During last week’s Online Trust Alliance’s Online Trust & Brand Protection Summit in Philadelphia, Maneesha Mithal, assistant director of the Federal Trade Commission Division of Identity Protection, outlined three key challenges around data practices and privacy online.

“We’re used to dealing with black and white,” Mithal noted. “In the privacy area it’s definitely more nuanced.”

First, there is a lack of consensus on what consumers want in terms of online privacy and protection. Second, the FTC does not want to curb technology and cripple online services. And the third challenge Mithal identifies is the tension between predictability and flexibility. Consumers would like to anticipate a predicted outcome for an online action and websites and service providers would like the flexibility to innovate.

“We will encourage and support innovative ways to present disclosures to consumers. The long privacy policies are not effective,” said Mithal.

To address these challenges, the FTC is hosting a series of roundtable discussions starting in December titled “Exploring Privacy”. The roundtable will “explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data.”

The FTC would like to permit and not interfere with beneficial data practices, and incentives may be provided for data practices and disclosure that are understandable and effective.

As the Internet has grown, so have the responsibilities of companies that engage in online business. At the heart of these responsibilities is consumer data management — collection, use, storage and protection. Many organizations do not have the necessary infrastructure and policies in place to safeguard consumer data, which is evident by the growing number of data breaches and cases of data misuse.

To encourage business accountability, the Online Trust Alliance (OTA) has developed Trust Principles, which reflect the consensus of OTA member companies around the globe. The OTA Trust Principles underscore the need and opportunity for increased business accountability, data stewardship and practices to improve consumer choice, preferences and control of data.

The Trust Principles are broken down into three main categories: system infrastructure, data-loss prevention, and user choice, control and privacy. And while the Trust Principles complement self-regulation principles released by other organizations, the OTA plans to apply a compliance measurement framework to strengthen self-regulation. This framework will include tracking and public reporting, similar to OTA scorecards for email authentication and adoption of EV SSL Certificates.

Advertisers, service providers and site publishers are encouraged to review and adopt the applicable principles. By following these best practices, your company will be better prepared should there be stronger enforcement measures.

Key indicators of stronger enforcement:

– David Vladeck, head of the Bureau of Consumer Protection at the FTC, has stated “We’re happy to see industry trying to police itself, but I don’t think that’s sufficient.”

– Rep. Rick Boucher (D-Va.), chairman of the House Commerce Committee’s Subcommittee on Communications, Technology and the Internet, is drafting a bill that would impose broader rules on websites and advertisers to give consumers more control over their information.

– The FTC is hosting a roundtable series beginning in December titled “Exploring Privacy.”

How confident are you that your current business practices would pass regulatory scrutiny? If you are not confident in your business practices, use the Trust Principles as a self-assessment guide to audit your policies. A few changes could help you avoid a crippling data breach or prevent a hefty fine.

The Online Trust Alliance (OTA) is hosting the Online Trust and Brand Protection Summit on Oct. 29 in Philadelphia in collaboration with organizations like the Council of Better Business Bureau (BBB), the Anti-Phishing Working Group (APWG) and the Merchant Risk Council (MRC). The goal of the event is to educate online merchants, banks and brand marketers about the importance of data governance and consumer choice.

“Consumers’ choice and control of their personal data, and respect for their preferences are critical issues,” said Craig Spiezle, executive director of OTA. “Left unchecked we risk a consumer trust meltdown. The summit will elevate critical business practices that show promise toward protecting consumers and the long-term vitality of the Internet.”

The timing of the day-long summit is ideal.  It marks the final days of National Cyber Security Awareness Month (NCSAM) and it ushers in the holiday season, during which online shopping activity and revenue are expected to grow beyond last year’s figures.

It is more imperative than ever for online businesses to take action and protect consumers from online threats. As marketing leaders prepare to execute clever promotional strategies during the months ahead, the leaders in the fraud economy are preparing too. Practitioners of cyber crime have spent this summer recruiting and training, and their teams are prepared to probe, exploit and steal consumer data.

In a recent study conducted by Memolink.com, a loyalty program and online shopping resource, 41% of the 4,857 respondents said that it was difficult or very difficult to determine if a site or online business was legitimate.

Do you know if someone is typosquatting on your brand’s domain? What is the likelihood that your business will be targeted for a phishing scheme? Is your company prepared?

The summit’s programs will help organizations prepare by providing an insider’s view of consumer trust perceptions and real-world examples of how companies fight against the forces eroding the online ecosystem. Keynote addresses will be given by Maneesha Mithal, assistant director of the Federal Trade Commission Division of Identity Protection, and Peter Blackshaw, executive vice president of Nielsen Online and chairman of the Council of Better Business Bureaus.

ADOTAS – You may already know that October is National Cyber Security Awareness Month, organized by staysafeonline.org, and that the focus of this awareness program is to educate and protect consumers. What you may not be aware of is that the spirit of this awareness month affects you at your job as much as it affects you as a consumer shopping online.

In a time of data breaches, data misuse, cyber crime and diminishing consumer trust, individuals and organizations are saying “no more.” No more disregard of potential security exploits, no more software and applications that fail to protect personal information and no more excuses.

At the core of this “no more excuses” movement is a group of businesses that recognize the link between protecting consumers and protecting their bottom line. And inside these businesses are marketers that realize their roles have evolved to include the responsibilities of security and privacy advocates.

How can you participate? There are numerous ways to get involved. If your business involves consumers, consider educating them. For example, if your customer service team responds to inquiries via email, ask customer service to edit their email signatures to include a link to the safety tips that staysafeonline.org promotes. Memolink.com, Adperio’s loyalty program, chose to focus on the importance of keeping web browsers up to date and created a Consumer Protection Information page to which a section of the privacy statement links.

These low-cost ideas won’t distract consumers from a purchase or other revenue-generating action.

Bottom line: You don’t have to forgo revenue to build trust.

You may recall in an earlier piece my anecdote about a Chinese businessman who proclaimed that he was turning white hat. He had offered his assistance in identifying fraudulent publishers from China, and, of course, he wanted money in return for the intel he provided.

Editor’s note: This is the last in a series from Dianna Koltz, director of best practices and email marketing at Memolink, on how to use business standards to combat online fraud. She can be reached at dkoltz@memolinkcorp.com

Readers have been reaching out to me asking “Why didn’t you take him up on his offer?” One of three things would have happened as a result of my taking advantage of this pseudo-opportunity: We potentially could have been doubly duped, the fraudsters could have collected more information about our process, or the tactics could have changed as soon as we received the information.

First, the deal that was proposed did not guarantee any legitimacy of the information. I may have negotiated a payment method that allowed me to stop payment, but I doubt that he would have agreed to providing me information without first having money in hand. We would have been in perpetual deadlock.

The gentleman could have conducted deuce diligence, a term my team has coined to describe the process a fraudster uses to reverse engineer our due diligence process. It is an intense cat and mouse game. Or, discovering that their buddy had sold them out, the fraudsters may have immediately changed tactics. The patterns of fraud we had been tracing would mark a dramatic shift and become more aggressively covert.

Beyond my hypothesis of what might have happened had I gone that route, let me tell you a secret: His secrets are anything but secret. Sshh, don’t tell anyone.

How does my team identify the fraudulent publishers from China and elsewhere? My compliance analysts make the difference in the process; they are experts at what they do. The people are what set a great due diligence program apart from a good due diligence program, and we are extremely disciplined with the execution of The Best Practice Approach.

What does my team analyze in order to identify the fraudulent publishers? Here are a few data points and current trends that we monitor:

1. International criminals are recruiting U.S.-based individuals via industry web forums to act as their front men. The U.S.-based identity-for-hire will register a website in his or her name, then sign up for advertising networks. The fraud operation is handled by the international business associate and the identity-for-hire sits back and receives a 50% cut. What this means for you: All of the information in the publisher application will appear legitimate, and he or she most likely will pass all of the other checks you do.

2. Identity theft is the number one complaint online according to the FTC, and it ranks toward the top of our list too. What this means for you: In order to validate identity you may need to request additional sensitive information, like a social security number or a government-issued ID. Anytime you are dealing with personal information, privacy is a concern. Make sure you have someone on staff that is trained on how to handle this type of data appropriately.

3. It is not uncommon to find that a telephone number provided to you by a prospective partner is the number for “Big John’s Rib Joint.” These invalid phone numbers are easy enough to identify, but how do you know when a domestic number is forwarding to an international number? The latest trend in fraud related to telephone numbers is call forwarding, and fraudulent individuals use this tactic along with masking their IP address to fake their business location.

What this means for you: Telephone verification vendors have not developed the technology to determine if a call is being forwarded (if you know of a vendor that does, please let me know). The good news? The other checks you run will flag this publisher as fraudulent 99.9% of the time.

I have been comparing notes with representatives from other advertising networks, and many of the checks conducted are the same, but how we do what we do differs. For example, one major flaw in the process our counterparts use is the timing of their due diligence execution.

Many are waiting to identify the fraudulent individuals until after they enter the network. Would you allow a stranger into your home, sit them down in the living room, offer them a cup of tea, and then ask who they are? You would not risk putting yourself or your family in harm’s way, so why in business would you expose your partners to this kind of harm when it can be avoided?

 If you would like to join in on the dialogue, please contact me, my information is in my bio.

Advertisers may be conditioned to scream “Fraud!” instead of “Bad Quality!” like the public was trained to yell “Fire!” instead of “Help!” when attempting to attract attention.  Are advertisers crying wolf when it comes to fraud? Or, is the fraud simply bad traffic?

An advertiser’s fraud claim demands attention because chances are a liability has been created for the advertiser or the partner, or both. Whereas, an advertiser’s claim that the traffic is not backing out for them may command less of their partner’s attention. The former is an elephant and the latter is an ant.

As an advertiser,  I have experienced first-hand a lack of partner response when I have communicated quality concerns, in my case new member quality for our loyalty program Memolink.com. Here’s how those conversations would unfold:

Me: Our click to conversion rate is quite low.
Partner: Maybe your landing page needs to be optimized.
Me: The return on investment and activity level of these new members is low.
Partner: It is only my responsibility to provide you the member; it’s up to you to monetize them.

At the time, had I known that using the “F” bomb would have been a powerful enough call to action, I may have just dropped it. In this example, the traffic I received was bad, but perhaps the new members I received came from a sub-publisher three levels away and the pattern of bad traffic was actually an indication of fraud. Could I have made changes and tested landing pages to improve conversions? Yes. Could I have spent more time monetizing the leads I was receiving? Yes. Could the traffic have been fraudulent? Yes. All I really wanted from my partner was a commitment to investigate, and I did not receive that.

On the flip side, the experience my organization has as an advertising network working with advertisers has provided me with a glimpse into a bigger issue. We do not share a common definition of fraud. The following is a snapshot of new clients that were on-boarded last week and the definition of fraud each of these clients provided:

Monday’s Fraud Definition: Duplicates
Tuesday’s Fraud Definition: Invalid credit card
Wednesday’s Fraud Definition: Cancellations on orders
Thursday’s Fraud Definition: Returns
Friday’s Fraud Definition: Numbers in names, etc.

It is important that we come together as an industry and collaborate on the real definition of fraud as it relates to what we do and the challenges we face. Each lead, sale, or transaction can be placed into one of three categories: Valid, Invalid or Fraud. Too often the invalid leads are being placed in the fraud category. The way to prevent and detect fraud is to first understand what fraud is.

Many B-to-C and B-to-B companies have expanded or are looking to expand their business overseas and capture global customers and clients. The potential risks and rewards of expansion into the BRIC markets are high.

China, the most populous country in the world, is predicted by ZenithOptimedia to be the fourth largest advertising market by 2010, while Russia will rank sixth, Brazil seventh, and India thirteenth. Not only is China’s ad expenditure growing but also the country’s total number of Internet users. China surpassed the U.S. as the biggest user of the Internet last June, and last month the official China Internet Network Information Center said that the number of Internet users in China has reached 298 million. According to the U.S. Census Bureau our population was 305,762,073 on February 6.

About two weeks ago, I received an email from a businessman in one of these developing regions, an excerpt from that email follows:

“Hello, I am an affiliate from China. I know that almost all CPA network hate Chinese affiliates, because they are almost all fraud. I was also a fraud before, I earn some money from some CPA network with my fraud activity.

But now I do not want to fraud because it’s too tired, and very dirty, and the account often be terminated. Even so, there are a lot Chinese “affiliate” do the fraud activity to all CPA network everyday, and they have a lot of experience, so they can escape the punishment from the CPA network. Of course, they earn a lot of money. But it’s dirty.

So I want to cooperate with you. Every month as long as you give me a certain degree of rewards, I will reveal to you all the Chinese fraud affiliates, and every month I will reveal new ones to you. I believe that through my efforts, you and the advertiser will restore hundreds of thousands of economic losses.

So I can get clean money from you, and you can restore economic losses. I think this is a win-win model.

If you have the intention, please contact me …”

Needless to say, I did not respond. Fraudulent individuals will mask their locations and often steal a citizen’s identity from a developed country as a tactic to attempt entry into an affiliate network.

As your organization expands, how will you control the quality of your customers and clients? How will you keep fraud levels low? And how will you manage your reputation on a global stage? The Best Practice Approach will guide you through your decision-making process and help manage your reputation.

Editor’s note: This is a series from Dianna Koltz, director of best practices and email marketing at Memolink, Inc., on how to use business standards to combat online fraud

– Express your opinion, comment below.

Securing information and providing appropriate data access can help limit your risk. The Association of Certified Fraud Examiners says the five most effective fraud prevention tactics are: implementing strong internal controls; background checks for new hires; anti-fraud policies; ethics training; and surveillance.

When I first began to implement the Best Practice approach over a year ago, I focused on the first tactic the ACFE recommends and evaluated our data access controls. Much of our data was accessible by many different roles inside our organization. The lack of access variance between an entry-level employee and an executive had been carried over from the days when our organization had fewer employees.

It is common in smaller companies for an employee to have multiple responsibilities that grant him access to more information systems. Many of you in this fast-paced industry can relate: The individual who edits your website also sends out your email newsletter and invoices at the end of the month. In this scenario, the smaller businesses make the decision to absorb the risk, but how do you appropriately limit access as your company grows?

In Memolink’s case, the data access audit was conducted by asking one question and compiling the results for review: Who had access to what type of information, and for what purpose? It also helped to evaluate the audit findings juxtaposed with the goals and motivations of each department and employee. By looking at the results in this manner, I was able to remove the context for internal staff abuse.

For example, when my company separated publisher vetting and the fraud identification and reporting processes from the publisher sales and account management team, it was natural to also secure the information related to these processes. Publishers who join the CPA Storm network are interviewed by a Best Practice compliance analyst and only those who meet our standards are accepted as a business partner. We do not share the finite details of our vetting process.

If you asked any one of our account managers, “As a publisher looking to join your network, what do I need to do or say to be accepted?” not one of them would be able to tell you. The only individuals who know the details of our acceptance policy are inside the Best Practice Division or in the top two positions in our company (CEO and EVP).

I limit the information so the fraudsters cannot reverse engineer or social engineer their way into our circle. An individual looking to do harm can attempt to reverse engineer the process by going through the vetting process countless times, each time learning a detail about the technology that we use. The technology we use is home grown, and like any technology, it is not perfect, which is why we have humans who make the final decisions.

A fraudulent individual could also weasel their way in through the use of social engineering, which essentially means that an individual manipulates another person in order to get information, like a password, or confidential information about your business. This is often done by becoming “buddies.”

Many of us use LinkedIn and other social websites like Facebook to stay connected and conduct business. The potential fraudsters know this. Using myself as an example, they see my profile on LinkedIn or on my Facebook page, and are able to deduct that I enjoy watching basketball, drink a lot of Pepsi, went to Drake University (go Bulldogs!), and I worked for Meredith Corporation for several years.

They use this information to gain my trust, “Do you think that the Drake men’s basketball team will make it to the Sweet Sixteen this year?” I am put at ease by this conversation and others that follow, and then they proceed to extract whatever information they need. If I were in the role of an account manager and knew the details for publisher acceptance, I may share this with my new buddy without even realizing the potential harm. Thus, by limiting access, we have removed the risk of our sales team being in a precarious situation like the one described here.

Editor’s note: This is a series from Dianna Koltz, director of best practices and email marketing at Memolink, Inc., on how to use business standards to combat online fraud. The links of past stories are to the left.

– Express your opinion, comment below.

If you wait for your affiliates to begin the dialogue, you may be waiting a long time. Maybe your partner is waiting for you to make the first move? If we all wait on one another, when will the time come for real change in the industry?

While many corporations embrace the idea and morality behind full visibility, very few practice what they preach. The affiliate marketing industry has been known for a long tail of young, savvy, and aggressive marketers. You may have seen one at a recent conference valet parking his Ferrari. These individuals have made a pile of cash, some legitimately, and some through less ethical–and perhaps illegal–means. How can you determine which leaders and organizations have your best interests in mind and which are conflicted by their desire to earn more for themselves and their investors?

The Best Practice approach to partner vetting will help you weed out the bad. To vet means to check. Implementing a vetting program for your company is as simple as formally asking each partner a variety of questions prior to conducting business. For example:

- How long have you been in business?

- Has your company received venture or institutional money?

- How long has your current leadership been in place?

- Have you ever been the subject of a lawsuit or investigation relating to your advertising, marketing, privacy or data security practices?

- Do you have a formal due diligence procedure to vet your vendors and affiliates? (Inquire about the details of the process.)

- Who is responsible for setting compliance policy at your organization?

- Who will be my daily operational contact for fraud- or compliance-related issues?

- What are your company’s best practice standards above and beyond what the federal law requires?

Depending on your company’s risk tolerance, a quarterly or annual audit may also be appropriate to ensure that the affiliate’s practices are still in line with what was disclosed during vetting.

Who executes the vetting and auditing programs at your company may be even more important than the questions that are asked. The associate responsible for partner selection and monitoring should not receive commissions based on sales or volume goals.

Should you require your partners to disclose the details of their business relationships? In general, no; organizations should be able to keep the identity of vendors and affiliates private. In cases where fraud has occurred or a liability risk exists, it is reasonable to request full disclosure. This type of open communication during the vetting, monitoring, and incident response processes will raise the standards for online business and improve the entire ecosystem. How you choose to execute these processes will set you apart from others.

Editor’s note: This is a series from Dianna Koltz, director of best practices and email marketing at Memolink, Inc., on how to use business standards to combat online fraud. Here are the past stories.

– Express your opinion, comment below.

Two consumer advocacy groups, the Center for Digital Democracy and the U.S. Public Interest Research Group, have asked the Federal Trade Commission to investigate behavioral targeting practices aimed at mobile phone users. The day the FTC received the request and one week before the Obama administration took office, four marketing and advertising associations announced their intent to create an enhanced set of self-regulatory principles for online behavioral advertising.

The American Association of Advertising Agencies, Association of National Advertisers, Direct Marketing Association and Interactive Advertising Bureau are said to be reviewing the areas for self-regulation set forth in the FTC’s proposed self-regulatory principles issued in December 2007.

As marketers, our boundaries for targeting campaigns continue to widen as technology improves. We collect more information than ever before. This, along with the fear of federal regulation, may create a trend for more marketers to take on a dual role as a privacy professional. The International Association for Privacy Professionals (IAPP, https://www.privacyassociation.org/) provides privacy education and certification for privacy professionals.

While privacy responsibilities fall under the IT or legal umbrella for many organizations, more marketers should understand privacy best practices. In smaller organizations without in-house counsel and a strapped tech department, no one may be held responsible for data privacy.

Marketers may financially benefit from taking on this role in their organization. The 2006 “Privacy Professionals’ Role, Function and Salary Survey” conducted by the IAPP and Ponemon Institute reports that a Certified Information Privacy Professional (CIPP) earns 12% more on average than their non-CIPP counterparts.

A firm understanding of privacy principles is the foundation upon which my Best Practices team recognizes areas of potential risk for us and our clients. For example, we have turned down new business with publishers who own websites and collect consumer information during registration without disclosing how the information will be used.

Data privacy and security is also vital as we address fraud in the online industry. Identifying fraud requires data analysis, and preventing fraud in the future could require companies to capture more information. In many cases, expanding the data set analyzed will improve the likelihood of identifying fraudulent patterns.

The consumer’s risk of identity theft increases as more data is collected and stored. Fraud trends would indicate that the number of identity theft complaints the FTC received in 2008 will be greater than the total from 2007 (258,427). The 2008 report should be released in the next month. If you should experience a data breach, maneuvering through the data breach notification laws for each state would be costly.

Take steps now to become a privacy-minded organization by conducting a full audit of your company’s practices. It is an investment that could prevent an investigation by a regulatory body in the future.

Editor’s note: This is a series from Dianna Koltz, director of best practices and email marketing at Memolink, Inc., on how to use business standards to combat online fraud. Here’s part one,  part two, and part three.

– Express your opinion, comment below.