Senators, Tech Giants Seek Answers on Privacy

Data privacy

WASHINGTON — Bob Dykes, CEO of NebuAd, an online advertising and consumer tracking firm, fired back at critics of his company’s practices during a Senate committee hearing here today, amid growing government concern over privacy issues in Internet advertising.

“NebuAd’s systems are designed so that no one — not even the government — can determine the identity of our users,” said Dykes, reiterating the company’s claim that it does not collect any personally identifying information.
“Allegations by others that we do not provide an opportunity to opt out and provide robust notice to users — or that we collect the entire Web traffic of users — are simply not accurate,” Dykes said.

Dykes testified that his company’s technical-filtering system automatically discards Web activities that do not fall into one of the marketing segments it has developed to sort and match ads. He also said NebuAd excludes sensitive areas such as health care and medicine from its market segments.

As legislators and regulators continue to grope for an answer to the question of what role government should play in the online advertising market, Internet companies realize they are fighting an image problem when it comes to stockpiling massive amounts of consumer data.

In today’s hearing, senators and witnesses generally acknowledged a delicate balance in play, namely that advertising enables Web sites to offer content and services for free, and ads are more effective when targeted to consumer interest.

Jane Horvath, senior privacy counsel for Google (NASDAQ: GOOG), and Mike Hintze, associate general counsel with Microsoft (NASDAQ: MSFT), reiterated their companies’ support for self-regulation. “Google supports the passage of a comprehensive privacy law that would establish a uniform framework for privacy and procedures to punish bad actors,” Horvath said.

The two companies advocated a federal privacy law that would apply to all industries’ management of consumer data. However, the law as they envision it would not contain unique requirements for online advertisers.

Although social networking site Facebook didn’t take a stand on privacy laws, it acknowledged the issue. “Though we will not always address user concerns perfectly — no site can — Facebook is committed to empowering users to make their own choices about what information they share, and with whom they share it,” said Chris Kelly, Facebook’s chief privacy officer.

Next page: FTC advocates self-regulation

Page 2 of 2

FTC advocates self-regulation

The FTC has taken heat from parties on both sides of the issue — those who believe it meddles too much in a market that is humming along just fine and those who champion robust privacy protections through a government mandate.

The agency is currently looking over comments it received regarding the self-regulatory principles for behavioral targeting it proposed in December.

Although the FTC supports self-regulation, Leslie Harris, president and CEO of the public-interest watchdog group Center for Democracy and Technology, differed. “Self-regulation is not the answer,” she countered. Harris appealed for the FTC to make its guidelines enforceable — either through its own authority or an act of Congress.

“Existing privacy protections are outstripped by technology, and there is a lack of transparency about behavioral advertising practices, and an absence of meaningful controls to help consumers make informed decisions about the use of their data,” she said.

Consumers prefer relevant ads, and the targeted ad-based model has made much of the Web free, said Lydia Parnes, director of the FTC’s Bureau of Consumer Protection. “At the same time, many consumers express discomfort about the privacy and data security implications of being tracked,” she added. “Without adequate safeguards in place, consumer data could fall into the wrong hands or be used for unanticipated purposes.”

But the rapid evolution of technology in the online ad space is a common argument for opponents of regulation. Sen. Jim DeMint (R-S.C.) asked Parnes how long it would take the FTC to sort through the comments they received and finalize their self-regulatory principles for behavioral targeting. She declined to give a timeframe, but when pressed, said she hoped it would be within a year.

“It would be my hope that you continue to see your responsibility as protecting consumers and not necessarily attempting to manage and regulate different aspects of our economy,” DeMint told Parnes.

Another point of contention was just how much of a threat to privacy is the information that companies are collecting. Google’s Horvath and Microsoft’s Hintze both touted their companies’ privacy controls, which ensure no personally identifiable information could link an individual to search terms or browsing activities.

In one testy exchange, Byron Dorgan, the North Dakota Democrat who chaired the hearing, asked Horvath how Google would protect him from getting outed for the embarrassing search terms (gout, dementia, post-nasal drip) he jokingly suggested he wanted to keep from the rest of the room. Horvath bristled slightly, insisting that Google only records searches on its own site, and even if a Google user was signed in while making the query, the retention of IP addresses and use of tracking cookies could in no way associate the senator with the ailments he later “disavowed.”

To the privacy advocates, the assertion that isolated pieces of computer code collected from people’s Web activities is anonymous does not hold water.

“While each piece of information in a consumer profile may itself not be personally identifiable, the aggregation of this information into rich profiles means that it may be more readily tied into a person’s identity,” the CDT’s Harris said.

Harris is especially concerned with a controversial new ad scheme that seeks to bring Internet service providers into the online advertising revenue stream by redirecting subscribers’ Web activities to a company called NebuAd. Yesterday the CDT released a legal analysis suggesting that ISPs that partner with NebuAd might be violating federal wiretapping laws.

How real is the harm to consumers?

To what extent can companies be trusted as custodians of consumer data? What is the proper role for the government in online advertising? These questions went unanswered.

[cob:Special_Report]In large measure the hearing was a fact-finding mission, and Dorgan promised that there would be more hearings to come. He said that representatives from ISPs all declined the invitation to testify, but said that he expected to hear from them in future hearings on the issue.

“One of the most important elements from this hearing is how little we do understand,” Dorgan said by way of conclusion. “I would hope that every consumer has an opportunity when traveling on the Internet to know how their information is being used.”

News Around the Web