No Easy Answers For Data Privacy

Annenberg Washington Series

WASHINGTON — In the great Internet privacy wars, where so much of the debate takes place through prepared statements, official filings and carefully scripted comments, it’s a rare moment when concerned parties from each side of the aisle sit down to engage in a public discussion.

At a National Press Club gathering here, representatives from consumer advocacy groups, Google, AOL and several universities cracked open the kernel of the debate: whether consumer education is an effective and viable solution to ensure that consumer privacy is not trampled upon.

More questions were asked than answered at this panel, hosted by the Annenberg Schools for Communication.

In the debate, the battle lines haven been broadly drawn between those who insist on government intervention to protect consumer privacy in the face of massive data collection, and companies and trade groups representing the industry, which typically argue that business models and supporting technologies are evolving at such a rapid rate that any laws enacted would inevitably stifle innovation.

The discussion comes as government authorities, foreign and domestic, are becoming increasingly interested in the issue. Last Friday, the U.S. Federal Trade Commission collected its final comments from concerned parties about its proposed self-regulatory principles for behaviorally targeted ads.

Commissioner Pamela Jones Harbour, one of the regulators who has been reviewing those comments, was on hand to offer a preamble to the discussion.

“Those providing comments reminded us about the free content and services consumers enjoy as a result of online advertising, adding that undue regulation would hurt marketers and would hamper publishers’ ability to offer free content,” she said. “So we must approach this issue with a careful balancing, acknowledging the realities of the changing business model, but demanding that the model respect the needs of consumers.”

Harbour cast the lone dissenting vote in the five-person Commission’s decision to bless Google’s acquisition of DoubleClick with unconditional approval. Privacy advocates had lobbied ardently against the merger, and blasted the approval for failing to impose restrictions on the pooling of the two companies’ data sets.

The two industry representatives, Jane Horvath, Google’s senior privacy counsel, and Jules Polonetsky, AOL’s chief privacy officer, seized the opportunity to showcase the privacy education initiatives their respective companies have undertaken.

Horvath gave nearly all her time allotted for prepared remarks to playing a video from Google’s privacy channel on YouTube. In the clip, a Google engineer described in very simple language how search queries are routed across the Internet, and what data that process delivers to Google.


Polonetsky showed slides from AOL’s latest educational campaign, where banner ads offer an explanation of how cookies work while describing a penguin’s humorous travels across the Internet (the penguin visits, and, miraculously, an ad for anchovies later appears when visiting the Penguin Times news site!).

They admitted that initiatives such as these are only a start, but they said that they signal an important step toward the evolution of the privacy policy as an educational tool. They are also meant to reinforce the linchpin of the argument for self-regulation: Alienating customers with deceptive practices is bad for business.

“Privacy protection is of course fundamental to consumer trust,” Horvath said. “We believe that if we lose consumer trust people are one click away from leaving our service.”

To the more severe critics, Web companies’ educational efforts look more like a cynical ploy to stave off any regulatory affront to an extremely lucrative business model.

Next page: The Nader Effect

Page 2 of 2

Marc Rotenberg, executive director of the Electronic Privacy Information Center, offered the famous example of Ralph Nader’s crusade to enact laws requiring automakers to include seat belts in cars in the 1960s. Testifying before Congress, one automobile executive said he had become accustomed to reaching out his right arm to brace the passenger when he sensed he might be headed for an accident, Rotenberg said, recounting Nader’s description. Other attendees of that hearing nodded in agreement as the executive demonstrated the motion, and concurred when asked by the legislators if they were using similar education methods to protect their families on the road.

“I think we’re having a similar discussion this morning,” Rotenberg said. “I think we do not yet understand the responsibility that properly falls on America business when it collects and uses personal information about American consumers.”

The Web companies, as they roll out new educational campaigns, are acknowledging that the old model of a privacy policy is not an effective way to inform all consumers about how their data are being used. In its FTC filing, AOL said that different people have different levels of interest in what companies are doing with the data they collect. In that sense, a detailed, highly technical policy is useful for some consumers, while for others, a superficial understanding of cookies and IP addresses is enough.

But those companies get it from both sides. To the critics, campaigns like AOL’s penguin are reductive, sweeping aside a serious issue with cute animation and brash oversimplifications.

Then the privacy policies fall short, too, on the count of false advertising. Joe Turow, a communication professor at the Annenberg School at the University of Pennsylvania who moderated the panel, offered data from several studies he has participated in that found that a majority of people believe that a privacy policy means that companies don’t share the consumer data they collect.

Creating a false sense of protection gets into a murky legal territory, said Peter Swire, a law professor at Ohio State University.

“We know in consumer protection law that when people advertise ‘free’ that that’s a big deal and there needs to be care around that,” Swire said. “What Joe’s study showed is that the term ‘privacy policy’ is a lot like the word ‘free.’ To people it means that you’re promising privacy, and if that’s what consumers are seeing — [even if] that’s not necessarily what some of the privacy policies are saying — that’s a big deal going forward for industry to address. That response from industry hasn’t happened yet.”

For all the aspersions of consumer deception and legal ambiguity, there still remains the fact that targeted ads are good for business. Then, too, most people prefer to see relevant ads over what some describe as “ad spam.”

For those who are adamant about keeping themselves invisible to the data aggregators, the technical solutions are still imperfect. The Network Advertising Initiative, a consortium of ad companies that includes AOL’s Tacoda and Google’s DoubleClick, offers on its Web site a one-click opt-out to avoid having advertising cookies placed from Web sites in the participating networks. The only problem is that to opt out of cookies requires a cookie to be placed on the user’s computer. Then, antispyware software that regularly clears cookies, as many users manually do themselves, will clear away the opt-out cookie with all the others.

Polonetsky said that engineers at Tacoda had developed a technical work around using a computer’s cache to remember a user’s privacy preferences without relying on a cookie, and that AOL was trying to convince Microsoft to include the feature in its Internet Explorer browser.

In the meantime, Rotenberg worries that the bargain of offering a limited amount of data in exchange for free Web content and services — an easy sell for many consumers — is leading down a slipper slope. As the business model of the traditional entertainment company collapses under the weight of free online content, “the money will reside with companies like Google and Yahoo that are sitting on all this valuable consumer data,” Rotenberg predicted.

“And it won’t just be used for advertising. It will be used for employment determination and insurance determination and any other interest that business will express for the production of this data,” he said. “People are going to look back and they’re going to say, ‘My goodness, how were they allowed to acquire all this information?’ and ‘Why weren’t there any laws in place?’ and ‘Why didn’t consumer know what they were giving up?’ And it’s going to be because we all went through this period of consumer education.”

Where education has fallen short, one of the academic panelists argued, is in the generalized assumptions it makes about people’s understanding of the basic workings of the Internet. Ezter Hargittai, a professor at Northwestern University who has spent a decade studying online user skill, said that while young people tend to have a stronger proficiency in navigating applications on the Web, their understanding of the processes at work under the surface is comparatively poor. Nevertheless, many teachers are reluctant to offer media instructions for the assumption that their students know more about the subject than they do.

Further, the people who make privacy policies and study privacy issues — the technical elite — tend to project onto others what they know, which Hargittai said leads to an inflated expectation of user skill level and understanding.

“Can privacy education help consumers?” Hargittai asked, indulging in a rhetorical exercise that captured the spirit of the panel. “We better hope so, but it’s not clear if it can. We are going to need to put a lot of effort into it, because we don’t have any solutions for it yet.”

News Around the Web