Friday, March 12, 2010

Who Owns The Privacy?

Online privacy has become an issue that finally has bled outside of the realm of behavioral targeting and it is quite rightly taking its place in discussions of ad spending, publishing and targeting of all kinds. We have been weaving it ever more deeply into the coverage at MediaPost's own OnlineMediaDaily (courtesy of specialist Wendy Davis) and the programming of the OMMA shows themselves.


At last month's OMMA Behavioral, the Interactive Advertising Bureau's point man on public policy, Mike Zaneis, walked us through the new effort to create standardized iconography and messaging around disclosure about data collection and tracking, opt-outs, etc. Zaneis says that the IAB and its partners in the cross-industry consortium working on the project will run over 1 billion ad impressions this year to get the word out.

While some may say that the campaign is too little too late, he argues that the regulatory and legislative groups he lobbies in Washington are appreciating the effort. According to the analytics on the ad campaign, 10% of the ads being delivered get moused over, which in many cases expands the ad to offer information about ad targeting. The next wave of the effort will involve standard icons and labels that will run with ads and on publisher Web sites. For the full presentation, you can access the video/audio of Zaneis' talk here.

While the industry initiative to implement and enforce self-regulation may be slower to market than many expected, it is dovetailing with rising concern that privacy matters to everyone's bottom line. Next week in San Francisco at OMMA Global, we are taking the privacy issue that usually sits in a track about ad nets or behavioral targeting, and instead moving it into the track for publishers. The panel on Wednesday -- "Can Publishers Take Ownership of Privacy?" -- will address the critical problem of how the privacy issue ultimately will have to be taken up by the place where consumers have a direct relationship, the publisher.

I think publishers are going to have to take a good deal of the ownership of privacy and be much more aware of the policies of the partners they use. For the last several weeks I have been using the latest iteration of the Ghostery plug-in for Firefox. This tool tracks the trackers. It shows the user which ad nets and other analytics programs are using unique identifiers with your browser.

What I find really interesting here is the new pop-up window that superimposes the identities of the trackers on every page on which you land. From Google Analytics to ad exchanges and data providers, the full list gets daunting quickly at some sites. Now a part of the experience of landing on any site is seeing very clearly from the outset which cookies and beacons are at play. The net effect of this process is fascinating, because it gives the user a peek at a publisher's business model and the aggressiveness of their data strategy.

Does such knowledge change my browsing habits? No, not yet. Does it change my relationship with the publisher? To a degree. I now have a stronger sense of how the publisher is leveraging and placing value on my presence. In an indirect way, greater transparency about user tracking reinforces the notion that consumer behaviors have a cash value in the media economy. In making the case that targeting is critical to the survival of online media, publishers and advertisers are also making the case with consumers that their attention has value and that the user herself may be able to barter some of this value more effectively. As a consumer, the publishers appear to own my privacy protection, because they are the ones most obviously profiting from my data.

I was speaking with a senior ad agency executive the other day about the trends in digital advertising this year. He was among the first on the buy side to make the strong case to me that spending and privacy are going to be linked. As agencies develop demand-side platforms that aggregate audiences and inventory on behalf of clients, then the now-familiar question "who owns the data" becomes more insistent among publishers, third-party data providers and ad networks.

"Privacy and who owns the data are opposite sides of the same coin," he told me. "Until we get to the solution of both those issues, it renders the value of online media as specious." In other words, until the advertisers (or even the publishers, for that matter) know what they can extract from the data they collect and how it can be used, then it is difficult to price advertising. "Resolving the privacy issue in turn informs who owns the data, which informs how online display media is priced," he argued.

Now privacy is inextricably entwined with the publisher's and advertiser's bottom line.

Thursday, March 11, 2010

FCC Commissioner Calls For Examination Of Broadband Price Hikes

Federal Communications Commission member Mignon Clyburn said Wednesday that recent broadband price hikes "should raise a red flag" for the commission. "When prices rise across the industry, and where there are only a limited number of players in the game, we have to ask ourselves whether there is any meaningful competition in the marketplace," she said.

Clyburn didn't mention any broadband companies by name, but her statement obviously referred to recent reports that Comcast and AT&T are rolling out rate hikes.

This week, it emerged that Comcast will raise rates for some services by $2 a month in the New Jersey area. Subscribers who purchase "economy" 1 Mbps downstream service, and don't bundle it with other features, will see prices increase to $40.95; subscribers to 12 Mbps "performance" will see unbundled rates rise to $59.95. News of Comcast's rate increases came shortly after a report that AT&T also is raising the price of broadband for some customers.

The reports also come days before the FCC is slated to present Congress with a national broadband plan aimed at improving high-speed Web service in the country. Among other factors, the FCC has already identified the cost of broadband as one impediment to wider adoption.

Earlier this year, the FCC released a study showing that 35% of Americans lack home broadband lines. A big chunk of that group -- 36% -- said that broadband cost too much. (That group includes people who find monthly subscription fees and installation prices too high, as well as those who say a computer itself is too costly.)

Clyburn's comments were cheered by broadband advocacy group Free Press, which earlier this week called on the FCC to "do something bold and decisive to promote meaningful competition."

"For too long, the FCC has avoided confronting the competition problem, leaving American consumers and business at the mercy of the phone and cable companies," Free Press policy director Ben Scott said in a statement. "Congress wants a plan for universal, affordable and robust broadband, and a meaningful competition policy is the key to achieving those goals."

Scott also stated that goals for increased broadband adoption "cannot be met with hope that wireless broadband might someday discipline prices."

That remark appeared to be directed at an FCC announcement earlier this week indicating that the national broadband plan would include plans to consider using spectrum for free or low-cost wireless broadband service.

Thursday, March 4, 2010

Leaked intelligence documents: Here's what Facebook and Comcast will tell the police about you

Wonder what information Facebook and Comcast will turn over to police and intelligence agencies about you? Cryptome, the site that last week posted the leaked Microsoft "spy" manual, has posted company documents that purport to describe what those companies will reveal about you. As with the Microsoft document, the information is eye-opening.

Keep in mind that what the companies turn over to police and intelligence agencies is not illegal. The companies are all, in their own ways, following the law. Still, it's disconcerting to see all that's available about you, if the documents are real and to be trusted. Here's the rundown on each.

Facebook

The "Facebook Subpoena/Search Warrant Guidelines" from the Cryptome site are dated 2008, so there's a chance they've been superseded. The document spells out how law enforcement and intelligence agencies should go about requesting information about Facebook users, and details what information is turned over.

Following is what Facebook will turn over about you, taken verbatim from the guide:

Types of Information Available

User Neoprint

The Neoprint is an expanded view of a given user profile. A request should specify that they are requesting a “Neoprint of user Id XXXXXX”.

User Photoprint

The Photoprint is a compilation of all photos uploaded by the user that have not been deleted, along with all photos uploaded by any user which have the requested user tagged in them. A request should specify that they are requesting a “Photoprint of user Id XXXXXX”.

User Contact Info

All user contact information input by the user and not subsequently deleted by the user is available, regardless of whether it is visible in their profile. This information may include the following:

* Name
* Birth date
* Contact e-mail address(s)
* Physical address
* City
* State
* Zip
* Phone
* Cell
* Work phone
* Screen name (usually for AOL Messenger/iChat)
* Website

With the exception of contact e-mail and activated mobile numbers, Facebook validates none of this information. A request should specify that they are requesting "Contact information of user specified by [some other piece of contact information]". No historical data is retained.

Group Contact Info

Where a group is known, we will provide a list of users currently registered in a group. We will also provide a PDF of the current status of the group profile page.

A request should specify that they are requesting "Contact information for group XXXXXX".

No historical data is retained.

IP Logs

IP logs can be produced for a given user ID or IP address. A request should specify that they are requesting the "IP log of user Id XXXXXX" or "IP log of IP address xxx.xxx.xxx.xxx".

The log contains the following information:

* Script – script executed. For instance, a profile view of the URL http://www.facebook.com/profile.php?id=29445421 would populate script with "profile.php"

* Scriptget – additional information passed to the script. In the above example, scriptget would contain "id=29445421"

* Userid – The Facebook user id of the account active for the request

* View time – date of execution in Pacific Time

* IP – source IP address

IP log data is generally retained for 90 days from present date. However, this data source is under active and major redevelopment and data may be retained for a longer or shorter period.

Special Requests

The Facebook Security Team may be able to retrieve specific information not addressed in the general categories above. Please contact Facebook if you have a specific investigative need prior to issuing a subpoena or warrant.

Comcast

The Comcast document is labeled "Comcast Cable Law Enforcement Handbook," and is dated 2007, so there's a possibility that it, too, has been superseded. As with the other documents, it explains how law enforcement agencies can get information, and details what information is available.

There's a great deal of detail in the 35-page document, which describes what Internet, phone, and television information will be turned over. For example, here's the IP information it will make available:

Comcast currently maintains Internet Protocol address log files for a period of 180 days. If Comcast is asked to respond for information relating to an incident that occurred beyond this period, we will not have responsive information and can not fulfill a legal request. (Comcast can process and respond to preservation requests as outlined below in this Handbook.)

As expected, Comcast will also turn over the emails, including attachments, of those who use Comcast's email service, but "In cases involving another entity’s email service or account, Comcast would not have any access to or ability to access customer email in response to a legal request."

Information Comcast turns over to law enforcement agencies varies according to the request. For example, a grand jury subpoena will yield more information than a judicial summons, as you can see in the excerpt below. Comcast notes, though, that this is just a sample, and that "Each request is evaluated and reviewed on a case by case basis in light of any special procedural or legal requirements and applicable laws." So the examples "are for illustration only."

Grand Jury, Trial, or Statutorily Authorized Administrative Subpoena

Law enforcement agencies are eligible to receive subscriber identification including items (1)-(6) without notice to the subscriber:

1) Subscriber's name

2) Subscriber's address

3) Length of service including start date

4) Subscriber's telephone number, instrument number or other subscriber number or identity, including a temporarily assigned network address

5) Subscriber's email account names;

6) Means and source of payment for such service (including any credit card or bank account number); and

7) In certain instances, email communications older than 180 days with notice.

For those who worry about privacy, though, all of this information is small potatoes. The real worry is about the use of what are called pen registers or trap-and-trace devices, which essentially capture all of your Internet activity --- the Web sites you visit, the emails you send and receive, IM traffic, downloads, and so on. Here's what the document says about them:


Pen Register / Trap and Trace Device

Title 18 U.S.C. § 3123 provides a mechanism for authorizing and approving the installation and use of a pen register or a trap and trace device pursuant to court order. All orders must be coordinated prior to submission to Comcast. Law enforcement will be asked to agree to reimburse Comcast's reasonable costs incurred to purchase and/or install and monitor necessary equipment. See "Reimbursement," below.

Comcast also details how law enforcement agencies can get details about subscribers on an emergency basis:


Emergency Disclosure

18 U.S.C. § 2702(b)(8) and § 2702(c)(4) contain provisions for the expedited release of subscriber information in situations where there is an immediate danger of death or an immediate risk of serious physical injury. Law enforcement agencies need only to adequately complete Comcast’s Emergency Situation Disclosure Request form (Reference Attachment #1) and they will receive accelerated subscriber identification.

As for your voice calls made via Comcast, here's what the company will turn over:


Call Detail Records

- Comcast maintains two years of historical call detail records (records of local and long distance connections) for our Comcast Digital Voice telephone service. This includes local, local toll, and long distance records. Comcast also currently provides traditional circuit-switched telephone service branded Comcast Digital Phone. Call detail records for this service are collected by AT&T and are available for approximately two years as well. To determine which type of service is involved, contact the Legal Demands Center—Voice and Video at 800-871-6298.

Account Records

- Account records are generally stored for approximately two years after the termination of an account. If the account has an outstanding balance due, records may be retained for a longer period of time.

As with Internet information, what phone information will be turned over depends on the specific kind of legal request, and the examples "are for information only." Here's an excerpt:


Grand Jury, Trial or Administrative Subpoena

Law enforcement agencies can receive subscriber identification including:

1) Subscriber's name

2) Subscriber's address

3) Length of service including start date

4) Subscriber's telephone number, instrument number or other subscriber number or identity, including a temporarily assigned network address

5) Subscriber's social security number (if requested)

6) Means and source of payment for such service (including any credit card or bank account number)

7) Call Detail (records of local and long distance connections)

And, as you would expect, there is the same pen register/trap-and-trace device language as in the section about the Internet.

Oddly enough, it appears that when it comes to information about your television viewing habits, you have more privacy rights than you do when it comes to information about your Internet and voice use, because it can only be turned over in response to a court order, not a subpoena. Here's what the document has to say about TV information:

Subscriber Account Identification and Related Records

For subscribers to our cable television service, the Cable Act requires Comcast as a cable operator to disclose personally identifiable information to a governmental entity solely in response to a court order (and not, for example, a subpoena) or with the subscriber's express written consent. The Cable Act requires that the cable subscriber be afforded the opportunity to appear and contest in a court proceeding relevant to the court order any claims made in support of the court order. At the proceeding, the Cable Act requires the governmental entity to offer clear and convincing evidence that the subject of the information is reasonably suspected of engaging in criminal activity and that the information sought would be material evidence in the case. See 47 U.S.C. § 551(h).

Why does the law give you more privacy protection over your television viewing habits than your Internet or phone use? I haven't a clue --- ask your congressman.