ADOTAS

Meanwhile, as Facebook has figuratively pulled down the window shades, Google Maps just walked in the front door. Android users can download Google Maps 6.0, which now offers floor plans of select airports and retailers, including some major shopping malls.

In other news, eXelate has analyzed the data from billions of online transactions, and it’s decided that while Cyber Monday was a bigger day for online shopping than Black Friday (by 17 percent), it might not have been quite the coup that recent proclamations of the cyberest of all possible Mondays suggests: For the rest of the month, Mondays were already 14 percent more profitable than Fridays for online retailers. Here’s an infographic breaking down where those dollars went (and here’s a link to the original PDF):

“Self-regulation is about creating standards and holding members accountable for those standards,” said Robert Gratchner, chairman of the NAI board. “Having a seasoned and respected FTC attorney take the helm at NAI continues our deep commitment to meaningful self-regulation, effective enforcement of industry standards and further development of best practices in online behavioral advertising.”

As executive director, Groman will leverage over a decade of experience to tackle cutting-edge privacy issues. Groman has a deep knowledge of today’s complex policy debates around online advertising, privacy and self-regulation.

“Marc really understands the privacy issues facing consumers and businesses today, and has remarkable creativity, problem-solving and people skills,” said Jessica Rich, deputy director of the Federal Trade Commission’s Bureau of Consumer Protection. “The NAI is really lucky to get him at this critical time for privacy.”

“NAI member companies, along with the rest of industry, have been doing incredible work to advance consumer choice. In selecting Marc, the NAI has chosen a strong, respected leader who will continue to advance those initiatives,” said Alan Chapell, vice chairman of the NAI.

Groman replaces current executive director Charles Curran, who will continue to serve as an advisor to the NAI. “It has been an honor to have Chuck lead the NAI since 2009,” commented Gratchner. “During the NAI’s rapid expansion to more than 75 member companies, Chuck’s leadership enabled us to make significant progress in implementing credible compliance and best practices for companies engaged in interest-based advertising. As he leaves to pursue new challenges, I want to thank Chuck for his tireless efforts to broaden the scope of self-regulation and enhance consumer transparency and choice.”

Then I was hoping a friend would join me dressed up as a privacy advocate, draped in a robe bearing the “expectation of privacy” segment of the Fourth Amendment to the U.S. Constitution. He or she could scream while pointing me out to the various what I was doing and then beat me with a baseball bat reading “DO NOT TRACK.” At the very least, it could make for a nice piece of performance art.

I kid, I kid — but I can do that because I have a general understanding of data collection issues. A lot of consumers are freaked out about who is taking their data to do what with because they simply don’t get it. And a new academic study (PDF — abstract here) – “Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising,” assembled by Pedro G. Leon, Blase Ur, Rebecca Balebako, Lorrie Faith Cranor, Richard Shay and Yang Wang of Carnegie Mellon University — explains that the variety of user data management tools out there are possibly increasing the confusion.

“The research from Carnegie Mellon supports a position that we have long advocated at eXelate – that the industry needs to make opt-out tools less scary,” said David Lundell, vice president of product management at eXelate (the company that tipped me off to the study). “Consumers understand that digital content cannot be free and that advertising must support it. Subsequently, consumers want to be co-participants in the advertising process and manage it in a direct, honest and transparent manner.”

But what may be scarier for third-party data collectors and the behavioral targeting industry – especially since the Federal Trade Commission is no doubt listening — is the researchers’ conclusion that “self-regulation through opt-out mechanisms is fundamentally flawed.”

“Users’ expectations and abilities are not supported by existing approaches that limit OBA by selecting particular companies or specifying tracking mechanisms to block,” the report claims. “Even with additional education and better user interfaces, it is not clear whether users are capable of making meaningful choices about trackers.”

OK — how did they get there? Using 45 participants without knowledge of tracking tools, the researchers tested nine tools for user data management, including third-party cross-network opt-outs (in particular, those provided by Evidon and the Digital Advertising Alliance), browser DNT tools and ad and tracking-blocking browser add-ons. After conducting the research, the academics concluded that none of the tools “empowered study participants to effectively control tracking and behavioral advertising according to their personal preferences.”

The key findings (though the whole report is worth reading):

• No middle ground in terms of explanation of function. ”The tools we investigated tended to present information at a level that is either too simplistic to inform a user’s decision or too technical to be understood.” In addition the report claims that the opt-out mechanisms do not make it clear that consumers are opting out of targeted advertising rather than data collection.

• Participants not only didn’t understand what it meant to be opted out, but also were unsure of whether their opt-outs were working. Same with DNT — how do you know companies are honoring it?

• On the cross-network opt-out service (as well as browser add-ons Ghostery and TACO) and users can’t distinguish between various data collecting services, leaving them unable to set opt-out or blocking preferences meaningfully on a per-company basis. Instead, the researchers found most of the users simply used the same settings for each company listed.

• The report also suggested that the default settings for privacy tools were “inappropriate” for users concerned about their online privacy, since users interested in privacy tools are likely seeking them out to block tracking. The report goes on to say: ”Ghostery and TACO do not block any trackers by default, and enabling tracker blocking involves multiple clicks. Similarly, no advertising companies are selected by default on the DAA and Evidon opt-out sites.”

So perhaps the scarier getup between those two costume choices in the beginning might be the privacy advocate. I could totally don that robe and give some real frights by running around third-party data collectors’ offices with a DO NOT TRACK bat. Boo!

However, a better question may be, can anything satisfy data privacy advocates?

On the day of the press conference, which was publicizing a new study by the Stanford Law School’s Center for Internet and Society, privacy report author Jonathan Mayer tweeted, “A lobbyist for an online advertising company asked me today why I won’t give self-regulation a ‘fair chance.’ Isn’t a decade ample time?”

But, as we went into great detail on last week, Mayer’s report has little to do with online behavioral advertising — it’s more about sloppy user data management on the part of publishers sending data to third parties.

While 61% of the sites studied were sending “personal information” as defined by Mayer as “information that with moderate probability and moderate effort can be used to identify a user,” 39% weren’t. Seventy-two of the 185 publishers Mayer examined were using better data security methods — mainly anonymizing URLs. (Facebook started doing this when The Wall Street Journal discovered it was sending unique IDs to third-parties advertising in social games played on the platform.)

However, Mayer interestingly absolved publishers for this with the line “identifying information leakage is a fact of life on the web, and that identifying information may be shared with third parties.”

I was kind of surprised by how many industry people seemed to shrug off the report given how it was advertised as proving “Yes, They Really Know It’s You.” At the same time, Mayer’s report didn’t really reveal anything new — a recent study with very similar methodology found very similar results.

And Mayer’s research really only supplies half the story — even he admitted his research could not inform what happened to the data after it’s collected. Even the title of the report, “Tracking the Trackers,” is a misnomer as there’s no research about what happens after the data is sent. (“What the Trackers Receive” would have been more appropriate, though not as eyeball-grabbing.)

There’s only an implication of some grand conspiracy of publishers sharing personally identifiable information about their browsers with third parties as part of some kind of silent and illicit agreement. And then those companies build ridiculously detailed profiles for targeted advertising (for now!).

But evidence? None. A commenter on the CIS site read my mind: reputable third-party data companies don’t scrape URLs for possible user info. Why? Basic business good practices — if they were doing that clandestinely and it came out in the press, they’d lose all their publishers (i.e., data sources) in a flash. No publisher in its right mind would want to be associated with that toxic waste dump. (Take a look at how many major publishers suspended their KISSmetrics service after it came out they were using E-Tags as hard-to-delete tracking cookies.)

On the privacy side, there’s a lot of clamor about what data is being sent via what methods, but little talk about how it is actually being used — what goes toward ad functionality (e.g., frequency capping) or internal publisher metrics vs. audience profiling. How is that data processed? Is anonymization a myth?

The FTC’s framework would provide an answer to that missing side of the equation. But it feels like no amount of industry transparency will be enough for online privacy advocates. DNT fever is a hard one to break.

Many in the industry are consoling themselves that the widespread incorporation of browser DNT capabilities (and the grudging acceptance by industry associations and companies) will result in a limited amount of browsers flipping the switch. However, that could be just enough.

As we’ve explained many times before — including in an article covering other controversial claims by Mayer — tracking cookies are not just used for behavioral advertising purposes. They also produce data for ad-serving functionality such as frequency capping, as well as site performance and audience insight.

But consider this: if enough users did turn on DNT, there’s the possibility it could force publishers to introduce an opt-in system for site monetization, in which the “unspoken transaction” of data for content shifts front and center — i.e., sites demanding users either pay with data or cash to view certain online material.

And as we’ve suggested before, device fingerprinting (via technology like BlueCava’s) would be an intuitive way to establish this new system. Want to get a privacy advocate really worked up? Mention device fingerprinting — though it should be noted, AdTruth, the device fingerprinting service from online fraud prevention and detection resource 41st Parameter, announced on its launch that it follows the DNT protocol of Mozilla Firefox.

As Bizo CEO Russell Glass explained last week, Leibowitz’s examples of how collected browsing and purchasing data could come back to harm consumers in non-online situations “involve the healthcare industry, the finance industry or potential employers. Each of these industries and constituents have rules and regulations which prevent this very activity that Lebowitz is trying to prevent – discriminating against consumers unfairly. In addition, the FTC has rules in place and there are clear practices that are allowed and disallowed.”

As for cyberazzi, which the online privacy brigade hopped on immediately, it compares a large industry that arguably adds great value to the online consumer experience with a group of pesky gnats that represent the dregs of the media world.

While Leibowitz called online targeted advertising “beneficial — or at worst innocuous,” the services of the so-called cyberazzi are often used to improve the quality of Internet content. In the report released by the Stanford Law School Center for Internet and Society, a great deal of the leaked user login data was sent back to its source via intermediaries comScore and Google Analytics — these cookies were likely being used internally to judge site performance. (Whether these tools actually improve publisher content really depends on how the data are interpreted.) But it’s a main industry argument against DNT — tracking cookies are invaluable for assisting a publication understand their audience and performance (which in turn is necessary for monetizing the publication).

It’s a Framework, All Right

I actually stopped watching the live stream at that point — Leibowitz’s speech looked like it was going to be 30 minutes of more blustery rhetoric designed to frighten Internet users and pump up the privacy crowd. Yes, the FTC is supposed to be on the consumer’s side, but trying to scare the bejesus out of them for positive press isn’t doing American consumers any favors. (Publicly investigating Facebook to offer third-party transparency regarding the social network’s data collection and use practices, on the other hand, would be.)

I’m glad I waited (not more than an hour) for the agency to release the transcript, which I’ve been poring over for a few days. I was all set to get my snark on with the line “If only the FTC spent as much time developing a regulatory framework for OBA and consumer privacy as they do coming up with clever analogies and snappy phrases,” but after the initial data marketplace flogging, Leibowitz actually did illustrate the long-awaited FTC online privacy framework, and… It seems pretty good.

It’s a three-pronged approach. First off is industry self-regulation: ”Companies that collect consumer data should do so only for a specific business purpose, store it securely, keep it only as long as necessary to fulfill its legitimate business need, then dispose of it safely,” it reads.  ”The more sensitive the data, the stronger the protections should be. To its credit, much of industry is embracing this approach – even before we issued the draft report.”

Second is transparency — an intuitive platform for displaying data collected while giving the ability to opt out of data collection. Several data collectors already offer this — check out the BlueKai Registry. The FTC as a third-party watchdog would offer great validity.

And for consumers that want no data collected at all, the final leg is Do Not Track functionality, which Leibowitz admitted has been “overexposed” in the public space (ahem, thanks media). Unlike the Do-Not-Call protocol, the FTC does not think DNT should by managed by the government. It appears the agency is looking toward browsers, as Leibowitz applauded Microsoft, Apple and Mozilla’s DNT options. He mentioned that FTC chief technologist Ed Felten is part of standardization setter World Wide Web Consortium’s (W3C) group assembling technical standards for DNT.

Gotta admit — taken together, it sounds like a pretty reasonable framework. Industry associations and companies have established forays into the first two arms, and judging from all the media mentions, Mozilla’s DNT capability is at the forefront of the third. It actually sounds like the best for all worlds — but does that necessarily mean all worlds will like it?

As for the paranoid and industry-bashing beginning, part of me wants to give Leibowitz a break for knowing his audience. I’ve seen other FTC members start their speeches at industry gatherings with the “no one wants to kill the golden goose” cliche. In a room full of privacy advocates, Leibowitz played up the data-collectors-as-stalkers angle in a fashion that was too cute by half.

ADOTAS – Federal Trade Commission

Leibowitz emphasized that there are three key principles to protecting privacy of consumers on the Internet. First, companies in the business of collecting and storing data need to build strong privacy policies. Data should be kept only for legitimate business needs and the more sensitive the data is then the more careful they need to be.

Second, there needs to be transparency. If data is being collected then consumers need to be told what is going on in a manner that they can easily understand. Lastly, there needs to be choice for the consumer. Consumers should have streamlined choices about the collection and usage of data based on their online behavior.

Leibowitz said there is a clear need for the development of a do-not-track mechanism for web users, similar to the do-not-call list that has been successful in blocking telemarketing calls. This mechanism would provide web users the ability to opt out of online tracking, which is used to provide targeted advertising based on a person’s online behavior.

Leibowitz emphasized that it is about providing consumers with the choice to not be tracked online, noting that if given the choice himself he would probably choose not to opt out because he enjoys the targeted advertising.

Leibowitz made clear that he does not care who creates this mechanism, but he doesnot think it needs to be administered by the government, though some members of Congress have proposed legislation to create a do-not-track system. (Note that the Interactive Advertising Bureau, a trade group for online advertisers, established a code of conduct that states members should give clear and prominent notice of any online behavioral advertising collection and use. The code went into effect at the end of August.)

Leibowitz applauded Mozilla for going out of their way to provide consumers with the information to decide if they want to opt out of online tracking and said he was hoping other online browsers would soon follow. (Miscrosoft’s IE9 and Apple’s Safari also have do-not-track options.) Leibowitz emphasized that the FTC did not want to interfere with the normal data flow that makes the Internet efficient and did not see the need for the Internet to be a privacy free zone, but still wanted to have a mechanism that allows for consumer protection.

Jonathan Mayer, a graduate student fellow at the Center for Internet and Society at Stanford University, and identifier of the “supercookie” released a new study that showed that information collection from many websites is not as anonymous as many sites claim it is or consumers think it is. Identifying information from consumers was often leaked when the consumers went to various websites, though Mayer said that it was not clear that the leakage by websites was intentional and the study did not attempt to gauge this.

Mayer looked at the top 250 websites and signed up as a member on 185 of those websites. Mayer found that 61% of the websites leaked a user name or a user ID. Mayer stated that once an identity is provided in a pseudonymous system then it can be associated with what that person has done in the past and will do in the future. Full results of the study are available at cyberlaw.stanford.edu.

The talks were sponsored by the ACLU, Center for Digital Democracy, Consumer Action, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Privacy Information Center, Privacy Rights Clearinghouse, US PIRG, and World Privacy Forum.

Georgetown Law student Griffin Finan co-authored this article.

Released yesterday as part of a giant privacy gala in DC that featured a keynote and Q&A session with Federal Trade Commission Chair Jon Leibowitz, the report was advertised in the press release running up to the event as a paper that would debunk “the myth that digital data collection is anonymous.” Whether it achieved that goal is definitely arguable.

What’s Being Sent

I feel pretty secure that when I log into HomeDepot.com, the website is not sending a message from the login page saying to all its third-party buddies, “Hey, guitarsexgod930, who you all know is Gavin Dunaway, just showed up! He’s looking at toilets — I don’t want to think about what he did to the old one. Who’s going to show him an ad for the new America Standard model?”

No, a bunch of data (including my username) has been stuffed into the login URL, which then gets shared with third parties who have deals with the publisher. As will be mentioned many times, the research does not cover what happens when the data is received by those third parties.

Typically this ”identifying information” — which research author and Stanford graduate student Jonathan Mayer describes as “information that with moderate probability and moderate effort can be used to identify a user” – is shoved into the URL to assist with site personalization efforts and only a little work is required to strip out the identifiable meat. Mayer uses this example:

http://example.com/register?username=GoCardinal&name=Leland%20Stanford&email=leland%40stanford.edu
&…

As you can see, a site login, email address and real name can all be derived from that.

The SSL report follows a recent report (PDF) by Balachander Krishnamurthy, Craig Wills and Konstantin Naryshkin using a similar methodology that pretty much found the same results — i.e., 56% of sites studied leaked some kind of identifying information, with 48% leaking a user name in particular.

Mayer’s study expanded the number of sites from 120 to 185 (culling them from the Quantcast 250 based on whether a site offered a signup without requiring a purchase or other qualification, as well as other concerns related to the scope of the research), as well as shifting the focus to “identifying data leakage” and using a public dataset.

While a complete spreadsheet of results can be downloaded here, Mayer singled out these gems:

• Viewing a local ad on the Home Depot website sent the user’s first name and email address to 13 companies.
• Entering the wrong password on the Wall Street Journal website sent the user’s email address to 7 companies.
• Changing user settings on the video sharing site Metacafe sent first name, last name, birthday, email address, physical address, and phone numbers to 2 companies.
• Signing up on the NBC website sent the user’s email address to 7 companies.
• Signing up on Weather Underground sent the user’s email address to 22 companies.
• The mandatory mailing list page during CNBC signup sent the user’s email address to 2 companies.
• Clicking the validation link in the Reuters signup email sent the user’s email address to 5 companies.
• Interacting with Bleacher Report sent the user’s first and last names to 15 companies.
• Interacting with classmates.com sent the user’s first and last names to 22 companies.

Whose Fault Is It Anyway?

All this research shows is what data is going to third parties and what identifying information can be gleaned from it. It doesn’t show what the third parties actually do with this information on reception, which Mayer points out was out of the research’s scope.

“We did not study – and cannot study – what companies do when they receive personal information. It is likely that many of the information leaks we identified were logged. Some third parties may take precautions to prevent logging of identifying information, and we certainly laud such efforts. But for policy purposes, there is a tremendous difference between a tracking ecosystem that is anonymous and a tracking ecosystem that is suffused with identity but promises to ignore it.”

No, the data is not anonymous, but these websites are also not delivering PII right into the hands of third parties — most data collectors will argue that they wouldn’t strip out the personal identification because they don’t want the PII (it causes problems). And it’s not anonymous at the source because the publishers haven’t anonymized it — 72 pubs in this study managed to have systems in place to keep user login data anonymous.

Interestingly, Mayer seems to absolve developers (and by extension publishers) of responsibility by saying this kind of thing just happens.

“Many times, developers are not thinking about privacy issues, and it’s a fact of life that information is going to leak to third parties. I think we have to recognize that’s just the way the Web works,” he said at the press conference.

Further, in the report he writes:

“The better practice for all first-party and third-party websites would be to acknowledge that identifying information leakage is a fact of life on the web, and that identifying information may be shared with third parties.”

And then in The Wall Street Journal, he said:

“The web is suffused with identity. And it’s a fact of life that that identity will get sent to third parties at some point.”

So maybe I’ve been wrong all along — it’s not that Internet privacy is an oxymoron, but that online data security offered by publishers is an oxymoron. Wow, that makes me feel so much better. I’d love to hear industry perspective on Mayer’s suggestion.

It’s kind of an end-run argument, though not a bad one, for Do Not Track functionality (the press conference appeared to be a big pep rally for DNT efforts) — there’s no helping personal information being shared with data collectors, so if you’re worried about it, flip on DNT and cut off the cookies.

At the same time, I can’t help thinking about the Facebook privacy scandal last year in which WSJ discovered social games played within the network were sending Facebook unique IDs to third-party ad servers. It’s a pretty similar case — and WSJ couldn’t find any instances of third-party ad tech firms using the data or associating the IDs with profiles (just companies that refused to).

The ultimate shame fell on Facebook for not using anonymizing data tools when sending information to third-party data collectors — the company had cut a development corner and violated its own privacy policy. Which is pretty much what all of the 113 guilty sites in this study have done.

So shouldn’t the onus fall on the publishers to tighten up the management of personal data — including logins and user names? Not to be too repetitive, but isn’t this a site security issue being stretched into a justification for DNT?

(At the same time, I’m not saying DNT is a bad idea… I’m just being critical, which is why they pay me the big bucks. Maybe some third-party data service can tell you how much.)

A Bold Accusation

Once again, data collectors — the cyberazzi, as FTC Chair Leibowitz would call them — are being vilified without a bit proof. It’s always implied that data collectors are doing nasty things, like building profiles with PII (well, Rapleaf does that, but they’re very transparent). However, Mayer does cite an example of third-party data collectors purposefully grabbing very personal information – and it would be a damning claim if there was corroboration.

Mayer writes:

“In computer security, leakage is a term of art for an information flow – some instances of leakage are entirely intentional. For example, OkCupid, a free online dating website, appears to sell user information to the data providers BlueKai and Lotame, including gender, age, ZIP code, relationship status, and drug use frequency.”

First, Mayer seems to be confusing a data-buying agreement with data leakage. Second, BlueKai and Lotame vehemently deny this claim.

While it is contractually forbidden to disclose all the data categories it receives from a specific partner, BlueKai says it only collects general demographic and interest data (zip code, age and gender were cited) and that none of it is connected to individuals or user names. Consumers are invited to visit the BlueKai Registry to manage their interests and opt outs, as well as see what their cookies say about them.

As of press time, a representative from BlueKai said that they were “working with them to get this corrected.”

UPDATE: Oct. 12, 9:20 a.m. Mayer updated the blog posting on

[Update 10/11: The original version of this post conflated the information OkCupid provides to Lotame and BlueKai. In the interest of complete accuracy, and in response to both a deluge of questions on OkCupid's intentional leakage and a note from BlueKai seeking clarification, I have updated this section with per-company intentional leakage. I have also included the results of a leakage test (with the methodology described below) on OkCupid. My apologies to BlueKai for the incorrect implication that it collects the same sensitive profile data that Lotame does. The amibiguous discussion was solely my error.]

He gives this list of what the companies “appear” to receive — “To learn which profile information OkCupid leaks, I modified each field of a profile and observed how values sent to the two companies changed.”

• Age – Both
• Cats – Both
• Children – Both
• Country – Both
• Dogs – Both
• Drinking Frequency – Lotame
• Drug Use Frequency – Lotame
• Education – Both
• Ethnicity – Lotame
• Gender – Both
• Income – Both
• Job Sector – Both
• Language Proficiencies – BlueKai
• Relationship Status – Lotame
• Religion – Lotame
• Smoking Frequency – Lotame
• State – Both
• ZIP Code – Both

“One day you might print out a CDC fact sheet on alcoholism to help your son with a project for health class. Click. Or you order a box of your mother’s favorite candy to take her when you go visit. Click. Or you buy the book ‘The Winner’s Guide to Casino Gambling’ as a raffle prize for your church’s Las Vegas night. Click.”

He went on to say: “You know you are a dutiful parent, but a potential employer could see a boozy job applicant. You know you are a thoughtful daughter, but a health insurer could see a destined diabetic. You know you are a generous member of the community, but a loan officer could see a risky gambler.”

In his summary of the potential risks of the Internet, he eloquently describes the fears of a few and attempts to stoke the fears of the masses.

He was generally very fair in his assessment of the current situation and his praise for the online advertising industry’s self-regulatory efforts. However, examples like this do more damage than good, and he has to be careful about stoking a fire with examples that not only put the cart before the horse, but have the horse riding in the completely wrong direction.

Note for a second that his examples involve the healthcare industry, the finance industry or potential employers. Each of these industries and constituents have rules and regulations which prevent this very activity that Lebowitz is trying to prevent – discriminating against consumers unfairly. In addition, the FTC has rules in place and there are clear practices that are allowed and disallowed.

If the dawn of the Internet age requires additional protections, we should put those in place. However, by creating blanket rules against tracking, we run the risk of riding in the wrong direction and invoking the law unintended consequences while harming consumers way more than protecting them.

To illustrate, let’s use a few different examples similar to the ones given by Lebowitz:

One day you go to the WebMD website to search for facts on salmonella. Click. Hundreds of others in your town also do the same thing and the CDC (which in partnership with WebMD is watching this clickstream data) anonymously starts to get a sense that there’s an outbreak. They react and save dozens of lives because of how fast they received the information that something was going on – well before anybody even started to register at local doctors and hospital groups with symptoms.

This is a very real example of the powerful use of data in a way that can be helpful to humanity and save lives. If the government prevented this kind of tracking, we would lose the ability to help large groups of people.

Another example:

One day you are surfing the web and you log into Macy’s, your favorite retailer website. Click. They have a dress you love but it’s way too expensive so you leave the site. Later that week, Macy’s puts the dress on sale and anonymously shows you a display ad that tells you the dress is 50% off. Click.

Again, a real example of how consumers are able to significantly benefit from online tracking. If that person hadn’t gone to the site and clicked on that dress, she may have never known that the dress went on sale, and would have missed out on a huge opportunity.

So it becomes clear that the answer isn’t preventing tracking – that is putting the cart before the horse and could lead to significantly more harm than good. The answer is preventing the misuse of the data to harm, and the FTC can and should continue to build whatever constructs are necessary to prevent misuse, fraud or unfair business practices. That would be getting on the horse and riding in the right direction.

In other news, a woman in Michigan is suing the distributor of the recently released movie “Drive” because the trailer suggested it there would be more car chase scenes. I’d suggest the defendants cite “The French Connection” precedent — one great car chase is worth the entire film.

While the latter case will likely be thrown out immediately (if not un-filed in embarrassment), the five against Facebook may not have much of a chance either considering that similar suits brought against online companies for wiretap law violations were summarily dismissed — if not settled first. As Future of Privacy Forum Director Jules Polonetsky explained to MSNBC, in addition to lack of grounds for a wiretapping case, many of these suits get canned because the defendants can’t show harm.

There’s definitely a whiff of ambulance-chasing in the air. One of the suits seeks statutory damages of $100 per day for every member of the class (the lawsuit is trying to certify all 150 million U.S. Facebook members as a class — so $15 billion a day, huh?) or $10,000 per violation, plus punitive damages, attorney fees and court costs.

Evidence disclosed in these lawsuits (if they make it anywhere) could be quite useful in understanding how Facebook maintains collected browsing data, but there’s a third-party not looking for Facebook’s money that could prove to be a better auditor: the Federal Trade Commission. And its findings could shake Internet consumers and tech developers out of our online privacy malaise.

But What’s Facebook Actually Done Now?

Right as the addition of Facebook apps freaked out some users about how much data was headed back to Papa Zuck, Australian developer Nik Cubrilovic illustrated that when you log out of Facebook, nine cookies still hop on your browser including the one with your unique account number. These stay on your browser until deleted (think about if you access the social network from a public computer) and record whenever you hit a site integrated with Facebook (which is like the half the Internet, right?).

Probably because we haven’t had a good Facebook privacy scandal in a while, the story got picked up across the media and Zuck & Crew were forced to answer. First off, they changed the logout rules so the cookie containing the user id (A_USER) was deleted on sign-out, along with A_XS, which is used to stop “cross-site forgery.” Facebook explained that the rest of the cookies are used for security purposes — pretty much challenging hacking attempts by ensuring users are who they claim to be on login.

Well, that explanation hasn’t sat right with everyone. DATR, the cookie that sends data back to Facebook from Facebook-integrated sites whether they’re logged in or not, was first noted by The Wall Street Journal (complete with hyper-paranoid and obtuse/not quite correct headline: “‘Like Button Follows Users”) back in the spring, but DATR was removed before publication of the article.

It’s back now – Stanford Security Lab’s Jonathan Mayer noticed it had begun appearing a few weeks and Cubrilovic asked Facebook just what it’s doing with the data sent from third-party sites:

“Facebook keeps the data collected for up to 90 days and then delete it. I believe them when they say this and that they are not hiding anything, but I also believe that our definitions of tracking differ. If you set a cookie on a users machine from one website, and then read that cookie from that persons machine from another website, that is tracking (emphasis in original)…. [I]t is still tracking and still has the potential to violate the privacy of users simply by being collected.

“At a minimum they are tracking by reading the cookies, and if you look further into some of the patents that Facebook has filed, as well as their business model (advertising), it is not a big leap to make to conclude that Facebook are tracking users and analyzing that data.”

Yep — speculation that it’s being used or could be used for advertising purposes, but no smoking gun. If Facebook is even using the cookie for security purposes, it’s associating browsing data with specific users. However, there’s no evidence such profiling is being used for targeted advertising. All the targeted advertising on Facebook is based on user-submitted/shared information.

Ad Network? Nah…

And Facebook has a great counter to claims it’s building profiles of browsing data: We don’t sell the data to third parties or have an ad network that employs behavioral targeting, and we’re not building one.

Of course, many in the industry are incredulous about that plea. Why? Money: Facebook is reportedly set to bring in $4 billion in ad revenue from on-site advertising, but that’s nothing compared to what Google brings in during a quarter.

And as it hit the 800 million user mark (with about half the U.S. population on the network), questions arose about the future of the network in general — after seeing Badgeville’s easily insertable social layer, I could imagine activity on Facebook the site slowing down. I was impressed with the introduction of apps, which nearly effortlessly connects off-site activities with the social network, but I still wonder if it’s about to hit peak velocity.

At a Federated Media conference during Internet Week, Facebook Vice President of Global Sales Carolyn Everson strongly pushed the (relatively) new Sponsored Stories unit, suggesting that Facebook wanted to “partner with brands” on their advertising. Facebook has long eschewed typical online advertising products (Everson suggested homepage takeovers would never appear on Facebook — but what about sleeves like on MySpace? No on that too?) even when it lead to disasters like Beacon (which also got Facebook sued — successfully).

Sure, Mark Zuckerberg wants to innovate in the online advertising arena, but it’s still hard to believe that Facebook simply won’t take advantage of the huge revenue opportunity staring it in the face – it’s got the data, it’s got the reach, so where’s the behavioral targeting platform and display network?

On the other hand, Zuck may be more concerned about the long-term survival of Facebook the brand and the social network (or possibly as a deeply integrated social layer stretching the Internet) that he won’t take the money and run.

Also, if Facebook was to turn on an ad network tomorrow, the public ire at the about-face could be overwhelming. And now there’s a service around that disenfranchised users could arguably jump to.

Online Privacy Fatigue

I caught a GigaOm piece by Derrick Harris lamenting the lack of media coverage regarding The Wall Street Journal’s privacy policy update that included the use of new registrants’ personal identifiable information in building online profiles — for content purposes only, they swore. (I had an email give and take with a WSJ press person who denied me any clarification on whether profiles built with PII and browsing data would be used in selling Harris’ story targeted advertising.)

One paragraph of particularly grabbed me:

“I don’t particularly care that the WSJ expanded its data mining reach — it’s the company’s right as long as we treat personal data as property that can be contracted away — but I do care what the lack of discussion says about how we think about online data privacy. If this had been Facebook making a similar move — or, actually, making a much less aggressive move — you couldn’t escape the outcry.”

Interestingly, this story was published on Oct. 4, when the outcry over the logged-out cookies was starting to boil. I was one of the proud few who immediately jumped on that story because it sounded like the WSJ network was implementing a profiling system that WSJ reporters had sensationalized in the year prior.(I have no issues with WSJ’s data mining either.)

But I was actually going to leave the latest Facebook “privacy scandal” to sites like ZDNet and Inside Facebook, which have offered great analysis. Truth be told, I just wasn’t that interested in diving into this mess again, painstakingly reading all the coverage and research to figure out what the hell was actually going on — whose claims were overstated, whose were obtuse and what the data actually meant. I just did it with Apple on “locationgate” and Hulu/KISSmetrics in regards to e-tag tracking.

Just like a lot of the ambivalent people (consumers and OBA industry folk) out there that Harris is worried about, I got a bad case of online privacy fatigue. There’s so much back and forth and so many accusations shouted into the media megaphone, but nothing really ever happens. Nothing ever changes. E.g., Facebook shut down the DATR cookie after WSJ got word and now it’s back on duty.

Today a research paper is being released at an event in Washington, DC, sponsored by the ACLU, Center for Digital Democracy, Consumer Action, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Privacy Information Center, Privacy Rights Clearinghouse, US PIRG and World Privacy Forum. The press invite claims it will definitively prove that tracking methods aren’t anonymous. When I sent some feelers out to industry contacts for their takes, I mainly received back yawns. Oh, this shit again.

The keynote at this speech, however, is being given by Federal Trade Commission Chair Jon Leibowitz, who, according to the press invite, will “discuss the proposed FTC framework for protecting consumer privacy and ensure industry can continue to innovate on the Internet.”

It so happens, EPIC joined eight other online privacy advocates (almost all involved in the above event) in writing a letter to the FTC asking the agency to investigate Facebooks use of tracking cookies post-logout. I hope they plead their case again because an FTC investigation is the ideal solution for both examining Facebook’s data collection practices and stirring the online privacy fatigue.

While the evidence disclosed in the suits mentioned at the top could be useful, it’s hard to ignore the ulterior motive — the remuneration demanded (for what harm?) in the lawsuits kind of shoots them in the foot. On the other hand, an unmotivated, third-party auditor could show us just what browsing data Facebook has and what it is doing with it.

And it’s time for the FTC to talk less and act more. For at least two years, the FTC has been fanning consumer fires over privacy controls while promising OBA companies it won’t “strangle the golden goose.” But what’s it actually done? File suit against some affiliate marketers? Great — that totally solved the belly fat ads crisis.

Granted, I’ve gotten used to the speed of digital innovation and forgotten the lurching pace at which Washington moves. But agency members constant tsk-tsking about the industry pulling its act together has only highlighted the lack of progress in an OBA framework.

Well, here’s your chance for action, FTC — to actually show you’re protecting online consumers while insuring a fledgling (relatively) industry can continue to flourish. Investigate Facebook’s use of tracking cookies, give us a detailed report. And please don’t take two years to do it….

The meetup — sponsored by the ACLU, Center for Digital Democracy, Consumer Action, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Privacy Information Center, Privacy Rights Clearinghouse, US PIRG and World Privacy Forum – is being held in the First Amendment Room at the National Press Club in Washington, DC from 8:45 a.m. to 11:00 a.m.; the live webcast can be viewed here.

In addition to general talk about digital privacy, Leibowitz is expected to discuss the FTC’s proposed framework for protecting consumer privacy while allowing online businesses to further innovate. Also speaking is Jonathan Mayer from the Stanford Security Laboratory (who raised the ire of many online ad companies earlier this summer); Christian Fjeld, senior counsel for the U.S. Senate Committee on Commerce, Science and Transportation; and other privacy and civil liberties advocates.