Posts Tagged ‘NAI’

Where is the boundary? Conflicting standards on health-related ad targeting

November 24, 2010

A spooky experience with drug-ad targeting was the initial inspiration for the PrivacyChoice project, so it won’t surprise you that I support the call for an FTC investigation into pharmaceutical ad targeting. There’s a big difference between building a profile about what kind of car you want to buy and a profile that infers that you’ve just been diagnosed with cancer. Ask consumers and they would overwhelmingly say that this kind of targeting should be opt-in, not opt-out.

Here’s a key point: There’s a major conflict between the two published industry standards for ad targeting based on health conditions.

In the Network Advertising Initiative 2008 Principles (pdf), “sensitive” health information is defined as: “Precise information about past, present, or potential future health or medical conditions or treatments, including genetic, genomic, and family medical history.”

On the other hand, the DAA’s 2009 self-regulatory principles (pdf) say that prior consent is only necessary before collecting “pharmaceutical prescriptions or medical records related to a specific individual.” This standard is much narrower, and permits collection of online behavior to infer medical conditions, so long as personal prescriptions or medical records are not involved.

The DAA should promptly adopt the NAI rule, which appropriately gives consumers the choice of whether to have health-related behavior tracked. It’s not only the right thing to do; without protective and consistent standards, health-based profiling could rightly become a flashpoint that sinks the overall self-regulatory effort. Protecting the fortunes of pharmaceutical marketers isn’t worth it.

The new opt-out page: a missed opportunity

November 24, 2010

The new centralized industry opt-out page is now in beta on the aboutads.info site, which is a production of the new Digital Advertising Alliance. The new page consolidates opt-outs for the tracking companies participating in the self-regulatory program (at this point, the NAI member list). This is the page that websites can now point to as part of providing enhanced notice and choice. Over time it may supplant the NAI’s current group opt-out experience.

Unfortunately, it’s not an upgrade. Here’s why:

  1. Don’t make me read. Like the NAI page, the new page is text heavy, and choices are largely below the fold (particularly on a laptop). The site does not explain the process visually or with video (NAI’s site does).
  2. Don’t make me scroll. It’s admirable that the page has a global opt-out button (in addition to the ability to “check all”); but why bury that button at the very bottom of the page?
  3. Make it easy to see where I stand. Like the NAI page, a user sees which of three states they are in for each company: opted-out, not opted out and with active tracking cookies, or not opted out and with no tracking cookie. But unlike the NAI page, the user has to click through different tabs to see status. And gone are the NAI’s reassuring green checkmarks that provide unambiguous confirmation of success.
  4. Don’t make me do this again. There’s no instruction as to how to make the opt-out choice survive cookie-clearing (through a browser add-on or bookmark). At least the NAI built an add-on for this purpose, although it has never moved out of beta and was never offered as part of the opt-out process. It seems like a considered decision has been made that durability is not a requirement for the program. This won’t inspire confidence in the advocates of a meaningful “Do Not Track” option.
  5. Tell me this really works. As with the NAI site, the opt-out is billed only as terminating the use of behavioral information, not the collection of behavioral data. The new page could have been an opportunity to state that no behavioral profile data will be collected about consumers who have opted out.
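
The three states in point 3 and the durability problem in point 4 can be shown with a small cookie-jar model. This is an added example, not code from the aboutads.info or NAI pages; the network names, domains, cookie names and the `clearKeepingOptOuts` helper are hypothetical, and the assumption is that an opt-out is stored as an ordinary cookie on each network's domain.

```javascript
// Constructed sample data: the network names, domains and cookie names are
// hypothetical and do not describe any real ad network.
const NETWORKS = [
  { name: "AdNetA", domain: "adneta.example", idCookie: "uid", optOutCookie: "optout" },
  { name: "AdNetB", domain: "adnetb.example", idCookie: "visitor", optOutCookie: "oo" },
  { name: "AdNetC", domain: "adnetc.example", idCookie: "u", optOutCookie: "optout" },
];

// Parse a "name=value; name2=value2" cookie string into a Map.
function parseCookies(cookieString) {
  const cookies = new Map();
  for (const part of (cookieString || "").split(";")) {
    const pair = part.trim();
    const eq = pair.indexOf("=");
    if (eq < 1) continue; // skip empty or malformed pairs
    cookies.set(pair.slice(0, eq), pair.slice(eq + 1));
  }
  return cookies;
}

// The three per-company states the opt-out page reports. Assumption: an
// opt-out cookie takes precedence if an ID cookie is also present.
function optOutStatus(jar, network) {
  const cookies = parseCookies(jar[network.domain]);
  if (cookies.has(network.optOutCookie)) return "opted out";
  if (cookies.has(network.idCookie)) return "not opted out, tracking cookie";
  return "not opted out, no tracking cookie";
}

function statusReport(jar) {
  return Object.fromEntries(NETWORKS.map((n) => [n.name, optOutStatus(jar, n)]));
}

// Ordinary cookie clearing: everything goes, the opt-out choices included.
function clearAllCookies(jar) {
  return {};
}

// Hypothetical persistence helper: clear everything except the opt-out
// cookies, so the user's choice survives the clean-up.
function clearKeepingOptOuts(jar) {
  const kept = {};
  for (const n of NETWORKS) {
    const value = parseCookies(jar[n.domain]).get(n.optOutCookie);
    if (value !== undefined) kept[n.domain] = `${n.optOutCookie}=${value}`;
  }
  return kept;
}

// Constructed cookie jar: domain -> cookie string.
const sampleJar = {
  "adneta.example": "optout=1",
  "adnetb.example": "visitor=c0ffee; lang=en",
};

console.log("before clearing:   ", statusReport(sampleJar));
console.log("after clear-all:   ", statusReport(clearAllCookies(sampleJar)));
console.log("opt-outs preserved:", statusReport(clearKeepingOptOuts(sampleJar)));
```

After an ordinary clear, AdNetA reports the same state as a network the user never opted out of, which is why the choice has to be restored by something outside the cookie jar.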

A trade organization like DAA has limited funding and too many committee inputs, so perhaps it’s not fair to expect a delightful privacy experience for consumers. Assuming the opt-out platform is open, independent companies should and will build better versions. Recent research confirms that the privacy experience has a big impact on brand impression, so hopefully advertisers will push for “a little more Steve Jobs” when it comes to privacy design.

How to know if self-regulation is working: Feature article in Adotas

September 27, 2010

Some key elements are now in place for the self-regulatory framework to ensure privacy and choice in ad tracking. Today in Adotas I’m suggesting three key things that will indicate initial success for the new system:

  1. The consumer experience is great;
  2. Failures are visible; and
  3. Outliers are shunned.

Read the article at Adotas.

Hey NAI, we’re gaining on you!

September 17, 2010

Here’s a fun graph that shows how the PrivacyChoice service is growing in popularity. It’s a neat comparison, since privacychoice.org and networkadvertising.org are the primary sources of consumer privacy information and choices for ad targeting.

New goal: make those lines cross!

Transparency works: Specific Media kills the cache

September 11, 2010

Specific Media’s privacy practices have drawn more attention than they would have liked in the last several months. One issue highlighted in a prior post was SM’s use of local cache storage for unique user IDs — which, like a Flash cookie, could be used as a “back up” identifier after the user clears their regular browser cookies. That’s a no-no under rules of the Network Advertising Initiative, so it was a puzzle when the NAI appeared to have closed out Specific Media’s overdue 2009 review with cache-based ID storage still in place.

Now it appears that Specific Media has put an end to cached ID storage (based on yesterday’s revision to their privacy policy). That’s good news, since now there can be no implication that the NAI would permit this kind of practice.

Assuming Specific Media has killed the use of the cache on the backend (we haven’t tested this, yet, but will), I’d like to think that this is an example of how transparency can work to bring individual company practices in line with industry norms. Even better would be if the NAI would be so bold as to report directly and publicly on these issues as they arise and are resolved.

AddThis: Still breaking the bargain

August 19, 2010

I wrote last week about how AddThis has ignored significant privacy questions as it starts to harvest data for behavioral targeting. AddThis sharing widgets, installed on 1.5 million websites, now collect behavioral profiles for auction to third-party ad delivery companies.

I’m not objecting to the notion of collecting and using data through a widget. My objection is that, by failing to tell consumers and publishers about what’s going on, they are breaking the implicit bargain in the consumer data ecosystem. The “bargain” says that consumers get free content and services (like nifty sharing widgets) in exchange for their anonymous data, but data collection comes with robust notice of how data are collected and used, and a meaningful chance to opt-out.

What’s amazing is that, even after losing AOL as a partner over this issue, ClearSpring and AddThis are still breaking the bargain by hiding the ball from consumers and publishers. Here’s what I mean:

  • There’s still no prominent mention of profiling in the AddThis signup process, except one buried deep in the terms of service.
  • You also won’t find any announcement in the AddThis Blog, even though they could easily have cut and pasted from the extensive blog post about the program on the Clearspring blog (their separately branded portal for advertisers and ad partners). Apparently, the behavioral profiling of 1 billion users isn’t as blog-worthy as supporting the re-tweet button or Will and Charlie’s trip to the Internet Identity Workshop.
  • You won’t find any announcement in the AddThis Developer Forums, although one curious developer happened to discover it on July 21 (pre-announcement, hmmm), and was provided some special code to disable cookies. If you want his code and didn’t catch that particular forum entry, good luck finding it in the help documentation (I couldn’t). You have to email them to get it.
  • You won’t even find a mention of behavioral profiles in the AddThis FAQ. There is a question, “What data does AddThis collect and why?” and the answer consists of a link to the AddThis privacy policy. Paragraph 17 of the privacy policy does discuss profile sharing. I guess it was too much trouble to provide a summary of the changes on the top of the page, or anything at all on the AddThis homepage (like “New!” next to the privacy policy link).

In this light, it’s hard to take Clearspring’s CEO seriously when he says to the Wall Street Journal that “This is very much a participatory system” for publishers.

Are they terrified that if they actually provide good disclosure, more publishers like AOL will freak out, either over privacy or uncompensated leakage of valuable profile data? Personally, I doubt that, but it’s all in how you handle it. One thing’s for sure: hiding the ball isn’t working.

Two more interesting questions to think about:

What about back-end processes? Front-end disclosure is important, but the rubber meets the road on the back-end where consumer profiles are used and shared in ways invisible to users. For AddThis, there’s a critical back-end privacy function of keeping email addresses (which are used extensively in the service) separate from behavioral profiles. If AddThis won’t invest in simple front-end disclosures, why should anyone feel assured that they are investing in robust back-end privacy processes?

Where will the NAI come out? I’ve been told that Clearspring is in the process of applying for NAI membership. Can the NAI admit Clearspring with a deeply flawed privacy framework, particularly since publisher-to-consumer disclosure is a principle that the NAI vowed to enforce more strongly in 2010? Is it consistent with NAI policies for NAI members to purchase and use Clearspring’s tainted data, as Media6Degrees apparently may already be doing?

Note 8/21: AddThis appears to be responding, and has a blog post on AddThis now about the new program. Still watching for integration of prominent notice and easy opt-out for publishers and consumers, to see if they really mean it.

Specific Media: Out of the NAI doghouse?

August 18, 2010

More than six months ago, Specific Media was the sole ad delivery company singled out as having potential compliance issues in the NAI’s 2009 report (discussed in an earlier post).

The company just updated their privacy policy in two respects:

  • Adopted a 12 month maximum retention period for user data (nice work!).
  • Added a very interesting disclosure about the use of browser caching to store user IDs (more on this in a future post).

I can only speculate that these changes are related to the successful completion of Specific Media’s compliance review. The fact that we don’t really know is instructive — and disappointing — for the self-regulatory effort. The NAI should have been more clear about the nature of Specific Media’s issue, and should have published an update that clarifies the issue in detail and how it was remedied. If no issue was found, that should be clear as well.

Let’s face it: One reason self-regulation is failing to win more supporters is that many view it as an unnatural act for an organization of companies to police the behavior of its own members. Compliance failures will happen, and when they do they need to be visible and the oversight response needs to be completely transparent. Nothing would inspire more confidence in self-regulation than really putting a company in the doghouse from time to time — in a way that advertisers, partners and consumers can’t miss.

A Self-Regulatory Moment

March 26, 2010

An earlier post about Google’s new “certified ad network” program raised the question of whether websites should disclose to consumers which third-party networks may have access to user data through AdSense. Google’s program allows certified networks to use previously collected behavioral data to target ads served through AdSense, but prohibits (by contract) the collection of new data for future use. Based on this distinction, Google does not provide consumers with any specific notice-and-choice as to certified ad networks.

Lurking here is a fundamental question about ad-targeting disclosure: is it good enough to provide notice and choice only when behavioral data are being collected, or must you also provide it when being used?

Google’s approach seems founded on a literal reading of the FTC’s 2009 Staff Report on Behavioral Advertising (see page 52), which by its terms speaks only of notice-and-choice on every website “where data is collected.” The NAI’s self-regulatory principles use similar language. But neither the FTC nor the NAI discussed “use” versus “collection,” the involvement of multiple companies in delivery of a single ad, nor a notion that disclosure standards might differ in those cases.

There are good reasons to conclude that consumers deserve notice-and-choice both at the point of collection and the point of use of behavioral data.

  1. The serving of a targeted ad will be the moment of recognition for many consumers; the very point at which they want to understand and exercise their choices. If they can’t easily identify the company serving the ad based on prior collected behavior, they have no way to prevent it from continuing.
  2. With visibility as to which third-parties have access to data, consumers can make their own decision about whether to rely on Google’s contractual rules about how it may be used. Google’s approach is a black box for consumers; they receive no direct assurance from the certified ad network about their practices, nor any assurance that Google will monitor or enforce the contractual prohibitions on their behalf.

In plain terms, Google says to the consumer: If you don’t opt-out when information is first being collected about you, you lose the practical ability to do so when it is used to show you targeted ads. Google’s own opt-out program does not appear to remove the user from receiving behaviorally targeted ads from non-Google networks through AdSense.

Did the FTC Staff intend this outcome? There’s nothing in the rest of the Staff’s discussion to indicate that they meant to exclude the use-only situation from enhanced disclosure. Indeed, in distinguishing first-party from third-party data collection, the Staff said:

“By contrast, when behavioral advertising involves the sharing of data with ad networks or other third parties, the consumer may not understand why he has received ads from unknown marketers based on his activities at an assortment of previously visited websites. Moreover, he may not know whom to contact to register his concerns or how to avoid the practice.”

In the same statement, the FTC Staff spoke to this kind of novel situation when they said, “Where the data collection occurs outside of the traditional context, companies should develop alternative methods of disclosure and consumer choices that meet the [transparency] standards described above …”

The IAB-led coalition has adopted principles that require notice-and-choice “when data is collected from or used on a Web site for Online Behavioral Advertising purposes …” (page 17). The IAB’s overall approach to disclosure is premised on embedding notice into ad-delivery, which, as the FTC explained, satisfies a consumer curious about why they saw a particular ad. This is true whether or not data are also being collected for future targeting.

“Fourth-party” ad delivery of the sort now available in AdSense is increasingly common, and Google’s precedent may end up as an industry standard. If enhanced disclosure only applies at the point of collection of behavioral data, and not at the point of use, that should be based on a thoughtful discussion of the consumer impact, rather than a narrow reading — and most likely a mis-reading — of FTC staff guidance.

This will be an important test of the industry’s self-regulatory framework. Google is an NAI member (as are several certified ad networks), and this question involves interpretation of NAI guidelines. One way or another, the NAI must pass judgment on the point, and in doing so will demonstrate whether consumers (and the FTC) can count on an effective self-regulatory effort for behavioral advertising.

Flash-cookie opt-outs: The VideoEgg Example

March 12, 2010

In an earlier post I was critical of VideoEgg’s opt-out implementation, but with their latest upgrade, they now have one of the easiest and most durable opt-out processes of any ad network. Unlike many ad companies that bury the opt-out link in the text of their privacy policy, VideoEgg presents it at the top of the privacy statement, in an easy-to-use button. VideoEgg links to this policy from every page on their site (including the homepage) with the title, “Privacy Policy and Opt-out.” And most importantly, because the opt-out is maintained using a Flash cookie, it stays in place even when a user clears their normal browser cookies.

Here’s an idea for how VideoEgg can build on this good work: Why not join the Network Advertising Initiative and help the rest of the industry adopt Flash cookie opt-outs? This will involve a significant change to the NAI’s opt-out framework, but would be an ideal way to ensure that consumer choices remain persistent without the burden of installing browser add-ons.

“It’s about the websites, stupid.”

February 20, 2010

Much time and energy is being expended to build systems to verify compliance with the notice-and-opt-out framework for online behavioral advertising. The notion is that an independent organization can confirm that behaviorally targeted ads always are accompanied by the proper notice-and-choice disclosure, and that ad delivery companies refrain from showing behaviorally targeted ads to consumers who have opted-out.

The pace of technological development suggests that these efforts are misguided.

To understand why, consider these two recent developments:

  • Panopticlick, which demonstrates that operating system and browser configurations are sufficiently unique to identify a computer over time, even without using cookies, supercookies or any other affirmative means of tracking.
  • Scout Analytics’ new tracking service, which identifies a user (not a computer) based on the unique signature provided by how they type and use their mouse.

Given the huge value in behavioral targeting, you can expect to see a whole host of approaches like these, which offer far greater accuracy and durability. Because these technologies work purely on the backend, they do not leave artifacts like cookies that provide a forensic means to determine when tracking is occurring.
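
The Panopticlick point above can be made concrete by measuring how few browsers share a given configuration. This is an added example, not code or data from Panopticlick or from this blog; the eight-browser population and its attribute names and values are constructed for illustration.

```javascript
// Constructed sample population of eight browsers; the attribute names and
// values are illustrative, not measurements from Panopticlick.
const POPULATION = [
  { userAgent: "UA-1", timezone: "UTC-8", fonts: "F1" },
  { userAgent: "UA-1", timezone: "UTC-8", fonts: "F2" },
  { userAgent: "UA-1", timezone: "UTC-5", fonts: "F1" },
  { userAgent: "UA-1", timezone: "UTC-5", fonts: "F2" },
  { userAgent: "UA-2", timezone: "UTC-8", fonts: "F1" },
  { userAgent: "UA-2", timezone: "UTC-8", fonts: "F2" },
  { userAgent: "UA-2", timezone: "UTC-5", fonts: "F1" },
  { userAgent: "UA-2", timezone: "UTC+1", fonts: "F3" },
];

// The observable configuration, restricted to the chosen attributes.
const fingerprint = (browser, keys) => JSON.stringify(keys.map((k) => browser[k]));

// Anonymity set: how many browsers in the sample look identical to this one.
function anonymitySetSize(population, browser, keys) {
  const fp = fingerprint(browser, keys);
  return population.filter((b) => fingerprint(b, keys) === fp).length;
}

// Identifying information in bits: log2(population / anonymity set).
// A configuration not seen in the sample is treated as a set of one.
function surprisalBits(population, browser, keys) {
  const size = Math.max(1, anonymitySetSize(population, browser, keys));
  return Math.log2(population.length / size);
}

// Share of the population whose configuration is shared with nobody else.
function uniqueShare(population, keys) {
  const unique = population.filter((b) => anonymitySetSize(population, b, keys) === 1);
  return unique.length / population.length;
}

// Each added attribute shrinks the anonymity set; no cookie is involved.
const attributeSets = [
  ["userAgent"],
  ["userAgent", "timezone"],
  ["userAgent", "timezone", "fonts"],
];
for (const keys of attributeSets) {
  const bits = surprisalBits(POPULATION, POPULATION[0], keys).toFixed(2);
  console.log(`${keys.join("+")}: ${bits} bits, unique share ${uniqueShare(POPULATION, keys)}`);
}
```

With all three attributes every browser in this sample is unique, even though nothing is stored on the client that a cookie audit could find.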

It is conceivable that behavioral targeting might be detectable through continuous correlation between behaviors demonstrated and the subject matter of advertising delivered, in a panel or other test environment; but the likely effectiveness and necessary scale of such a system are in the realm of speculation.

In practical terms, only two things really matter:

  1. The decisions that websites make about which companies are allowed to collect information about users, which come into sharper focus as those decisions face public and regulatory scrutiny.
  2. The published policies and reputations of tracking companies, supported by the audits and other oversight provided by organizations like the NAI and TRUSTe, which websites can rely upon in making those decisions.