A Modest Privacy Proposal

The Senate Commerce, Science & Transportation Committee is holding a hearing tomorrow on Privacy Implications of Online Advertising. Appearing before the committee headed by long-time Senator Daniel K.
Written by Tom Steinert-Threlkeld on

The Senate Commerce, Science & Transportation Committee is holding a hearing tomorrow on Privacy Implications of Online Advertising. Appearing before the committee headed by long-time Senator Daniel K. Inouye (D-Hawaii) are lawyers for Google and Microsoft, as well as Facebook's chief privacy officer -- and Robert R. Dykes, the chairman and CEO of NebuAd, Inc.

NebuAd has been taking a hammering for trying to bring "'behavioral targetting" to cable and telephone companies which provide access to the Internet. Its software would allow companies who act as Internet service providers to track pretty much every movement on the Web. Not just searches, which has gotten Google and Yahoo a fair amount of flack. Google only this week finally put a link to its privacy policy on its home page, after a judge ruled that it must turn over YouTube user information to Viacom, in their billion-dollar fight over intellectual property rights for online video content. The link is now the last word on the page.

Also see: YouTube vs. Viacom: Google’s IP wins; Users lose

For its part, NebuAd said that it was now prepared to deliver two new options for Internet service providers to tell Web surfers that their movements are being tracked: Direct online notification and a "network-based opt-out mechanism."

So far, NebuAd has not made it clear how these two techniques will work. Sure, it releases its "breakthrough" announcement the day before the Senate hearing. But, because of the hearing, its primary spokesman, Dykes, is not making himself available for an explanation. And the company, so far, can't find a backup who can provide a walk-through.

But if you read between the lines, NebuAd has no intention of making these two new techniques for disclosing what's going on mandatory. Its customers get to choose whether to provide the online notification or the opportunity to opt out of being tracked.

Specifically, NebuAd's release says it has:

"developed a means to offer consumers direct, initial online notification and periodic reminders - thereby equipping users with more opportunities to make informed decisions about their web experience."

But it signals that it is not going to make a big deal out of it, when, in the next breath it says:

"current mail and email notification practices remain the most reliable and acceptable means of ensuring consumer awareness for many companies."

The online notice is just "another method of direct communication that NebuAd's partners may find appropriate in a variety of circumstances."

As for the option to opt-out, NebuAd said it is "developing a network-based opt-out mechanism that is not reliant on web browser cookies."

And its ISP customers "can offer" this to their subscribers " in order to honor their opt-out choices in a more persistent manner than current systems widely used today."

Thank you very much.

With such commitment to upfront disclosure of how an Internet service provider is tracking its customers, it's no wonder that Dykes is appearing in Washington, D.C., to explain what his company is doing.

Now, Dykes seems to have sorted out issues pretty well, in the past. NebuAd tracks users by a number that it assigns, rather than the user's Internet address. And the company does not, it says, record visits to pornography or gaming sites. It's also careful about recording interests in sensitive areas, such as interest in medical conditions or personal bankruptcy.

But you can't help but feel that there you can't cover all bets, a priori, if you institute tracking of all or nearly all movements on the Web. There will be a request for data from a third party -- like a government, somewhere -- that couldn't be anticipated, the onions will get turned over and the layers peeled back.

Yahoo, after all, took it on the chin in China in 2005, for its role in the imprisonment of a journalist and for agreeing to restrict access to sensitive subjects like democracy or Taiwanese independence.

The big telcos -- Verizon and AT&T -- in 2007 lit up a similar furor, by turning over customers' telephone records to federal authorities, without court orders to do so.

Verizon and AT&T, of course, want to be everyone's Internet service providers. Charter Communications, the fourth largest cable operator, was going to use NebuAd's tracking software, but pulled back.

Doing away with tracking is not an option. Because the Internet is almost entirely advertising supported. And do you really want to pay (or not pay) for the alternative?

A would-be Google rival calledMyWay.com uses "No Banners. No Pop-Ups. No Kidding." as its pitch to grab users. But do a search on, say, "online privacy issues" and see if you can see the first result on you screen. You can't. You have to scroll down past 10 sponsored links before you get to the first of 10 unsponsored links.

Then there's the basically unknown Cyberfinder engine, which touts its ad-free searching. Its top listing on "Alex Rodriguez Madonna" is a rumor posting in a blog on June 30. And there's no way to limit the search to the last 24 or 48 hours. There's a reason Google lets you search on "news" for any topic. You get ... new articles. What a concept.

So here's a modest proposal to the Congress, starting with the Senate Commerce, Science & Transportation Committee.

Require upfront notices to Web surfers that appear on their screen the first time they visit any site that issues a cookie or uses any other technology to keep a record of their activity on that site. This would apply to any site, not just search sites.

The notice would lead directly to the privacy policy of the site.

And, instead of making the policy so long and indecipherable that the user just clicks on an "I Accept" button to get past the screen, the specific information (Internet address, pages visited, search terms used, etc.) that would be gathered would have to be disclosed in the first two paragraphs. ("Be it known that to support the business operations of this site, we gather this information about you each time you visit: ...)

A limit on overall length would be in keeping with real disclosure of real information. A standard format, akin to the nutrition information found on all packaged food in this country, would be even better.

As for Internet service providers, who have access to any keystroke made on a connected computer, the requirement should be not "opt out," but "opt in." Internet access providers get paid for providing access. If they want to get into online advertising, let them get consent.


Editorial standards


How to use your phone to diagnose your car's 'check engine' light
BlueDriver Bluetooth dongle

How to use your phone to diagnose your car's 'check engine' light

Don't let Janet Jackson's 'Rhythm Nation' crash your old laptop

Don't let Janet Jackson's 'Rhythm Nation' crash your old laptop

Elon Musk drops details about Tesla's humanoid robot

Elon Musk drops details about Tesla's humanoid robot