out mechanism.
GROMANAnd they're able to opt out. That said, I fully agree with anyone who says we can do more. I agree it is incumbent on us to educate consumers and to do what we can to make transparency and choice even easier.
ROBERTSAnd, Justin Brookman, if the industry can do more, what more should they do, do you think?
BROOKMANRight. So the NAI opt-out is, I think, a good starting place. You know, there's two questions. One, why would anyone think to visit the NAI page, right? I mean, there's no reason for people to go there in the first place. And then, two, you know, how does that opt-out give -- register with my computer? So it's -- I think today it's done by a cookie. They'll put a cookie in my computer saying, OK, this person doesn't want to be tracked by all these networks.
BROOKMANAnd the problem is, you know, as a privacy conscious user, I delete my cookies every once in a while. So then when I delete my opt-out cookie, next time I go back to NewYorkTimes.com, all those companies will say, well, I don't see a cookie, but I don't see an opt-out cookie either, so we're going to start tracking him again.
ROBERTSI'm going to stop you for one second and ask you to explain what a cookie is.
BROOKMANOh, I'm sorry. Fair enough.
BROOKMANSo a cookie is a little text file that is used to kind of remember pseudonymously who you are in your browser. So you go to New York Times. New York Times can do their own little cookie saying, OK, this is -- we'll fill a text file on his browser saying this is user 12345, so next time I come back to NewYorkTimes.com, New York Times can say this person reads a lot of stories about the style section or the New York Giants.
BROOKMANYou know, maybe he logged in. He pays for the crosswords. This way, we can remember how many stories he's read this month. So cookies are pretty useful for remembering who people are. And so, on a first-party basis, I think people kind of get that and understand it. So, you know, I go Amazon. I don't mind that Amazon knows where I surf around and what kind of things I buy, what kind of things I'm looking at.
BROOKMANIt's this third-party tracking which I think many people find kind of inherently a little creepy, right? I get that I'm sharing with New York Times what stories I'm looking at. I don't get that I'm sharing with 12 different ad companies what I'm doing. So -- and so for the...
ROBERTSSo just to put it in the example of the user experience, it's one thing to go to Amazon and get the you-might-like list based on your previous purchases. It's another to get a banner ad for shoes you looked at a couple of sites ago, but didn't quite buy.
BROOKMANRight. 'Cause then you're thinking, you know, how did this site know that? Who knows -- who's following me from this site to that site? And so I think people kind of generally agree that, you know, opt-out -- there should be some sort of opt-out right. We should be able to say, hey, knock it off, right? And so the NAI opt-out and some other similar programs were a good start. But, you know, there's that stickiness issue that once you get rid of your cookies, you need to start over.
BROOKMANSo, you know, about five years ago now, a bunch of consumer groups, including CDT, where I work, kind of called for -- well, we need to come up with a better mechanism. It's called Do Not Track. It's like a one setting. You know, you tell the world, I don't want to be tracked because I can't go and find all these companies, not just the NAI companies, but other companies who might be tracking as well. I need a kind of, you know, universal button tell everyone to leave it alone.
BROOKMANThen kind of nothing happened for, like, three years or four years maybe. And then it was a couple summers ago, where Chairman Leibowitz of the Federal Trade Commission kind of resurrected the idea, said, you know what, we've been working on behavioral advertising for a while. The choices aren't great yet. Maybe there really needs to be Do Not Track. And since then, we've seen, I think, tremendous effort and work from industry certainly, from consumer groups and the FTC in trying to find a way to make this happen.
BROOKMANSo, right now, most of the browsers do have a Do Not Track setting. The problem is no one is really entirely sure what it means yet, so turning it on doesn't do a whole lot today. It's my hope, and I think it's everyone's hope, that in maybe six months or maybe a year's time, turning it on will have a consistent meaning everyone agrees upon.
ROBERTSManeesha, what does the FTC think it means?
MITHALSo there are a couple of things that I wanted to just respond to. First, I just wanted to challenge the notion that just because the data is not merged with traditionally personally identifiable information that it doesn't matter to consumers. I think we've seen a lot of incidents where researchers and others are able to take disparate bits of data and re-identify consumers based on that data.
MITHALSo just because it's not Maneesha Mithal, it's cookie 12345, doesn't mean that I don't have a privacy interest in that information, especially because it can be used to track me over time and track my behavior and movements over time. Second, I think Marc mentioned that, you know, his company is maybe doing a good job. They may not be selling the information for other purposes. They may be honoring opt-outs. But as he said, there are no legal requirements in this area.
MITHALSo, for example, I might not mind getting targeted ads, and I might not mind the fact that, you know, I want to get hiking ads or I want to get gardening ads. But maybe I'll mind if a company sells the information about my surfing behavior. So, let's say, I'm looking for a deep fryer on the Internet, and they sell that information to my insurance company. I think consumers would mind about that.
MITHALAnd so these are the types of things that we're trying to get industry to agree to and come up with a Do Not Track system that not only doesn't serve me targeted ads but doesn't collect my information to sell for other purposes.
ROBERTSWe are talking about the possibility of having a workable Do Not Track system when you browse online. My guests are Maneesha Mithal -- she's the associate director of the Division of Privacy and Identity Protection at Federal Trade Commission -- Justin Brookman, director of the Consumer Privacy Project the Center for Democracy & Technology, and Marc Groman, executive director and general counsel at Network Advertising Initiative. We need to take a quick break, but we will come back in just a minute. Stay with us.
ROBERTSWelcome back. I'm Rebecca Roberts, sitting in for Kojo Nnamdi. It's Tech Tuesday, and we are talking about Do Not Track and how much information Web users want to be collected about them and whether they want to be able to opt-out of some of the information tracking that goes on when you visit sites on the Internet.
ROBERTSMy guests are Maneesha Mithal, associate director of the Division of Privacy and Identity Protection at Federal Trade Commission, Justin Brookman, director of the Consumer Privacy Project the Center for Democracy & Technology, and Marc Groman, executive director and general counsel at Network Advertising Initiative. You can join us, call 800-433-8850, or email us at email@example.com. Would you opt-out if there was an option to do so in terms of the information that is gathered about your Web browsing habits?
ROBERTSOr is some information useful to you so that the targeted advertising can work better, or that websites can use all of the functions that they can by knowing something about you? You can also get in touch with us through Facebook page or by sending us a tweet to @kojoshow. So we were talking about whether self-regulation is working, whether something needs to be more thorough and whether Do Not Track has a definition that users understand or that industry agrees on. Marc Groman, what would your definition of Do Not Track be if such a thing existed?
GROMANWell, I actually think that the term Do Not Track is really very confusing. It's imprecise and really doesn't explain to consumers, or actually anyone in the ecosystem, what may happen, and therefore, is problematic. And so I think that we agree that we want consumers to have a choice about online behavioral advertising and have the ability to very easily express that choice. And that's why many in industry have agreed that a new browser-based tool that would allow consumers to easily express that choice is something that we agree to and that we're willing to work on.
ROBERTSSo what would that look like when you open your browser? Whether it's Firefox or Explorer, whatever, there's something -- some kind of a settings button that allows to...
GROMANRight. So I think it could under preferences, and I think it's important, though, when we have this conversation and when consumers are making this choice that we bring into this conversation the absolutely critical role that advertising plays on the Internet and for the worldwide web, that we and the consumers understand that this kind of advertising, including intraspace advertising, is what allows for all of these amazing, innovative, creative free services that we all -- and free content -- that we all appreciate.
GROMANWhether it's your free email address, a free blog site, free social networking or content sites, including really small publishers who are able to offer you really interesting content, all of those products and services are relying on advertising and intraspace advertising, which allows for increased revenue, not just increased relevance.
ROBERTSAnd, Justin Brookman, do you think that if there were a way to opt out of that kind of advertising that the business model would change? That a lot of that content couldn't be free anymore?
BROOKMANI don't think so. I mean, I think, like Marc said, the vast majority of free content is supported by advertising. And I think consumers get that, right? That's the value proposition. I'm reading an article, I get there's ads on the side that I'm paying attention to. What I think is not clear is the fact that that ad is watching me just like I'm watching it and remembering what page I'm on and then creating this dossier about me. Now, today, the pretty small minority of advertising is actually just behavioral advertising -- based advertising.
BROOKMANNow, it's true that in certain context, that'll be the best ad to show. Most of the time, the best ad to show will just be based on what I'm looking at right now. From reading a story about the New York Giants, it makes sense to show me an ad for football tickets, right? There's no, like, privacy invasion from that. That's when most advertising is online.
BROOKMANYou know, later from a New York Times reading a story about, you know, people being killed in Syria, there's no real good advertising to show there. That's what we call contextual, based on the story that I'm reading. There, a behavioral story might be okay. And so you have New York Times wants to say to me, look, you know, we're not doing so well these days. We need to track you across multiple sites in order to show you, maybe 43 stories instead of 20. That's fine.
BROOKMANI don't really care if they want to make that value proposition with me. My problem is that's not happening today. People don't understand that their reading habits, their viewing habits, what they do online is being collected by these desperate companies, and so that's why I think, you know, there needs to be a kind of better transparency about what's happening and also more robust controls in there right now. And I think we all pretty much agree with that basic point.
ROBERTSAnd is there a way to find out who's tracking you and for what purpose?
BROOKMANYeah. So there are add-ons, little programs you can add to your browsers. The one that I use, you can search for a product called Ghostery. Ghostery is a company that works actually with some of the self-regulatory groups. And then when you install the add-on in your browser -- they make it for all the major browsers -- it'll show you all the little companies that are also there on that page that same time.
BROOKMANSo some of the better publishers might just have, you know, a few companies that might have an analytics program which I think people don't think as that invasive. But then some of these sites like, I think, dictionary.com famously was cited as -- when you get to dictionary.com, it's literally dozens and dozens and dozens of companies leaving over 200 cookies on one visit. So it can be illuminating and potentially scary that all these sites are looking at the things that you're looking up on dictionary.com.
BROOKMANOr maybe you don't care. Maybe you trust these companies, you trust the ecosystem, you trust the self-regulation. I'm not telling people to go either way. I just want people to be able to make informed choices. That's a lot harder to do right now.
MITHALYeah. I want to go back to your original question about what's the appropriate definition of Do Not Track. One of the things that we've said is that we don't -- we understand that there are uses of data that are beneficial to consumers. So, for example, we know that companies track consumers for the purpose of preventing fraud and insuring the security of the Internet. We don't want to affect that type of use of information.
MITHALWhat we're saying is fraud prevention, first-party marketing -- and when I talk about first-party, I mean I'm on Amazon's site. Amazon can tell me book recommendations. First-party marketing, security, fraud prevention, those types of things seem to be reasonably expected by the consumer. And we don't think that that should be subject to choice. There are certain categories like advertising back to the consumer that we think consumers would care about, selling to other companies for purposes as I mentioned before for making credit decisions, employment decision.
MITHALI think a lot of consumers would be concerned if advertisers and ad networks are selling their information to potential employers, insurance companies, financial companies, in order to make decisions about consumers. So those are the types of things we want to get at. I think the main point that we've made is Do Not Track doesn't simply mean do not advertise. Do Not Track means don't track for any of these purposes.
ROBERTSAnd would that work, do you think, Marc Groman?
GROMANWell, at a high level, generally, yes. I want to make the point, though, because these examples come up often in these debates around the use of data for eligibility decisions, which seems to incite a lot of fear in people that third-party advertising that works are collecting data, and somehow that information is going to be used to change the value of your insurance, to deny you employment or to impact your credit, and that is simply not the case.
GROMANIt has been policy at the NAI for years that information collected for advertising may not -- absolutely may not -- ever be used for eligibility decisions like that. And so on that front, I'm actually in violent agreement with Maneesha and believe that is really absolutely critical. And so we agree.
GROMANThe important point about the term Do Not Track, and I think what we agree on also, was that it is impossible, given how the World Wide Web and Internet work and function today, that a Do Not Track mechanism or a preference to not have advertising could stop all collection. It would simply break the ecosystem, and that is something that we are very concerned about.
ROBERTSWhat do mean by break the ecosystem?
GROMANWell, the way the World Wide Web works, I mean, simply serving a webpage or even a generic display advertisement requires the collection of some information from a user's browser just to provide that service. And so the notion that if somebody selects a button in their browser, which, you know, some people want to call Do Not Track, that information from that browser isn't going to be sent to a wide range of parties to serve advertisements, to serve the actual content or website you want, just won't work.
BROOKMANAnd I agree with that, right. I mean, the example, though, as I said before, contextual advertising, which I don't find to be privacy invasive, right? They don't need to remember anything about me. You know, when I go to New York Times and am reading that story, Google or whoever is serving the ads still needs to get a little bit of information about me. They need to know that I'm looking on an Android phone. They need know my IP address, which is like the address of where I am, so pretty unique information.
BROOKMANSo they have to collect a fair amount of information. I think everyone is pretty much in agreement that these third parties, even when Do Not Track is turned on -- and I understand that's why Marc finds the term Do Not Track a little bit confusing -- certain information is going to have to be transferred. And then I think everyone kind of agrees that some of this eligibility stuff and probably advertising is off the table (unintelligible) like a narrow ranged middle that everyone is fighting about.
BROOKMANAnd maybe it's not the most important issues. I mean, maybe we've worked out the hardest ones. But my issue with current industry definitions right now is that, if you meet any of these categories -- and fraud prevention is certainly legitimate, you know, attribution is certainly legitimate so, you know-- you know, I saw this ad on New York Times, and later I went to Nike. New York Times deserves the money for that. That, I get. And then there are things like, you know, market research, for example.
BROOKMANIf I turn on Do Not Track, can companies follow me around the Internet to build a very detailed profile about me, not to change my ads but to kind of learn about how people cruise on the Internet, right? If you do this on your TV, it's like a Nielsen box. So people kind of agree to that. So, yeah, I'll be a Nielsen subscriber this month. I'll tell Nielsen what I'm doing just so they can learn about how people watch TV, right?
BROOKMANIf I turn on Do Not Track, do I reasonably expect that companies are going to be able watch everything, you know, lots of what I do online, and then catch against that unique cookie for forever, right? I mean, there's no real logical stopping point for when they want to turn that off. Now, I think that's, again, kind of marginal case, and we're kind of working on the details on how it's going to work. But I think, you know, right now, where industry has said they think Do Not Track is, I think most advocates and, I think, regulators have kind of said it's not quite good enough.
ROBERTSAnd let's again ask our audience. If you have any questions about what sort of information is gathered about your habits online, who's gathering it, what they're using it for, you can give us a call, 800-433-8850, or email us, firstname.lastname@example.org. Maneesha, it sounds like there's actually quite a lot of consensus in this conversation. So does that mean the systems already working pretty well? What is the federal role here?
MITHALYes. So I think there is a lot of high-level agreement on various principles. I think industry has done a great job in making forward progress. They've made certain commitments. I think our job at this point is to make sure that industry follows through on its commitments, and I'll give you a couple of examples. So one of the issues that we've had is that we've asked companies to make sure that Do No Track is easy to find and easy to use. I think, as was pointed out earlier, some of the options that are out there are very difficult for consumers to find.
MITHALA consumer is not going to know about NAI. They're not going to know how to get to that page. I think some of the initiatives that are going on right now are helping solve that problem by baking that Do Not Track button right into your browser settings. So I think that's something that we'd like to see go further. I think another area is that we've seen a tremendous progress by the advertising industry. I think there are industry players out there that are going to continue to track. An example is Facebook.
MITHALSo Facebook has a like button that's available on many sites, and that's very similar to a cookie. So if I'm on The Washington Post and I see a Facebook like button, Facebook has the capability of collecting my data. So it's not just...
ROBERTSBut you have to press that button.
MITHALNo, actually. So I think most consumers would understand if I press the like button, that means that Facebook can collect information.
ROBERTSYou can choose who gets that information.
MITHALExactly. But even before I press the like button, Facebook has the capability of getting information about me just because, you know, they could see that I'm on The Washington Post site. And if they have another site with a like button, they could see and track me across those sites. We want consumers to have choices in those realms as well, so I do think Do Not Track is limited to the advertising industry. It includes analytics companies, companies like Facebook, social networking companies and others. And so we'd like to see it a little bit more universal.
ROBERTSAnd, Marc Groman, one of the issues here that the audience is kind of a moving target, I mean, that are expectations of how much information about ourselves is shared is changing all the time.
GROMANWell, I think that it's important to recognize that different consumers have different perspectives and different feelings about information collection and information sharing. And so there is really -- I don't believe there's any universal consumer perspective, which is why we agree that transparency and choice are important. And if I may, the point was made how well consumers know about NAI or a consumer choice mechanism.
GROMANAnd in the past year, NAI members have donated tens of millions of ad impressions around an educational initiative to educate consumers about intraspace advertising and the network advertising initiative. And they also want to highlight the DAA program, which includes an icon. There is now an icon that is inserted into advertisements online. That icon is in probably over 1 trillion ads each month, and that leads consumers to more information about intraspace advertising and a mechanism to allow them to opt out.
ROBERTSWhat does the icon look like?
GROMANIt is a little triangle, which you can see in, most often, the upper right hand corner of a banner ad or an online advertisement. And if you click on that, it links you to choices you have about online behavioral advertising that companies that are involved in advertising and the ability to opt out from specific companies or from all members in the self-regulatory program.
ROBERTSWe are talking about tracking online and whether or not there should be federal regulation about it and what sort of mechanisms might be put in place in order to affect that. We're going to take a quick break, but we will come back with more of our conversation. You can join us, 800-433-8850. Please stay tuned.
ROBERTSWelcome back. I'm Rebecca Roberts, sitting in for Kojo Nnamdi. We are talking about online tracking with Maneesha Mithal from the Federal Trade Commission, Justin Brookman from the Center for Democracy and Technology and Marc Groman from the Network Advertising Initiative. And let's turn now to your calls. This is Teri (sp?) in Montgomery County. Teri, welcome to "The Kojo Nnamdi Show."
TERIThanks very much. I have a comment responding to the idea of opting out and a question. I'm a baby boomer with my own business, breast cancer survivor, mother to a teenage girl. And I'm on the Internet all day. I have five browsers open. And I would not choose to opt-out. I appreciate the diversity of information that's presented to me through the ads and the suggestion, but I absolutely welcome intelligent monitoring and legislation and discussion and information like you have today.
TERIMy question is I went to a tech conference over the weekend, and they said that mobile apps are particularly sticky. So if I did want to opt out, would I have to do something different on my laptop than I did on my mobile apps? Thanks for taking my question.
ROBERTSThanks, Teri. Let's see if we can get you an answer. Marc Groman?
GROMANWell, thank you very much, Teri, for calling. And I appreciate those comments and the thoughtful question. I do think that mobile apps do raise a different issue, and it's important to recognize that. Currently, the NAI and the current self-regulatory initiatives around online behavioral advertising really govern the collection of information from websites in your Web browser. And the mobile apps that you have on your smartphone or other portable device are really a different conversation and one that, candidly, I'm less familiar with.
GROMANBut it is a very important topic going forward. It's a very important privacy issue going forward and one that I know we will be looking more closely at to make sure that there is transparency and privacy around data collection with mobile apps.
BROOKMANYeah. The short answer is that it's a lot harder to even opt out today on the mobile space. There's two kinds of tracking that you can be talking about. It could be the tracking on your mobile browsers when you're surfing on, like, the Safari on your iPhone or your browser on an Android phone. That operates, I think, kind of similarly to how it works on the Web today.
BROOKMANBut as far as mobile application, as far as the ads and the services that are used by Angry Birds or ESPN, the app, and what not, there really isn't this kind of robust self-regulatory initiative to give you choices to opt out of lots of different companies. There are a couple of companies that you can find and ask to opt out of. I think Google you may be able to opt out through your phone 'cause they own a mobile tracking company as well. But the conversation is just not there yet.
BROOKMANI mean, for behavioral advertising I think part of the reason you heard us all agreeing so much earlier is because I think the FTC has done a great job of kind of hammering that industry to kind of get to the right place on offering real choices in transparency. It's taken about 15 years for behavioral advertising to get them to a space that's pretty good. Mobile ecosystems has been only about, you know, four, five years old. The tools just aren't there.
BROOKMANFortunately, it's -- we're just starting to see pressure about exporting this idea of do-not-track to mobile as well. Mozilla, the company that makes Firefox, has talked about developing a mobile operating system where do-not-track is built-in to the operating system so you can kind of hit one easy button and say, hey, all my apps, don't sell information about me to third parties. Again, we're not there yet. We're still trying to finalize the details on do-not-track for the Web. But I think we really need to get the conversation moving as fast as possible for mobile as well.
ROBERTSLet's hear from Ryan in Glen Echo. Ryan, welcome to "The Kojo Nnamdi Show."
RYANYes. My primary question is on the lines of credit reporting bureaus and their access to this information. The gentleman from NAI said that their members do not share this information, but that doesn't mean other members do not. Is there any information about what information is being shared about to health agencies or credit reporting bureaus from other people? Do these agencies say that they do not use this information perhaps?
ROBERTSRyan, thanks for your call. Maneesha Mithal.
MITHALYes. It's an issue that we're exploring at the Federal Trade Commission. We enforce a law called the Fair Credit Reporting Act. And if the information from your surfing behavior is used for credit decisions, for employment decisions, then you're entitled, if you're denied credit or insurance, to get a notice from the company that's denied you the employment or the insurance or the credit. Once you get that notice, you can inquire further and correct the information.
MITHALI think what the Fair Credit Reporting Act doesn't do is that it doesn't prohibit this practice altogether. So as we said before, there's no legal requirement not to sell information to employers, insurers, credit companies, and so that's something that we're concerned about. And that's one of the reasons why we don't want to focus on do-not-advertise. We want to focus on do-not-track.
ROBERTSLet's hear from Kate in Baltimore. Kate, thanks for waiting on the line. Welcome to "The Kojo Nnamdi Show."
KATEThank you so very much. I'm founder and vice president of Maryland Smart Meter Awareness. And as you're talking about tracking and privacy issues, currently, the utilities are moving ahead with implementing the smart meters on the smart grid, which will, of course, track our energy usage as well as other aspect of our lives: what appliances we're using, whether we are using any appliances, when and so forth. And so I'd like -- in terms -- currently, there is no opt-out.
KATEThey are not allowing utilities, at least in Maryland, currently -- they are not allowing an opt-out, although the Public Service Commission has opened a hearing. But I'd like you to speak to the privacy issues that are involved in this -- in the utilities using these smart meters.
ROBERTSKate, thank you for your call. Maneesha Mithal.
MITHALYeah. So I think, at the outset, I talked about the fact that do-not-track is just one component of some broad best practices that we're recommending the companies implement. So it's not just for behavioral advertising that we're asking companies to implement choice. And I think this goes to the previous caller's question, too. Whether it's mobile apps or using your loyalty card at supermarkets or the smart grid question that the previous caller just asked about, we're saying that there should be more transparency in all of those industries and more choices.
MITHALAnd so I think one of the initiatives that we have is we've asked companies to come together to talk about choices, to talk about how they can provide choices more simply to consumers, to provide information about who's using their data, what it's being used for and what's being shared with.
BROOKMANYeah. This is something -- we've been focusing a lot on do-not-track because so much of the debate in Washington have been around, you know, behavioral advertising. But we have -- at CDT have argued for a long time. There really needs to be a baseline law in this country that requires everyone who takes your personal information to give you, you know, basic rights around your privacy, that they're telling you what's going on, giving you basic choice around it, don't take any more data than you need and getting rid of it after you're done.
BROOKMANAnd the caller's absolutely right. The smart grid -- the smart meters are increasingly going to be a big issue. And while we're kind of just ramping up the discussion on mobile, a lot of the smart electricity grid conversations are moving forward without a lot of robust discussion of privacy initiatives. And you can think about it as cars as well. Increasing cars are interconnected, increasingly putting geolocation trackers into all cars to things like OnStar. You know, what are the parameters for how those companies need to collect use your data and tell you about it?
BROOKMANYou know, unfortunately, when so much of the conversation is just around advertising and the poor little advertisers have been hammered over their head for the last several years about -- maybe not terribly controversial, but I mean, I think it's still important use of data. You know, all of these other industries are kind of forging ahead with collecting and using information in ways that are actually terribly useful and valuable, right?
BROOKMANI mean OnStar provides very good service. But, you know, do I want OnStar tracking me all the time and selling my information, you know, where I'm going all the time to all sorts of different parties? I would say definitely not. But there is, in this country at least, and most of the rest of the world has privacy laws, saying companies had to give you basic information and choice around your data.
BROOKMANThe United States is kind of the outlier in that we don't have that. The only -- the basic law in the United States of America is just don't lie about what you're doing. You don't have to actually tell them what you're doing. But if you do make a representation, it has to be accurate. And so, for that reason, I think some companies have even shied away from being transparent about what they're doing because if they happen to make a misstatement, so then they can be liable.
BROOKMANSo, I mean, I think the takeaway from all this for us is there really should be, you know, a basic privacy law in this country requiring everyone to tell you what they're doing.
ROBERTSSo the don't lie imperative leads to vagueness.
BROOKMANIf you find a legal hook -- you have to find that hook, and the hook has to be provided by the company of making a statement that you can then go after them for. So a smart lawyer is going to say, hey, don't get many hooks. And so that's why an unfortunate trend in privacy policies and some other representations is toward vagueness.
BROOKMANNow, you know, you had -- I said less about the law. You know, fortunately, there's a fair amount of pressure from regulators and the FTC, from European regulators as well, kind of trying to get companies do the right thing to make more up-front disclosures and more clear disclosures about what's going on. We've actually seen pretty good progress, right, that way. But, as you say, it's not really the law. It's just, you know, what pressure can be brought on some companies.
ROBERTSManeesha, would you characterize the U.S. as an outlier on this path?
MITHALYes. We don't have a law that requires notice and choice up front across all sectors. We have a law requiring notice and choice when you collect children's information, when you collect health information or when you collect financial information. But one of the things we call for in our report is broad-based privacy legislation. We think a lot of good companies are already providing notice and choice. We think all companies should be providing notice and choice, and we think legislation can help meet that goal.
ROBERTSLet's hear from Tina in Dover, Del. Tina, welcome to "The Kojo Nnamdi Show."
TINAHi. Thanks for taking my call. I hope you didn't already answer this 'cause it seems like such a simple question. What is the difference between the do-not-track option and the InPrivate browsing sessions that Internet Explorer offers?
ROBERTSDoes anyone have an answer for Tina?
MITHALWell, I think the -- as I understand it, the InPrivate browsing mode only applies to a particular session. So I can go in, and I can be anonymous during that session. I think what a do-not-track button would do is it would express your preference every time I went on the Internet. So that's how the -- how it's different.
BROOKMANYeah, InPrivate browsing is...
BROOKMANMarc, do you want to -- OK. I mean, InPrivate browsing is kind of like -- everyone, don't track me. No one, even first parties, can't track cookies. So, in some ways, it's more privacy-protective, at least with regard to cookies. Now, for better, for worse, there are other ways to track you besides cookies. You know, anytime you make a Web request to a party, you know, you have to give them a lot of kind of information, which, over time, can be kind of unique.
BROOKMANSo you have to give them your browser information, what fonts you have installed in your browser, all sorts of different little bits of information. But there are a lot of companies who take the information and find a way to give you what they call a digital fingerprint. So they can track you even without cookies. It's my understanding private browsing doesn't really do anything about that.
BROOKMANSo do-not-track -- when -- InPrivate browsing prevents the setting of cookies. Do-not-track would kind of send a signal out to the world, to anyone who's watching what you're doing. Your browser will be sending out, in addition to the request of what you're trying to do, a little instruction saying, hey, don't track me. Again, today, it's still pretty much -- I mean, it's not honored in the breach. No one -- not many companies are really acknowledging it today.
BROOKMANMost of the major advertising companies have all agreed they're going to acknowledge it by the end of the year. Now, there's still the question about the outliers, but the good news about the do-not-track header is that even the outliers, they still get the instruction. So, you know, maybe at some point in time, we can make an argument that companies who receive the instruction and don't follow it are violating the law.
ROBERTSWe have an email from Heather, who says, "I really don't want my surf habits to be tracked. So when I heard your guests mention the opportunity to opt out, I went to the site to try and close the door, so to speak. But of all the many opt-out buttons I clicked, very few of them actually worked. I did not get the desired green check to indicate I had officially opted out.
ROBERTS"Obviously, this isn't working too well, so this is somewhat disconcerting. I think a more definitive process needs to be created, one that really means do not track." Marc, can you explain what happened to Heather?
GROMANSo without actually being at her computer...
ROBERTSRight. Of course.
GROMAN...with her, you know, it's difficult for me to say. And I'm hoping that it actually worked better. But to the extent that the consumer is concerned that it didn't work or has questions about it, I would invite them and encourage them to send an email or to contact us so that we can work through that. But, again, 840,000 consumers last year used the opt-out tool.
GROMANNot only do -- does it generally work -- in fact, it does work -- but to go to Justin's point about persistence and clearing cookies, just this past year the Digital Advertising Alliance did add a persistence feature so that even if a consumer in a browser such as Chrome or Internet Explorer clears cookies, they can download a plug-in so that they have a durable opt-out that will last even if cookies are opted out.
ROBERTSBecause clearing your cookies just takes away everything that's already there. It doesn't stop new ones from being dropped in.
GROMANWell, that's correct. And so, previously, the way the opt-out mechanism worked for the NAI and other self-regulatory organizations is that you would set a cookie, an opt-out cookie that told our members not to do online behavioral advertising. And so, of course, if you cleared all your cookies, you would be clearing the opt-out cookie as well. So by using the new tools that are provided by the DAA, that allows that to continue.
GROMANSimilarly, Justin made the point -- he mentioned digital fingerprinting or other technologies beyond cookies that can be used for tracking, and that is right. But it's important to note that, at the NAI, if you opt out of online behavioral advertising, even though we're using an opt-out cookie, that includes all tracking mechanisms. You can't -- a company won't honor your opt-out using cookies and then track you for OBA purposes using another technology such as fingerprinting. That wouldn't be permitted.
BROOKMANThat's right. My only point with it, InPrivate browsing would not necessarily affect it.
BROOKMANAnd I think it's really the case. I mean, I think there are all these kind of confusing tools out there: InPrivate browsing, you know, getting rid of third-party cookies, getting rid of Flash cookies, getting rid of local storage. You know, we at CDT put out a report a couple of years ago, maybe about a year ago, kind of comparing the five major browsers across all their privacy settings. It ended up being like a 17-page chart, saying this browser is good at this.
BROOKMANThis one could work on this. And the kind of conclusion we came away from in the end was they all do a pretty good job on certain things. But if you're really using 17 pages of privacy settings, that's too much. The average users, there's no way they're going to be using that. So there really needs to be simpler, clearer, more consistent controls, and that's where do-not-track comes in.
BROOKMANSo I'm hopeful that that will be a consistent across-browser experience, that clicking the do-not-track button on any browser will have a clear accepted meaning and really work for consumers by the end of the year.
ROBERTSAnd, Maneesha, if you had to lay odds on there being a clear, easy-to-use do-not-track system by the end of the year or whatever, what would you say?
MITHALI think the odds are pretty good. I think a lot of companies have made commitments to get this done by the end of the year. And so we're certainly going to be watching closely and hope that's done.
ROBERTSAnd what do you think has to happen in order to make that happen?
MITHALSo I guess a couple of things have to happen. One is that the advertising companies have announced that they will honor the browser tool, and they said that that's going to take some time to implement. So we think that's a step in the right direction. The companies have also said that they're going to implement principles so that it's not just do not advertise. It's also do not sell for employment, insurance, credit purposes.
MITHALAnd I think once they implement those measures, I think that will help. I think it's also important to note that there's another process going on at the World Wide Web Consortium. This is called the W3C, and this is a forum where the industry members, consumer groups, the tech community, browser vendors all come together to try to create a do-not-track standard and to create a common language to work around.
MITHALAnd that process is ongoing, and we hope that that will be successful as well. So there's a lot of flowers blooming, so to speak, and we'd like to see success in as many areas as possible.
ROBERTSThat's Maneesha Mithal, associate director of the Division of Privacy and Identity Protection at the Federal Trade Commission. We're also joined here in studio by Justin Brookman, director of the Consumer Privacy Project at the Center for Democracy & Technology, and Marc Groman, executive director and general counsel at the Network Advertising Initiative. Thank you all so much for coming in, having this conversation. Coming up next on "The Kojo Nnamdi Show," the role of the fairy tale in the 21st century. Stay with us.
Most Recent Shows
The Rolling Stone writer who described a gang rape and other sexual assaults at the University of Virginia joins Kojo to look at the challenges of treating rape as a violent crime.
Kojo talks with Shane Harris, a national security writer now at The Daily Beast, about the mushrooming "military-Internet complex" and what's happening on the front lines of cyber warfare.
Kojo explores local debates of the story with Maryland Attorney General Doug Gansler and a student-activist who is leading protests in the District.