The Lows and Highs of FTC Chair Leibowitz’s Privacy Framework Outlay

Inplace #2

ADOTAS – It was kind of a shame. Federal Trade Commission Chair Jon Leibowitz’s speech (PDF) last Tuesday at the National Press Club in DC — for an event sponsored by a large posse of privacy advocates publicizing the launch of a report that was supposed to finally dispel the “myth” that online data collection is anonymous (you can be the judge of whether it succeeded) — that will mainly be remembered for its introduction, which was filled with overly paranoid rhetoric and the introduction of the derogatory term “cyberazzi” for data collectors. Yet the meat of the speech detailed the FTC’s forthcoming privacy framework, which sounds like a quite balanced plan to ameliorate both privacy and industry concerns.

As Bizo CEO Russell Glass explained last week, Leibowitz’s examples of how collected browsing and purchasing data could come back to harm consumers in non-online situations “involve the healthcare industry, the finance industry or potential employers. Each of these industries and constituents have rules and regulations which prevent this very activity that Lebowitz is trying to prevent – discriminating against consumers unfairly. In addition, the FTC has rules in place and there are clear practices that are allowed and disallowed.”

As for cyberazzi, which the online privacy brigade hopped on immediately, it compares a large industry that arguably adds great value to the online consumer experience with a group of pesky gnats that represent the dregs of the media world.

While Leibowitz called online targeted advertising “beneficial — or at worst innocuous,” the services of the so-called cyberazzi are often used to improve the quality of Internet content. In the report released by the Stanford Law School Center for Internet and Society, a great deal of the leaked user login data was sent back to its source via intermediaries comScore and Google Analytics — these cookies were likely being used internally to judge site performance. (Whether these tools actually improve publisher content really depends on how the data are interpreted.) But it’s a main industry argument against DNT — tracking cookies are invaluable for assisting a publication understand their audience and performance (which in turn is necessary for monetizing the publication).

It’s a Framework, All Right

I actually stopped watching the live stream at that point — Leibowitz’s speech looked like it was going to be 30 minutes of more blustery rhetoric designed to frighten Internet users and pump up the privacy crowd. Yes, the FTC is supposed to be on the consumer’s side, but trying to scare the bejesus out of them for positive press isn’t doing American consumers any favors. (Publicly investigating Facebook to offer third-party transparency regarding the social network’s data collection and use practices, on the other hand, would be.)

I’m glad I waited (not more than an hour) for the agency to release the transcript, which I’ve been poring over for a few days. I was all set to get my snark on with the line “If only the FTC spent as much time developing a regulatory framework for OBA and consumer privacy as they do coming up with clever analogies and snappy phrases,” but after the initial data marketplace flogging, Leibowitz actually did illustrate the long-awaited FTC online privacy framework, and… It seems pretty good.

It’s a three-pronged approach. First off is industry self-regulation: “Companies that collect consumer data should do so only for a specific business purpose, store it securely, keep it only as long as necessary to fulfill its legitimate business need, then dispose of it safely,” it reads.  “The more sensitive the data, the stronger the protections should be. To its credit, much of industry is embracing this approach – even before we issued the draft report.”

Second is transparency — an intuitive platform for displaying data collected while giving the ability to opt out of data collection. Several data collectors already offer this — check out the BlueKai Registry. The FTC as a third-party watchdog would offer great validity.

And for consumers that want no data collected at all, the final leg is Do Not Track functionality, which Leibowitz admitted has been “overexposed” in the public space (ahem, thanks media). Unlike the Do-Not-Call protocol, the FTC does not think DNT should by managed by the government. It appears the agency is looking toward browsers, as Leibowitz applauded Microsoft, Apple and Mozilla’s DNT options. He mentioned that FTC chief technologist Ed Felten is part of standardization setter World Wide Web Consortium’s (W3C) group assembling technical standards for DNT.

Gotta admit — taken together, it sounds like a pretty reasonable framework. Industry associations and companies have established forays into the first two arms, and judging from all the media mentions, Mozilla’s DNT capability is at the forefront of the third. It actually sounds like the best for all worlds — but does that necessarily mean all worlds will like it?

As for the paranoid and industry-bashing beginning, part of me wants to give Leibowitz a break for knowing his audience. I’ve seen other FTC members start their speeches at industry gatherings with the “no one wants to kill the golden goose” cliche. In a room full of privacy advocates, Leibowitz played up the data-collectors-as-stalkers angle in a fashion that was too cute by half.