The FTC Sticks it to Online Advertisers

Big news in privacy recently as the Federal Trade Commission (FTC) finally took a stand against Internet advertising companies about how they collect and use our information online. As you know, currently one of the only ways to bypass ad-tracking online is to use VPNs or proxies that stop advertisers from viewing your actions, like AnchorFree’s Hotspot Shield, a free VPN that keeps date private online. However, going forward, consumers may have even more control in keeping their information safe from prying eyes. Last week, advertising companies received an ultimatum of sorts — clean up your act or suffer the consequences!

Last week, the FTC issued the final version of its “set of proposed principles to guide the development of self-regulation in this evolving area” with its top recommendation to be more transparent and provide users with exactly what information was collected about them, as well as ways to bypass data tracking.

“Industry needs to do a better job of meaningful, rigorous self-regulation or it will certainly invite legislation by Congress and a more regulatory approach by our commission,” Commissioner Jon Leibowitz wrote in a statement released with the report. “Put simply, this could be the last clear chance to show that self-regulation can — and will — effectively protect consumers’ privacy in a dynamic online marketplace.”

Meanwhile, privacy groups still maintain that these proposed principles are not quite enough:

“They’re punting this back to the online advertising industry, when they should have put their foot down and set some minimum rules,” said Jeff Chester, president and founder of the Center for Digital Democracy. “Simply asking the industry to be more responsive doesn’t get to the heart of the threat to privacy.”

While these principles are unlikely to result in any drastic changes in online data tracking procedures, the dissemination of such ideas is a step in the right direction. What’s needed here is a way for relevant advertising and user privacy to work together.

“This is about advertising, so these people ought to be creative,” said Eileen Harrington, acting director of the commission’s bureau of consumer protection. “We know advertisers can get their messages across when they want to. They darn better want to get this message across: ‘This is what we are collecting and this is how we are using it.”

Amen to that.

Fears of Google’s New Latitude Service Span the Globe

Is it just us or is the launch of every new Google feature or application — namely Chrome in September and StreetView on an ongoing basis — meet criticism from privacy advocates? Google’s newest location-tracking service, Latitude is no exception to our theory and has been receiving lots of traction as a potential hotbed for enabling location tracking without user knowledge or consent. London’s Privacy International has been the loudest voice in condemning its use.

As the privacy watchdog group warned last Thursday, “Google’s new Latitude location-sharing service could be a gift to stalkers, prying employers, jealous partners, and obsessive friends.”

The newest Google offering, Latitude allows users to share their location data with friends via their mobile phone or computer. However, with this information exchange, many potential problems arise.

Cognizant of privacy backlash, Google proactively addressed the issue on the day of the launch. “Fun aside, we recognize the sensitivity of location data, so we’ve built fine-grained privacy controls right into the application,” Vic Gundotra, VP of engineering on Google’s mobile team said. “Everything about Latitude is opt-in. You not only control exactly who gets to see your location, but you also decide the location that they see.”

However, Privacy International is quick to question the meaning of this statement and mentions that the possibility of a second party obtaining access to a user’s phone and location without user knowledge is a definite hazard of the service.

As InformationWeek’s Thomas Claburn reported, Privacy International exposed five different scenarios for abuse:

• An employer provides staff with Latitude-enabled phones on which a reciprocal sharing agreement has been enabled, but does not inform staff of this action or that their movements will be tracked.
• A parent gifts a mobile phone to a child without disclosing that the phone has been Latitude-enabled.
• A partner, friend, or other person gains access to an unattended phone (left on a bar on in the house) and enables Latitude without the other person’s knowledge.
• A Latitude-enabled phone is given as a gift.
• A phone left unattended, for example with security personnel or a repair shop, is covertly enabled.

All seem like valid arguments to us. On the other hand, we do agree with Claburn there do exist bigger issues that call individual privacy and security rights into question, as well as situations users bring upon themselves. In a subsequent article, Claburn argues that Latitude hardly presents a privacy risk compared to other intiatives sprouting up around the world, and that “people are their own worst enemy when it comes to privacy.”

Expressing nonchalance when posting personal information to social networking sites, banking online on unsecured wireless networks, and engaging in similar activities, users put themselves in danger on a daily basis. Latitude is just presents another opportunity for users to mistakenly offer up their information if not paying attention and deciphering what exactly they are releasing to the Internet.

Just another reminder to be cautious when utilizing new technologies and services that could potentially leave your personal data exposed to other parties. (Don’t forget that Hotspot Shield is a great way to remain anonymous and secure when surfing online or on your iPhone.)

Ixquick Outshines Google, Microsoft, and Yahoo!

Ixquick, a Dutch search engine made it into the (unofficial) record books on Wednesday. The “World’s Most Private Search Engine” has become the first to function without retaining the user Internet Protocol (IP) address in order to increase user privacy protections that it has emphasized since its launch in 2006.

“At Ixquick we feel people have a fundamental right to privacy,” said Ixquick chief executive Robert Beens. “Using a search engine is sharing your innermost secrets and habits which should be safe. Ixquick has the best privacy policy of the search industry. Today it has become even better.”

Timed to coincide with Data Privacy Day on a few days ago, Ixquick will go from retaining the user IP address, which designates the Internet connection used, for 48 hours to eliminating retention all together. Coupled with ISPs tracking behavioral data online, the IP address allows easy user identification and runs into problems amongst privacy advocates.

“The technical need to store IP addresses for 48 hours – blocking automated use of Ixquick’s servers – has been overcome by recent technological developments,” said an Ixquick statement.

The closest any US search engine has come to lowering data retention periods is Yahoo! with a period of three months. Talk about a breath of fresh air. We’re curious to see if the news elicits any similar moves in the US.

Transitioning from 2008 to 2009: What is in Store for the Online Privacy Space?

When we started this blog back in September, we were looking to spark a conversation about how Internet users globally are being put at risk by the current lack of actionable online privacy measures. We’ve made it a main objective to track all news in this space and have welcomed feedback from industry thought-leaders, consumers, advertisers and even the ISPs themselves — and thought we’d share a recap of what we thought were the most important issues during the second half of 2008, to help better understand what will happen in 2009.

From Our Own Backyard to Overseas, Behavioral Tracking Finds a Home

Perhaps the biggest issue of 2008 was the rampant move toward behavioral targeting by ISPs. While this issue seen action from established companies like Tacoda and Revenue Science for years — NebuAd, Phorm and other companies new to the scene stirred up controversy.

The fire sparked in June when Charter Communications, one of the largest providers of cable-based broadband service in the U.S., “backed off of a plan to insert advertisements onto Web pages — using a company called NebuAd — based on its users’ Web-surfing habits after privacy advocates called the program an ‘attack on users.’ This was only the beginning of the blaze.

Congress got word of this controversial functionality and called out NebuAd to change its privacy notification features to allow customers to opt-in voluntarily rather than have to opt-out of the service (Around the same time, AT&T, Time Warner Cable and Verizon all agreed to get the permission of users before performing behavioral ad tracking in the future). To make a long story short, NebuAd essentially shut down on American grounds — even the CEO stepped down following congressional scrutiny. However, this has not stopped the behavioral technology overseas.

Last month, Phorm, a company that offers the technology similar to NebuAd, ended its trials with ISP British Telecom (BT) and planned beginning steps to roll out the technology across the entire network. NebuAd is following suit and hopes to get the ball rolling again on foreign soil. However, it still has loose ends to tie up in the US, particularly a lawsuit filed by 15 angry Web users against the ad targeting enterprise and the six ISPs that utilized the company’s technology without user consent.

In Other News…

Privacy Cops didn’t limit the discussion to just behavioral targeting but pushed to include all thoughts about privacy, and even had some news of our own to announce.

• Throughout 2008, Yahoo, Google and Microsoft competed to lower their data retention periods and we’re hoping the trend continues to no retention whatsoever. Yahoo’s most recent announcement to only hold data for 90 days trumped Google’s September promise to hold it for six months, and Microsoft said it would match Yahoo’s three month period if the other two giants did so as well.
• Google Street View was another ongoing story we covered as it continued its trip around the world, opening in New Zealand, France and other countries. Still, many countries are vehemently opposed to the technology, namely Japan and this Germany town. We’ll see how much footage the Google cars can capture in 2009.
In Australia, a colossal infringement on privacy rights was announced in October. Australia became the first democratic nation to filter Internet content via deep packet inspection (DPI). Under the government’s $125.8 million Plan for Cyber-Safety, it was announced that Australians would not be able to opt-out of the censorship but rather have the option to chose between two blacklists: one that blocks content inappropriate for children, and one that blocks illegal material. Preliminary trials showed that even the best Internet content filters would block approximately 10,000 pages (out of one million) incorrectly.
One of our biggest accomplishments in 2008 was to announce the configuration of our new security product, Hotspot Shield for iPhone. Hotspot Shield was the first free security iPhone application to keep Internet sessions 100% secure and anonymous, and our iPhone application is just another platform to extend our participation into the mobile security conversation (which we believe will become a hot topic in 2009).

So What’s Next for 2009?

Our hope is that 2009 brings a sense of urgency to the realm of consumer privacy online. Moreover, we would like to see Internet users valued for the information they provide to third-party companies and ultimately, advertisers. Based on developments already making headlines, we expect a wild ride this year in the privacy world.

Phorm is already researching using financial incentives to encourage users to sign up to its ad-targeting technology. Consumer advocacy groups are on the horn scrutinizing Google’s mobile advertising practices that may violate children, adolescent and other consumer privacy laws. Additionally, four groups representing ad networks, portals, publishers, ISPs, and ad agencies have joined forces to convince Congress that the industry is capable of policing itself rather than have government step in and regulate behavioral targeting.

We’re only two weeks into 2009 and battles are beginning. We’ll continue to provide you commentary on the action every step of the way.

9, 6, 3 – What Comes Next?

Recently, Yahoo announced its plans to make user information anonymous within 90 days, a change from the previous standard of 13 months. Additionally, not only will the data be anonymized on searches but also on page clicks, advertising clicks and page views.

Edward J. Markey (D-Mass), the chairman of the House Subcommittee on Telecommunications and the Internet and a founding member of the Congressional Privacy Caucus, responded positively to Yahoo’s move and its implications on the competition. He stated: “Yahoo voluntarily sets a new standard for privacy protection, a standard against which Microsoft, Google and others will now be compared. Privacy is a cornerstone of freedom and I applaud Yahoo’s announcement for recognizing that consumers deserve ample privacy protections in the digital era to ensure trust and freedom on the Internet.”

While we are on the same page as Markey with advocating privacy protection online, shorter data retention limits are hardly enough to provide user privacy online. Unless the practice of tracking and storing user data is completely eradicated from the industry, Google, Microsoft and Yahoo are only a handful of companies that will continue to collect and store personal information without user knowledge. Users are powerless to control what is seen and what is not; this practice is unacceptable.

Yes, Google did took the first step in limiting storage periods when it halved the time it stored user data from 18 to nine months earlier this year. Yes, Microsoft announced earlier this month that it would cut its retention time to six months if its competitors did the same, and now Yahoo is promising a similar plan. However, even Yahoo’s plan to scramble the IP addresses by deleting the last eight bits is drawing criticism from privacy pundits on its inadequacy to provide full anonymization.

While shortening data retention periods and deleting IP addresses look good on paper, more stringent rules need to be enforced to put the user in command of their information. Keeping the data for months at a time does not provide any control to the user. Furthermore, as long as the company executives make the decisions on how long to keep information about what an individual does online or what to do with that information, progress cannot be made.

That said, the developing trend here is promising: Google’s nine months of data retention led to Microsoft’s predicted six, and now Yahoo just announced its plan to only hold data for three months. While we’re not mathematicians at AnchorFree, let’s hope the current pattern continues, and the next jump is to zero — meaning the practice is eliminated entirely; that is the only way to put control back in the hands of users and out of the hands of unscrupulous executives looking to leverage the data.

In the meantime, AnchorFree does offer a free consumer Virtual Private Network (VPN) called Hotspot Shield that provides full anonymity to consumers on the Web. The download puts users back in the driver’s seat to browse free of fear of data storage and tracking. Check it out here.