Online advertisers and marketers are using increasingly sophisticated tools to track us, especially on our cell phones. But most consumers are unaware of the many ways Internet traffic is being analyzed and interpreted. We examine new debates about privacy on the Web, and learn about data collection over smart phone apps.

Guests

  • Scott Thurm Senior Editor, The Wall Street Journal
  • Jules Polonetsky Co-chair and Director, Future of Privacy Forum
  • Chris Olsen Assistant Director, Privacy and Identity Protection Division, Federal Trade Commission

Transcript

  • 12:06:42

    MR. KOJO NNAMDIFrom WAMU 88.5 at American University in Washington, welcome to "The Kojo Nnamdi Show," connecting your neighborhood with the world. It's Tech Tuesday. Can your smartphone outsmart you? The folks at The Wall Street Journal say yes. Americans are buying new devices offering new features and new applications every day, and many don't think twice about dropping a dollar here and two dollars there to add so-called apps, small software products allowing you to access a new music service or a videogame or instantly update sports scores, but the journal warns don't make the mistake of thinking privacy is included in the 99-cent price tag.

  • 12:07:37

    MR. KOJO NNAMDIFor some, it will come as no surprise to learn many apps are integrally linked to advertisers. Following who you are and where you go on the Web is of crucial importance to them. Your phone's unique tracking number spilling all kinds of beans about your online behavior, and no, in most cases, you cannot opt out. So what are the pros and cons here? What's the Federal Trade Commission's role? And will intervention stifle tech innovation? To get to the bottom of this, we invited Jules Polonetsky, co-chair and director of the Future of Privacy Forum. He's previously worked as chief privacy officer at America Online and at the advertising and marketing company DoubleClick. Jules Polonetsky, thank you for joining us.

  • 12:08:24

    MR. JULES POLONETSKYGreat to be with you.

  • 12:08:25

    NNAMDIAlso with us is Chris Olsen. He is the assistant director of the Privacy and Identity Protection Division of the Federal Trade Commission. His office focuses on consumer privacy, data security and identity theft. Chris, thank you for joining us.

  • 12:08:40

    MR. CHRIS OLSENThanks, it's great to be here.

  • 12:08:41

    NNAMDIAnd joining us from studios at Stanford University in California is Scott Thurm, senior editor at The Wall Street Journal. Scott is part of the investigative team behind "What They Know," an ongoing journal series about advertising and marketing companies' mining of personal data from Web users. Scott, thank you for joining us.

  • 12:09:04

    MR. SCOTT THURMThank you.

  • 12:09:05

    NNAMDII'm gonna start with you, Scott. The Wall Street Journal recently tested 101 of the more popular apps on the Apple and Android market and found that over half were transmitting unique identifying information to advertisers and middlemen. How were they doing that?

  • 12:09:26

    THURMThey send -- when -- after the -- you download an app onto your phone, it can -- when you hit certain buttons on the app, it will send information out to these third parties, and so the ones we looked most commonly at were the phones' ID number that you mentioned. They send information about location a lot. I mean, a lot of these phones come enabled with GPS chips, and even when they're not using the GPS system, they can figure out where you are based on networks of wi-fi networks or even by the connection you make into the Internet. And they will also send information about if you fill out profiles for an app and tell them your age or gender or whatever, they'll send information about that to not just to the app that you filled out the profile for but to third parties like advertisers.

  • 12:10:26

    NNAMDIJules, before we go too far for those in the audience who may use a cell phone but who do not download apps, tell us what an app or an application is.

  • 12:10:35

    POLONETSKYIt's a small little program that you can just plug in to your current phone. If you got contacts, if you use Facebook -- a lot of people use Facebook, and they know they add different little features so they can poke their friends or play games. And so what's interesting about apps is that they're not hard to make, and today, frankly, the most popular app in the world, the most popular app that's been downloaded on mobile devices was written by a 14-year-old kid, and it's called Bubble Ball. And so that's what's interesting. You can literally be a 14-year-old, and all of a sudden 10, 20, 30 million people are downloading your program because it shows up in the iPhone app store or the Android Google app store.

  • 12:11:24

    NNAMDINot being a 14-year-old, exactly what does this app do?

  • 12:11:28

    POLONETSKYIt's just a cute little game. The number two game that was the most popular one for a while was one called Angry Birds, where birds and pigs fight, and these things can be addictive. And some of them are, frankly -- some of these apps are actually very useful. You can, you know, download a mapping device. You don't need to go buy a GPS, and, you know, Google Maps is an app that will help you find your way around, and you can use an app that will show you the weather. And so for a lot of people, that's what's exciting about these smarter phones. You really can do useful things because it has access to your data.

  • 12:12:03

    NNAMDIChris Olsen, I don't know if you can help walk us through this a bit. For instance, when I download an app like Pandora -- and with my latest smartphone, the Pandora app came with the phone -- when I use that app, the streaming music service Pandora, it provides me with the promised service, the music that I like, that I want, but what else does it do?

  • 12:12:22

    OLSENWell, what you may not know is the extent to which these apps -- and I don't wanna get into the specifics of individual apps, only because we are an enforcement agency, and we have to be careful...

  • 12:12:34

    NNAMDISure.

  • 12:12:34

    OLSEN...about potentially identifying targets. But a lot of these apps will collect location information, and you may receive a notice saying we need your location information or your current location information. But what you may not know is that any time you use the app, the location information may be collected by the application. And that location information may also be shared with numerous different advertisers or advertising companies whom you don't have a relationship with. You don't know who they are, and you may not have any idea what they're doing with the information. So, you know, the disclosures that exist here we think -- at the FTC, we think there can be improvements made in how companies provide users with information about their service.

  • 12:13:29

    NNAMDIOur number here is 800-433-8850. Have you purchased any apps recently for your smartphone? What do you know about how your data is being used, and would you alter your behavior if you knew you were being tracked? Call us, 800-433-8850, or go to our website, kojoshow.org. Join the conversation there. Send us a tweet @kojoshow, or e-mail to kojo@wamu.org.

  • 12:13:55

    NNAMDIScott, the -- most of us have heard of cookies before. Websites use them to remember us when we return to a website we've visited before. But I understand this unique ID, this unique identifier code that we mentioned earlier, has been called a super cookie. Why, Scott?

  • 12:14:15

    THURMWell, because on websites, the ecosystem has grown up so that you have a little bit of control over cookies. So we -- you know, this story we did about the phone apps was, as you mentioned, one in a series we did throughout last year about Internet privacy, many of which focused on cookies. And we, you know, we found that there's a huge economy based on trading the data generated by cookies, but on websites with cookies, you have a few defenses. You can delete your cookies periodically. You can block -- your computer can block which sites you want to accept cookies from and which ones you don't and things like that. And on phones, you have almost none of those options.

  • 12:15:03

    THURMThis ID number were talking about here is hardwired into the phone. It's, you know, it's effectively like a serial number put in when the phone is made, and so you can't block it. You can't delete it. You can't say, well, I'll let this app have the ID number, but I won't have -- let that app have the ID number. And so some -- it was actually of the marketing people that I talked to who was waxing, you know, rather eloquently about all the great tracking that they could do who said, oh, yeah, we call it a super cookie.

  • 12:15:33

    NNAMDIWell, let's cut to the chase for one second about The Wall Street study. You examined 101 smartphone apps overall. What did you expect to find, and what did you actually find?

  • 12:15:44

    THURMWell, quite frankly, we didn't know what to expect to find because no one had ever done this before. I mean, again, people have looked at cookies, and, you know, I think the work we did on cookies was in itself was groundbreaking for its breadth and scope, but when it came to apps, it -- we really were in charted territory. I mean, we had to spend months figuring out how we were gonna do this, how we were gonna capture the transmissions and then decode the transmissions and what kinds of things we'd be looking for. And what we found was, you know, you gave the highlights at the very beginning, but, you know, three-quarters of the apps or 76 of the 101 sent some identifying information either about the phone, its location or its user to some outsider, not just to the app, but to an advertiser or one of these middlemen. And so that's what we found and that -- we put it out there, and now, you know, it will be up to users and the app makers and the FTC to see how the, you know, how that ought to play out.

  • 12:16:48

    NNAMDII mentioned Pandora early and, of course, Chris couldn't speak to that specifically, but you can. When I use Pandora to stream music, what's being collected and by whom?

  • 12:17:01

    THURMWell, give me a second to get all the specific details, but the short answer is they were among the more -- that app and on both the iPhone version of the app and the Android version of the app was among the more promiscuous sender of data to others, so it sent -- well, it may take me a second here to get the specifics on Pandora, but it sent some version of the location, the phone ID, and then -- another thing, it was one of the apps that were -- first of all, it -- when you register for Pandora, it asks you to fill in this profile information. And I can't remember off the top of my head if it's actually mandatory or not if you try to skip that step if you can do it. But in any case, there's -- they're strongly urging you to fill it in, and then once you fill in, we found that they were sending things like your age, your gender, your general location around to advertisers and other third parties.

  • 12:18:00

    NNAMDIJules Polonetsky, do you find this surprising?

  • 12:18:03

    POLONETSKYWell, Kojo, I don't, and, look, the system is a bit of a mess, and some of these apps, you know, need to get their acts in order. But before we have people tossing their smartphones, you know, in a bin, we should recognize that most of these folks are using this information, worst-case scenario, to try to make sure that that little ad that appears on that little app that you probably didn't even pay attention to that they've decided that because of your age or because you're male, you're gonna get one ad versus another. You're gonna be the sports guy versus the person who might be looking for a sports car. There certainly may be some outliers, and, you know, let's hope that the FTC catches those.

  • 12:18:48

    POLONETSKYA lot of these apps are accidentally spraying data without even realizing just because they're kludged together to be the first app that users download so they can, you know, be the first fun one. But the worst-case scenario in most of these cases is that you're gonna get an ad that might actually be more relevant to you than others. Now, people ought to know about this, right? People shouldn't think this is free. It is in exchange for your data, and you ought to have control over it. We ought to know what these folks are up to so that we can make sure they're not doing anything like selling it to an insurance company or your credit company or having it used in some way that really would be discomforting. But most of these folks, frankly, as messy as the system is, are trying to give you some cute little service and pay for it with an ad targeted who they think you are.

  • 12:19:35

    NNAMDILet us know what you think. Should online advertising and marketing be more transparent? How would you do that? 800-433-8850. Chris Olsen, speaking of control, the FTC recently began laying the groundwork for giving consumers some sort of opt-out option when it comes to this type of advertising and tracking. I've seen this proposed do-not-track idea compared to the do-not-call list. Can you tell us about that?

  • 12:20:01

    OLSENYeah. The do-not-track concept is about giving consumers an easier, simpler way to prevent collection of personal information online. It's similar to do-not-call, but really only in name only. Do-not-call is a list of phone numbers that consumers can register their number and prevent getting unwanted telephone calls. Do-not-track -- we're not contemplating having a registry that would present its own privacy concerns. What we're contemplating is actually building a more effective mechanism that consumers can use to prevent unwanted tracking. This is something that industry has worked on. Industry is currently attempting to give users more transparency and more control. We've been concerned about the pace of that effort. We think that do not track will allow for a more effective approach.

  • 12:21:03

    NNAMDIHere is Luke in Fairfax, Va. Luke, you're on the air. Go ahead, please.

  • 12:21:08

    LUKEHi. Thank you. I was just wondering, what is the danger if my location is known, and I can be tracked on my smartphone?

  • 12:21:20

    NNAMDIIs there a likely danger, Jules Polonetsky?

  • 12:21:24

    POLONETSKYWell, again, what most of these -- what most of the phones today do is they require that you specifically say okay before you give anyone your location. If you're using an iPhone, you've got to specifically say, yes, this app can have my location. Now, if it's a mapping type of thing, then sure. The other day, I discovered that my -- I have a little app that helps me know when my battery is running low. It's just a little better than the one that comes built-in. And the iPhone gives you a list of who has recently accessed your location. It's very nice. And I figured, let me check it out. And sure enough, this battery charging app had been taking my location. Now, what's the harm? I guess there was an ad, and the ad that was -- because this was a free app, and the ad was a local ad for a local auto dealer.

  • 12:22:12

    POLONETSKYSo in most cases, there is no harm. However, if you don't know you're sharing location and you're sending it to some app which is nefarious -- you know, Apple does a kind of a rigorous job at making sure only apps it approves are in the app store, many of the app stores do, some of them are more open. Anything goes, and any app can get in there. And so you could download some rogue app, that seems to be a lot of fun, and it is intentionally collecting your data, and who knows what they're doing with that and your location. I mean, that's everything you've done. That's everywhere you are. And so there certainly are potentially bad uses. Most of the companies are just looking to target an ad based on, hey, this is someone who's living in this particular region.

  • 12:22:53

    NNAMDIWhat would you say to Luke, Chris, about the potential danger there?

  • 12:22:57

    OLSENWell, I would echo what Jules said. There's no doubt that a number of ad companies and app developers that are out there are trying to improve consumers lives, but there is a risk, especially when you have novice practices developed. You have, you know, people, 14-year-olds in their basement, developing apps that are wildly successful. There is a risk that you'll have the rogue app developer collect a whole host of location information, information that shows your location over time. If that gets in to the wrong hands -- and Scott, I think there was a story in The Wall Street Journal about this. If it gets in to the wrong hands, there's a risk of stalking, for example. You know, a former spouse may get a hold of that information and be able to track you down.

  • 12:23:49

    NNAMDIIndeed, Scott, we'll talk about that potential some more, but we've got to take a short break. We're still taking your calls at 800-433-8850 for this Tech Tuesday conversation about the mobile Web and online privacy. You can also send us a tweet @kojoshow or simply join the conversation at our website, kojoshow.org. I'm Kojo Nnamdi.

  • 12:25:59

    NNAMDIIt's Tech Tuesday. We're having a conversation on online privacy and the mobile Web with Chris Olsen, assistant director of the Privacy and Identity Protection Division of the Federal Trade Commission. Jules Polonetsky is co-chair and director of the Future of Privacy Forum. And Scott Thurm is a senior editor at The Wall Street Journal, which has been doing an ongoing series about advertising and marketing companies' mining of personal data from Web users.

  • 12:26:26

    NNAMDIScott Thurm, previous articles in this series examine what cookies and tracking devices are being used on the most popular websites for adults and for kids. But it was apparently much more complicated trying to figure out how the apps work, what sort of software they use and how they are transmitting the information. Apparently, you guys designed a system to intercept and record the data being transmitted by smartphones and then decoded the data stream. You didn't find any apps that were stealing, say, pictures from phones' picture albums. But technically, when we talk about potential dangers, all of those functions and data could be fair game. Isn't that so?

  • 12:27:04

    THURMThat's true. So there could be pictures, your address book is on your phone. I mean, it's one of the things that makes the phones -- the phone eco system potentially more -- even more troubling than the Web system is, number one, the things we talked about earlier, which is there are fewer defenses. But the other is that the phone is just a much more personal device than your computer. I mean, in the course of a day, I may use several computers and some of those are computers that other people use. But my phone is on my hip 18 hours a day and the other six hours, it's, you know, two or three feet away while I'm sleeping, and so it really is, you know, with the location. If you could aggregate the location overtime, you'd really have a map of a person's life.

  • 12:27:54

    THURMI wanted to go back to one other point that's couple other people made about the ads. I mean, the -- it's true that, for the moment, we think that most of this information that's been gathered is to try to serve up more relevant ads. In fact that it's not even clear how much of that is going on because the advertising on cell phones is pretty nascent.

  • 12:28:17

    NNAMDIIs restricted. Yeah.

  • 12:28:18

    THURMWell, it's just not restricted. But it's just -- it's not as well developed as it is on the Web.

  • 12:28:21

    NNAMDIOkay?

  • 12:28:22

    THURMBut one of the major lessons, I think, of the series is, when it comes to the website is that, once these data are gathered and once they're collected, we don't really -- the new uses tend to be developed for them. So in the course of the series, we found, for example, a credit card company that, based purely on cookie data, before you told them who you were, would be able to determine, you know, or try to guess what kind of offer they should give you. So if they thought you were a high spender and I wasn't, you would get the offer for the million dollar card and I would get the one for either the, you know, very high interest rate or the big annual fee that they were hoping either I wouldn't take or that, you know, they would make a lot -- make more money off me.

  • 12:29:06

    THURMWe found companies that trade this data on open markets, you know, the way that cattle futures are traded. So a thousand people who are interested in flying to Washington, D.C. in the next two weeks and for a 10th of a penny, you can get the cookies, you know, of those specific people so that you can advertise on their computer. And we found life insurers that are -- were considering at least or are considering at least, replacing some of the tests they do now, blood test and urine test with data that they can glean from cookies. And so the issue here -- it was to sort of send up a little warning flag and say, you know, here's what we found. Here's what's going on in this system right now. But, you know, based on what's happening on the Web, you know, other, there are other uses of this data could develop down the road.

  • 12:29:59

    NNAMDIOn to the telephones, again, here is Carlton in Silver Spring, Md. Carlton, you're on the air. Go ahead, please.

  • 12:30:04

    CARLTONThank you. I think a lot of these issues to some extent stem from the fact that the government over time has ruled that your own information doesn't belong to you. It belongs to the people that do acquire it and put it into that database, hence the effort a couple years to go to copyright databases. And I think if your ownership was actually yours -- a lot of these problems would very likely self correct themselves. Thank you. I'll take my answer off...

  • 12:30:33

    NNAMDIWhat do you say to that, Chris Olsen?

  • 12:30:36

    OLSENYou know, that's a -- that's an interesting point and it's one that I think has been a part of the public debate for a long time as the caller noted. There are some statutory prohibitions that actually make this issue a bit complicated. The Telecommunications Act talks about customer proprietary network information. And, you know, if you ask the telephone carriers who owns information that they hold about the customer, I think they would tell you that they certainly have a strong ownership right in it. So our focus really has not been who owns the data but has been on ensuring that customers have the knowledge that they need about how their information is being used. And have the ability to prevent unwanted uses.

  • 12:31:33

    NNAMDIAnd so people don't get unnecessarily paranoid, Jules Polonetsky, one reason why companies want to build a profile of their customers and potential customers is actually to provide better targeted content. Don't they?

  • 12:31:48

    POLONETSKYThat's true. But, you know, we should recognize that this debate is like the previous caller said, much bigger than this in Europe than in a lot of other places in the world. Privacy of your data is viewed as a human right. These are countries that went through the holocaust where databases were used to track people down and find out who is Jewish, who is gay, who is disabled. And so there's deep-rooted opinions around the world that people have a right to have a say over how their data is used. In the U.S., we have a different system. We have a consumer protection system where if companies don't hurt you, whether it's with data or with their product, well, it's a free market and companies do what they want and the business models that have been developed are collect the data to target ads, to try to subsidize content, to try to subsidize free products and services.

  • 12:32:39

    POLONETSKYBut that's starting to change because people are pushing back. The Federal Trade Commission is looking at a new regime, congressional bills both on the Democratic and the Republican side. This is not one of these issues where the Democrats wanna regulate and the Republicans wanna, you know, support only business. Just about everybody recognizes that the current system isn't working well. And the folks who might actually gain the most from putting the system in order and putting some good rules around how data is used, may actually be businesses because if folks are more trusting, sure, I'll let you have my data because I understand that it's gonna be used in the way I intend, it actually could be the best thing for not only users but for businesses. You know, I like to think about Amazon. They've got what I've purchased, my books. And that's very sensitive stuff. The librarians in Washington are the biggest, you know, privacy advocates of all. They don't want anyone knowing what you've browsed. But we're all comfortable letting Amazon, and we don't have to read their privacy policy.

  • 12:33:35

    POLONETSKYIt says, here's what you might like based on what we know about everything you've read and everything you've browsed, and we're tracking it. And you're like, oh, you're doing this for me, so I kind of like it. When you're doing it secretly in the background and you're doing it to me, well, then I'm kind of worried, because maybe it's for you and I'm gonna lose out. But you served me and you helped me, well, I might be actually very happy to have you make some money serving me and selling me what I want.

  • 12:34:00

    NNAMDIWhat do you think? Call us at 800-433-8850. Have you purchased any apps recently for your smartphone? What do you know about how your data is being used? And would you alter your behavior if you knew you were being tracked? Or, on other hand, do you feel you're being tracked for pretty aboveboard and valid reasons? 800-433-8850. Scott, Apple, for instance, purports to have relatively rigid rules about data sharing. It claims that app developers must notify users if their software tracks location data. But that isn't exactly what you found, was it?

  • 12:34:34

    THURMWell, we found one case, where some -- one app at -- when -- in partnership with advertising network, appeared to find a workaround of that location disclosure requirement. And we don't know how widespread that is. And remember, we tested 50 iPhone apps out of the 300,000 that are out there, and we restricted our selections to the ones on their most popular page. So there may be, you know, sort of less popular apps out there that are doing -- that have data management practices that are even more troubling than the ones that we found. And so, number one, we found cases where -- or the one case, where an app was sending location in the form of a latitude and longitude coordinates without having told the user it was gonna even access that information.

  • 12:35:26

    THURMNumber two, while the -- Apple makes the app disclose to you that the app is gonna use it. If you go back to Jules example a minute ago about the battery one, that the battery folks had to tell Jules that they were gonna access location. But they've never told Jules or never asked Jules if they can send it to the advertiser or the advertising network. And that's kind of an interesting issue. I mean, that -- if you -- one reading of Apple's policies suggests that they want the apps to tell you that before they do it, but, number one, we found no evidence of it. And when we asked Apple how to interpret their policy or how they interpret their policy, they wouldn't answer that question...

  • 12:36:04

    NNAMDIMaybe this...

  • 12:36:05

    THURM...so the short answer is we don't know.

  • 12:36:06

    NNAMDIMaybe this horse has already left the barn, Chris Olsen. But I get the feeling that, shouldn't I get something from my information being sold, that my information be mine to sell or at least reap some benefit from it being sold?

  • 12:36:20

    OLSENYou should at least be aware of the tradeoff you're making when you download an application. If the tradeoff is, I'm going to provide a bit of my personal information in order to get a free application or in order to get some more relevant advertising, then it's important that you understand that tradeoff before you actually download the application.

  • 12:36:45

    NNAMDIAnd at least put yourself in a position to make a demand. Jules, the iPhone actually has an icon that indicates when your location data is being shared. What does that icon look like pray tell.

  • 12:36:56

    POLONETSKYWell, it's actually a little arrow. And whenever your location is going to some app, it lights up and it lets you know location is going on. There are some Verizon phones that have this as well. And, you know, when we talked about, how do I tell a user who's in a rush? He wants to check his e-mail, look up the weather. You know, he's downloading an app. He doesn't wanna be...

  • 12:37:17

    NNAMDIFind a restaurant.

  • 12:37:19

    POLONETSKY...he doesn't wanna read a -- well, even if it's a nanocomputer, you may not wanna read a 16-page privacy policy. You certainly don't wanna sit and scroll through it in little type. And so, using symbols or icons, whether it's an arrow -- online, a lot of users are gonna start seeing little -- a little eye in a triangle that tells users that the ads they see on their computer are targeted based on what the website or what the ad network knows about them. And so, we got to come up with sort of a recycling symbol, right? We look at it, we know what it means. We see the bathroom symbol, we know what it means. We need to come up with the symbol that says, your data is being used here, you know?

  • 12:37:58

    NNAMDIBecause when it says -- when we say location, we, most times in this broadcast, have been talking about geographical location. But location can also mean all the places you've gone on the Web, the history of your searching, can it not?

  • 12:38:11

    OLSENYeah. That's a very important point. A lot of the location information that is being collected through mobile apps, for example, is location over time. You may get a disclosure that your current location is being collected or is needed. But is that clear enough to tell you that your location, over a period of time, will be collected. And it's similar, in many ways as you noted, to online tracking, where you go on the Web is available to ad networks and others who track that information.

  • 12:38:46

    NNAMDIHere is Phyllis in Falls Church, Va. Phyllis, you're on the air. Go ahead, please.

  • 12:38:51

    PHYLLISHello. I have an Android and I have a couple of questions for you. First, are flash cookies stored on the phone? And if so, how do I get rid of them? And second, is there a way for me to identify which apps are safe in terms of privacy? Is there, for example, a website that publishes such information?

  • 12:39:11

    POLONETSKYWell, there's a really interesting site that's come out of Stanford University Law School. It's called WhatApp? Kind of like what's up. It's whatapp.org. And this is a site where users specifically come and can rate apps for privacy and security and a lot of the popular ones are actually rated there. One of the best things to do as well is to look at the reviews. I mean, if you're at your computer and you download some program that, you know, you've never heard of, you know, you're risking a virus. You're risking dealing with some strange company that, you know, may not perform. You know, you need to look at some of the popular sites. And so there are lots of sites that rate the apps, and those are usually the best signal.

  • 12:39:56

    NNAMDIThank you very much for your call, Phyllis. You also wanted to know anything else?

  • 12:40:03

    PHYLLISIn terms of the storage of flash cookies?

  • 12:40:06

    POLONETSKYSo there are lots of ways that -- let's talk about websites and we'll figure out how it now works on mobile, right? There are lots of ways that websites try to remember you, all right? One way is the well-known -- although, again, I don't know that most users really understand cookies, but, you know, we've all heard about cookies. And there are controls that are built into the browser that let you delete and manage those cookies. What a lot of users weren't aware of was that flash, the program that is very popular for displaying, you know, multimedia content and video, also has a little place where a number, a piece of data can be left.

  • 12:40:43

    POLONETSKYAnd there were companies that didn't like the fact that their cookies were getting deleted and so they were backing up what they needed and re-spawning their cookie using data that they had stored in their flash cookie. But that's only another example. There are three, four, five other ways that sites can do something to try to remember you. In the mobile environment, it's a little bit different. There is less ability for these apps to put a lot of data on the phone. But on the other hand, the ID that they have sometimes is your device ID, not something you can easily delete. And so it acts as a super cookie, you know, you might say that creates a much bigger record.

  • 12:41:29

    POLONETSKYSome companies are starting to build controls, some of the leading mobile networks use regular cookies, use regular mobile cookies and will give you a way to opt out and say, look, give me an ad, but don't track me. But this is really still early in the evolution.

  • 12:41:45

    NNAMDIWe have provided a link, by the way, Phyllis, and anybody else to whatapp.org at our website kojoshow.org. Right now, we've got to take a short break. But we'll return shortly to this Tech Tuesday conversation about online privacy and the mobile Web. If you're calling and the number is busy, go to our website kojoshow.org. Send us a tweet @kojoshow or shoot us an e-mail to kojo@wamu.org. I'm Kojo Nnamdi.

  • 12:43:59

    NNAMDIIt's Tech Tuesday. We're talking about online privacy and the mobile web with Jules Polonetsky, co-chair and director of the Future of Privacy Forum. Chris Olsen is the assistant director of the Privacy and Identity Protection Division of the Federal Trade Commission. And Scott Thurm, who joins us from studios at Stanford University in California, is a senior editor of The Wall Street Journal. He is part of an investigative team behind an ongoing journal series about advertising and marketing companies, mining of personal data from Web users.

  • 12:44:29

    NNAMDIChris, many advertising companies say their entire business model could be threatened if the government tries to establish a framework for allowing consumers to opt out. How challenging is it to put consumer protections into an app after it has already been created?

  • 12:44:46

    OLSENWell, I think it's important to note that ad networks and trade associations are working right now to give consumers better disclosures and more choice. And I think Jules made the point earlier that consumer trust is critical here. And the more consumers trust the online environment, the more successful businesses as a whole will be. What we're trying to do is move this disclosure and choice mechanism further so that consumers have an easy way to exercise a choice and the trust in the environment will increase. I think that's everyone's objective.

  • 12:45:30

    NNAMDIOn to Rodney in Manassas, Va. Rodney, your turn.

  • 12:45:35

    RODNEYOkay. Thanks. I got two questions for you. One, is there an app that will prevent these apps from sending out your data? And two, which is more likely to send your data out, the free apps or the paid ones?

  • 12:45:48

    NNAMDIWhat did you find in your studies, Scott Thurm?

  • 12:45:52

    THURMWe found that free apps were, on average, the free apps were more likely to send the data, which makes sense in a way. You know, effectively, that's how you pay for free apps, that they're selling your data and that's how they make money off it. That's sort of the business model. That wasn't an ironclad rule. We tested, you know, first of all, we didn't -- we tested very few and so it, you know, we didn't even make much of this conclusion in the story because we tested, you know, 40 free apps and 10 paid apps on each platform. And that's just really too small a number to make any sort of reliable conclusion. But we -- on average, we found that the free ones send more, and that makes sense. As to the...

  • 12:46:36

    NNAMDIIs there an app to stop apps from...

  • 12:46:37

    THURMYeah. Not that I'm aware of. As -- I think what Jules mentioned a minute ago, there are -- some of the advertising networks are beginning to experiment with various ways of offering these sort of -- in the Web world what we call opt-outs, where you -- say you don't want them to collect the data or you don't want them to serve you advertising targeted at you, but it's really, really early stages of that in the wireless world. But, you know, there are -- I think it was Jules actually who made this point to me over the summer that, you know, one of the failures here is that there's never been any kind of market in privacy.

  • 12:47:17

    THURMYou know, there have been before, companies that have tried to market themselves, saying, you know, particularly in the Web context, to offer -- either better privacy on a given service that you can get from other people or a specific privacy service, and most of them have failed. But we may -- emphasize may -- beginning to see that change. I mean, I think the most dramatic evidence of that is an announcement that Microsoft made in December, which is that they're gonna ship the next version of their Internet Explorer browser with more of the privacy features turned on automatically.

  • 12:47:55

    THURMWe had written a story early in our series about the fact that at one point they were considering doing that in the current version of the browser and then they decided not to do it partly because Microsoft, they just gone into the Internet advertising business itself. And -- but, you know, they've now gone 180 on that and they said they're gonna build in more of these protections. And at some level, you can't help but then think that that's an -- Microsoft making the conclusion that the browser will sell better that way, that they'll -- I would expect that when they launch it, they'll at least some of the marketing around it will be, you know, that this is the safest browser or something like that. And that may be an indication that the people who have the money, who, you know, actually, you know, make a lot of decisions here, are beginning to think that consumers will respond to pitches around privacy.

  • 12:48:44

    NNAMDIThank you for your call, Rodney. On to Kyle who's calling from Vienna, Va. Kyle, your turn.

  • 12:48:52

    KYLEMy question is right in regards to the implications on health care and more specifically in reference to portable medical devices that people with chronic diseases such as diabetes would use, and how that information would be exchanged between health care professionals and then how the privacy aspect of that would play a role? So if you could either speak to it more broadly as far as the implications for health care, or, even more specifically, to portable medical devices, I'd appreciate it.

  • 12:49:23

    NNAMDIJules Polonetsky, portable medical devices.

  • 12:49:25

    POLONETSKYYeah. So, today, most of that information is already protected by law, or if a consumer is uploading it themselves, it may not be protected because it may not be hospital information or doctor information. But there is an ad model around that, the kind of health maybe you do need to worry about. And so I think, you know, you need to worry about the security of your device. But we don't have anyone selling your personal, you know, medical record information out there in turn for ads.

  • 12:49:55

    POLONETSKYWhat is traded and sold, however, is what you may search for. And so you may do a search for cancer. You may do a search for Viagra or something that you're particularly sensitive about. Or you may visit a website on your PC or on your mobile device about a particular disease that you're researching, that you might be embarrassed about, that you don't want the world to know, and you may not even wanna be marketed, too, on it. That's the information that is being used.

  • 12:50:20

    POLONETSKYSome companies are responsible, and while they won't do sexual information or they won't do cancer, but they will do asthma. Other companies, anything goes. And so there is a big marketplace out there. If you wanna target ads to people with -- you know, you name the embarrassing or, you know, compromising disease or illness -- there's a marketplace for that. But if it's your confidential medical record, we haven't seen anyone building a big ad business around that.

  • 12:50:45

    NNAMDIChris Olsen, any concerns about portable medical devices?

  • 12:50:49

    OLSENYou know, I think that Jules makes a good point. We made the point previously in a privacy report that we released just in December that health information is sensitive information that really needs to be protected. So to the extent that there's an app out there that is collecting health information, there needs to be a heightened level of consent, affirmative opt-in consent for that sort of information. There's definitely a lot of positive uses of health information, and we have to make sure we balance those uses against unwanted sharing of sensitive information.

  • 12:51:34

    NNAMDIWe're inviting you to join the conversation. Should online advertising and marketing be more transparent? How would you do that? Call us at 800-433-8850. We got two e-mails that I'd like to share with you. One from Ruth in Bethesda says, "I think that you have to be very naive if you think that your phone is private. We're tracked in all kinds of ways -- the grocery store, the pharmacy, especially with the advent of loyalty cards dispensed under the guise of the promise of discounts and coupons."

  • 12:52:03

    NNAMDIAnd this we got from Aaron. "It seems that our concept of reasonable expectation of privacy has not kept up with technology, moving from the notion that it is reasonable to expect companies will respect your privacy, to today's ideas that an expectation of privacy is unreasonable, if you can reasonably expect that the information can be shared. Even simple rules of opt-in instead of the opt-out model Facebook uses would help. But none of these seem to gain traction as legislation." Why is it that opt-in can't be required, Jules?

  • 12:52:38

    POLONETSKYWell, I think the advertising world is not the direct marketing world. Direct marketing is where I'd maybe sign up for something and I say, here's what I want and here's what I wanna market. Advertisers wanna delight people who don't know about a new product. And so they wanna reach you before you've said, I'm interested in this specific item.

  • 12:52:58

    POLONETSKYBut, you know, Facebook was mentioned, so let's give a good example. You know, Facebook used to be a website you went to and you saw your profile, and then you went and visited your friends' pages in. That was kind of interesting, but it wasn't all that exciting. And then they made a big change and people didn't like it. And they said, you know, when you go to Facebook, you're gonna see everything that happens at your friend's pages. We're gonna turn on this newsfeed. I would have said, no, make that opt-in. I'd -- as a chief privacy officer, I probably would have, you know, fought and said, no, no, don't do this. Lots of users said, we didn't like it.

  • 12:53:28

    POLONETSKYWell, Mark Zuckerberg, in the end, did it. People reacted, and then they said, you know, this is interesting. I like going to my Facebook page because I can see what is going on. And today, people go back and over and over and over. And so sometimes there needs to be a bit of room for innovation, for delighting people, but in ways that they like and, hopefully, not in ways that they feel uncomfortable about or feel sort of tracked or that they can't stop if they want to.

  • 12:53:54

    NNAMDIScott Thurm, here's this e-mail we got from Mike in Baltimore. "I recently posted some links and comments on my blog about gun control after Tucson. I'm not a gun owner, and I am for stronger gun control laws. Immediately, the Google ads on my blog started showing me ads for gun and target shooting schools, something I would very much never buy and really have no desire to see. It dawned on me that one could bleed some money and resources from a competitor -- political, commercial, et cetera -- by making websites or apps with smart ads that cost the opposition money by fooling ads to go to the wrong consumer or person. This reason alone makes me not want to invest in any company selling these smart ads or apps that also, supposedly, track and know who and what we are. They are just wrong or could be misguided." Talk a little bit, Scott Thurm, about, in a way, the unique role of Google -- and this is one of the big players -- the dual role of Google.

  • 12:54:47

    THURMWell, Google -- yeah, well, on the phone, they have dual role. They both operate -- they created the Android operating system, which is the, you know, the -- so iPhone's app is a sort of an Apple product, top to bottom. The device is an Apple device. The operating system that runs the phone is an Apple operating system. And Apple -- as we've talked about here, Apple manages the ecosystem of the apps and approves each app before it can be sold.

  • 12:55:14

    THURMGoogle, it's a very different setup. And so Google created the operating system for the phone. That's the equivalent of Microsoft Windows on your personal computer. And then it's allowed different companies to make different phones. So Samsung and Motorola are probably two of the more popular models of phones. So, on the one hand, it's made the operating system sort of making the rules for what the apps have to do. On the other hand, Google is one of the bigger online advertising network in the -- they bought one of the bigger phone ad networks, either at the very end of '09 or the beginning of 2010. And so they're -- they sort of have a foot in both camps. You know, they are both operating the ecosystem and they have -- you know, they're running one of the biggest advertising networks in the mobile world.

  • 12:56:06

    NNAMDIHere is Martin in Baltimore, Md. Martin, you're on the air. Go ahead, please.

  • 12:56:12

    MARTINHi. My question is, aside from sharing this information or selling it, isn't this information susceptible to Justice Department subpoenas like in the case we had with the WikiLeaks and Facebook was forced to turn over the information? And I guess what you think that says about basic civil liberties, given, you know, you need a warrant to tap a phone, but you just -- you could get someone's tracking information without a warrant.

  • 12:56:41

    NNAMDIJules Polonetsky, know anything about that?

  • 12:56:42

    POLONETSKYYeah. So most of the information that law enforcement wants is available long before you worry about a targeted ad. Law enforcement wants to know who is behind this e-mail address. Law enforcement wants to know were you visiting this website. And so they subpoena your ISP all the time. Thousands and thousands of subpoenas come into Internet Service Providers saying, you know, tell us everything about this person and where they went on the Web.

  • 12:57:08

    POLONETSKYAd networks -- I was the chief privacy officer both at AOL and at DoubleClick. AOL owns a number of ad networks, and DoubleClick is one of the largest. We never got subpoenas saying, what ad did this user see? Search providers get ads because they wanna know, hey, was this person researching, you know, how to come up with some poison to kill their spouse? Were they looking up directions to this location? But most of the data we're talking about here is useful for marketing. But the fact that I'm a sports and finance person versed on the websites I visit, not that interesting.

  • 12:57:44

    NNAMDII'm afraid that's all the time we have. Jules Polonetsky is co-chair and director of the Future of Privacy Forum. He's worked previously as chief privacy officer at America Online and at the advertising and marketing company DoubleClick. Jules, thank you for joining us.

  • 12:57:57

    POLONETSKYThank you.

  • 12:57:58

    NNAMDIChris Olsen is the assistant director of the Privacy and Identity Protection Division of the Federal Trade Commission. His office focuses on consumer privacy, data security and identity theft. Thank you for joining us.

  • 12:58:08

    OLSENThanks for having me.

  • 12:58:09

    NNAMDIAnd Scott Thurm is a senior editor at The Wall Street Journal, part of an investigative team behind "What They Know," an ongoing journal series about advertising and marketing companies' mining of personal data from Web users. Scott, thank you for joining us.

  • 12:58:23

    THURMMy pleasure. Thank you.

  • 12:58:24

    NNAMDIAnd thank you all for listening. I'm Kojo Nnamdi.

Related Links

Topics + Tags

Most Recent Shows