Newsroom

More than 40 groups sent a letter to President Obama today on the second anniversary of the Administration's promise it would seek a new "Consumer Privacy Bill of Rights." Although the President said in 2012 that "we can't wait" (link is external) for such new safeguards, so far the Administration has failed to deliver proposed legislative language. Civil rights, civil liberties, consumer, privacy and child advocacy groups signed the letter, which urged the President to now fulfill its commitment to advance enforceable rights for the public. The letter is attached. The New York Times editorial board also called (link is external) on the White House to deliver "specific legislative proposals."

Center for Digital Democracy Leads Coalition of Children’s, Health, and Consumer Advocates in Challenging District Court Decision Friend-of-the-Court Brief Urges Stronger Privacy Protections for Teen Facebook UsersWashington, DC: The Center for Digital Democracy, joined by a coalition of public health, children’s advocacy, and media justice groups, today filed an amicus curiae (“friend of the court”) brief in a case concerning teen privacy online. In Fraley v. Facebook, the social networking company was sued for violating the privacy of users of all ages, and the company settled with class-action attorneys before going to litigation. Facebook’s proposed settlement, which was eventually approved by the U.S. District Court, does not protect teen users from appearing in sponsored advertisements on Facebook, even though seven states forbid this kind of appropriation without parental consent. Although numerous parties have objected to the settlement, CDD’s brief specifically supports the objection of six families represented by Public Citizen, a leading consumer protection organization.CDD’s brief covers the many strong policy arguments in favor of having enhanced privacy protections online for teens. The settlement, and Facebook’s current policy, does nothing to account for teen development, or for the differences in how teens use and understand social media. The broad coalition of groups joining in the brief shows what an important case this is for the work of public health, digital-consumer rights, and childhood-obesity experts. Joining the brief are the American Academy of Child and Adolescent Psychiatry, American Academy of Pediatrics, Berkeley Media Studies Group, Center for Global Policy Solutions, Center for Science in the Public Interest, Children Now, Consumer Watchdog, First Star, Media Alliance, Media Literacy Project, Pediatrics Now, Public Health Advocacy Institute, Praxis Project, and Yale Rudd Center for Food Policy and Obesity.The proposed settlement was deemed so inimical to the privacy rights of teens that another nonprofit organization, Campaign for a Commercial-Free Childhood, rejected nearly $300,000 in compensation in order to come out against it and to support Public Citizen’s objection. “All of our organizations hope that the Ninth Circuit will see through a deal that was bad for teens and that tramples states’ legal protections of minors. The court has a great opportunity to respect states’ laws and the parents’ role simply by throwing the settlement out,” said Hudson Kingston, CDD’s legal director.A copy of the coalition’s brief is attached. See too the Appeal by our friends at the Children's Advovacy Institute.

Feb. 13, 2014 Facebook Settlement Endangers Kids and Breaks Law in Seven States, Public Interest Groups, Parents Tell 9th Circuit Children’s Privacy Organization Denounces Settlement, Refuses Money WASHINGTON, D.C. – Consumer, children’s safety, digital privacy groups and parents are urging a federal appeals court to toss out a settlement agreement that permits Facebook to use kids’ pictures in ads without the consent of their parents – which is illegal in seven states. In a brief filed today with the U.S. Court of Appeals for the Ninth Circuit, several parents, on behalf of their teenaged children, called on the court to vacate the settlement. “This settlement authorizes Facebook to continue doing what California and six other states specifically prohibit by law: use children’s images for advertising without their parents’ consent,” said Scott Michelman, attorney with Public Citizen, which is representing the parents in challenging the settlement. The other states are Florida, New York, Oklahoma, Tennessee, Virginia and Wisconsin. Margaret Becker of Brooklyn, N.Y., is one of the parents Public Citizen represents. She explained, “I’m fighting this settlement because Facebook shouldn’t be permitted to use my teenage daughter’s image for profit without my consent. The Internet compromises children's privacy in many ways that we parents must grapple with. But this settlement lets Facebook make my daughter a shill and leaves me powerless to stop it.” Added Hudson Kingston, legal director of the Center for Digital Democracy, which is filing an amicus brief supporting the challenge to the settlement, “Teens are unprepared to address the consequences of Facebook’s practice of creating ads with profile information but without their knowledge. If this settlement stands, teens face a serious loss of their privacy and a damaged reputation continuing into adulthood. Research proves teens are not ready for this kind of exposure, and parents’ consent for commercial appropriation is a necessary protection.” Also today, one of the groups designated in the settlement agreement to receive money, the Campaign (link is external)for a Commercial-Free Childhood (CCFC), announced that it was rejecting the money because it opposes the agreement. The group was to receive approximately $290,000 in a “cy pres” award – settlement money distributed to a public interest group whose work relates to the subject of the lawsuit. In a statement, the CCFC explained that the settlement’s supposed protections for minors were “hollow” and “meaningless.” “While we always understood the Fraley settlement agreement as a compromise, we came to understand that it’s worse than no settlement,” said CCFC Director Susan Linn, “Its purported protections are largely illusory, and it will undermine future efforts to protect minors on Facebook. We could do a lot of good with $290,000, but we cannot benefit from a settlement that we now realize conflicts with our mission to protect children from harmful marketing.” The case began with a lawsuit (link is external) filed in 2011 by some Facebook users over the use of their images in ads without their consent and the use of their children’s images without parental consent. If a user “likes” a company that advertises on Facebook, or if she “checks in” (identifies her location) at a restaurant, or uses an application associated with that company, her image may appear next to an ad for the business on Facebook, with text suggesting that she endorses that business. It is unlikely the children or the parents will know it’s going to happen until after it has occurred. Under a settlement that a federal district court approved in August, Facebook will include new language in its terms of service stating that users under age 18 “represent” that their parents consented to the use of the children’s names and images in advertising. The settlement does not require Facebook to obtain consent from the parents. “The capture and republication of teen postings by Facebook is a pernicious assault on their rights to decide where their messages should go,” said Professor Robert Fellmeth, director of the Children’s Advocacy Institute at the University of San Diego School of Law, which is representing another challenger to the settlement.

This letter was sent today to John Holdren, the director of the White House Office of Science and Technology Policy, and was signed by 25 groups. It calls on the White House to include a public comment period as part of its current 90-day "Big Data" review announced by the President during his speech on NSA reforms. It coincides as well with a meeting planned today on the issue led by John Podesta.

Today, CDD filed Comments (link is external) in the FTC's forthcoming (link is external)"Mobile Device Tracking" workshop (link is external) (Feb. 19) on mobile and retail tracking. As we explain (excerpt): While it is important to examine the individual components of what is an increasingly pervasive and unregulated source of commercial surveillance in the “Big Data” era, such as in-store tracking of consumers, the Federal Trade Commission (FTC) must place this one use of mobile tracking in a larger context. Such tracking is but one part of a more elaborate and increasingly seamless “always-on” collection apparatus that operates across devices and user experiences. This surveillance is invisible to most consumers and connected to a range of other practices such as “hyper-local” targeting, multi-screen tracking, and data broker-driven offline and online “connected recognition” and data on-boarding services. Current self-regulatory approaches are ineffective and do a disservice to consumers by falsely claiming to provide privacy protection and user control. The FTC should issue a set of recommendations to govern cross-platform marketing that includes mobile devices. This is urgently required as intrusive geo-locational data-gathering practices, some of which raise concerns about the potential for new forms of “digital redlining” and other discriminatory practices, dramatically expand during the next few years. We believe it is especially important for the FTC to examine how geo-location tracking is being used to identify people by race, ethnicity, economic class, and by their age (such as young people and seniors). The FTC should also reiterate its call for Congress to enact meaningful omnibus privacy legislation.... Today, consumer profiles are developed that include so-called first-, second-, and third-party data, linking our online and offline selves. This filing will not address the purposeful and disingenuous claim that such data profiles of individuals are “anonymous.” It is not the case, and the commission should reject such absurd claims. Companies say much of what they now do is “privacy compliant,” hiding behind the falsehood that cookies and all the other ways they collect and analyze data aren’t linked to an actual person. Such distortions should not be tolerated. Real people are being tracked and targeted.... The growth of hyper-local targeting is spurring new forms of segmentation of individuals and their distinct communities. The country is being broken up into highly discrete areas that are mapped to identify unique characteristics—beyond actual location. The use of these so-called “tiles” raises profound concerns. For example, PlaceIQ explains that “What we do is map data from multiple sources onto a grid of tiles that cover every square foot of the US. Each tile is 100 meters by 100 meters, and we inject third-party demographic information about that area into the tile, as well as data on what’s physically located there—points of interest like parks and airports, tourist attractions, retailers, stadiums, and so forth. Then, we connect that data with where a mobile device is in real time, or where it has recently been, to build unique audience segments for brands to target.”... The use of geo-fencing, “geobehavioral targeting,” “geo-cookies” and the role of location analytics, especially when integrated into broader data gathering, requires action by the FTC. As we will document for the forthcoming “Alternative Scoring Products” workshop, geo-location data are being made actionable at real-time events as well as used to make a range of critical decisions about an individual (whether they are credit worthy, seeking some product or service linked to sensitive concerns, etc.). These privacy and consumer-protection concerns extend beyond the individual to their communities and neighborhoods as well. The commission should examine the impact location-driven data gathering has on the financial health and consumer well-being of distinct communities, especially those in which its residents may suffer economically or due to other factors (such as age). CDD will soon be filing on Alternative Scoring Products (e-scores, lifetime value predictaors, etc) for the FTC's March 19th workshop. Today's Comments are attached.

When Facebook proposed (link is external) to change its data use practices late last August, we wrote a number of papers to help the FTC. This is one of them, which discusses the company's ad practices and its relationship to its privacy claims. This paper addresses a number of Facebook data use and digital marketing strategies, and their impact on user privacy.

“The Federal Trade Commission’s investigation of Apple sheds light on a growing practice that poses risks to children and families,” commented Jeff Chester, Executive Director of the Center for Digital Democracy. “Children are spending increasing amounts of time with mobile apps, generating potentially huge profits for the rapidly expanding gaming and app industries. In-app purchasing is becoming the dominant business model in many online games and other children’s entertainment content on mobile phones, tablets and gaming devices. Yet the techniques used to trigger these purchases are, in many cases, unfair and deceptive, taking advantage of children’s vulnerabilities. CDD commends today’s action by the commission. However, the agency should conduct a broad investigation of emerging techniques that target children on mobile, gaming and other platforms, and identify a set of industry-wide fair marketing guidelines.” “Today’s decision should be viewed as a first step in a wider initiative to develop clear government rules for protecting children and their families across a spectrum of digital devices,” said Dr. Kathryn Montgomery, Professor of Communication at American University, who led the campaign to enact the Children’s Online Privacy Protection Act (COPPA). “Just as we have principles and rules for safeguarding children’s privacy online, we need a policy for protecting young people and their families from covert and manipulative in-app marketing practices,” she explained. “Requiring app developers to secure informed parental consent before in-app purchases can be made will only address part of the problem. We need a comprehensive set of rules that take into account the cognitive and other developmental needs of children and their vulnerabilities in the digital marketplace.”

U.S. online marketing companies are pioneering the dramatic expansion of data collection throughout the world, as they gather, analyze, and make actionable all of our information. Giants such as Google and Facebook effectively become “private NSAs”—tracking us on social media, mobile devices, search engines, online games, and increasingly even when we are in the grocery or department store. Telephone companies involved with the NSA’s “bulk” data-collection program are expanding their own data gathering on the Internet and mobile devices as well. This information is used to create dossiers—online targeting profiles—on individuals. While U.S. online data companies will claim that all this information is used primarily for selling and interactive advertising, in reality it’s connected to a powerful system that uses personal data to make decisions about us in order to influence our behaviors. This handout is designed for a "Teach-in" held on December 17" on the impact of the Transatlantic Trade and Investment Partnership (TTIP). It discusses the relationship between NSA and U.S. commercial online data company practices.

A report written by Ed Mierzwinski of USPIRG and Jeff Chester of CDD.

CDD, joined by the Electronic Privacy Information Center, filed comments at the FTC yesterday opposing the request by AssertID that the commission approve a new method of verifiable parental consent under COPPA (Children's Online Privacy Protection Act). The proposed method would mine parents’ online social network information and ask third parties to judge whether that information is truthful or not, a method based on a “trust score” algorithm that the company claims is confidential and secret from the public. CDD asked the commission to oppose the application because it lacked information that explains how it assures that consenting parties are parents, and it leaves big questions about what the company is going to do with information it requires from parents. “This proposed method would take a parent’s personal information (including their location, photos, and full friends list from Facebook) and sensitive information on their child, without first telling parents that they had a right to refuse consent – parents have to pay out their own privacy in order to protect their children’s. This turns the regulations on their head by undercutting families’ privacy, and this method should not be approved by the FTC without significant changes in the application,” said CDD’s Legal Director, Hudson Kingston. The request (link is external)to approve a new parental consent mechanism is the first COPPA proceeding under the stronger children's privacy rules that went into effect last July. Jeff Chester, CDD's executive director, noted that this filing launches an expanded effort to ensure that online and mobile commercial sites and services are in compliance with COPPA's enhanced safeguards. "CDD has added legal, public outreach and technical resources designed to protect kids and empower parents and caregivers," he explained. The Institute for Public Representation at the Georgetown University Law Center, under the direction of Prof. Angela Campbell, collaborates with CDD on this child-protection initiative.

The Center for Digital Democracy (CDD) closely analyzes Facebook’s privacy and marketing policies. In partnership with other child advocacy, health and consumer organizations, we are in an on-going discussion about Facebook's data collection and marketing policies and its impact on children and teens. As part of our public outreach work, CDD is releasing “5 Reasons Why Facebook is Not Suitable for Children Under 13." The guide lays out some of the key problematic business and marketing practices that makes Facebook own data-driven marketing practices of concern for children. For example, it discusses how Facebook's marketing practices take advantage of children's cognitive, social and developmental vulnerabilities.CDD and our partners plan to expand the public conversation on children and Facebook to include issues related to the platform's extensive data collection, profiling and marketing practices. These issues compound existing concerns about children's risks involving cyberbullying, harmful content, or the activities of predators while on Facebook.The guide can be found below:

Earlier today, the Digital Advertising Alliance (DAA (link is external)) sent an email to the WC3 Tracking (link is external) Protecting list withdrawing from the group. Its email, along with one from the IAB and from former WC3 co-chair Peter Swire, follows CDD's statement: The DAA's opposition to a Do Not Track system that actually placed consumers in control is one of the key reasons the WC3 process has floundered. If the DAA power brokers--Google, Yahoo, and the ad giants, had really wanted to deliver new privacy protection clout to consumers, our work would have successfully finished a year ago. The DAA has not yet developed a serious (link is external) way to fulfill its promise (link is external)made to the White House in 2012--that they would give consumers the power to control data tracking. It's time for the White House to urge passage of consumer privacy safeguards that gives real ways online users can decide about how best to protect their privacy. Online consumers urgently require privacy safeguards, as they confront a Big Data powered data collection machine that closely tracks them wherever they are--whether on their mobile phones or in front of a personal computer. The DAA members do not want to face a rival Do Not Track system emerging from the WC3--especially one that exposes the inadequacy of its approach. We found it disingenuous for the DAA to claim, as it does, that among its rationale for leaving the WC3 is the failure to reach consensus on "Defining a harm or problem it seeks to prevent," and "Defining the term “tracking." This is merely an excuse, since the DAA and most of the data collection companies comprising the WC3 group know very well the range and applications of their own tracking systems. They have even claimed that such tracking should be exempt (link is external) from the very DNT process as well! Now we are going to have dueling DNT initatives. The DAA wants to meet with consumer and privacy groups, among others, on its plans moving forward. The WC3 will likely continue its work, although many participants (including CDD) believe it cannot deliver a consumer privacy friendly approach for DNT. Work to offer consumers some modest control over third-party data tracking--which is at the core of the current and limited DNT scheme--illustrates why we cannot rely on multistakeholder processes dominated by data collection companies to deliver better privacy for consumers. They have no incentive to do so; indeed, the expansion of data collection on individual users is occuring at an alarming rate. (link is external) CDD will continue, however, to play a role at the WC3 and its DNT work as long as it can help ensure a better outcome. We will also meet with the DAA. But this sad episode in the annals of privacy underscore why both the EU and U.S. need to enact strong safeguards on data protection. Here's the DAA email: Dear Mr. Jaffe: After serious consideration, the leadership of the Digital Advertising Alliance (DAA) has agreed that the DAA will withdraw from future participation in the World Wide Web Consortium (W3C) Tracking Protection Working Group (TPWG). After more than two years of good-faith effort and having contributed significant resources, the DAA no longer believes that the TPWG is capable of fostering the development of a workable “do not track” (“dnt”) solution. As we depart W3C and TPWG, DAA will focus its resources on convening its own forum to evaluate how browser-based signals can be used meaningfully to address consumer privacy. During more than two years since the W3C began its attempt at a dnt standard, the DAA has delivered real tools to millions of consumers. It has grown participation; enhanced transparency with more than a trillion ad impressions per month delivered with the DAA’s Icon making notice and choice information available within one-click of the ad; educated millions of consumers and provided browser-based persistent plug ins. The DAA has also succeeded in applying its principles to all of the participants in the digital ecosystem. Furthermore, we have expanded these consumer safeguards into 30 countries and clarified how the DAA’s Principles apply in the mobile Web and app environments. Going forward, the DAA intends to focus its time and efforts on growing this already-successful consumer choice program in “desktop,” mobile and in-app environments. The DAA is confident that such efforts will yield greater advances in consumer privacy and industry self-regulation than would its continued participation at the W3C. Despite extension after extension of its charter year after year by the W3C, the TPWG has yet to reach agreement on the most elementary and material issues facing the group. These open items include fundamental issues and key definitions that have been discussed by this group since its inception without reaching consensus, including: · Defining a harm or problem it seeks to prevent. · Defining the term “tracking”. · Identifying limitations on the use of unique identifiers. · Determining the effect of user choice. Concerned about the TPWG’s inability to resolve such basic issues, the DAA wrote a letter to you on October 2, 2012, expressing its strong concern with the W3C’s foray into setting public policy standards. In particular, the letter noted that the W3C “has been designed to build consensus around complex technology issues, not complex public policy matters.” In response, despite the turmoil evident at that time, you personally assured us that appropriate procedures and policies would be applied to the process and the W3C’s retention of Professor Swire would settle and bring legitimacy to the process. In the ensuing eight months that led up to the July 2013 deadline imposed on the TPWG, the DAA worked in good faith with other stakeholders, supporting proposals consistent with recommendations from the U.S. Administration and the former chairman of the Federal Trade Commission. Unfortunately, these efforts were rejected out of hand by TPWG co-chair Peter Swire, who jettisoned the long-accepted W3C procedure in order to anoint his own path forward. As others in the working group have substantiated, as a result of Swire’s actions there is no longer a legitimate TPWG procedure. Jonathan Mayer, commenting on the working process, stated, “We do not have clear rules of decision. And even if we were to have procedural commitments, they could be unilaterally cast aside at any time. This is not process: this is the absence of process.” Roy T. Fielding, Senior Principal Scientist at Adobe, highlighted the dictatorial approach taken by chairs who have eschewed participant input and subrogated participants’ right to vote on issues. In recent weeks, you have indicated to TPWG participants that you have no intent to revisit acts or processes (or the lack thereof) that occurred leading up to July 2013, and instead plan to move forward. However, it is not possible to move forward without an accounting for the previous flagrant disregard for procedure. Today, parties on all sides agree that the TPWG is not a sensible use of W3C resources and that the process will not lead to a workable result. For example, Jonathan Mayer, in his recent letter of resignation from the TPWG, stated: “Given the lack of a viable path to consensus, I can no longer justify the substantial time, travel, and effort associated with continuing in the Working Group.” John Simpson, the director of the Consumer Watchdog’s privacy project, commented on the news of the departure of TPWG co-chairman Professor Swire: “Peter Swire gave it a good shot, but I don’t think that he or anybody can get this group to a general consensus.” These participants and others who previously supported the TPWG now conclude that the process has devolved into an exercise in frustration on all sides without any meaningful increase in consumer choice or transparency. The DAA agrees with these parties on this matter. Therefore, rather than continue to work in a forum that has failed, we intend to commit our resources and time in participating in efforts that can achieve results while enhancing the consumer digital experience. The DAA will immediately convene a process to evaluate how browser-based signals can be used to meaningfully address consumer privacy. The DAA looks forward to working with browsers, consumer groups, advertisers, marketers, agencies, and technologists. This DAA-led process will be a more practical use of our resources than to continue to participate at the W3C. With the departure of the latest TPWG co-chair as well as a key staff member, and no definitive process to move forward, the DAA recommends that that the W3C should not attempt to resurrect a process that has clearly reached the end of its useful life. The DAA will continue to move forward in its own area of expertise, advancing consumer control, transparency, and other critical practices through its own program. Lou Mastria, CIPP, CISSP Managing Director Digital Advertising Alliance This email was sent by IAB to the WC3 list on September 13, 2013 and is related: Dear TPWG Chair, W3C Staff, and fellow TPWG Members, In accordance with the September 13th deadline for feedback on "the proposed plan", I respectfully provide the following feedback on the proposed plan and process: IAB, DAA, DMA, and NAI incorporates by reference, their objections submitted on July 12, 2013. See http://www.w3.org/2002/09/wbs/49311/datahygiene/results (link is external). In addition to renewing their objections to the use of the Editors' draft as the basis for moving forward, IAB, DAA, DMA, and NAI also respectfully submit the following feedback in opposition to proceeding with the proposed plan: 1. Genuine Working Group consensus cannot be achieved through the proposed plan and it remains entirely unclear what "consensus" means or how it is reached. The W3C contends that "[t]he Editors' Draft (based on the June draft) represents the most promising path toward consensus of the Working Group on the Tracking Compliance document." (Sep. 3, 2013 email from M. Schunter to public-tracking@w3.org (link sends e-mail)). But it is clear from the TPWG's unsuccessful efforts in June and July to reach consensus with the June draft that the June draft does not present a viable document from which to reach consensus. Although the term consensus is often used, it is unclear as to exactly what that term means or what is actually required to reach consensus. In conjunction with moving forward with a document that cannot create consensus, the W3C has also expressed its intention to close one issue per week starting in October. Id. "If there is no consensus, then the Chairs will issue a Call for Objections. In this case, the resolution will be based on the Chairs' assessment of the relative strength of the arguments. Working Group decisions made through a Call for Objections are also documented in a revision of the Editors' Draft." Id. This process of arbitrary decision making will likely create a disjointed patch-work document that would be neither the product of the working group nor a cohesive compliance document that could be adopted. Mr. Fielding, who has significant W3C experience, has expressed similar concerns with the co-chairs taking over the decision making process for the working group: In general, W3C staff have often (over 15+ years) made the mistake that they can speed the process of a working group by making decisions for the WG in the form of "simplifying". In all such cases, the WG derails ... making decisions for the WG means that there is no reason to have a WG, since you aren't letting us make the decisions that matter. Hence, in the future, stop trying to wag the dog -- let the group make its own decisions and act as a facilitator, not a judge. Found at http://www.w3.org/2013/09/04-dnt-minutes (link is external). 2. The Due Dates suggest that the Poll is an exercise in futility. Because the W3C is proceeding with Option 1 prior to the opening of the poll to discuss other options, it is apparent that the W3C is intent on moving forward with the proposed plan regardless of the outcome of the Poll. "The clear recommendation from the Chair/Staff is to make progress with Options 1 or 2." (Sep. 3, 2013 email from M. Schunter to public-tracking@w3.org (link sends e-mail)). We note that Option 2 only pushes out the hard issues to a later version of the standard. Unfortunately, the hard issues, those that cannot find consensus, are at the heart of the standard itself. Indeed, the W3C has suggested that the technology is not ready for a DNT standard: "Thus, we are focused on the appropriate DNT solution for release in 2013-14 which we call DNT 1.0. As technology and user references evolve, we fully expect that there will be further releases that address scenarios that are not well addressed today." (Sep. 3, 2013 email from M. Schunter to public-tracking@w3.org (link sends e-mail))(emphasis added). DAA, IAB, NAI, ANA, AAAA, DMA object to the W3C's approach of moving forward before the analysis of the poll results. 3. Move the issue closing process to one based on membership voting. This would fast track the process and could still allow for a formal objection process to follow. This mirrors the escalation structure to ACRs and has been discussed in the past. This process would be limited to W3C membership as they represent actual implementers of standards. 4. Consensus and decision-making o What exactly is the standard for consensus? o If the standard is "least strong objections," then please clarify what this means? Does it mean least strong substantively, or least strong in terms of the vigor of the objection, e.g. "my business will be killed by this and I can't live with it!" o Whose opinions count in weighing consensus, e.g. invited experts or multiple reps from a single organization? 5. Participation a. Who is an invited expert and how are they chosen? b. Third parties are the primary target of this standard, and the companies likely to be most impacted economically. Why are so few represented directly in the working group, and what will be done to increase their participation? c. Understanding that there should be a periodic review of invited experts per W3C rules (http://www.w3.org/2004/08/invexp (link is external) "Principles Guiding Invitations and Periodic Review"), can you please disclose when such reviews have occurred, if ever, on which invited experts, the determination of those reviews, and the rationale used for such determination? If no such review has been conducted, can you please supply the rationale for not conducting the reviews and indicate when such reviews will take place? d. In our opinion, most of the "invited experts" represent organizations "which have significant business interest in the results from W3C" noting that the W3C rules themselves state "this might even include some not-for-profit organizations." e. At least two invited experts have submitted their formal resignation from the working group, but have not yet been removed from the TPWG official roster. 6. Charter a. What is the meaning of "The Working Group will not design mechanisms for the expression of complex or general-purpose policy statements." b. What is the intent of this limitation? c. What is the meaning of "The group will actively engage governmental, industry, academic and advocacy organizations to seek global consensus definitions and codes of conduct." d. See participation above. What has the group done to ensure active engagement with /all/ relevant stakeholders, especially those who will likely be most impacted by this standard? 7. What are the criteria and milestones for continuing or winding down the group, if progress is not made? 8. W3C process requires an implementation and testing phase. How will this apply to the compliance specification? Can elements of the compliance spec become "features at risk"? What about crucial elements of the technical spec that are closely coupled with the policy? 9. Provide detailed timelines and decision criteria for each Formal Objection being considered prior to requesting WG input. 10. More firmly state within the updated plan that driving towards a standard that will achieve broad industry adoption is a core goal (otherwise, why are we here?). 11. We need clear criteria for reopening issues. The "new information" standard is overly vague and inconsistently applied. 12. We need assurances about the process for closing issues, including addressing the problem of having to continually raise and re-raise issues. We need a predictable, rational process for bringing issues to close. 13. What is the status of the global considerations effort? 14. Who is the new co-chair? It is impossible to express our faith or lack of it in the poll without knowing who will co-lead the group going forward. 15. What is the status of FTC participation, and who is speaking for the FTC? Is Ed Felton speaking for FTC? Or Paul Ohm? 16. What is the status of the PAG? Respectfully submitted on 9/13/2013, on behalf of the DAA, IAB, NAI and DMA, Chris Mejia, DAA & IAB Finally, one sent on 17 September from Peter Swire: To the Working Group: I note with sadness but not surprise the decision today by the Digital Advertising Alliance to withdraw from the Tracking Protection Working Group of the World Wide Web Consortium. In announcing their departure, they chose my actions as the most convenient excuse for leaving the process: “Unfortunately, these efforts were rejected out of hand by TPWG co-chair Peter Swire, who jettisoned the long-accepted W3C procedure in order to anoint his own way forward.” I share the frustration in the DAA message with the inability of the Working Group to achieve better results. I believe a fair review of the history, however, shows that the views of the DAA and its members were valued and included in months of hard work together in the Group: (1) I met individually with the leadership of each DAAmember during the “listening tour” in late 2012, after I was named co-chair. (2) A major part of the agenda at the February Face-to-Face, in Cambridge, was based on the DAA proposal concerning ways to limit access to a user’s lifetime browsing history. (3) DAA proposals and language were discussed in detail during weekly teleconferences for the next several months. Indeed, a repeated theme on the list during this period was the concern from consumer advocates that a disproportionateamount of time of the Group was being spent on DAA proposals. (4) In the lead-up to the May Face-to-Face in California, there were intensive negotiations on what became known as the Draft Framework, which became the agenda for our three-day meeting. The DAA was deeply enough involved in these negotiations that its General Counsel, Stu Ingis, presented the Draft Framework to the Group in one of its calls. (5) Coming out of the May meeting, the full group, including the DAA, issued a consensus document that enough progress had been made that we should continue to work toward the long-agreed Last Call deadline of the end of July. (6) As an effort to have one clear text that would be the focus of the Group’s efforts, we then had the summer process to create proposed language and then comments on a base text. Among the change proposals, by far the greatest amount of time on the Group calls was devoted to the text proposed by the DAA and those associated with it. (7) Both co-chairs, supported by W3C staff, then issued approximately 40 single-spaced pages of decision documents. These documents contained a massive number of footnotes and citations to the comments submitted by Working Group members. Based on the record developed by the full Group, these documents explained reasons why the June Draft would remain the base text rather than the proposal submitted by the DAA and those associated with it. In brief, the criteria for a standard that we discussed in Cambridge, based on the overall record, would not be met by the proposal submitted by the DAA and others. Based on this history, the DAA views were simply not rejected “out of hand.” My own view is that the Working Group does not have a path to consensus that includes large blocs of stakeholders with views as divergent as the DAA, on the one hand, and those seeking stricter privacy rules, on the other. I devoted my time as co-chair to trying to find creative ways to achieve consumer choice and privacy while also enabling a thriving commercial Internet. I no longer see any workable path to a standard that will gain active support from both wings of the Working Group. When participants don’t get the outcome they want on substance, they often blame the procedure. As an imperfect human being, and one working within the W3C processes for the first time, I am sure that I could have done better at various points on procedure. The actual procedure that led to the July decision came directly from my close discussions with W3C staff, and used the mechanism for resolving a disputed issue that the Working Group established and used before I became co-chair. I intensely share the frustration that all the hard work by members of the Working Group has not created a consensus path forward. I believe there is consensus in the Working Group that members have worked very hard, and I worked very hard, to find apath forward. I put almost all of my other professional work on hold, at financial cost to myself, to try to find a solution on Do Not Track. Going forward, there are cogent reasons for stakeholders to continue to work, inside and outside of W3C, to develop standards and good practices for commercial privacy on the Internet. We knew coming in that this was a hard problem. It remains a hard problem. The procedures at W3C this summer are not the reason that it became hard. With best wishes to all of you, Peter

Washington, DC: Over 20 public health, media, youth, and consumer advocacy groups sent a letter to the Federal Trade Commission (FTC) today objecting to Facebook’s recent proposed changes to its privacy policy. The groups raised concerns about the potential negative impact of these changes on teens. In a letter to the Federal Trade Commission’s Chairwoman Edith Ramirez, groups working on teen-related issues—including American Academy of Pediatrics, Consumers Union, Public Citizen, Consumer Watchdog, Pediatrics Now, and the National Collaboration for Youth—challenged changes to the “Statement of Rights and Responsibilities” that give Facebook permission to use, for commercial purposes, the name, profile picture, actions, and other information concerning its teen users. The groups also objected to new language directed at 13-17 year-old users that states that teens “represent that at least one of their guardian’s or parent’s have given consent for this use of their personal information on their behalf.” As groups with a broad range of expertise and years of research in issues related to marketing, media, public health, consumer rights, and youth, the concerns in the letter addressed—among other issues—the ways in which Facebook’s proposed changes would expose teens to the same problematic data collection and sophisticated ad-targeted practices that adults currently face. “These new changes should raise alarms among parents and any groups concerned about the welfare of teens using Facebook,” observed Joy Spencer, who runs the Center for Digital Democracy’s digital marketing and youth project. “By giving itself permission to use the name, profile picture and other content of teens as it sees fit for commercial purposes, Facebook will bring to bear the full weight of a very powerful marketing apparatus to teen social networks.” Dr. Gwenn O’Keefe at Pediatrics Now also expressed concern. “Given the number of teens who are legally on Facebook and pre-teens who are on there posing as teens,” she declared, “it’s in everyone’s interest that Facebook create an environment that is appropriate and healthy for the development of teens.” Citing the FTC’s 2011 Consent Decree with Facebook, the letter asked the agency to hold Facebook accountable, redress the changes, and protect the interests of teens. (A list of the 27 signatories is attached.) ### African American Collaborative Obesity Research Network American Academy of Child and Adolescent Psychiatry American Academy of Pediatrics Benton Foundation Berkeley Media Studies Group Campaign for a Commercial-Free Childhood Center for Digital Democracy Center for Global Policy Solutions Center for Media Justice Center for Science in the Public Interest Children’s Advocacy Institute Children Now Consumers Union Consumer Watchdog Corporate Accountability International Pediatrics Now Prevention Institute Public Citizen Public Health Advocacy Institute Public Health Institute Media Alliance Media Literacy Project Mercy Hospital’s Young People’s Healthy Heart Program National Collaboration for Youth Shaping Youth United Church of Christ, OC Inc. Yale Rudd Center for Food Policy and Obesity

The coalition's letter is attached. Facebook is violating the terms and spirit of its 2011 Consent Decree (link is external) with the Federal Trade Commission (FTC). As we have explained to FTC officials, the new policies planned by Facebook are designed to further expand its wide-ranging data collection and targeting apparatus. Facebook must be required to be candid and specific to its U.S. users on how its new data use policies reflect what it sells to marketers and advertisers (its various ad products, data techniques, focus on mobile, etc.). Without such candor and transparency, Facebook is fundamentally in violation of the 20-year committment it made to the American public via the FTC. The FTC has to stand up for the rights of U.S. consumers and make the Consent Decree--which the agency has repeatedly said has created new privacy safeguards for Internet users around the world--mean something. The agency has claimed (link is external) that its Facebook order "alone protects the privacy of more than a billion people world-wide." That has largely been a fiction--something anyone who follows Facebook (as we do at CDD) know. It's time for the FTC to take Facebook to court for violating its agreement. Facebook's new policy on its 13-17 year old users is especially alarming. It wants to target teens with an aggressive mix of data collection, profiling and tracking--without any safeguards.Here's what CDD's attorney Hudson Kingston said to us about Facebook's new tactic on teens: "Across the United States, states' laws don't allow minors to definitively bind themselves with a contract. Through legal fictions Facebook's new policy tries to bind both minors and their parents to consent to ongoing invasions of privacy, based only on the nonaction of teenage users. This violates the FTC 2011 Facebook Order's requirement of affirmative consent before the company undercuts privacy, as well as basic concepts of capacity to consent." Joy Spencer, who runs CDD's project on digital food marketing and youth, said: "Teens spend their lives online 24/7, especially on social media platforms like Facebook. They use Facebook to socialize and share critical information that often spreads quickly and has great power and influence within tight and trusted social networks. By changing its Statement of Rights and Responsibilities and Data Use Policy to grant itself permission to use the name, profile picture, content and other actions of teen users for commercial purposes and without their express consent or compensation, Facebook is definitely stepping over the line. Most teens do not share their personal photos and personal views on Facebook with the expectation that brands can take their pick of their images and actions to digitally market commercial products. What is most disturbing here is that Facebook is taking advantage of teens while they socialize with peers and exploiting their rightful need for self-expression in order to make a profit. The FTC should definitely step in to make sure this does not happen. " Facebook's redlined changes is attached in the FBSRS document. Here's what it says (my bold): 10. About Advertisements and Other Commercial Content Served or Enhanced by Facebook Our goal is to deliver advertisings and other commercial or sponsored content that are is valuable to our users and advertisers. In order to help us do that, you agree to the following: 1. You can use your privacy settings to limit how your name and profile picture may be associated with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us. You give us permission to use your name, and profile picture, content, and information in connection with commercial, sponsored, or relatedthat content (such as a brand you like) served or enhanced by us, subject to the limits you place. This means, for example, that you permit a business or other entity to pay us to display your name and/or profile picture with your content or information, without any compensation to you. If you have selected a specific audience for your content or information, we will respect your choice when we use it. If you are under the age of eighteen (18), or under any other applicable age of majority, you represent that at least one of your parents or legal guardians has also agreed to the terms of this section (and the use of your name, profile picture, content, and information) on your behalf.

Washington, DC: A report released today by the Center for Digital Democracy (CDD) criticizes the Obama Administration’s recent effort to establish new privacy safeguards for the Digital Era. The more than yearlong proceeding led by the Department of Commerce’s National Telecommunications and Information Administration (NTIA) to further the Administration’s proposed “Consumer Privacy Bill of Rights” failed to ensure that the public can be protected from the array of sophisticated mobile “app” data-gathering practices. The detailed, 34-page report, “Head in the Digital Sand,” argues that the lobbyist-dominated process failed to examine the actual operations of the mobile app industry and its impact on the ability of consumers to protect their privacy effectively. Among the most disturbing revelations is the growing use of real-time tracking and surveillance of individual mobile app users. Industry practices requiring investigation by the FTC are identified, including apps that stealthily eavesdrop on consumers to ensure they spend more on virtual goods and other services—moving them up, in industry parlance, from “minnows” to “dolphins” and then to big cash-generating “whales.” The report examines other mobile and app-related data collection practices, including the ways users are being tracked from device to device; how app developers “acquire” and target users; the role of so-called “ad exchanges” that auction off mobile consumers to advertisers in milliseconds, through the use of data-rich profiles; so-called “monetization” practices relied on by developers; and industry research on the unique personal relationship users have with mobile devices and content. In 2012, the White House released a privacy “blueprint” with seven “rights” that all consumers should be guaranteed, and urged Congress to enact legislation. The NTIA was also tasked with bringing industry, nonprofit organizations, and others together to develop so-called voluntary but enforceable codes of conduct to implement consumer privacy rights. However, as CDD’s report describes, the so-called “stakeholder” process failed to deliver meaningful and effective privacy safeguards. “There was an assumption that consumers would be willing to dispassionately analyze how an app uses their data before they try it out,” explained CDD Executive Director Jeff Chester. “But as our report reveals, there is already a sophisticated app marketing system in place that actually uses existing data, along with a host of interactive marketing tactics, to influence consumer decisions. Before they download an app, consumers need to know more than just what data that app may collect or share with sponsors or third parties,” he added. “They need to be told how the app really operates—whether it spies on them, whether the app experience will change in order to promote the sales of goods and virtual products, and precisely how any personal data might be used for purposes related to finances, health, their race or age, for example.” Last month, the NTIA hailed the work that led to a proposed “Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices.” On Thursday, August 29, the NTIA convenes a forum to address “lessons learned” about the work that produced the mobile app code and how that process should be structured for future work. CDD called on the Administration to release its long-promised legislation on consumer privacy, and to replace the NTIA with the Federal Trade Commission as the lead agency proposing new privacy rights for Americans. “The Administration has told the European Union that it has its privacy house in order,” said Chester. “But this initial effort, as well as the revelations of NSA surveillance, raises questions about how well the privacy of Europeans will be protected as a new Transatlantic trade deal (TTIP) is negotiated.” A copy of CDD’s new report on mobile apps and consumer privacy is available at www.democraticmedia.org The Visual Appendix can be downloaded via: https://www.hightail.com/download/bWJvblFOdENOQndVV01UQw (link is external) CDD works to protect the interests of consumers in the digital era, focusing on issues related to consumer privacy, public health, children and youth, and financial services.

Center for Digital Democracy Adds Legal Director Focusing on Youth Privacy and Digital Marketing Issues CDD Begins Industry Review to ensure new COPPA Rules are Enforced Washington, DC: Hudson Kingston has joined the Center for Digital Democracy (CDD) as its new Legal Director. Mr. Kingston will oversee CDD’s regulatory and industry initiatives to ensure that the Children’s Online Privacy Protection Act (COPPA) rules, recently updated by the Federal Trade Commission (FTC), protect children effectively. Under the new regulations, which went into effect in July 2013, a child’s privacy is better protected when they use mobile devices, social media, “Apps,” or online games. There are also new safeguards regulating marketing practices such as online behavioral targeting. CDD spearheaded a coalition of consumer, child advocacy, and public health groups during a four-year campaign to press the FTC to bring its COPPA rules up to date. “Hudson’s strong commitment to consumer protection and public health will help CDD represent the interests of young people in the digital era,” said executive director Jeff Chester. With a background in human rights and environmental law, Mr. Kingston worked on consumer protection issues at the Center for Food Safety, and also focused on national environmental policy at the White House Council on Environmental Quality. Hudson earned his J.D. from the University of Iowa and LL.M. degrees from both New York University and the National University of Singapore. He is a member of the New York and D.C. bars as well as the Federal District for D.C. Kingston has also worked on legal projects in Laos and India. “Now that the revised COPPA rules are in force, CDD intends to closely monitor the children’s online marketplace to help promote compliance,” explained Chester. “We are also stepping up our examination of data collection and interactive marketing practices targeting teens. Hudson will be working closely with the FTC and other policymakers and will be spearheading our regulatory efforts,” he noted. “Parents, as well as most Americans, believe children should be able to use the Internet without being surreptitiously tracked,” said Hudson. “I look forward to leading CDD's expanded efforts on COPPA and protecting minors from privacy and health threats.” CDD works to protect the interests of consumers in the digital era, including on issues related to public health, children and youth, and financial services.

The United State Trade Representative (USTR) holds hearings today for stakeholders to address issues related to the EU/US negotiations on the Transatlantic Trade and Investment Partnership (TTIP). CDD has been invited to testify. Here's a summary: EU and U.S. consumer groups, through the Transatlantic Consumer Dialogue, have already gone on record with USTR urging that data protection and data flow-related issues not be addressed in the TTIP negotiations. Both in the U.S. and the EU, policymakers are in the process of reviewing and potentially revising their respective privacy frameworks, making any trade agreement on the issue premature. However, the recent revelations of widespread data gathering by the U.S. and also European governments reported by the news media require a new approach for addressing digital products and e-commerce services, data flows, and data protection. We urge the USTR to call on the newly formed U.S. and EU review on privacy- and national security-related issues, which is now operating parallel to the start of the TTIP negotiations, to report its findings to the public. A thorough understanding of what data on citizens have been collected, and by whom (including by commercial entities), is required. Finally, digital products and services require a separate approach outside of the TTIP process. The civil liberties of individuals, including their right to privacy, should not be treated as just another commodity to be traded through negotiation.

The new FTC rules designed to better protect children's privacy kick-in on July 1, 2013. CDD and colleagues led a four-year campaign to help create these safeguards. The new rules better protect kids from stealth online tracking, the collection of their geo-location information by apps and mobile devices, data gathered by social media, etc. Here's a guide for parents to help them understand how to make COPPA work for them. Groups interested in learning how they can monitor online sites to ensure they are following the new safeguards, as well as file complaints with the FTC, can email us for a free COPPA compliance guide.