Group items tagged

The Federal Trade Commission, continuing its focus on behavioral advertising practices and online consumer privacy, has hired Harvard researcher Christopher Soghoian as a technical consultant. Soghoian, currently with Harvard's Berkman Center for Internet & Society and a noted researcher and blogger on online privacy, will work with the FTC's Bureau of Consumer Protection, Division of Privacy and Identity Protection. He has been particularly critical about the length of time major Internet service providers and companies keep and use customer data Last month, several marketing and advertising industry associations, including the Direct Marketing Association and the American Association of Advertising Agencies, issued self-regulatory principles to govern the online practices of their members, in an attempt to stave off federal regulation of behaviorally targeted advertising.

"I heard a rumor that I hope isn't true. Specifically, I heard that opting out of behavioral profiling may not stop advertising companies from tracking you as you travel across the Web. Rather, according to the rumor, in many cases you merely opt out of seeing the tailored ads your web history might otherwise trigger. The ability to opt out of behavioral profiling essentially underpins the argument for self-regulation by the industry. The idea is that (1) people like tailored ads and (2) those that worry about the practice, for instance, from a privacy perspective, can opt out of it. Setting aside the apparent frailty of cookie-based opt out (when you delete your cookies, you delete your opt out as well) and the availability of other means to track users (like flash cookies), this seems pretty straightforward and convincing. But what does "opting out" mean, exactly? A close look at the Network Advertising Initiative website, which offers an opt out tool on behalf of most major online advertisers, turns up no guarantee that opting out will stop a company from logging where a user has traveled."

This post is one in a series on Privacy & Security, and covers some of the intersections of these domains for those who are not practitioners with in-depth understanding of the associated disciplines.
Behavioral Targeting
The tracking of consumers as they surf the Web to deliver targeted a

"Despite concerns from some privacy groups and U.S. lawmakers about behavioral advertising, most large advertising networks generally comply with a set of privacy and data-handling standards adopted by the Network Advertising Initiative a year ago, the NAI said in a report released Wednesday." ...NAI, whose members include Google, Yahoo and Advertising.com, should be praised for doing a compliance report after skipping it for several years, said Ari Schwartz, vice president and chief operating officer CDT. However, the group should consider using a third party to audit compliance of its privacy guidelines, instead of having NAI staff do the audits, he said. In addition, while NAI members appear to be following most of the guidelines, some of the privacy safeguards are "weak," including the data retention standard, he said. "There's no maximum for data retention -- they just have to state what their data retention policy is," Schwartz added. The NAI report doesn't lessen the need for new privacy laws, Schwartz said. Several online advertising networks are not members of NAI, and the recent public pressure has led to the NAI updating 8-year-old guidelines last year and issuing a compliance report for the first time in several years, although the group had promised regular reports, he said. "It seems that when there's regulatory pressure, they actually do comply with what they said they were going to do," he said. "We certainly wouldn't want to see any regulatory pressure lifted."

Worth a read. The story changes quite a bit from the top to bottom of the story.

The PCI DSS standard was released back in December 2004 and was quickly hailed as one of the most important private-industry data security standards ever developed. Over the past few years, however, amid a steady stream of news about breaches and thefts, the PCI DSS standards has been roundly criticized. At a congressional hearing this month, one congresswoman said, "I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure." Many would agree. A case in point noted by Network World: The breach at Hannaford Brothers, where hackers installed malware on the grocery store chain's internal servers to seize card numbers as they were swiped by customers. Hannaford was certified a PCI DSS-compliant company as the scam was in progress. Heartland Payment Systems, before its scam broke in the news, was also certified compliant by Visa. Visa defends the standard as a way to minimize theft if properly implemented, and you certainly can't blame PCI DSS entirely for recent thefts. For all we know, there would have been many more if not for the standard. Still, the general view is that the PCI DSS standard has become overly complex and has done little thus far to stop fraud, as fraud artists get sophisticated technologically.

Visa Inc.'s top risk management executive today dismissed what she described as "recent rumblings" about the possible demise of the PCI data security rules as "premature" and "dangerous" to long-term efforts to ensure that credit and debit card data is secure. Speaking at Visa's Global Security Summit in Washington, Ellen Richey, the credit card company's chief enterprise risk officer, insisted that despite recent data breaches at two payment processors, the Payment Card Industry Data Security Standard (PCI DSS) "remains an effective security tool when implemented properly." Richey added that breaches such as the ones at Heartland Payment Systems Inc. and RBS WorldPay Inc. were shaping public opinion and obscuring what otherwise has been "substantial progress" on the security front over the past year. "I'm sure that everyone in this room has read the headlines questioning how an event of this magnitude could still happen today," Richey said, referring to the Heartland breach. "The fact is, it never should have" - and indeed wouldn't have if Heartland had been vigilant about maintaining its PCI compliance, according to Richey. "As we've said before," she continued, "no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach." Pointing to Visa's decision last week to remove both of the breached payment processors from its list of PCI-compliant service providers, Richey said that Heartland would face fines and probationary terms that were proportionate to the still-undisclosed magnitude of the breach. "While this situation is unfortunate, it does not make me question the tools we have at our disposal," she said of the PCI rules.