Publishings

Facebook engaged in a "Thanksgiving surprise" last week (link is external), announcing changes to its "Rights and Responsibilities" system of involving users in its decisions on data collection and privacy. It also announced plans designed to make additional collection of data readily available for them to use, including from so-called affiliates. Through its Facebook Exchange (link is external)and other data-enabled marketing (link is external) services--especially designed to bolster its ability (link is external)to monetize (link is external) through mobile devices--the social media behometh is pushing the privacy envelope. EPIC and CDD's letter asks Mr. Zuckerberg to reverse course. Stay tuned for further action. PS: Take a look at this clip (link is external)from Citizen Kane, when he signed his "Declaration of Principles." Remember when you see it that Kane--as he becomes successful as a media mogul--abandons them.

CDD and EPIC (link is external) submitted this letter to the FTC today. Both groups have had a long history of monitoring Facebook's privacy and online data-related marketing practices. We have both worked to ensure that the FTC and other regulators engage in the due diligence required to ensure Facebook respects the privacy rights of its users. Over the last several months, we have especially analyzed Facebook's growing (link is external)use of user data (link is external) as part of its ad exchange (link is external), including Datalogix (link is external). There are a range of data partners (link is external)that raise critical concerns. Here are some of Datalogix's data collection and user targeting affiliates--a never ending data daisy chain: Admeld (link is external), adnetik (link is external) (Digilant), appnexus, (link is external) Audience Science (link is external), bluekai (link is external), Cadreon (link is external), DataXU, (link is external) eXelate (link is external), invite media, (link is external) jumptap (link is external), Lotame (link is external), Mediamat (link is external)h, netmining, resonate, Rocket Fuel, (link is external) Tribal Fusion, TURN, (link is external) ValueClick, Vivaki, (link is external) X+1 (link is external) and Xaxis. The letter is attached.

Continuing its work to protect the privacy of children under 13 in the "Big Data" era, a coalition of leading groups just filed Comments with the Federal Trade Commission on its proposed new rules under the Children's Online Privacy Protection Act (COPPA). Many of these groups worked to get the law passed back in 1998. Even back then the kinds of personalized data collection commonplace today was part of our design for COPPA (since the basic "one-to-one" data collection model has remained a dominant paradigm). Under the proposed FTC rules, parents would be empowered for the first time to make decisions about whether online marketers, including on mobile devices, can stealthily use "cookies" and other unique and persistent identifiers to track and target a child. The filing explains how companies such as Viacom (Nick.com, etc), Time Warner/Turner (Cartoon Network) and Disney (Disney XD, etc) are using advanced state of the art data collection tools to track, profile and target users online. It discusses documents and other information we uncovered during our investigation for this filing that raise serious concerns about the commitment of many online companies to protect the privacy of kids and ensure parents are in charge. Groups filing these comments with CDD include: American Academy of Child and Adolescent Psychiatry, Berkeley Media Studies Center, Campaign for a Commercial Free-Childhood, Center for Media Justice, CSPI, ChangeLab Solutions, Children Now, Consumer Action, Consumer Federation of America, Consumers Union, the advocacy and policy division of Consumer Reports, Consumer Watchdog, National Consumers League, Privacy Rights Clearinghouse, Public Citizen, Public Health Advocacy Institute and The Praxis Project. The FTC filing was written by Prof. Angela Campbell and Fellow Laura Moy at the Institute for Public Representation, Georgetown Law Center. She was assisted by her able law students. CDD provided research and analysis.

CDD statement on today's FTC COPPA (link is external) proposal. Today, the FTC took a giant step to protect children's privacy by proposing that the online data broker industry be required to comply with the Children's Online Privacy Protection Act (COPPA). Children--like adults--confront a pervasive data collection and targeting system made up of ad networks, data exchanges, and other digital marketing companies able to target anyone in real-time. The FTC's proposal ensures that parents will have control over how information can be collected from their children via mobile phones, online games and when they use computers. In addition, the commission will also rein in the data brokers targeting kids who use social media, so-called "plug-ins," to gather information on a child and their friends. Consumer, child advocacy, privacy and public health groups have called on the FTC to ensure that COPPA protects kids and empowers parents in today's data collection intensive, targeting 24/7 online environment. This proposal will help accomplish this. We are concerned, however, about the lobbying of the Walt Disney Company and others to secure an exemption for so-called family websites. We will be reviewing the commission's proposal and industry practices on such sites.

When CDD reviewed the proposed Facebook Sponsored Stories (link is external) settlement it was clear it failed to address how marketing and targeting on the social network really works. It also didn't do anything to ensure that parents and teens have the control they require over the Sponsored Story process (link is external) and its inter-related series (link is external)of premium ad products. Clearly, Facebook users require a settlement that protects their privacy and rights. As Sponsored Stories is deployed on the mobile p (link is external)latform, and Facebook users confront new privacy threats from the Facebook Exchange ad targeting (link is external) service, as well as new measurement (link is external) capabilities, policies need to be enacted to protect users (especially adolescents and other youth). We revised our letter of objection, now that a new Judge has been assigned to the case.

This letter was sent today to Lawrence Strickling, Ass't Sec of Commerce, as well as The White House. Despite our best efforts (link is external) to encourage the Commerce Department to ensure that people across the country can meaningfully participate in the first key stakeholder meeting scheduled for 12 July, the agency has failed to embrace an effective means to do so. Over the last few weeks we did get the Commerce people to change their plans to allow some outside of the Beltway involvement--but in a very limited way. The groups previously submitted a set of principles (link is external) last February to help govern the negotiations and ensure equitable representation and deliberation. Today's letter is attached. See too Consumer Federation of America press statement. (link is external)

Today, CDD, Consumers Union and a coalition of leading child advocacy, health, consumer and privacy groups sent a letter to Facebook CEO Mark Zuckerberg. The letter discusses the safeguards required to ensure Facebook `does no harm' to young people if it decides to open its platform to children (in order to comply with COPPA, etc).

Today we filed Comments on the Obama Administration's privacy plan via the Dep't of Commerce proceeding. Highlights below. Need for Legislation: We have said from the beginning of this process that the reliance on multi-stakeholder negotiations to effectively protect consumer welfare, including privacy, is a flawed approach....what is required is more courageous action by the Obama Administration: the submission to Congress of draft legislation that implements the CPBR principles. Multi-stakeholder Negotiations Must Address the Full Scope of the CPBR Principles at Each Stage: In order for any “code of conduct” to be developed, each issue (such as mobile applications, ethnic/racial digital profiling, youth online marketing, real-time targeting) must reflect all of the administration’s Privacy Bill of Rights. Stakeholders Should Decide the Topics, not the Administration: The administration should respect the independence of the multi-stakeholder process to identify issues for negotiation. Commit to the W3C’s Do-Not-Track Multi-stakeholder Process: The administration should clarify that it fully supports the multi-stakeholder process now underway by the World Web Consortium’s Tracking Protection Working Group. The support by the White House of the Digital Advertising Alliance’s closed-door, non-transparent, and non-representative work on Do-Not-Track suggests there is a lack of serious commitment to an independent and participatory multi-stakeholder process. The Department of Commerce should immediately recognize that the WC3’s work on Do-Not-Track is part of the development of meaningful new codes of conduct... All Issues Must Be on the Table, with No Exemptions for Self-regulatory Codes: Some digital data collection trade groups have suggested, in recent Congressional testimony, that the multi-stakeholder deliberations “should target only those issues that are not subject to existing statutory regimes or self-regulatory programs..." The administration should reject such a self-serving suggestion, which would deprive U.S. consumers of having fairly negotiated codes of conduct. Industry self-regulatory codes have been developed without public input, and already have drawn criticism from leading scholars. All issues must be addressed if this process is to have credibility Ensuring a Transparent and Open Process: these deliberations must be public...We urge that they be Webcast, and that there is a robust mechanism put in place for both the news media and the public to be informed of the proceedings... Issues related to both Children and Adolescents Should Be Addressed in Every Topic Identified for a Code of Conduct: Rather than addressing young people under a separate code of conduct, we support identifying the child and adolescent issues raised by each issue Concerns on the International Role for the Multi-stakeholder Negotiations and Codes of Conduct: We have grave reservations about the U.S. attempting to negotiate a “code of conduct” as the equivalent of formal law (such as in the EU) or where effective new consumer protection laws are required (such as in South America or the Asia Pacific markets). There isn’t a one-size-protects-all privacy regime that can be exported from the U.S Ensuring an Informed Discussion About the Digital Data Collection Landscape: One cannot easily choose a small piece of the puzzle (such as the “low-hanging fruit” of mobile privacy) to tackle, because all types of data collection and analysis are intrinsically connected to the fundamental forces shaping privacy in the commercial digital era. Ensuring Civil Society Participation, Especially Independent NGOs: We support the “Principles for Multi-Stakeholder Process” endorsed by leading NGOs on February 23, 2012 (with the leadership of the World Privacy Forum)... There must be robust civil society involvement in each deliberation, with sufficient levels of participation to ensure an effective—not marginal—contribution.

FTC Makes Advances Protecting the Privacy of Americans in Big Data Era, with Call for Congress to Rein-in Data Brokers But major concerns loom as report leaves consumers vulnerable to widespread data collection and tracking. Battles ahead as consumer group presses for action Statement of Jeff Chester, Executive Director, Center for Digital Democracy The Commission’s new privacy report zeros in on one of the most glaring threats to consumers today—the growth of the online-merged with-offline data collection complex. In its call for Congress to enact legislation to rein in the data broker industry, the FTC has opened up an important new ‘front’ in the battle to protect consumer privacy. Today, consumers face an ever growing and largely invisible data apparatus that collects and pools their information 24/7. The harvesting and sale--often in real-time--of our valuable data, including about our financial and health interests, poses a major threat to consumers. The FTC’s call for legislation is a digital wake-up call to Congress. The commission’s recommendation that Do-Not-Track means do not collect, potentially could help create a powerful new privacy tool for consumers. Overall, the FTC’s call for ensuring the public has greater control over how their data is collected and used online, should prompt industry leaders to rethink how they address protecting consumer privacy. The FTC's further clarification of what is considered personally identifiable information is also a step forward. However, we call on the FTC to specifically spell out how to ensure consumers have meaningful “choice” to control the collection and use of their information. The commission’s overall support for industry self-regulation (such as the largely invisible “icon” placed on ads) is disappointing, and reveals a FTC still too often constrained from effectively protecting the public. We see this report and the recent White House Consumer Privacy Bill of Rights endorsing what consumer groups have been warning about for years--that the Internet's growing focus on the tracking of individuals, along with the sale of their data by a largely out of view digital marketing industry, requires 21st Century consumer protection safeguards. Other key elements in the report: The commission’s proposal on affiliates and third-parties also helps rein-in a dizzying digital-consumer tracking daisy chain. Websites that share data with other parts of their company or ad networks require new safeguards. Requiring affirmative consent for the collection and use of sensitive information, including on first and third party sites. This is a positive step forward as consumers increasingly are targeted by financial and health marketers. But if consumers are to be protected, the FTC (and for financial, the CFPB) must engage in serious enforcement efforts. Called on the online ad industry (Digital Advertising Alliance, DAA) to work “within the W3C process” on Do-not-Track. The World Wide Web Consortium's (W3C) work on Do-not-Track is being potentially undermined by a separate effort organized by the DAA. Today, the FTC sent a message that it expects the online ad industry to work with the “multi-stakeholder” process established by W3C. [CDD is a member of the W3C Tracking Protection Group]. The commission resisted calls from the telephone and cable lobby to endorse the controversial Deep-Packet Inspection (DPI) surveillance system. The FTC plans to hold a workshop and conduct further study on this critical privacy and civil liberties issue, which is prudent. The report calls for greater protections for teens when they are targeted, something CDD has urged. The commission will expand its focus on mobile privacy, including applications and transactions.

This letter was sent today to US and EU policymakers.

This letter from the US/EU consumer group organization (link is external)Trans Atlantic Consumer Dialogue, which formally advises both the EU and US, calls on Google to suspend its planned privacy changes.

CDD has made a commitment to the White House that it will work on “multi-stake holder” negotiations to help develop new consumer online privacy safeguards. We recognize that in the absence of federal legislation, the inability of the FTC to issue regulations, and the ever-increasing digital data collection system, some progress must be made to protect consumers. Increasingly, consumers face a daily whirlwind of data collection, confronting a vast and largely uncontrollable apparatus that tracks their every move. Whether we are using a PC, a mobile device, playing a video game or even listening to music, our information is being stealthily packaged into personal data profiles. Our financial, health, political, and family data are sold to the highest online bidder, whether they are marketers, financial companies or even political parties. The White House’s new framework for protecting privacy, especially its Bill of Rights, is an important development to protect consumers in the digital age. Consumers require a “Bill of Rights” that ensure they are in control over their personal information—not the digital data companies. As the public increasingly relies on the Internet to make purchases and other financial decisions, they also should have 21st Century consumer protection safeguards. However, the new framework largely depends on the development of voluntary codes of conduct, to be negotiated between consumer groups and companies like Google, Facebook, Microsoft, Yahoo and others. Consumers groups, such as CDD, will engage in these negotiations in good faith. But we cannot accept any “deal” that doesn’t really protect consumers, and merely allows the data-profiling status quo to remain. Instead of negotiations, CDD would have preferred the White House to introduce new legislation that clearly protected consumers online. Two, we are very concerned that the Administration’s new privacy plan is designed to undermine the European Union’s rights-based approach protecting privacy. The U.S. online data companies are the global leaders in digital advertising, especially Google and Facebook. These companies increasingly feel threatened by a EU approach that protects its citizens from pervasive and unaccountable data collection. We will not support an effort by the U.S. to secure a trade agreement with the EU and the Asia Pacific region that permits digital marketers to collect user data unabated. A voluntary code of conduct should not be the basis of a global trade deal designed to bolster Google and Facebook profits. Finally, we are also concerned about today’s announcement by the Digital Advertising Alliance (DAA), including Google, that they will develop its own Do-Not-Track system. The plan by the DAA to add Do-Not-Track to its self-regulatory system could derail a promising privacy effort by the Worldwide Web Consortium standards group (W3C) that is being designed to give consumers greater control over data collection. The new DAA scheme will enable companies to continue to collect profiling data on users, and merely prevent the delivery of targeted ads. DAA members are terrified about the development of a DNT system with teeth, which would stop so much data collection, profiling and tracking. The White House and the FTC should ensure that consumers can receive the benefits of a robust, uniform and independent DNT service. We should not allow Do-Not-Track to be hijacked by the data collection industry

The attached complaint was sent today to the FTC, including the following to the Secretary, Commissioners, and staff: The Center for Digital Democracy submits this complaint regarding the failure of Google, Inc. to abide by the commission's Consent Decree in the Google "Buzz" case (Docket No. C-4366). We respectfully urge the FTC to find Google in violation of the Consent Decree for its failure to accurately and honestly inform users the real reasons it is changing its privacy policy. This petition provides data and analysis showing how Google's business practices, especially those announced or implemented in 2011, are the real reasons why it is now altering its consumer privacy practices. CDD also seeks to have the FTC request that Google postpone the launch of its new privacy policy on March 1, 2012, pending the outcome of its investigation. Here's an excerpt: We believe that an analysis of Google’s business operations over the last year will demonstrate the true rationale for the changes to its privacy policy—which has nothing to do with making it “easier” or “more convenient” for users. We fail to see where Google has provided to users—as it claims to have done in its “Compliance Report” submitted to the commission—“clear information in order to exercise meaningful choice regarding their continued use of Google services….” In particular, Google fails to inform its users that the new privacy regime is based on its own business imperatives: to address competition from Facebook; to grow its capacity to finely profile and target through audience buying; to collect, integrate, and utilize a user’s information in order to expand its social media, social search, and mobile marketing activities (through YouTube, Google+, and Admob, for example); to extend the length of time during which users are subject to targeting and real-time auctions via its DoubleClick Ad Exchange and Display Network; to provide additional data points for its Teracent, Invite Media, and Admeld operations; and generally to expand its DoubleClick operations. Finally, Google should have explained to consumers what it told a private industry meeting—that to help fulfill its February 2011 prediction that display advertising will be a $200 billion dollar global industry, it would need to better integrate user data across platforms and application using digital ad marketing automation.

Here's the abstract.Powerful new digital marketing techniques permit beer and alcohol companies to deeply penetrate into the hearts and minds of consumers, and their social networks of friends. The growing sophistication and capabilities of online marketing, increasingly integrated into the lifestyles of youthful and Internet connected consumers throughout the world, pose potential public health concerns—as well as opportunities. Marketing today has been transformed from the viewing of a single advert on television or in print, into experiencing interactive and highly personalized content that influences what we consume and purchase. Alcoholic beverage companies are winning global awards for their campaigns, including those launched in the Asia Pacific, EU, North and South America markets.Today, a single user can be stealthily tracked and profiled throughout their “online journey”—including their visits to many websites and they actions they take--as their information is collected and analyzed. Then so-called online “behavioral” advertising takes this profile data to target an individual user more precisely.. Mobile phone and location marketing permit marketers to “geo-target” users in specific geographic areas and at defined times. Digital advertising can operate across so-called multiple platforms—following a single consumer whether they are in front of the personal computer, using a mobile device, or even soon while watching television. Super-fast computers are able to identify a single individual who might be a suitable target for an online alcohol ad—and sell them in real-time to the highest bidder.Facebook and other social media enable marketers to go beyond the targeting of individuals to also influence and “activate” ones network of friends. The goal for much of social media marketing is to encourage consumers to do the marketing for the brand, through new forms of viral and other “peer-to-peer” endorsements. Millions of Facebook members are now regularly reached by alcoholic beverage companies.Online marketers are increasingly relying on the use of “neuromarketing” to create ads and other content expressly designed to penetrate the subconscious minds of users. Through the use of “immersive” online content, including entertainment, digital marketers are creating new forms of story-telling designed to increase brand loyalty and sales.

Facial recognition technologies are now a part of the commercial digital marketing "complex," providing additional data and "activation" techniques designed to trigger engagement and commercial behavior. The Federal Trade Commission requested comments on the issue. Although CDD is concerned about the use of Facial Recognition on all consumers/citizens, inc. adults, we focused on the need for child and adolescent safeguards. Facial Recognition tactics have already become a part of youth marketing, inc, for food (link is external)and beverage (link is external) products. Here's an excerpt with filing attached: The growth of real-time targeting, with the routine merging of offline and online data for profiling-based user ad sales, is the context for the FTC to develop safeguards related to FR. Physical data will be added to the plethora of information layered to target users (which now also includes increasingly neuromarketing-derived data. The commission must also address how FR is designed to identify and target multicultural youth. Today, digital marketers engage in a range of ethnic and racial targeting, including children of color. African-American, Hispanic/Latino and Asian-American children and adolescents are the focus of wide-ranging data collection, profiling, and targeting applications. The use of FR to identify race/ethnicity without COPPA or new adolescent digital marketing rules requires proactive policy action by the commission... The commission must take into consideration, in its work to address FR, the current state of behavioral advertising and related digital direct marketing applications—including cross-platform. FR cannot be viewed in isolation, and an effective and comprehensive set of safeguards are required in the youth digital marketplace... CDD urges the FTC to issue appropriate rules, under its current COPPA proceeding, that place decisions about the use of FR under the control of a parent or appropriate adult guardian. It also must recommend new safeguards for adolescents, giving them greater information and control over how interactive marketing applications and data collection, including FR, are used in targeting. Specifically, we ask that: 1. The commission issue a regulation, under the COPPA rule, stipulating that the results of facial recognition applications are inherently personally identifiable information, and thus cannot be collected or used without parental consent. 2. For teens, companies must have a clear opt-in structure in order to undertake FR. 3. The commission oversee the development of a set of Fair Marketing Practices for all digital marketing targeting both children and teens, which should address how the overall use of facial recognition will be governed.

This draft document represents the current consensus views of the following organizations: ACLU, Center for Digital Democracy, Center for Media and Democracy, Consumer Federation of America, Consumers International, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation, Fundacja Panoptykon, Privacy Rights Clearinghouse, and World Privacy Forum. The full document is attached.

Statement of Jeff Chester: Washington, November 29, 2011: "Since 2007, the social media giant has purposefully worked to erode the concept of privacy by disingenuously claiming users want to share all their personal information. But very few of Facebook’s more than 850 million users understand—let alone can control—the vast amounts of data mining used to propel its advertising business (in 2011, Facebook is predicted to top $4 billion in ad revenues). Facebook’s drive to reap the rewards of a potentially ground-breaking IPO next Spring has also helped unleash a range of data practices that stealthily monetizes the actions and interests of users and their networks of friends. For example, there are now a complex of Facebook tools designed to help marketing campaigns trigger a range of “experiences” and actions tied to measureable events. Facebook has also increasingly focused on a “social by design” concept in an effort to help its advertisers utilize “profile data.” Once the FTC consent decree (link is external)is finalized, Facebook users will have new tools at their disposal to help ensure their privacy is better protected. If Facebook makes any claim that is found to be untrue, they can press the FTC to conduct a review, order a correction and require the imposition of financial penalties. We applaud the FTC for conducting a much-needed investigation of Facebook and diligently pursuing this settlement. CDD joined with the Electronic Privacy Information Center and other groups petitioning the FTC to investigate Facebook’s privacy practices. We will work to ensure that Facebook’s further expansion into mobile marketing, social commerce and online gaming doesn’t come at the expense of user privacy. However, this proposed settlement also requires leadership changes at Facebook. They misled consumers and should pay a price beyond a 20 year agreement to conduct their business practices in a more above-board fashion. We call on Mark Zuckerberg and the Facebook board of directors to accept responsibility for this breech of conduct. They should resign and be replaced by officials that have strong pro-privacy credentials."