CDD

News

  • U.S. online marketing companies are pioneering the dramatic expansion of data collection throughout the world, as they gather, analyze, and make actionable all of our information. Giants such as Google and Facebook effectively become “private NSAs”—tracking us on social media, mobile devices, search engines, online games, and increasingly even when we are in the grocery or department store. Telephone companies involved with the NSA’s “bulk” data-collection program are expanding their own data gathering on the Internet and mobile devices as well. This information is used to create dossiers—online targeting profiles—on individuals. While U.S. online data companies will claim that all this information is used primarily for selling and interactive advertising, in reality it’s connected to a powerful system that uses personal data to make decisions about us in order to influence our behaviors. This handout is designed for a "Teach-in" held on December 17" on the impact of the Transatlantic Trade and Investment Partnership (TTIP). It discusses the relationship between NSA and U.S. commercial online data company practices.
  • A report written by Ed Mierzwinski of USPIRG and Jeff Chester of CDD.
  • CDD, joined by the Electronic Privacy Information Center, filed comments at the FTC yesterday opposing the request by AssertID that the commission approve a new method of verifiable parental consent under COPPA (Children's Online Privacy Protection Act). The proposed method would mine parents’ online social network information and ask third parties to judge whether that information is truthful or not, a method based on a “trust score” algorithm that the company claims is confidential and secret from the public. CDD asked the commission to oppose the application because it lacked information that explains how it assures that consenting parties are parents, and it leaves big questions about what the company is going to do with information it requires from parents. “This proposed method would take a parent’s personal information (including their location, photos, and full friends list from Facebook) and sensitive information on their child, without first telling parents that they had a right to refuse consent – parents have to pay out their own privacy in order to protect their children’s. This turns the regulations on their head by undercutting families’ privacy, and this method should not be approved by the FTC without significant changes in the application,” said CDD’s Legal Director, Hudson Kingston. The request (link is external)to approve a new parental consent mechanism is the first COPPA proceeding under the stronger children's privacy rules that went into effect last July. Jeff Chester, CDD's executive director, noted that this filing launches an expanded effort to ensure that online and mobile commercial sites and services are in compliance with COPPA's enhanced safeguards. "CDD has added legal, public outreach and technical resources designed to protect kids and empower parents and caregivers," he explained. The Institute for Public Representation at the Georgetown University Law Center, under the direction of Prof. Angela Campbell, collaborates with CDD on this child-protection initiative.
  • Earlier today, the Digital Advertising Alliance (DAA (link is external)) sent an email to the WC3 Tracking (link is external) Protecting list withdrawing from the group. Its email, along with one from the IAB and from former WC3 co-chair Peter Swire, follows CDD's statement: The DAA's opposition to a Do Not Track system that actually placed consumers in control is one of the key reasons the WC3 process has floundered. If the DAA power brokers--Google, Yahoo, and the ad giants, had really wanted to deliver new privacy protection clout to consumers, our work would have successfully finished a year ago. The DAA has not yet developed a serious (link is external) way to fulfill its promise (link is external)made to the White House in 2012--that they would give consumers the power to control data tracking. It's time for the White House to urge passage of consumer privacy safeguards that gives real ways online users can decide about how best to protect their privacy. Online consumers urgently require privacy safeguards, as they confront a Big Data powered data collection machine that closely tracks them wherever they are--whether on their mobile phones or in front of a personal computer. The DAA members do not want to face a rival Do Not Track system emerging from the WC3--especially one that exposes the inadequacy of its approach. We found it disingenuous for the DAA to claim, as it does, that among its rationale for leaving the WC3 is the failure to reach consensus on "Defining a harm or problem it seeks to prevent," and "Defining the term “tracking." This is merely an excuse, since the DAA and most of the data collection companies comprising the WC3 group know very well the range and applications of their own tracking systems. They have even claimed that such tracking should be exempt (link is external) from the very DNT process as well! Now we are going to have dueling DNT initatives. The DAA wants to meet with consumer and privacy groups, among others, on its plans moving forward. The WC3 will likely continue its work, although many participants (including CDD) believe it cannot deliver a consumer privacy friendly approach for DNT. Work to offer consumers some modest control over third-party data tracking--which is at the core of the current and limited DNT scheme--illustrates why we cannot rely on multistakeholder processes dominated by data collection companies to deliver better privacy for consumers. They have no incentive to do so; indeed, the expansion of data collection on individual users is occuring at an alarming rate. (link is external) CDD will continue, however, to play a role at the WC3 and its DNT work as long as it can help ensure a better outcome. We will also meet with the DAA. But this sad episode in the annals of privacy underscore why both the EU and U.S. need to enact strong safeguards on data protection. Here's the DAA email: Dear Mr. Jaffe: After serious consideration, the leadership of the Digital Advertising Alliance (DAA) has agreed that the DAA will withdraw from future participation in the World Wide Web Consortium (W3C) Tracking Protection Working Group (TPWG). After more than two years of good-faith effort and having contributed significant resources, the DAA no longer believes that the TPWG is capable of fostering the development of a workable “do not track” (“dnt”) solution. As we depart W3C and TPWG, DAA will focus its resources on convening its own forum to evaluate how browser-based signals can be used meaningfully to address consumer privacy. During more than two years since the W3C began its attempt at a dnt standard, the DAA has delivered real tools to millions of consumers. It has grown participation; enhanced transparency with more than a trillion ad impressions per month delivered with the DAA’s Icon making notice and choice information available within one-click of the ad; educated millions of consumers and provided browser-based persistent plug ins. The DAA has also succeeded in applying its principles to all of the participants in the digital ecosystem. Furthermore, we have expanded these consumer safeguards into 30 countries and clarified how the DAA’s Principles apply in the mobile Web and app environments. Going forward, the DAA intends to focus its time and efforts on growing this already-successful consumer choice program in “desktop,” mobile and in-app environments. The DAA is confident that such efforts will yield greater advances in consumer privacy and industry self-regulation than would its continued participation at the W3C. Despite extension after extension of its charter year after year by the W3C, the TPWG has yet to reach agreement on the most elementary and material issues facing the group. These open items include fundamental issues and key definitions that have been discussed by this group since its inception without reaching consensus, including: · Defining a harm or problem it seeks to prevent. · Defining the term “tracking”. · Identifying limitations on the use of unique identifiers. · Determining the effect of user choice. Concerned about the TPWG’s inability to resolve such basic issues, the DAA wrote a letter to you on October 2, 2012, expressing its strong concern with the W3C’s foray into setting public policy standards. In particular, the letter noted that the W3C “has been designed to build consensus around complex technology issues, not complex public policy matters.” In response, despite the turmoil evident at that time, you personally assured us that appropriate procedures and policies would be applied to the process and the W3C’s retention of Professor Swire would settle and bring legitimacy to the process. In the ensuing eight months that led up to the July 2013 deadline imposed on the TPWG, the DAA worked in good faith with other stakeholders, supporting proposals consistent with recommendations from the U.S. Administration and the former chairman of the Federal Trade Commission. Unfortunately, these efforts were rejected out of hand by TPWG co-chair Peter Swire, who jettisoned the long-accepted W3C procedure in order to anoint his own path forward. As others in the working group have substantiated, as a result of Swire’s actions there is no longer a legitimate TPWG procedure. Jonathan Mayer, commenting on the working process, stated, “We do not have clear rules of decision. And even if we were to have procedural commitments, they could be unilaterally cast aside at any time. This is not process: this is the absence of process.” Roy T. Fielding, Senior Principal Scientist at Adobe, highlighted the dictatorial approach taken by chairs who have eschewed participant input and subrogated participants’ right to vote on issues. In recent weeks, you have indicated to TPWG participants that you have no intent to revisit acts or processes (or the lack thereof) that occurred leading up to July 2013, and instead plan to move forward. However, it is not possible to move forward without an accounting for the previous flagrant disregard for procedure. Today, parties on all sides agree that the TPWG is not a sensible use of W3C resources and that the process will not lead to a workable result. For example, Jonathan Mayer, in his recent letter of resignation from the TPWG, stated: “Given the lack of a viable path to consensus, I can no longer justify the substantial time, travel, and effort associated with continuing in the Working Group.” John Simpson, the director of the Consumer Watchdog’s privacy project, commented on the news of the departure of TPWG co-chairman Professor Swire: “Peter Swire gave it a good shot, but I don’t think that he or anybody can get this group to a general consensus.” These participants and others who previously supported the TPWG now conclude that the process has devolved into an exercise in frustration on all sides without any meaningful increase in consumer choice or transparency. The DAA agrees with these parties on this matter. Therefore, rather than continue to work in a forum that has failed, we intend to commit our resources and time in participating in efforts that can achieve results while enhancing the consumer digital experience. The DAA will immediately convene a process to evaluate how browser-based signals can be used to meaningfully address consumer privacy. The DAA looks forward to working with browsers, consumer groups, advertisers, marketers, agencies, and technologists. This DAA-led process will be a more practical use of our resources than to continue to participate at the W3C. With the departure of the latest TPWG co-chair as well as a key staff member, and no definitive process to move forward, the DAA recommends that that the W3C should not attempt to resurrect a process that has clearly reached the end of its useful life. The DAA will continue to move forward in its own area of expertise, advancing consumer control, transparency, and other critical practices through its own program. Lou Mastria, CIPP, CISSP Managing Director Digital Advertising Alliance This email was sent by IAB to the WC3 list on September 13, 2013 and is related: Dear TPWG Chair, W3C Staff, and fellow TPWG Members, In accordance with the September 13th deadline for feedback on "the proposed plan", I respectfully provide the following feedback on the proposed plan and process: IAB, DAA, DMA, and NAI incorporates by reference, their objections submitted on July 12, 2013. See http://www.w3.org/2002/09/wbs/49311/datahygiene/results (link is external). In addition to renewing their objections to the use of the Editors' draft as the basis for moving forward, IAB, DAA, DMA, and NAI also respectfully submit the following feedback in opposition to proceeding with the proposed plan: 1. Genuine Working Group consensus cannot be achieved through the proposed plan and it remains entirely unclear what "consensus" means or how it is reached. The W3C contends that "[t]he Editors' Draft (based on the June draft) represents the most promising path toward consensus of the Working Group on the Tracking Compliance document." (Sep. 3, 2013 email from M. Schunter to public-tracking@w3.org (link sends e-mail)). But it is clear from the TPWG's unsuccessful efforts in June and July to reach consensus with the June draft that the June draft does not present a viable document from which to reach consensus. Although the term consensus is often used, it is unclear as to exactly what that term means or what is actually required to reach consensus. In conjunction with moving forward with a document that cannot create consensus, the W3C has also expressed its intention to close one issue per week starting in October. Id. "If there is no consensus, then the Chairs will issue a Call for Objections. In this case, the resolution will be based on the Chairs' assessment of the relative strength of the arguments. Working Group decisions made through a Call for Objections are also documented in a revision of the Editors' Draft." Id. This process of arbitrary decision making will likely create a disjointed patch-work document that would be neither the product of the working group nor a cohesive compliance document that could be adopted. Mr. Fielding, who has significant W3C experience, has expressed similar concerns with the co-chairs taking over the decision making process for the working group: In general, W3C staff have often (over 15+ years) made the mistake that they can speed the process of a working group by making decisions for the WG in the form of "simplifying". In all such cases, the WG derails ... making decisions for the WG means that there is no reason to have a WG, since you aren't letting us make the decisions that matter. Hence, in the future, stop trying to wag the dog -- let the group make its own decisions and act as a facilitator, not a judge. Found at http://www.w3.org/2013/09/04-dnt-minutes (link is external). 2. The Due Dates suggest that the Poll is an exercise in futility. Because the W3C is proceeding with Option 1 prior to the opening of the poll to discuss other options, it is apparent that the W3C is intent on moving forward with the proposed plan regardless of the outcome of the Poll. "The clear recommendation from the Chair/Staff is to make progress with Options 1 or 2." (Sep. 3, 2013 email from M. Schunter to public-tracking@w3.org (link sends e-mail)). We note that Option 2 only pushes out the hard issues to a later version of the standard. Unfortunately, the hard issues, those that cannot find consensus, are at the heart of the standard itself. Indeed, the W3C has suggested that the technology is not ready for a DNT standard: "Thus, we are focused on the appropriate DNT solution for release in 2013-14 which we call DNT 1.0. As technology and user references evolve, we fully expect that there will be further releases that address scenarios that are not well addressed today." (Sep. 3, 2013 email from M. Schunter to public-tracking@w3.org (link sends e-mail))(emphasis added). DAA, IAB, NAI, ANA, AAAA, DMA object to the W3C's approach of moving forward before the analysis of the poll results. 3. Move the issue closing process to one based on membership voting. This would fast track the process and could still allow for a formal objection process to follow. This mirrors the escalation structure to ACRs and has been discussed in the past. This process would be limited to W3C membership as they represent actual implementers of standards. 4. Consensus and decision-making o What exactly is the standard for consensus? o If the standard is "least strong objections," then please clarify what this means? Does it mean least strong substantively, or least strong in terms of the vigor of the objection, e.g. "my business will be killed by this and I can't live with it!" o Whose opinions count in weighing consensus, e.g. invited experts or multiple reps from a single organization? 5. Participation a. Who is an invited expert and how are they chosen? b. Third parties are the primary target of this standard, and the companies likely to be most impacted economically. Why are so few represented directly in the working group, and what will be done to increase their participation? c. Understanding that there should be a periodic review of invited experts per W3C rules (http://www.w3.org/2004/08/invexp (link is external) "Principles Guiding Invitations and Periodic Review"), can you please disclose when such reviews have occurred, if ever, on which invited experts, the determination of those reviews, and the rationale used for such determination? If no such review has been conducted, can you please supply the rationale for not conducting the reviews and indicate when such reviews will take place? d. In our opinion, most of the "invited experts" represent organizations "which have significant business interest in the results from W3C" noting that the W3C rules themselves state "this might even include some not-for-profit organizations." e. At least two invited experts have submitted their formal resignation from the working group, but have not yet been removed from the TPWG official roster. 6. Charter a. What is the meaning of "The Working Group will not design mechanisms for the expression of complex or general-purpose policy statements." b. What is the intent of this limitation? c. What is the meaning of "The group will actively engage governmental, industry, academic and advocacy organizations to seek global consensus definitions and codes of conduct." d. See participation above. What has the group done to ensure active engagement with /all/ relevant stakeholders, especially those who will likely be most impacted by this standard? 7. What are the criteria and milestones for continuing or winding down the group, if progress is not made? 8. W3C process requires an implementation and testing phase. How will this apply to the compliance specification? Can elements of the compliance spec become "features at risk"? What about crucial elements of the technical spec that are closely coupled with the policy? 9. Provide detailed timelines and decision criteria for each Formal Objection being considered prior to requesting WG input. 10. More firmly state within the updated plan that driving towards a standard that will achieve broad industry adoption is a core goal (otherwise, why are we here?). 11. We need clear criteria for reopening issues. The "new information" standard is overly vague and inconsistently applied. 12. We need assurances about the process for closing issues, including addressing the problem of having to continually raise and re-raise issues. We need a predictable, rational process for bringing issues to close. 13. What is the status of the global considerations effort? 14. Who is the new co-chair? It is impossible to express our faith or lack of it in the poll without knowing who will co-lead the group going forward. 15. What is the status of FTC participation, and who is speaking for the FTC? Is Ed Felton speaking for FTC? Or Paul Ohm? 16. What is the status of the PAG? Respectfully submitted on 9/13/2013, on behalf of the DAA, IAB, NAI and DMA, Chris Mejia, DAA & IAB Finally, one sent on 17 September from Peter Swire: To the Working Group: I note with sadness but not surprise the decision today by the Digital Advertising Alliance to withdraw from the Tracking Protection Working Group of the World Wide Web Consortium. In announcing their departure, they chose my actions as the most convenient excuse for leaving the process: “Unfortunately, these efforts were rejected out of hand by TPWG co-chair Peter Swire, who jettisoned the long-accepted W3C procedure in order to anoint his own way forward.” I share the frustration in the DAA message with the inability of the Working Group to achieve better results. I believe a fair review of the history, however, shows that the views of the DAA and its members were valued and included in months of hard work together in the Group: (1) I met individually with the leadership of each DAAmember during the “listening tour” in late 2012, after I was named co-chair. (2) A major part of the agenda at the February Face-to-Face, in Cambridge, was based on the DAA proposal concerning ways to limit access to a user’s lifetime browsing history. (3) DAA proposals and language were discussed in detail during weekly teleconferences for the next several months. Indeed, a repeated theme on the list during this period was the concern from consumer advocates that a disproportionateamount of time of the Group was being spent on DAA proposals. (4) In the lead-up to the May Face-to-Face in California, there were intensive negotiations on what became known as the Draft Framework, which became the agenda for our three-day meeting. The DAA was deeply enough involved in these negotiations that its General Counsel, Stu Ingis, presented the Draft Framework to the Group in one of its calls. (5) Coming out of the May meeting, the full group, including the DAA, issued a consensus document that enough progress had been made that we should continue to work toward the long-agreed Last Call deadline of the end of July. (6) As an effort to have one clear text that would be the focus of the Group’s efforts, we then had the summer process to create proposed language and then comments on a base text. Among the change proposals, by far the greatest amount of time on the Group calls was devoted to the text proposed by the DAA and those associated with it. (7) Both co-chairs, supported by W3C staff, then issued approximately 40 single-spaced pages of decision documents. These documents contained a massive number of footnotes and citations to the comments submitted by Working Group members. Based on the record developed by the full Group, these documents explained reasons why the June Draft would remain the base text rather than the proposal submitted by the DAA and those associated with it. In brief, the criteria for a standard that we discussed in Cambridge, based on the overall record, would not be met by the proposal submitted by the DAA and others. Based on this history, the DAA views were simply not rejected “out of hand.” My own view is that the Working Group does not have a path to consensus that includes large blocs of stakeholders with views as divergent as the DAA, on the one hand, and those seeking stricter privacy rules, on the other. I devoted my time as co-chair to trying to find creative ways to achieve consumer choice and privacy while also enabling a thriving commercial Internet. I no longer see any workable path to a standard that will gain active support from both wings of the Working Group. When participants don’t get the outcome they want on substance, they often blame the procedure. As an imperfect human being, and one working within the W3C processes for the first time, I am sure that I could have done better at various points on procedure. The actual procedure that led to the July decision came directly from my close discussions with W3C staff, and used the mechanism for resolving a disputed issue that the Working Group established and used before I became co-chair. I intensely share the frustration that all the hard work by members of the Working Group has not created a consensus path forward. I believe there is consensus in the Working Group that members have worked very hard, and I worked very hard, to find apath forward. I put almost all of my other professional work on hold, at financial cost to myself, to try to find a solution on Do Not Track. Going forward, there are cogent reasons for stakeholders to continue to work, inside and outside of W3C, to develop standards and good practices for commercial privacy on the Internet. We knew coming in that this was a hard problem. It remains a hard problem. The procedures at W3C this summer are not the reason that it became hard. With best wishes to all of you, Peter
  • Washington, DC: Over 20 public health, media, youth, and consumer advocacy groups sent a letter to the Federal Trade Commission (FTC) today objecting to Facebook’s recent proposed changes to its privacy policy. The groups raised concerns about the potential negative impact of these changes on teens. In a letter to the Federal Trade Commission’s Chairwoman Edith Ramirez, groups working on teen-related issues—including American Academy of Pediatrics, Consumers Union, Public Citizen, Consumer Watchdog, Pediatrics Now, and the National Collaboration for Youth—challenged changes to the “Statement of Rights and Responsibilities” that give Facebook permission to use, for commercial purposes, the name, profile picture, actions, and other information concerning its teen users. The groups also objected to new language directed at 13-17 year-old users that states that teens “represent that at least one of their guardian’s or parent’s have given consent for this use of their personal information on their behalf.” As groups with a broad range of expertise and years of research in issues related to marketing, media, public health, consumer rights, and youth, the concerns in the letter addressed—among other issues—the ways in which Facebook’s proposed changes would expose teens to the same problematic data collection and sophisticated ad-targeted practices that adults currently face. “These new changes should raise alarms among parents and any groups concerned about the welfare of teens using Facebook,” observed Joy Spencer, who runs the Center for Digital Democracy’s digital marketing and youth project. “By giving itself permission to use the name, profile picture and other content of teens as it sees fit for commercial purposes, Facebook will bring to bear the full weight of a very powerful marketing apparatus to teen social networks.” Dr. Gwenn O’Keefe at Pediatrics Now also expressed concern. “Given the number of teens who are legally on Facebook and pre-teens who are on there posing as teens,” she declared, “it’s in everyone’s interest that Facebook create an environment that is appropriate and healthy for the development of teens.” Citing the FTC’s 2011 Consent Decree with Facebook, the letter asked the agency to hold Facebook accountable, redress the changes, and protect the interests of teens. (A list of the 27 signatories is attached.) ### African American Collaborative Obesity Research Network American Academy of Child and Adolescent Psychiatry American Academy of Pediatrics Benton Foundation Berkeley Media Studies Group Campaign for a Commercial-Free Childhood Center for Digital Democracy Center for Global Policy Solutions Center for Media Justice Center for Science in the Public Interest Children’s Advocacy Institute Children Now Consumers Union Consumer Watchdog Corporate Accountability International Pediatrics Now Prevention Institute Public Citizen Public Health Advocacy Institute Public Health Institute Media Alliance Media Literacy Project Mercy Hospital’s Young People’s Healthy Heart Program National Collaboration for Youth Shaping Youth United Church of Christ, OC Inc. Yale Rudd Center for Food Policy and Obesity
  • The coalition's letter is attached. Facebook is violating the terms and spirit of its 2011 Consent Decree (link is external) with the Federal Trade Commission (FTC). As we have explained to FTC officials, the new policies planned by Facebook are designed to further expand its wide-ranging data collection and targeting apparatus. Facebook must be required to be candid and specific to its U.S. users on how its new data use policies reflect what it sells to marketers and advertisers (its various ad products, data techniques, focus on mobile, etc.). Without such candor and transparency, Facebook is fundamentally in violation of the 20-year committment it made to the American public via the FTC. The FTC has to stand up for the rights of U.S. consumers and make the Consent Decree--which the agency has repeatedly said has created new privacy safeguards for Internet users around the world--mean something. The agency has claimed (link is external) that its Facebook order "alone protects the privacy of more than a billion people world-wide." That has largely been a fiction--something anyone who follows Facebook (as we do at CDD) know. It's time for the FTC to take Facebook to court for violating its agreement. Facebook's new policy on its 13-17 year old users is especially alarming. It wants to target teens with an aggressive mix of data collection, profiling and tracking--without any safeguards.Here's what CDD's attorney Hudson Kingston said to us about Facebook's new tactic on teens: "Across the United States, states' laws don't allow minors to definitively bind themselves with a contract. Through legal fictions Facebook's new policy tries to bind both minors and their parents to consent to ongoing invasions of privacy, based only on the nonaction of teenage users. This violates the FTC 2011 Facebook Order's requirement of affirmative consent before the company undercuts privacy, as well as basic concepts of capacity to consent." Joy Spencer, who runs CDD's project on digital food marketing and youth, said: "Teens spend their lives online 24/7, especially on social media platforms like Facebook. They use Facebook to socialize and share critical information that often spreads quickly and has great power and influence within tight and trusted social networks. By changing its Statement of Rights and Responsibilities and Data Use Policy to grant itself permission to use the name, profile picture, content and other actions of teen users for commercial purposes and without their express consent or compensation, Facebook is definitely stepping over the line. Most teens do not share their personal photos and personal views on Facebook with the expectation that brands can take their pick of their images and actions to digitally market commercial products. What is most disturbing here is that Facebook is taking advantage of teens while they socialize with peers and exploiting their rightful need for self-expression in order to make a profit. The FTC should definitely step in to make sure this does not happen. " Facebook's redlined changes is attached in the FBSRS document. Here's what it says (my bold): 10. About Advertisements and Other Commercial Content Served or Enhanced by Facebook Our goal is to deliver advertisings and other commercial or sponsored content that are is valuable to our users and advertisers. In order to help us do that, you agree to the following: 1. You can use your privacy settings to limit how your name and profile picture may be associated with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us. You give us permission to use your name, and profile picture, content, and information in connection with commercial, sponsored, or relatedthat content (such as a brand you like) served or enhanced by us, subject to the limits you place. This means, for example, that you permit a business or other entity to pay us to display your name and/or profile picture with your content or information, without any compensation to you. If you have selected a specific audience for your content or information, we will respect your choice when we use it. If you are under the age of eighteen (18), or under any other applicable age of majority, you represent that at least one of your parents or legal guardians has also agreed to the terms of this section (and the use of your name, profile picture, content, and information) on your behalf.
  • Washington, DC: A report released today by the Center for Digital Democracy (CDD) criticizes the Obama Administration’s recent effort to establish new privacy safeguards for the Digital Era. The more than yearlong proceeding led by the Department of Commerce’s National Telecommunications and Information Administration (NTIA) to further the Administration’s proposed “Consumer Privacy Bill of Rights” failed to ensure that the public can be protected from the array of sophisticated mobile “app” data-gathering practices. The detailed, 34-page report, “Head in the Digital Sand,” argues that the lobbyist-dominated process failed to examine the actual operations of the mobile app industry and its impact on the ability of consumers to protect their privacy effectively. Among the most disturbing revelations is the growing use of real-time tracking and surveillance of individual mobile app users. Industry practices requiring investigation by the FTC are identified, including apps that stealthily eavesdrop on consumers to ensure they spend more on virtual goods and other services—moving them up, in industry parlance, from “minnows” to “dolphins” and then to big cash-generating “whales.” The report examines other mobile and app-related data collection practices, including the ways users are being tracked from device to device; how app developers “acquire” and target users; the role of so-called “ad exchanges” that auction off mobile consumers to advertisers in milliseconds, through the use of data-rich profiles; so-called “monetization” practices relied on by developers; and industry research on the unique personal relationship users have with mobile devices and content. In 2012, the White House released a privacy “blueprint” with seven “rights” that all consumers should be guaranteed, and urged Congress to enact legislation. The NTIA was also tasked with bringing industry, nonprofit organizations, and others together to develop so-called voluntary but enforceable codes of conduct to implement consumer privacy rights. However, as CDD’s report describes, the so-called “stakeholder” process failed to deliver meaningful and effective privacy safeguards. “There was an assumption that consumers would be willing to dispassionately analyze how an app uses their data before they try it out,” explained CDD Executive Director Jeff Chester. “But as our report reveals, there is already a sophisticated app marketing system in place that actually uses existing data, along with a host of interactive marketing tactics, to influence consumer decisions. Before they download an app, consumers need to know more than just what data that app may collect or share with sponsors or third parties,” he added. “They need to be told how the app really operates—whether it spies on them, whether the app experience will change in order to promote the sales of goods and virtual products, and precisely how any personal data might be used for purposes related to finances, health, their race or age, for example.” Last month, the NTIA hailed the work that led to a proposed “Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices.” On Thursday, August 29, the NTIA convenes a forum to address “lessons learned” about the work that produced the mobile app code and how that process should be structured for future work. CDD called on the Administration to release its long-promised legislation on consumer privacy, and to replace the NTIA with the Federal Trade Commission as the lead agency proposing new privacy rights for Americans. “The Administration has told the European Union that it has its privacy house in order,” said Chester. “But this initial effort, as well as the revelations of NSA surveillance, raises questions about how well the privacy of Europeans will be protected as a new Transatlantic trade deal (TTIP) is negotiated.” A copy of CDD’s new report on mobile apps and consumer privacy is available at www.democraticmedia.org The Visual Appendix can be downloaded via: https://www.hightail.com/download/bWJvblFOdENOQndVV01UQw (link is external) CDD works to protect the interests of consumers in the digital era, focusing on issues related to consumer privacy, public health, children and youth, and financial services.
  • Center for Digital Democracy Adds Legal Director Focusing on Youth Privacy and Digital Marketing Issues CDD Begins Industry Review to ensure new COPPA Rules are Enforced Washington, DC: Hudson Kingston has joined the Center for Digital Democracy (CDD) as its new Legal Director. Mr. Kingston will oversee CDD’s regulatory and industry initiatives to ensure that the Children’s Online Privacy Protection Act (COPPA) rules, recently updated by the Federal Trade Commission (FTC), protect children effectively. Under the new regulations, which went into effect in July 2013, a child’s privacy is better protected when they use mobile devices, social media, “Apps,” or online games. There are also new safeguards regulating marketing practices such as online behavioral targeting. CDD spearheaded a coalition of consumer, child advocacy, and public health groups during a four-year campaign to press the FTC to bring its COPPA rules up to date. “Hudson’s strong commitment to consumer protection and public health will help CDD represent the interests of young people in the digital era,” said executive director Jeff Chester. With a background in human rights and environmental law, Mr. Kingston worked on consumer protection issues at the Center for Food Safety, and also focused on national environmental policy at the White House Council on Environmental Quality. Hudson earned his J.D. from the University of Iowa and LL.M. degrees from both New York University and the National University of Singapore. He is a member of the New York and D.C. bars as well as the Federal District for D.C. Kingston has also worked on legal projects in Laos and India. “Now that the revised COPPA rules are in force, CDD intends to closely monitor the children’s online marketplace to help promote compliance,” explained Chester. “We are also stepping up our examination of data collection and interactive marketing practices targeting teens. Hudson will be working closely with the FTC and other policymakers and will be spearheading our regulatory efforts,” he noted. “Parents, as well as most Americans, believe children should be able to use the Internet without being surreptitiously tracked,” said Hudson. “I look forward to leading CDD's expanded efforts on COPPA and protecting minors from privacy and health threats.” CDD works to protect the interests of consumers in the digital era, including on issues related to public health, children and youth, and financial services.
  • The United State Trade Representative (USTR) holds hearings today for stakeholders to address issues related to the EU/US negotiations on the Transatlantic Trade and Investment Partnership (TTIP). CDD has been invited to testify. Here's a summary: EU and U.S. consumer groups, through the Transatlantic Consumer Dialogue, have already gone on record with USTR urging that data protection and data flow-related issues not be addressed in the TTIP negotiations. Both in the U.S. and the EU, policymakers are in the process of reviewing and potentially revising their respective privacy frameworks, making any trade agreement on the issue premature. However, the recent revelations of widespread data gathering by the U.S. and also European governments reported by the news media require a new approach for addressing digital products and e-commerce services, data flows, and data protection. We urge the USTR to call on the newly formed U.S. and EU review on privacy- and national security-related issues, which is now operating parallel to the start of the TTIP negotiations, to report its findings to the public. A thorough understanding of what data on citizens have been collected, and by whom (including by commercial entities), is required. Finally, digital products and services require a separate approach outside of the TTIP process. The civil liberties of individuals, including their right to privacy, should not be treated as just another commodity to be traded through negotiation.
  • The new FTC rules designed to better protect children's privacy kick-in on July 1, 2013. CDD and colleagues led a four-year campaign to help create these safeguards. The new rules better protect kids from stealth online tracking, the collection of their geo-location information by apps and mobile devices, data gathered by social media, etc. Here's a guide for parents to help them understand how to make COPPA work for them. Groups interested in learning how they can monitor online sites to ensure they are following the new safeguards, as well as file complaints with the FTC, can email us for a free COPPA compliance guide.
  • Today, the United States Trade Representatives convenes two days of hearings (see attached agenda) to help it formulate a negotiating policy for the forthcoming EU/U.S. trade pact--known as the Transatalantic Trade and Investment Partnership (TTIP). CDD is one of the consumer groups that has been asked to brief its Policy Staff Committee.A number of U.S. industry groups, including the "Digital Trade Coalition" (Sidley & Austin) and the Coaltion for Privacy & Free Trade (Hogan Lovells)--in what illustrates how healthy fiction writing is at some law firms--paint a picture of a robust system protecting privacy here (we've attached their comments to USTR as well because they are worth reviewing to illustrate what the online data lobby agenda is). These coalitions want the U.S. to seek a trade deal that would allow our ineffective privacy regime to be considered "interoperable" with the EU's human rights and civil liberties robust approach. As we will explain later today, the U.S. is just at the very beginning in its efforts to protect consumer privacy in the digital era--hampered by many of the very forces these business coalitions represent. A number of U.S. online data companies, for example, are even unwilling to support even a modest Do Not Track standard, or stronger rules to protect youth, let alone serious privacy legislation.Consumer and privacy groups which are also members of the Transatantlic Consumer Dialogue will also speak on the TTIP, including on its impact on health, food safety, IP and other issues.
  • Today, the United States Trade Representatives convenes two days of hearings (see attached agenda) to help it formulate a negotiating policy for the forthcoming EU/U.S. trade pact--known as the Transatalantic Trade and Investment Partnership (TTIP). CDD is one of the consumer groups that has been asked to brief its Policy Staff Committee. A number of U.S. industry groups, including the "Digital Trade Coalition" (Sidley & Austin) and the Coaltion for Privacy & Free Trade (Hogan Lovells)--in what illustrates how healthy fiction writing is at some law firms--paint a picture of a robust system protecting privacy here (we've attached those comments to USTR as well because they are worth reviewing to illustrate what the online data lobby agenda is). These coalitions want the U.S. to seek a trade deal that would allow our ineffective privacy regime to be considered "interoperable" with the EU's human rights and civil liberties robust approach. As we will explain later today, the U.S. is just at the very beginning in its efforts to protect consumer privacy in the digital era--hampered by many of the very forces these business coalitions represent. A number of U.S. online data companies, for example, are even unwilling to support even a modest Do Not Track standard, or stronger rules to protect youth, let alone serious privacy legislation. Consumer and privacy groups which are also members of the Transatantlic Consumer Dialogue will also speak on the TTIP, including on its impact on health, food safety, IP and other issues.
  • Hispanics embrace of digital technologies, such as mobile phones, and their growing economic clout is attracting intense interest from marketers. This report highlights some of the recent recent research and activities aimed at the U.S. Hispanic market. We will be updating this report, including adding links which provide more information on the marketplace (and which raise privacy and consumer protection issues). 6/2/2013 Update: http://www.pulpomedia.com/the-ihispanic-opportunity.html; (link is external) http://www.pulpomedia.com/iHispanic-media.html (link is external) Big Data Hispanic Targeting: http://luminarinsights.com/solutions/customer-decision-engine/ (link is external)
  • In a 4-0 decision, the FTC agreed with CDD and a coalition of consumer, public health, and child advocay groups to reject calls from the online marketing lobby to delay the implementation of the new COPPA rules. The decision can be read here. (link is external)Our coalition's oppostion to the industry request played an important role in the commission's decision. It can be reviewed here. (link is external)The commission's action sent an important message that protecting the privacy of children and empowering parents/caregivers is a core value which must be respected.
  • This EU-commissioned report--"Assessment of Young people's exposure to alcohol marketing in audiovisual and online media" analyzes the role of Facebook and other social media. It was written by Rand Europe (and CDD is cited, among many others).
  • The leading U.S. consumer groups and many others filed this today at the Federal Trade Commission asking for the new children's safeguards to go into effect as planned this July. It's in response to requests made last week by the trade groups Interactive Advertising Bureau (see attached) and Application Developers Alliance (link is external). The filing well-documents why the new rules better protecting children online and empowering parents are needed now. It also serves as a counter-point to the Direct Marketing Association (link is external) and media business lobby FTC filing also seeking a delay of the rules.
  • Second in a series from leading U.S. privacy and consumer NGOs on the failure of U.S. law and regulation to protect privacy.
  • A series of the failure of U.S. privacy policies to protect consumers. The first paper was written by CDD on the failure of self-regulation. The second was written by the ACLU and Friends of Privacy, USA.
  • CDD and U.S. PIRG Education Fund filed comments yesterday with the FFIEC (link is external), the federal body which develops policies for the Consumer Financial Protection Bureau, Federal Reserve, FDIC, etc. We called for a set of strong safeguards to protect consumers from largely opaque and unfair social media marketing practices used in the financial marketplace. It especially called for regulation with the growing use of predictive "scoring (link is external)" products that evaluate how a financial service can view the creditworthiness of a consumer. The filing also called for an investigation into how Facebook's marketing appartus is used in the consumer financial marketplace, and the need to closely scrutinize the growing role of mobile devices.