FTC Asks To Regulate Privacy; Doubleclick Hires PR Team

Both the Washington Post and the New York Times have stories about the FTC's decision to ask Congress for the authority to regulate online privacy. The FTC had recently completed yet another privacy survey that showed companies were doing little to protect privacy on the Internet, even after several years of dire warnings. In other news, Doubleclick named a "No-Privacy Board" -- errr, a "Privacy Board." Its members are listed below, along with my notes on their backgrounds.

It is important to keep in mind what this is being billed as: Doubleclick calls this, in their press release, a "Consumer Privacy Advocacy Board." Supposedly this board is set up to, you know, advocate consumer privacy. So, let's take a look at its composition.

Robert Abrams, former attorney general of New York: hired because of his connections in New York State, which threatened to file suit against Doubleclick. His role will be to lobby his buddies in various government agencies to prevent privacy lawsuits.

Robert Litan, vice president and director of economic studies at the Brookings Institution: supports "opt-out" marketing and notification of privacy policies, as opposed to actual privacy. (Which is exactly Doubleclick's position, of course.)

Harriet Pearson, director of public affairs at International Business Machines Corp.: Pearson is one of the people behind the Online Privacy Alliance, a corporate front group working to attack privacy on the Internet. Pearson has moderated seminars on how to profile users without seeming to be Big Brother; her job is to make you feel good about not having any privacy. Every group needs a PR flack.

Lori Fena, chairman of Web privacy organization TrustE: Fena is an advertising executive by trade. And obviously, having her on board means that TrustE won't exactly be cracking down on any of Doubleclick's practices.

Daniel Weitzner, an executive at the World Wide Web Consortium: Weitzner's main job at W3C is promoting P3P, a protocol designed to automatically give out your name, address, phone number, credit card information, Social Security number, and other personal data to Web sites as you browse -- a sort of hyper-invasive universal cookie. Need I say more?

Elizabeth Lascoutx, a director and vice president at the Council of Better Business Bureaus: Lascoutx's work at the BBB used to center around children's advertising -- she sought to have commercial messages on children's Web sites set off from the rest of the content in the same manner as television advertising ("after these messages, we'll be right back").

David Stazer, vice president and co-founder of PlanetOut.com: I don't know of any qualifications Stazer might have with regard to privacy.

Stewart Baker, a partner at the law firm of Steptoe & Johnson: Baker used to be the general counsel of the National Security Agency, probably not the first people you'd think of when you think "privacy"; he's an influential Washington lobbyist now. Baker publicly attacked the efforts to boycott Intel and Microsoft over the Pentium-III processor ID and the GUID embedded in MSOffice documents -- he stated that if all machines on the Internet were authenticated and identified, things like denial of service attacks could be prevented (which is true enough, if you don't mind a total loss of privacy).

No one from EPIC? No one from the ACLU? You can draw your own conclusions about whether this "Consumer Privacy Protection Board" (sic) is intended to actually help Doubleclick change its ways, or whether it is merely intended to help protect the company from lawsuits and adverse governmental action, like, say, the FTC wanting the authority to force companies to respect privacy concerns.

What's wrong with P3P?

[igaborf]

...P3P, a protocol designed to automatically give out your name, address, phone number, credit card information, social security number, and other personal data to websites as you browse...

I'm not intimately familiar with the P3P spec. But according to the P3P guiding principles user agents are supposed to:

• Provide mechanisms for displaying a service's information practices to users.
• Provide users an option that allows them to easily preview and agree to or reject each transfer of personal information that the user agent facilitates.
• Not be configured by default to transfer personal information to a service provider without the user's consent.
• Inform users about the privacy-related options offered by the user agent.

On the surface, at least, that looks pretty reasonable. It certainly doesn't sound like the description given above. What am I missing?

European Privacy Laws

[CaptainZapp]

Sheesh, sounds like quite a panel (even if those folks backgrounds might be pulled out of context). I'm aware the Americans are very weary about regulations of all sorts, especially when it's the govinmint (or one of their designated agencies) regulationg. What I don't quite get is what's so bet to set up privacy laws that are simple and streight forward. Basically they dictate that:

There must be a reason to collect data. This can have quite far reaching consequences. I.e. if an employer asks on an application about religion, sexual preferences or your dope smoking habits, this is verboten. Because this data is not relevant to the application

Data can't be past to third party without explicit consent of the err! victim. Some 235 page click through agreement with a well hidden check box is not considered explicit consent.

Every person has a right to get information what data is stored about her/him and has a right to correct wrong data.

Data may not be collected indiscrimnately

etc...

Personally I'm rather regulated by a govinmint that puts my interests as an individual before those of big business entities, then by some strange privacy advocacy panels set up by corporations whose business model is to violate my privacy. But of course your mileage may vary.

Re:Govt regulation (=loopholes)will eliminate priv

[NMerriam]

The 'net simply moves/changes too fast for legislators and their regulators

I keep hearing this and similar comments over and over, but I don't understand it.

In what way has the Net changed so fundamentally that a privacy policy from 1990, or 1980 would be outdated today? The entire point of good lawmaking is to make a law general enough to be adaptable to new circumstantial details.

If, at the beginning of Compuserve in the 70s, Congress had a made a law saying:

"No one shall, without prior consent of the user, keep records of that user's activities on any electronic network, including personally identifiable information, except such that is necessary for technical or security reasons. This shall in no way limit the use of information provided by a user in any public forum such that a user would not reasonably expect such information to be considered private."

And there would be another paragraph explaining that people with existing/ongoing relationships can store and use such information as is necessary to maintain that relationship (commercial or not). And another one talking about how sharing information with third-parties is subject to other rules, and some final sections with definitions of terms used.

Making law is very much the same as making code -- if you do it high-level enough, you only have to change the details to make it work in entirely new situation.

More regulation from the FTC is not the answer, because clever people always find a loophole or a way around regulations.

So we shouldn't even try? People manage to get around the laws against murder on occassion, but we haven't seen fit to scrap them yet. At the beginning of the Civil Rights Era, the anti-discrimination laws were circumvented with dull regularity. Now you'd be hard-pressed to find a companies who won't do anything to avoid getting in trouble under them.

The point is that yes, people will get around the law but we'll reach a balance point that's a lot closer to provacy than it is right now. We're certainly not going to get more provacy by doing nothing...

Re:Silly paranoia

[jpatokal]

This commentary is so ridiculously biased and paranoid that unfortunately this article tells you almost nothing, except Michael has been watching too many "1984" movies.

Paranoia and albino cats are indeed quite unnecessary, as DoubleClick's actions are backed by sound logic. DC is a for-profit company, and the more information about their customers they have, the more profit they can make. Hence privacy is detrimental to their bottom line, and it's in DC's best interest to fight against it -- as long as the public backlash from doing so doesn't outweigh the gains.

In this light, setting up that wonderfully named Consumer Privacy Advocacy Board is perfectly logical. Create a board so it looks like they care about privacy, and populate it with stooges (carefully selected from other organizations so it doesn't look too obvious) to prevent the board from actually interfering with their operations. Downright brilliant... unless you're a consumer. And without michael's research, would the average /. reader have noticed the "independent" board members' links to DC? I certainly wouldn't have.

Cheers,
-j.

Re:Govt regulation (=loopholes)will eliminate priv

[NMerriam]

If you want your personal information to remain private, the DON'T GIVE IT OUT. DUH!

I'm curious, how did you get a job without telling your emplyer your Social security number and your home address? How do you get medical care without providing billing information to the hospital? How did you get a drivers' license?

How did you get your credit cards? how do you get the things you order online (or offline) without a proper address? How do you pay your phone bill?

I'm fascinated by the idea that anyone who doesn't live in a mud hut is an idiot for "giving out" information that we could so obviously simply keep private. The point is that many people you HAVE to give information to in order to exist have no relucatance whatsoever of selling that information to other people you specifically don't want it to go to.

We're not getting pissed about people using information we gave them knowingly and willingly, but if I give my SS# to the insurance company I don't think they should have any legal right whatsoever to sell it to my gocery store, or Amazon.com, or anyone else.

If the FTC gets in the act they won't just be nice about it, it will become a federal crime

I should hope they wouldn't be "nice about it", otherwise you lose most of the deterrent effect. they aren't nice about it when I break laws, why should companies get a break? Of course, the truth is they generally ARE "nice about it". The FTC will send warnings, demand complaince, do everything but send a singing telegram with flowers before they penalize a company. If anything the FTC is too lenient, because 99% of the time the worst that happens for breaking the law is you get told to stop breaking it. I wish I got such harsh punishment!

It is much easier to deal with a corporation which has it self interest at heart than it is to deal with a government which is hell bent on "helping."

Why doesn't the government (or rather, regulators/politicians) have it's self-interest at heart? Why doesn't the corporation want to help? Ayn always says, check your premises...

I know people hate Microsoft here, but...

[M-2]

If you're using Internet Explorer 4 or Higher, there's the security settings which allow you to set zones. You can then assign websites into zones.

Put *.flycast.com and *.doubleclick.net into the 'high' security zone and watch the problems go away.

And if sites won't let you in 'cause the banner won't load... did you really need them ANYWAY?

I don't know if Netscape 6 has anything like that - I never use alphas on my machine, I like the idea of vague stability. No matter how much of an illusion it may be.
----

Keeping your enemies close

[Money__]

When there is a large public outcry (such as this case of fair use of private information) it's a typical PR move to try and get your enemies on your side. Like micros~1 hiring ambitious programers that threaten their market share (only to stuff the programers into a fruitless cushy R&D job) , Double-click is buying the silence of people that would normally stand against them.

It fits the old saying "keep your allies close, but keep your enemies closer".

Imagine the big three automakers hiring Ralph Nader as a "consultant" back in the 70s. Imagine Richard Nixon hiring Archibald Cox to form an "exploritory panel". Imagine Bill Clinton hiring Ken Star as a "advisor" in the 90s. Would any of these people sell out and join the oposition? I think not.

Not to name names ;) but these people:

Robert Abrams
Robert Litan
Harriet Pearson
Lori Fena
Daniel Weitzner
Elizabeth Lascoutx
David Stazer
Stewart Baker

are all selling out your privacy and their own personal integrity.
___

Re:Silly paranoia

[kevin+lyda]

ok, since you won't research lori fena, i will. and what i found from a google search on her name does question a negative assessment of her commitment to privacy. i'd be interested to see slashdot do an interview of her, and see what her impressions of the privacy board are.

some links follow in case you're too lazy to hit google. but most of these are not current - 1995-1998 seem to be the ranges. this could just be google's problem, but again i think a slashdot interview with her would be in order.

• http://www.eff.org/homes/fena.html
• http://www.annonline.com/interviews/97080 4/
• http://www.script ing.com/davenet/stories/LoriFenaonMcCainKerry.html
• http://www.salon.com/21st/straight07.html
• http://people.aol.com/peop le/970728/features/internet.html

Don't like Doubleclick? Use Junkbuster!

[Frater+219]

Why complain about Doubleclick? Their actions need not have any effect whatsoever on you. You have every right to protect yourself. Are you using the Junkbuster Proxy yet? Do you have a comprehensive blockfile?

Are you a sysadmin? Have you considered setting up a Junkbuster proxy alongside your Squid caching proxy and recommending it to your users? You can save a lot of bandwidth by letting your users opt out of banner ads. Most of them don't like 'em any more than you do.

(If you use Debian on your server systems, Junkbuster is available in both slink (the current stable release) and potato (the current beta release) as the package "junkbuster".

If you use a Macintosh for your home system, as I do, I recommend to you the iCab Web browser, which almost exactly duplicates the image-filtering abilities of Junkbuster -- right there in your browser configuration.)

Advertisers do not have any right to your bandwidth or your private information. However, you need not rely on the FTC or any other branch of government to protect you, your children, or your institution's resources. And if you're only willing to stand up for your rights if government will help you -- then what rights do you really have?

Not quite; check your facts

[CrayDrygu]

The one that it said it would leave and set to OPT_OUT, and then a ASPSESSION one. So they are still tracking you, no matter what they say.

That ASPSESSION cookie is set by any site using IIS and ASP. It's one of the "features" of Microsoft's web server. In order to keep track of things like session variables, ISS sets a cookie in your web browser. There's no way around this, except to not use IIS and ASP.

As proof, I run a web server locally (PWS, the Win98 version of IIS), and occasionally use Lynx (yes, there's a Windows version). I have Lynx's startup page set to localhost, and tell it to ask me about cookies. Every time I start Lynx, I get:

localhost cookie: ASPSESSION=FANJPPAAJCAA Allow? (Y/N/Always/never)

Or some similar string.