Group items tagged

OPT-OUT becomes untenable when users have to visit 40 - 50 or more sites to do it.

The online advertising industry and U.S. policy makers need to give online users more control over the collection of personal data and surfing habits beyond the traditional opt-out approach, some privacy advocates said Wednesday. Dozens of online ad networks allow users to opt out of being tracked as a way to deliver behavioral advertising, and in most cases, the opt-out is stored in a cookie that goes away every time the users clear their browser cookies, privacy advocates said during a discussion of online advertising at the Computers, Freedom and Privacy Conference in Washington, D.C. Some advertisers require that people opt out of targeted advertising every month, and some advertisers make the opt-out link difficult to find, said Christopher Soghoian, a fellow at the Berkman Center for Internet & Society at Harvard University. Some opt-out mechanisms aren't even functional, he said. Soghoian, while creating a single opt-out mechanism for the Firefox browser, found more than 40 advertising networks, he said. "How can we expect consumers to visit 40 or 50 different online advertisers, opt out, then revisit these sites every six months or every year, and then, when they delete their cookies, go back again?" he asked.

The head of Calgary's Drop-In Centre says he is astounded by the controversy surrounding the shelter's use of a handprint-based security system, with the latest salvo coming from the province's privacy commissioner on Friday. "People . . . have no idea what we're going through here,"said the centre's executive director Dermot Baldwin, adding he now has three staff off work because of beatings. "We're going to (take) the measures necessary to make this place safe, secure, a good place to come . . . but in order to do that, I've got to keep the bad guys out." The comments came after Alberta's privacy commissioner said he's concerned about a new security system the Drop-In Centre is testing, which includes the scanning of clients' handprints to confirm their identification. Frank Work said Friday the home-less shelter's system of scanning and collecting handprints will likely lead to the creation of a database that will store that information.

Social networking sites are often used by government ministers as an example of the profound way attitudes to privacy have changed. They argue that the young generation invade their own privacy to a far greater extent than the government ever would. The implication is that the older people who object to government intrusion are living in the past. The response to this is that people who use social networking sites voluntarily reveal things about themselves and have a degree of control of over how long information and photographs stay in the public domain, while the government collects and stores information without permission and allows the subject no access to the data held. There is no obvious comparison between the two activities. But this doesn't let the social networking sites off the hook. Most internet companies claim a kind of morality free status when it comes to such issues as privacy and copyright, and Web 2.0 sites are no different. A study published this week by Cambridge PhD students shows that nearly half of all social networking sites retain copies of photographs after being "deleted" by users. The study examined 16 popular websites that host user-uploaded photos, including social networking sites, blogging sites and dedicated-photo-sharing sites. Seven of the 16 sites surveyed were still maintaining copies of users' photos after they had been deleted by the user. The researchers - Jonathan Anderson, Andrew Lewis, Joseph Bonneau and lecturer Frank Stajano - found that by keeping a note of the URL where the photo is actually stored in a content delivery network, it was possible for them to access the photo even after it had been deleted.

Is it time for Web publishers and their users to have the privacy talk? At most Web sites, privacy policies are ridiculously long and convoluted scrolls of legalese that only a hearty privacy watchdog would read. For most users it remains a mystery just how publishers collect, use and share the data trails consumers leave behind while traversing a site. But publishers now are partnering more deeply with third party ad networks who plant their own cookies in their users' browsers and hit them again with ads out on their own networks with other publishers. How should a site broach the topic of privacy and ownership of data with its own customers? The industry-funded Future of Privacy Forum is hoping to get at this issue in a new research initiative that explores different ways sites can communicate with users about their online advertising experience and how a use's data trail is recorded and used. The study will try to find ways that publishers can raise user awareness about the use of online behavioral data and be more transparent about how it is harvested and shared.

The FBI and Virginia State Police are searching for hackers who demanded that the state pay them a $10 million ransom by Thursday for the return of millions of personal pharmaceutical records they say they stole from the state's prescription drug database. The hackers claim to have accessed 8 million patient records and 35 million prescriptions collected by the Prescription Monitoring Program. "This was an intentional criminal act against the commonwealth by somebody who was trying to harm others," Gov. Timothy M. Kaine (D) said. "There are breaches that happen by accident or glitches that you try to work out. It's difficult to foil every criminal that may want to do something against you." Although the hackers had threatened to sell the data if they did not receive payment by Thursday, the deadline passed with no immediate sign that they followed through. ad_icon State officials say it is unclear whether the hackers were able to view the patient records, as they have claimed. If the theft is real, it would be the most serious cybercrime the state has faced in recent history.

Should individual states mandate that businesses comply with the Payment Card Industry's Data Security Standard (PCI DSS)? The answer is "yes," according to Nevada, which has passed a new law that, as of next year, requires businesses to comply with PCI when collecting or transmitting payment card information. Nevada is the first state to mandate full PCI compliance for businesses. Minnesota in 2007 incorporated only a portion of PCI in its Plastic Card Security Law. According to Nevada's new law, if a data collector doing business in that state accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of PCI DSS, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization. Is it a Game-Changer? As states rush to adopt or strengthen privacy legislation, Nevada's move is seen by some observers as a potential "game-changer." But they question whether states should be in the business of mandating compliance with an industry standard.

Following complaints from Republicans, the White House has shut down a two-week-old e-mail tip line launched to take reports from citizens of "disinformation about health insurance reform." "An ironic development is that the launch of an online program meant to provide facts about health insurance reform has itself become the target of fear-mongering and online rumors that are the tactics of choice for the defenders of the status quo," wrote White House new media director Macon Phillips in announcing the change. "The White House takes online privacy very seriously," he added. The e-mail tip line, flag@whitehouse.gov, was launched Aug. 4 as part of the White House's Health Insurance Reform Reality Check effort, a campaign-style rapid-response effort reminiscent of the war room Obama for America launched in the summer of 2008 to fight online rumors about the then-senator's patriotism and religion. But coming from the head of state, rather than a political candidate, the new effort quickly sparked concern among Republicans about the propriety of government collecting information on private citizens' political speech.

A recent talk by some Federal Trade Commission officials confirms that the agency is taking a hard look at online advertising practices. Speaking at an American Bar Association conference, new consumer protection chief David Vladeck had harsh words for the behavioral targeting industry's current privacy practices. The "current approach is not working," he said, according to the law firm Arnold & Porter, which blogged about the speech. Vladeck reportedly said many companies' current practice of notifying users about online ad targeting and allowing them to opt out is inadequate, largely because people don't understand the policies. He's not the first to make this observation. Advocates and policymakers have said for years that privacy policies are incomprehensible even to sophisticated users. A recent study by UC Berkeley School also shows that the policies are filled with enough loopholes as to be meaningless. Meanwhile, consumer protection deputy Eileen Harrington, who also talked at the same event, reportedly called deep packet inspection the most dangerous form of data collection, according to a blog post by the law firm Perkins Coie.

Hunch.com helps users search for answers -- but first, it performs a detailed search on the users themselves. Launching today after a year in development, Hunch aims to supply users with computer-generated advice on thousands of lifestyle and consumer questions: What kind of dog should I buy? What should I get dad for Father's Day? Which book by George Orwell would I like? Most important, though, Hunch is not a search engine. Rather than scouring the open Web for information, as Google, Microsoft's new Bing and scores of others do, or collating written opinions, as Amazon.com does, Hunch computes answers by comparing what it knows about you to what it knows about people like you. "Ultimately, what we're doing is providing a kind of shortcut through human expert systems," said Hunch founder Caterina Fake, who also started Flickr.com, the popular photo-sharing site that was acquired by Yahoo in 2005. By first inviting users to answer as many as 1,500 questions about themselves -- an addictive kind of personality test that involves such diverse questions as political orientation, relationship status and whether you believe in UFOs and keep your closet organized -- Hunch looks to assemble a demographic profile whose depth could rival anything in the commercial universe. The New York company also believes that users stand to benefit from this kind of large-scale data farming -- not just from getting better answers, but also from discovering the many microdemographics to which they belong. Hunch also says it will not sell user data to marketers. But this promise, written into the site's privacy policy, is not precisely a legal contract, said Siva Vaidhyanathan, a new-media scholar at the University of Virginia, and the difference leaves the data it collects in a fuzzy domain.

Another test of who owns what data, what can be done with it and the power of State's Rights.

IMS Health (RX) has built a lucrative niche collecting data on which drugs physicians prescribe, then selling the information to pharmaceutical companies. But legislators in more than 20 states have questioned whether the company has a constitutional right to do so. The Supreme Court could shine a spotlight on this topic in the next few weeks if it decides to hear a closely watched case IMS has been fighting in New Hampshire. The court's ruling would quickly reverberate beyond the pharmaceutical industry, affecting virtually any business that uses information about consumer buying behavior to guide its sales strategies.

Visit the Amazon.com site to buy a book online and your welcome page will include recommendations for other books you might enjoy, including the latest from your favorite authors, all based on your history of purchases. Most customers appreciate these suggestions, much the way they would recommendations by a local librarian. But, what if you visited an investment site, only to find advertising messages suggesting therapies for your recently diagnosed heart condition? Chances are that you would experience what Fran Maier calls the "creepiness" factor, a sense that someone has been snooping into a part of your life that should remain private. Maier is the Executive Director of TrustE, a nonprofit that sets guidelines for online privacy and awards a seal of approval to companies meeting those guidelines. She was a speaker at the recent Supernova conference, an annual technology event in San Francisco organized by Wharton legal studies and business ethics professor Kevin Werbach in collaboration with Wharton. Creepiness Factor The creepiness factor is a risk inherent in so-called behavioral targeting. This practice is based on marketers anonymously observing a user's behavior on the Internet and compiling a personal profile based on interests and behavior -- sites visited, searches conducted, articles read, even emails written and received. Based on their profiles, users receive advertising targeted specifically to them, regardless of where they travel on the web. Consumer advocates worry that online data collection and tracking is going too far. Marketing executives counter that consumers benefit from seeing advertising relevant to their interests and contend that relinquishing some personal data is a reasonable trade-off for free access to Internet content, much of it supported by advertising.

Privacy is a central element of the FTC's consumer protection mission. In recent years, advances in computer technology have made it possible for detailed information about people to be compiled and shared more easily and cheaply than ever. That has produced many benefits for society as a whole and individual consumers. For example, it is easier for law enforcement to track down criminals, for banks to prevent fraud, and for consumers to learn about new products and services, allowing them to make better-informed purchasing decisions. At the same time, as personal information becomes more accessible, each of us - companies, associations, government agencies, and consumers - must take precautions to protect against the misuse of our information. The Federal Trade Commission is educating consumers and businesses about the importance of personal information privacy, including the security of personal information. Under the FTC Act, the Commission guards against unfairness and deception by enforcing companies' privacy promises about how they collect, use and secure consumers' personal information. Under the Gramm-Leach-Bliley Act, the Commission has implemented rules concerning financial privacy notices and the administrative, technical and physical safeguarding of personal information, and it aggressively enforces against pretexting. The Commission also protects consumer privacy under the Fair Credit Reporting Act and the Children's Online Privacy Protection Act.

The Federal Trade Commission is planning three public discussions, starting in December, devoted to technology and consumer privacy. According to the FTC, the roundtables will address topics such as social networking, cloud computing, online advertising and mobile marketing, the goal being "to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation." Behavioral advertising, in particular, has come under fire by privacy groups. Earlier this month, Electronic Frontier Foundation, Consumers Union and other related organizations called for stronger rules limiting what kinds of personal information are collected by marketers and how long they can hold on them.

A few weeks ago, I was very relieved to find out I had passed the IAPP exam to be a "Certified Information Privacy Professional" or CIPP. I got this certificate and even a pin, which is more than I ever got for passing the bar exams of New York and California. So what exactly did I need to know to become a CIPP? To be certified in corporate privacy law, you're expected to know what's covered in the CIPP Body of Knowledge, primarily major U.S. privacy laws and regulations and "the legal requirements for the responsible transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions." You're also expected to pass the Certification Foundation, required for all three certifications offered by IAPP. That covers basic privacy law, both in the U.S. and abroad, information security principles and practices, and "online privacy," which includes an overview of the technologies used by online companies to collect information and the particular issues to be considered in this context. So what do you think? Should you be able to pass an all-objective, 180 question, three-hour exam (counting the CIPP and Certification Foundation exams together) on the above topics and be able to call yourself a "privacy professional"?

Tax deadbeats are finding someone actually reads their MySpace and Facebook postings: the taxman. State revenue agents have begun nabbing scofflaws by mining information posted on social-networking Web sites, from relocation announcements to professional profiles to financial boasts. In Minnesota, authorities were able to levy back taxes on the wages of a long-sought tax evader after he announced on MySpace that he would be returning to his home town to work as a real-estate broker and gave his employer's name. The state collected several thousand dollars, the full amount due.

The Federal Bureau of Investigation is expanding beyond its traditional fingerprint-focused collection practices to develop a new biometrics system that will include DNA records, 3-D facial imaging, palm prints and voice scans, blended to create what's known as "multi-modal biometrics." Slideshow: The changing face of biometrics How the Defense Department might institutionalize war-time biometrics "The FBI today is announcing a rapid DNA initiative," said Louis Grever, executive assistant director of the FBI's science and technology branch, during his keynote presentation at the Biometric Consortium Conference in Tampa. The FBI plans to begin migrating from its IAFIS database, established in the mid-1990s to hold its vast fingerprint data, to a next-generation system that's expected to be in prototype early next year. This multi-modal NGI biometrics database system will hold DNA records and more.

"As Congress makes headlines on healthcare and financial industry oversight reform, online data privacy watchdogs are hammering away behind the scenes on the Hill. A joint hearing on online and offline data collection scheduled for later this week, and a planned series of Federal Trade Commission data privacy events have advocacy groups from as far away as California visiting Washington to make sure their voices are heard. "What we're concerned about is the amount of surveillance and tracking going on without consumer consent," said Lee Tien, senior staff attorney at the San Francisco-based Electronic Frontier Foundation. Though often skeptical of government regulation, EFF recently joined lobbying groups including Center for Digital Democracy in recommending that Congress pass clear consumer privacy legislation. "

"The school's policy seems to violate the Genetic Information Nondiscrimination Act (GINA), says Susannah Baruch of the Genetics and Public Policy Center at Johns Hopkins University. "Most generally," she says, "GINA prohibits health insurers and employers from using your genetic information against you." The law went fully into effect Nov. 21, and it prevents health insurers from collecting genetic information to make decisions about the insurance people get or how much it costs. The law also says an employer can't use it to make decisions about hiring, firing or job promotions. There are a few exceptions. The law doesn't apply to employers with fewer than 15 workers. And while it covers health insurance, it doesn't apply to life or long-term care insurance."

"The Electronic Frontier Foundation said it sued the Justice Department and other U.S. agencies to get information about their policies for using social networks including Facebook and Twitter in investigations, data collection and surveillance. The civil rights group said in a complaint filed yesterday in federal court in San Francisco that the government has used social-networking sites in conducting investigations and hasn't clarified the scope of that use or whether there are any restrictions or oversight to prevent abuses. The EFF said in its complaint that it is seeking the information to "help inform Congress and the public about the effect of such uses and purposes on citizens' privacy rights and associated legal protections." It cited news articles that reported police searching Facebook photos for evidence of underage drinking and an FBI search of an individual's home after the person sent messages on Twitter during the G-20 Summit notifying protesters of police movements. Facebook, based in Palo Alto, California, is the world's largest social networking site with more than 300 million users who post photos, messages and other information on their own free Facebook pages. Twitter, based in San Francisco, is a free Web service with 58 million users that lets people send 140- character messages, called "tweets," to multiple followers. EFF, also based in San Francisco, filed Freedom of Information Act requests with federal agencies in October. None of the agencies had completed processing the requests by the applicable 20-day deadline, according to the complaint. The lawsuit seeks a court order for the government to process the requests and produce documents."

"If you use a Groupon mobile app and you allow sharing through your device, Groupon may collect geo-location information from the device and use it for marketing deals to you (and for other purposes listed in the 'How Groupon Uses Personal Information' section of the Updated Privacy Statement)," the email states. Groupon adds that the changes also address some new types of business relationships the company is forging and new technologies it is implementing or may use.