Saturday, December 04, 2010

More discussion about "do not track": a stop at an Internet cafe

Yesterday, I stopped at an Internet café in Washington DC and paid the $3 for surf for 15 minutes. I tried a variety of domains and browsers, and found that browser history disappeared when I closed it. Ads served to me were indeed more general than I would receive at home, but were still of fair quality, but tended to become more specific as I continued to surf. All of this suggests, heuristically, that Internet users even now have some control over how much “tracking” is done of them if they bother to find out.

The value of marketing to users is not so much in immediate purchases, as in creating interest over time. The car that I bought in midi 2009 (a Ford Focus) was certainly influenced by ads I had seen for months. Movies I see may be influenced by previews and trailers on the Internet. Commercials can have good quality. (When I lived in Minneapolis, I heard that the Twin Cities was a major player in making commercials and industrial films.) One of the best commercials around is one developed by AMC Theaters, to show moviegoers what they might experience in an outdoor theater on another (M-star) planet!

I looked over again the FTC document (link given here Dec. 2) suggesting a “do not track” capability. I’m struck by how much of this discussion has involved “apples and oranges”.

Let me back up for a moment and note that as a webmaster who has maintained free sites (no advertising, no credit cards) of political content for a number of years (hppub.com, doaskdotell.com, billboushka.com) that I’ve been aware of possible privacy implications for all these years. I get Urchin reports on my sites and particularly access logs which list IP addresses associated with searches and page requests on my sties. In a few cases, it is possible to see who may have visited the site (from the logs). In analyzing an incident in 2005 with possible legal implications, these logs were useful to me (more details here July 27, 2007). From an ethical perspective, looking at these logs might seem like the equivalent of knowing who bought your book or saw your movie. You actually don’t have the right to know that. That’s part of what “publication” means.

With my blogs (16 other them, as accessed through Blogger profile), there is “behavioral advertising” as explained in the “Privacy Policy” at the physical bottom of the page of this blog. There are links (admittedly in small print) there that show the visitor how to regulate his own experience. Visitors have quite a bit of power now to make choices as to how “visible” they are; learning to use the Web is a bit learning to drive a car; you need to know the rules of the road and about safety.

All this said, I still think it’s appropriate that the FTC (along with Congress) wants the Web community to do a bottom up review of its practices with respect to interacting with consumer data. But it’s important to keep a number of these issues in perspective.

First of all, it’s true that most of our “privacy regulation” so far has dealt with predictable or known avenues of specific harm. The personal data is in a “Cloud.” Normally, it isn’t readily accessible for malicious purposes. And, unlike the case with telephone telemarketing, its collection was non-intrusive.

But in the long run, as the FTC points out, “harm” may become more subjective or elusive than before, It seems to be more of a social than technical concept, more about “online reputation” and the idea that reputation tends to be socially “contagious”, especially within families, whether we like to admit it or not. Part of the deeper problem is that as human beings we vary so much as to our notions of autonomy and need for interdependence. Protection of minors is certainly part of this.

It certainly is true that certain kinds of sites, that like to aggregate preference information (Netflix, Amazon, imdb, etc) could pose certain risks (to misuse by hackers or by future abusive governments). I don’t worry that anyone cares about my movie preferences (after all, I have a movies blog), and I don’t think that in a real world that Metro would try to deduce my sexual orientation from the way I use my Metro Smart Card. But one cannot be sure what a future totalitarian government could do (let’s say,if it could track citizens by global positioning on their mobile devices). But inevitably, most companies collect consumer information, at least internally, and must respect employees to keep it in confidence and not abuse it. Imagine an employee going through an insurance company’s records to look for military servicemembers with HIV.

But it’s probably easier for large retail sites (like Amazon) to put in consumer-friendly tools than it is for sites that publish free content (that is, most newspapers and bloggers) and who may be dependent on “marketing” – yup, the way broadcast television depends on commercials – and where behavioral “targeting” is economically important

But for “free content” sites as above, it seems that the FTC says, on page vi, “The most practical method of providing such universal choice would likely involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices about being tracked and receiving targeted ads.” On p 65 the FTC writes similarly “The most practical method of providing uniform choice for online behavioral advertising would likely involve placing a setting similar to a persistent cookie on a consumer’s browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements. To be effective, there must be an enforceable requirement that sites honor those choices. Such a mechanism would ensure that consumers would not have to exercise choices on a company-by-company or industry-by-industry basis, and that such choices would be persistent. It should also address some of the concerns with the existing browser mechanisms, by being more clear, easy-to-locate, and effective, and by conveying directly to websites the user’s choice to opt out of tracking.”

The FTC is suggesting that present methods available, somewhat effective, are too hard to find and do not address flash cookies, which seem to be beyond the control of browsers. But the FTC also recognizes that an IP list is not equivalent structurally to a telephone number book, and that unintended consequences could be damaging to companies economically.

Would such an add-on allow different specifications for different advertisers or groupings of advertisers on a particular newspaper or blog-oriented site? That would seem necessary to ensure that informed surfers could still have a rich web experience with free content.

We should indeed be wary of the unintended consequences of chasing too many ghosts with “do not track”, or encouraging web users to become lazy with a carelessly chosen name for what is offered to them.

Mike Schulder has an interesting perspective on CNN, “Go ahead, invade my privacy, I’m honored”, link here.

Riva Richmond has a story in the New York Times, “What is there was a do-not-track list for online browsing?” but the story focuses on the concept of a HTML header (as a well-known component of HTML), as evident in an add-on to Firefox and IE from Taco and Indiana University. The list is here.

But in general, media commentators have presented the “do not track” proposal as scare mongering based on false analogies to other privacy problems and possibly undermining the Internet as a the free speech engine that we value so much.

No comments: