Behavioral Targeting Regulation
Behavioral Targeting Regulation
ABSTRACT
Behavioral targeting allows advertisers to know what the web user is interested in,
but also raises privacy concerns. Advertising industry tries to avoid Federal regulation.
Searching For a Behavioral Targeting Regulation Xurxo Martínez
Table of Contents
INTRODUCTION.................................................................................................................. 3
Definitions.................................................................................................................................. 4
Groups looking for a regulation.......................................................................................... 6
Energy Subcommittee on Communications, Technology, and the Internet................6
FTC........................................................................................................................................... 6
Advertising Industry............................................................................................................. 7
Privacy Advocates................................................................................................................. 8
Other key players..................................................................................................................... 9
NOTORIOUS CASES......................................................................................................... 10
Gmail.......................................................................................................................................... 10
Google Buzz.............................................................................................................................. 10
Facebook Beacon................................................................................................................... 11
Facebook Connect.................................................................................................................. 11
Web Coupons........................................................................................................................... 12
PRIVACY AS SOURCE OF CONCERN............................................................................ 13
LIKELY REGULATORY OUTCOMES.............................................................................14
CONCLUSSIONS................................................................................................................ 16
COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez
INTRODUCTION
Behavioral Targeting—BT—is the most sophisticated system the
Advertising industry has come up with in order to track the activity of
web users, and be able to deliver personalized advertising to those.
The main tools for that purpose—cookies—are not new. But now the
advertisers can use the information from these cookies to build—
supposedly anonymous—profiles of the users, a kind of information very
valuable for advertisers. That new techniques have enabled a whole
market of third parties and middlemen who even get to match that
information with physical databases in order to have a complete picture
of the potential customer.
The quest for the user data is so aggressive, and little known for the
mainstream user, that has arisen questions about its legality and created a
growing feeling of insecurity among many individuals. Those concerns
were expressed first by privacy advocates, then the FTC, and lately users
through national surveys, and even the Congress. The privacy issues
related to popular services as Google or Facebook have made this a
public issue: one that is not quite well explained or understood.
With some delay, the main advertising associations are trying to avoid
Federal legislation through the introduction of a series of self-regulation
principles. Meanwhile, the chairman of the U.S. House Energy
Subcommittee on Communications, Technology, and the Internet, Rep.
Rick Boucher, has submitted a bill in line with the privacy advocacy
groups proposals, and even the FTC—who initially pushed for
advertisers’ auto-regulation—is considering a “Do not track” list in the
vein of the “Do not call” one.
In this paper I’ll also talk briefly about two issues related to BT: web
coupons, and what has been named Deep Packet Inspection.
COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez
We can talk about first party behavioral targeting—or first party transactions—
when the web site the user is visiting is the one who tracks the activity in order to
offer a product or option inside the same site —i.e. Amazon, Netflix...
- Cookie: Is a text file stored in a user’s web browser. Basically it identifies a web
user in a single browsing session, storing information about the user’s activity. That
allows not only for the advertisers to know about her or his habits, but also permits to
create statistical informs, to personalize the web experience in a specific site, and
contributes to make some of the functionalities of many websites possible.
- Super-cookies: A new bread of cookie-like objects that are harder to locate and
delete and provide even more information about the activity of the user. The main
examples are Microsoft’s “User Data Persistence” and Adobe’s “Local Shared
Objects”, otherwise known as Flash cookies1. The latter are installed when the user
wants to see an online flash video or a flash ad is loaded. As the regular cookies, it’s
primary function is to help the user—i.e. remembering the preferred audio volume
settings—but can also be used to help the tracking of the user and make sure that
advertising-related cookies are installed in the computer.
- Beacon (aka web bugs): An object, embedded in a website or e-mail, that tracks
which user in which computer is visiting a specific web page or reading an email. In
web pages usually works in combination with cookies. Unlike cookies, is not stored in
the user’s computer. That means the user cannot remove it.
- Contextual advertising: A system that reads the text content displayed to the user
and offers related advertisements, usually in text form. The most popular service of
this kind is Google Ad words, present in both Google Search results and Gmail.
COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez
BT and privacy, any piece of data that is likely to identify one web user: from the
name to an email address, a telephone, financial account number, or persistent online
identifiers as the Internet Protocol address (IP address). It applies also to data that can
reveal racial or ethnic origin, political opinions, sex, or religious beliefs.
- Browser: Application that allows any user to retrieve and present information
located in the World Wide Web. That information can be either a web page or a file—
audio, video, image, and pdf...—. In order to perform its tasks, the browser not only
gets information from web servers, but also sends information—mainly petitions—,
including the web identity—IP—from the user. Most browsers host cookies by
default, enabling the tracking of the user’s activity.
- Publisher: The owner of the web page, video, or document that the user accesses
through the browser. Usually this publisher will get money from the display of web
ads. Usually collects permission from the user to use their information for
advertisement purposes.
- Opt-in: the process through which a web user is offered the option to receive some
specific advertisement, or have his or her personal information shared with a third
party. That means that there won’t be any kind of advertisement delivering without a
previous consent.
- Opt-out: here the user has the option to stop receiving unsolicited advertisement. It
puts the burden on consumers to learn how the privacy polices work, how the data is
collected and shared, and decide if they are ok with that.
2
http://goo.gl/ta3g (National Law Review)
COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez
FTC
The Federal Trade Commission has as a principal mission to promote the “consumer
protection”. In the last years the agency has lobbied for the online advertisement
industry to self-regulate BT practices and respect the user’s expectancy of privacy.
FTC Chairman Jon Leibowitz has warned the industry that it is facing the “last clear
chance” to avoid specific governmental regulation4.
Right now the FTC is not only thinking about a “Do not track” list—similar to the “do
not call” for telemarketers—, but even to force each site to show a brief summary of
their privacy policy to each user during their first visit. This option would clearly
disclose each site policy, but also become extremely annoying for a new user, or even
one that has changed of ISP5.
3
http://en.wikipedia.org/wiki/Rick_Boucher
4
http://goo.gl/4SSS (Privacy & Security Law Blog)
5
http://goo.gl/c45x (Ars Technica)
COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez
The FTC has focus their efforts in BT, considering that both contextual advertising
and first party behavioral targeting raise far less privacy issues.
Advertising Industry
This refers to a cross-industry coalition of web advertisers that try to complain with
some of the FTC requisites.
Among the measures the advertisers have already introduced or are willing to, we can
highlight these:
Disclosure data collection and the kind of use that will be done on the
webpage where the ad is displayed—non on the web of a middlemen, as the
user would never know where to look for it—. Some advertisers are starting to
display a behavioral ad icon with a blue square with a lowercase "i" in a circle,
making clear that the ad has been selected through BT.
Let consumers decide whether their data can be transferred or user by another
entity. Some advertisers are even willing to give the users access to their
profile, in order to modify it—and, so, get more accurate ads—, or to decide
what kind of data do they want the advertiser to know about. One example is
the Seattle-based middlemen BlueKai, through their registry7.
Even more, the advertisers have said that they are even willing to cooperate with the
FTC in order to enforce the observance of their rules. An article in Wire explained
that the Council of Better Business Bureau is seeking software to detect targeted ads
that lack these mechanisms, and report non-complying ad networks to the FTC8.
Privacy Advocates
A group of entities and privacy watchdogs have lobbied for a strong regulation of BT,
arguing that is an invasion of privacy, can be used to take advantage of vulnerable
6
http://goo.gl/spKg (Tech IT News)
7
http://tags.bluekai.com/registry
8
http://goo.gl/ezXw (Wired)
COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez
consumers, or even discriminate them, and that the profiles may be used for purposes
beyond commercial ones9.
Among the members of the coalition we can highlight the Center for Digital
Democracy, the Consumer Federation of America, Electronic Frontier Foundation,
Privacy Lives, or the World Privacy Forum. In September 2009 the groups delivered a
legislative primer to the Congress.
9
http://www.democraticmedia.org/book/export/html/409
COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez
The web browser vendors. The browsers allow the action of potentially
intrusive cookies. During the design of the Internet Explorer 8, the
development team created a product that prioritized user’s privacy over
commercial interests, considering that the default should be some private
browsing10. That means that if the user wanted to receive/install the cookies
she or he should give consent.
That would have turned the acceptance of cookies from a kind of Opt-out to an
Opt-in model. After some discussion, the final version of the popular
Microsoft browser didn’t make the swift and the users concerned with the use
of their data via cookies need to turn the security options on.
The Media plays a big role in the public perception of privacy and the threats
of Behavioral Targeting. On one side the Media voices out practices that can
be unknown for many Internet users. On the other side they can create alert
over a number of practices.
A recent series of articles by the Wall Street Journal under the generic title of
What They Know11, have been highly controversial. In one of the infographics
they showed how some of the most popular U.S. websites give data about any
individual who visits their site to advertisers12. Some influential bloggers, like
Jeff Jarvis13, have argued that there’s nothing new about advertisers tracking
us, while tracking companies say that portraying cookies as some kind of
spying is misleading14.
The ISPs. The companies that provide access to the Internet obviously also
have control over how their customers browse through the Net. ISPs are
waiting to see what happens with BT and the public privacy concerns before
starting to use the profiles they own to make business—through DPI—and
offer the “best potential clients” to both advertisers and Publishers.
10
http://goo.gl/cIyi (Wall Street Journal)
11
http://online.wsj.com/public/page/what-they-know-digital-privacy.html
12
http://blogs.wsj.com/wtk/
13
http://www.buzzmachine.com/2010/07/31/cookie-madness/
14
http://www.bluekai.com/president20100804.html
COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez
NOTORIOUS CASES
Now I will review some publicly notorious cases regarding Internet privacy, that
have raised concerns on the general public about the way the data they consider
private can be treated. I’ll also review what can be the next privacy big case: web
coupons and their match of online and offline information on the client.
Gmail
The free email service by Google was, in 200715, one of the very first places where
users could experiment Google Ad words, a contextual advertising service that
scanned the mails in order to find keywords and select automatically a series of text
advertisements. That means that if the text of the mails talks about someone named
Michael from Jordan who likes strawberry Jam, the ads will offer to buy the Space
Jam DVD.
But even though users have accepted the terms and conditions, those still expect their
communications to be safe and private. Google has stated repeatedly that their work is
limited to scan for words that can help to display related advertisement, not literally
“reading” the content. And will not keep a log of which ads went to which users, nor
will it keep a record of keywords that appear often in an individual’s email17.
In the case of case of U.S. v. Warshak—one of the first ones regarding email
communications—the Sixth Circuit ruled that the user has a right to privacy that is
only diminished if the subscriber or user agrees to the ISP’s terms of service18. Finally
the subscriber is receiving a free service that pays through the reception of
advertisement.
Google Buzz
In February 2010 Google launched a new application tied to the Gmail service, called
Google Buzz. In short it was a social networking tool that allowed Gmail users to
share items with all or part of their network, vote on them, or comment. Google failed
at explaining the users how the information about their network would be shared and
how to modify their preferences.
The basic problem was the auto-follow function that Google used to create
automatically a list of “followers” for Google Buzz user, based on the most emailed
contacts list. That made that many users were sharing content inadvertently with
15
http://goo.gl/BBfT (Information Week)
16
http://goo.gl/HoKu (Legal Information Institute)
17
http://www.wired.com/news/business/0,1367,62917,00.html
18
http://goo.gl/pzqr (Law Journal Library)
COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez
people with whom they had mail relationship but they didn’t necessarily consider
friends, at the time that disclosure to their entire network the mail relationship.
The users of the Gmail who accepted to try Google Buzz never thought that their
contact list would be made public, or that anyone related to, say, their ex-boss, would
be able through Google Buzz to reach their personal e-mail. They expected that
personal data to be something locked in their Gmail account and that wouldn’t be
public through that new networking feature. The company was forced to change the
auto-follow system for one based on recommendations just days after the launch19.
Other than the contacts issue, another of the problems during the early days of the
service was the difficulty for the users to understand and change their default settings.
Facebook Beacon
Starting in November 2007, Facebook allowed information about their users collected
via a beacon to be transmitted from affiliated retailers to Facebook, and even show
this information to the user’s network. Most of the times this happened without the
user being aware. Several newspapers and blogs told the story of a man who bought a
ring online for his wife. The website was affiliated to Facebook, and the news about
the purchase were published in his profile, making it possible for all his network,
including his wife, to know about the supposedly surprise gift20.
After a series of articles in press and blogs attacking the beacon, Facebook changed
its operation for an Opt-in system. But a class action was presented in California,
alleging that the company didn’t sought after the user’s approval before implementing
the beacon21.
Facebook Connect
Facebook has more than 500 million users worldwide. Near one third of them—round
160 million—are in the United States. That means 160 million Americans that have
given them their names, likes, email, list of friends, and interests.
COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez
Another of the main privacy complaints against Facebook is related to the continuous
changes in their privacy policy. It would be reasonable to ask for a system that would
be clear, easy-to-use and simple. Instead, as a graphic from the The New York Times
showed22, Facebook released in May 2010 a version with 50 settings, more than 170
options, and 5,830 words—more than the United States Constitution, and more than
this paper—.
Web Coupons
During 2009, in part due to the economic crisis, the redemption of coupons grew a
27% v. 200823. Internet coupons still represent a small portion of the whole business
—0.5% of the total number of coupons and 1.5% of the redemptions—, but
redemption rates for Internet coupons are by far the fastest growing in the business,
up 263% from 2008 to 2009. The site Groupon.com grew from 238,000 unique
visitors in July 2009 to 6,491,554 in July 2010, according to Compete.com24. That
means that we are facing a fast growing marketing segment, one that also uses BT
tactics in order to retrieve information about the users.
The issue with this new breed of coupons—as the ones that are sent to mobile devices
—is that when matching the physical person that comes into the shop with the data
provided with regular BT, the retailer—or whichever middleman who can have access
to the data the retailer gets while the redemption of the coupon—can connect the
actual name with the supposedly anonymous online data.
A The New York Times article25 explained recently how a company named RevTrax
operates: they are a third party who displays the coupon ads on the retailer’s site or
any other web page. As they are ‘just’ middleman they don’t need to have a privacy
policy, even when they are the ones who collect the personal information of the users,
including the keywords they used before getting to the coupon—i.e. cheap trekking
boots—.
After the user prints the coupon and redeems it, RevTrax get the information back
from the retailer and can complete the user profile. That way they can also get to the
conclusion that people from, say, Kirkland, is more likely to buy equipment for
outdoor activities through coupons than those in Seattle. The following step would be
to make a better offer to Seattle users—as they are harder to convince—than to those
in Kirkland. This is called ‘online redlining’, and the advocates of online privacy
define it as a form of discrimination.
22
http://goo.gl/3lyo (The New York Times)
23
http://goo.gl/3a5I (Nieman Journalism Lab)
24
http://siteanalytics.compete.com/groupon.com/
25
http://www.nytimes.com/2010/04/17/business/media/17coupon.html
COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez
In an Annenberg poll conducted between June and July 2009, 66 percent of American
adults indicated they did not want websites or networks targeting advertisements to
them. Even a majority (54%) of younger consumers (18-24) "rejected" behavioral
advertising. In addition, 92% of the respondents said there should be a law requiring
websites and advertising companies to delete stored information if asked to26.
Is very interesting to see that young people is also worried about how their
information is being used. The digital natives are supposed to be far less worried
about privacy. On this vein, a research published in August 2010 shows that young
Facebook users are more interested in privacy issues than what it was believed27. The
study examines "the attitudes and practices of a cohort of 18- and 19-year-olds
surveyed in 2009 and again in 2010 about Facebook's privacy settings". The results
show how even most the occasional Facebook users—79%— modified at least twice
their settings during 2010. This data opposes to the idea that young people is less
concerned about online privacy.
On the other hand, while all the articles and negative buzz about Facebook’s privacy
issues have made them scored pretty low in the 2010 American Consumer
Satisfaction Index—in the lower 5% of all measured private sector companies—28, the
company is continuously growing in number of users. Maybe the concerns of the
users are less important than the benefits they get from the service.
Advertisers and middlemen collect information that is increasingly more specific. One
company, Clearsight has announced that it has enough information to link 65 million
IP addresses to actual email and post mail addresses29. Even more, some companies
are starting to match offline and online data, being able to put name and yearly
income to the users that have a certain cookie installed30.
And if advertisers use that data, could someone else do the same? Family law attorney
Brad LaMorgese thinks so, and plans to use it as evidence in lawsuits:
"It's a great, ready-made source, almost puts the investigation together for you,"
LaMorgese said, noting that how much money spouses spend online and what sites
they visit are crucial details in a divorce case. "If someone is doing all sorts of things
online, why wouldn't a court want to know that?" 31.
26
http://goo.gl/ZdQQ (Broadcasting & Cable)
27
http://goo.gl/CZ4W (UIC)
28
http://goo.gl/971T (Foresee Results)
29
http://goo.gl/K4jb (Mediapost)
30
http://adage.com/digital/article?article_id=142903
31
Advertiser tracking of Web surfing brings suits. The National Law Journal
(March 2, 2009). Gale Document Number:A195138320
COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez
The Advertising industry position is to let the market and the industry self-
regulate, and see the profits rise.
On the other side, the sectors concerned about privacy issues think that
consumer privacy must be given special and priority consideration when
government “measures” the economic benefits related to any data collection
activity.
The representatives of both positions—the advertisers on one side; and the privacy
advocates, and the Energy Subcommittee on Communications on the other—are
trying to advance each one on their side in order to get a solid regulation. Both know
that time is crucial and are tying to play with that. Now I’ll expose the three more
likely resolutions:
o And they need to do it before the Boucher bill is voted. Because even if it
doesn’t go on but gets a significant amount of support, there will be for
sure some kind of Federal legislation soon.
o Other challenges they need to overcome are the huge privacy crisis that
services as Facebook or Google create, and to make sure that not only the
main advertisers, but also middlemen as RevTrax or even the ISPs, follow
the Guidelines.
3. The Congress doesn’t pass new legislation, but the FTC obtains power to
impose a series of minimum standards
o That would be a compromise where the advertisers would accept to be
sanctioned by the FTC, create some kind of database in order to control the
different companies who engage in BT, and how they use the data; and
follow strictly the Guidelines.
COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez
In any of the aforementioned scenarios, what will happen for sure is that the internet
user will be able to have a broader control over the information that advertising
companies compile on them.
Also Opt-out formulas will become clearer and more accessible, so those individuals
really worried about how advertisers manage their data will be able to avoid BT and
get the regular non-personalized advertisements.
But if Federal regulation passes, or if the FTC is allowed to regulate tightly the BT
practices, we can face a situation in which consumer privacy measures will be taken
in advance, as prevention. A situation where the FTC would allow a new development
based on its potential ability to threat the privacy rights, more than on its commercial
or inventive values. That will, for sure, decrease the innovation speed in the industry,
and would even threaten the growth of this kind of advertising.
That last possibility raises another question: BT is designed to provide users with
more relevant ads. That should translate in higher profits. Right now the online
content industry—mainly news-related sites—is unable to become profitable offering
free content that is paid just with the money they receive from regular advertising. If
now BT don’t replace the classic random ads system and provides them with more
profits, the Publishers will be likely to start charging for the content, or at least for the
experience of browsing their content without seeing any kind of ad, damaging the
ecommerce sector.
COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010
Searching For a Behavioral Targeting Regulation Xurxo Martínez
CONCLUSSIONS
As technology guru Tim O’Reilly has stated, personal data collection can be key for a
number of good purposes, foster invention and help to solve complex problems32. His
point is that, in today’s world, technology is driving us to collaborate in ways that
were previously impossible. And the sharing of data is one of the main ways in which
this collaboration can really happen.
Is important to find a balance between innovation and the privacy concerns, because
the later can even prevent some users to buy online or surf freely the Internet.
The users should be aware of how the bargain works—the advertising pays for the
free content—, and the advertisers be more transparent about their activities. Also the
publishers should be clear about whom do they track information for, or whom do
they permit to track users from their websites.
Regarding the debate about the Opt-in and the Opt-out, it seems clear that any user
should be able to easily and effectively Opt-out from receiving behavioral
advertisement. The same way, there should be some kind of acceptance when anyone
is about to gather from the user the kind of information that we have defined as
sensitive or personally identifiable information.
Another restriction for the advertisers should be to use that sensitive and personal data
only for the purposes that it was given by the user. A different use of the data should
be subject to a new consent.
Is dangerous to offer a “Do not track” list, at least with that denomination. And is
dangerous because there is a big difference between BT and the telemarketing
practices that the “Do not call” list tried to avoid: in BT the individual who would ask
to be in that list won’t receive less advertisement because of that, but just will see
random ads when browsing. Even more, it is possible that, as BT ads are more
profitable, this person will get more ads than a web user who won’t sign for the list.
Regarding privacy policies, companies should be clear and simple. The user shouldn’t
face such an amount of choices that would cause paralysis. The policies should be
appropriate for the average user of the site. That means that a site for teenagers should
have a privacy policy much simpler than a Forum for Linux programmers.
The alternative to BT will be probably to pay in order not to have ads at all or to
suffer more regular ads when browsing the web, as the profit advertisers and
Publishers get for today’s banners is decreasing, and even contextual advertising is
stuck and not growing.
Summarizing, the privacy concerns should provoke some kind of regulation of BT,
but always keeping in mind the advantages that this kind of advertisement brings.
32
http://goo.gl/bRiN (Readwriteweb)
COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010