Ten Fallacies About Web Privacy

Privacy on the Web is a constant issue for public discussion—and Congress is always considering more regulations on the use of information about people's habits, interests or preferences on the Internet. Unfortunately, these discussions lead to many misconceptions. Here are 10 of the most important:

1) Privacy is free. Many privacy advocates believe it is a free lunch—that is, consumers can obtain more privacy without giving up anything. Not so. There is a strong trade-off between privacy and information: The more privacy consumers have, the less information is available for use in the economy. Since information helps markets work better, the cost of privacy is less efficient markets.

2) If there are costs of privacy, they are borne by companies. Many who do admit that privacy regulations restricting the use of information about consumers have costs believe they are born entirely by firms. Yet consumers get tremendous benefits from the use of information.

Think of all the free stuff on the Web: newspapers, search engines, stock prices, sports scores, maps and much more. Google alone lists more than 50 free services—all ultimately funded by targeted advertising based on the use of information. If revenues from advertising are reduced or if costs increase, then fewer such services will be provided.

3) If consumers have less control over information, then firms must gain and consumers must lose. When firms have better information, they can target advertising better to consumers—who thereby get better and more useful information more quickly. Likewise, when information is used for other purposes—for example, in credit rating—then the cost of credit for all consumers will decrease.

4) Information use is "all or nothing." Many say that firms such as Google will continue to provide services even if their use of information is curtailed. This is sometimes true, but the services will be lower-quality and less valuable to consumers as information use is more restricted.

For example, search engines can better target searches if they know what searchers are looking for. (Google's "Did you mean . . ." to correct typos is a familiar example.) Keeping a past history of searches provides exactly this information. Shorter retained search histories mean less effective targeting.

5) If consumers have less privacy, then someone will know things about them that they may want to keep secret. Most information is used anonymously. To the extent that things are "known" about consumers, they are known by computers. This notion is counterintuitive; we are not used to the concept that something can be known and at the same time no person knows it. But this is true of much online information.

6) Information can be used for price discrimination (differential pricing), which will harm consumers. For example, it might be possible to use a history of past purchases to tell which consumers might place a higher value on a particular good. The welfare implications of discriminatory pricing in general are ambiguous. But if price discrimination makes it possible for firms to provide goods and services that would otherwise not be available (which is common for virtual goods and services such as software, including cell phone apps) then consumers unambiguously benefit.

7) If consumers knew how information about them was being used, they would be irate. When something (such as tainted food) actually harms consumers, they learn about the sources of the harm. But in spite of warnings by privacy advocates, consumers don't bother to learn about information use on the Web precisely because there is no harm from the way it is used.

8) Increasing privacy leads to greater safety and less risk. The opposite is true. Firms can use information to verify identity and reduce Internet crime and identity theft. Think of being called by a credit-card provider and asked a series of questions when using your card in an unfamiliar location, such as on a vacation. If this information is not available, then less verification can occur and risk may actually increase.

9) Restricting the use of information (such as by mandating consumer "opt-in") will benefit consumers. In fact, since the use of information is generally benign and valuable, policies that lead to less information being used are generally harmful.

10)Targeted advertising leads people to buy stuff they don't want or need. This belief is inconsistent with the basis of a market economy. A market economy exists because buyers and sellers both benefit from voluntary transactions. If this were not true, then a planned economy would be more efficient—and we have all seen how that works.

By PAUL H. RUBIN

Mr. Rubin teaches economics at Emory University.

Suit Distinguishes Facebook's Click-Fraud Liability

Facebook's contract with pay-per-click marketers does not completely protect the social networking service from liability for problematic clicks by outside companies, despite a disclaimer stating that Facebook has no responsibility for click fraud, a federal judge has ruled.

But the judge also ruled that Facebook's disclaimer successfully precludes liability for clicks made by outside companies that are seeking to drive up their competitors' ad costs.

The mixed decision, issued this week by U.S. District Court Judge Jeremy Fogel in San Jose, Calif., draws a line between clicks that were "fraudulent" in the sense that the clicker had dubious intentions, and clicks that were improper for other reasons, such as when technical problems prevented users from reaching a landing page.

Fogel ruled that Facebook's disclaimer protects the company only from clicks made by third parties with an intent to defraud, and not clicks that don't go through for more benign reasons.

The ruling left both sides claiming they had scored points in the litigation, which cleared the way for the marketers to obtain evidence from Facebook through the pre-trial discovery process.

"Plaintiffs view it as a significant victory because the judge rejected Facebook's argument that a click fraud disclaimer immunized it against liability for any type of improper third party click," said Jonathan Shub, who represents the marketers. "We believe that the evidence will show that Facebook has immature systems resulting in improper billing of a wide range of clicks for which advertisers should not have been charged."

For its part, Facebook said it was "pleased a number of claims have been dismissed for good." The company added: "We believe the remaining, much narrower, claims are also without merit and will fight them vigorously."

The case dates to last summer, when sports site RootZoo and several other online marketers sued the social networking service, alleging discrepancies between their internal data and the number of clicks they were charged for by Facebook. RootZoo's original complaint alleged that its analytics showed that 300 clicks were generated by Facebook on June 2, 2008, but that Facebook charged the company for 804 clicks.

Facebook asserted that its contract with marketers precluded liability for click fraud because it included the following language: "Facebook shall have no responsibility or liability to me in connection with any third-party click fraud or other improper actions that may occur."

But RootZoo and the other marketers successfully argued that "improper actions" means only clicks made with a harmful intent, and not clicks that are "non-fraudulent but otherwise invalid." Such an invalid click could occur when the same user inadvertently clicks on an ad twice in rapid succession, or clicks on an ad but doesn't actually reach the marketer's site.

Fogel's ruling this week revisited an earlier decision dismissing claims against Facebook stemming from improper clicks by third-party companies. After that decision, the marketers filed amended papers spelling out why they sought to hold Facebook liable for invalid third-party clicks.

Specific Media Sued Over Flash Cookie Use

Online ad network Specific Media has been hit with a lawsuit for allegedly violating Web users' privacy by using Flash cookies for tracking purposes.

In a complaint filed in U.S. District Court in the Central District of California, six Web users allege that Specific Media failed to provide adequate notice about its online data collection techniques, including Flash cookies. The lawsuit also alleges that Specific Media used Flash cookies -- which are stored in a separate location from HTML cookies -- to recreate HTML cookies that users had deleted so it could "obtain personal identifying information, monitor users, and to sell users' data."

The company's "privacy documents require college-level reading skills for comprehension and include substantial legalese, ambiguous and obfuscated language designed to confuse, disenfranchise, and mislead the users," the lawsuit asserts.

In addition, the use of Flash cookies to recreate deleted HTML cookies "unfairly wrests control from users," the lawsuit alleges.

Specific Media has not yet responded to Online Media Daily's request for comment.

Flash cookies were originally designed to remember users' preferences for Flash-based applications like online video players, but some companies also use such cookies to store the same type of information that is normally found on HTTP cookies. With this type of data, Flash cookies can be used to reconstruct HTTP cookies, even when consumers have deliberately deleted their HTTP cookies to avoid tracking. Because Flash cookies are stored in a different place from HTTP cookies, users who delete the latter don't also shed the former. People can trash Flash cookies via Adobe's online controls, but many users don't appear to be aware of the cookies.

The complaint refers extensively to a report about Flash cookies published last year by researchers at the University of California, Berkeley and other schools. That paper outlined how Flash can be used to circumvent consumers' settings.

After the report was published, some Federal Trade Commission officials said they were concerned about the use of Flash for tracking purposes.

The Web users argue that Specific Media's alleged tracking techniques violate federal and state wiretap laws. They are seeking a class-action lawsuit.

This lawsuit marks the third time this summer that companies have been sued over Flash cookies. Defendants named in the prior two lawsuits include Quantcast, Clearspring, Walt Disney and NBC Universal.

All of the Flash-cookie suits were filed by lawyers David Parisi and Joseph Malley, both of whom are among the attorneys suing defunct behavioral targeting company NebuAd for allegedly violating users' privacy.