Computers, Privacy & the Constitution

View   r8  >  r7  >  r6  >  r5  >  r4  >  r3  ...
JonathanBonillaFirstPaper 8 - 05 Jan 2010 - Main.IanSullivan
Line: 1 to 1
Changed:
<
<
META TOPICPARENT name="FirstPaper"
>
>
META TOPICPARENT name="OldPapers"
 

Online Behavioral Advertising


JonathanBonillaFirstPaper 7 - 26 Apr 2009 - Main.JonathanBonilla
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper"
Changed:
<
<

Online Behavioral Advertising and the Federal Trade Commission

>
>

Online Behavioral Advertising

 
Changed:
<
<
-- By JonathanBonilla - 09 Mar 2009
>
>
-- By JonathanBonilla - 26 Apr 2009
 
Changed:
<
<
As seen in O’Harrow’s No Place to Hide, online data aggregation can pose a real problem to consumers. One specific and pervasive form of data aggregation occurs as a result of “online behavioral advertising” (OBA). Essentially, any time a user visits a site, performs a search, purchases a product online, or otherwise submits personal information to a site that participates in such advertising, this information is stored in order to track the user’s “behavior” and tailor future online advertisements to fit the predicted desires of that user.
>
>
As seen in O’Harrow’s No Place to Hide, online data aggregation can pose a real problem to consumers. One pervasive form of data aggregation occurs as a result of “online behavioral advertising” (OBA). Any time a user visits a site, performs a search, purchases a product online, or otherwise submits personal information to a site that participates in such advertising, this information is stored to track the user’s “behavior” and tailor future online advertisements to fit the user’s predicted desires.
 
Changed:
<
<

History and Current Regulatory System

>
>

FTC Regulatory System

 
Changed:
<
<
Under the current system of US regulation, OBA is monitored by the Federal Trade Commission (FTC). 15 U.S.C. 45 (a) provides a broad statutory mandate for the FTC to prohibit “deceptive acts or practices in or affecting commerce”[1]. This has been interpreted by the FTC to implicate situations where companies collect or use customer data in a manner contrary to that company’s stated privacy policy, which is punishable as an unfair or deceptive practice. As a result of this interpretation, the FTC assumed jurisdiction in this area and has since been following the development of OBA.
>
>
Under the current system of US regulation, OBA is monitored by the Federal Trade Commission (FTC). 15 U.S.C. 45 (a) provides a broad statutory mandate for the FTC to prohibit “deceptive acts … in or affecting commerce”. This has been interpreted by the FTC to implicate situations where companies collect or use customer data in a manner contrary to that company’s stated privacy policy, which is punishable as a deceptive practice. As a result of this interpretation, the FTC assumed jurisdiction in this area and has been following the development of OBA.
 
Changed:
<
<
Regulation in this field began in 1998, when the FTC presented to Congress a report containing the “core principles of privacy protection” to guide industry practice [2]. These core principles included notice to consumers regarding what is collected, choice to consumers as to how it will be used, consumer access to the collected data, security of the collected data, and several enforcement mechanisms for the principles. However, this report merely presented possibilities for regulation, and no further action was taken at the time, despite the report’s conclusion that there is “real need for implementing the basic fair information practices.” Further reports were sent to Congress, such as in 2000, when the FTC asked for legislation to support an otherwise self-regulatory scheme for OBA, based on the 1998 report’s core principles [3]. Notwithstanding Congress' failure to enact the requested legislation, the self-regulatory scheme took off, using the newly-created Network Advertising Initiative (NAI) to enforce core FTC principles. NAI represents roughly 90% of the advertising industry [4].
>
>
Unfortunately, FTC’s role in regulating OBA is largely passive. Compliance with the “deceptive acts” mandate is fairly simple for online publishers, merely requiring advertisers to inform a user exactly how they will make commercial use of the information. The self-regulatory scheme which emerged is equally ineffective, evinced by the fact that the advertisers’ policing body, Network Advertising Initiative (NAI), does not represent the entire industry. As well, FTC calls for congressional legislation to act as a backstop for NAI have gone unanswered.
 
Changed:
<
<
The FTC did not re-examine this issue until 2006, when it began holding hearings to determine future action relating to OBA. A series of updated principles were created and then altered over the next several years, based on input from privacy advocates and advertisers, alike [5]. Throughout this time period, as well, Congress failed to legislate on the issue. NAI now operates using its own series of principles, though they are similar to the FTC's.
>
>

Deep Packet Inspection

 
Changed:
<
<

Problems and Possible Solutions

>
>
One of the more recent developments in OBA is the ability of advertisers to use Deep Packet Inspection (DPI) to monitor all traffic going through a particular Internet Service Provider’s (ISP) network. Compared to the traditional “cookie-based” model of web-behavior tracking, which could only monitor a user’s movements within the advertiser’s created network of sites (and only so long as the cookies were not blocked), DPI allows for inspection of all web traffic from a user, resulting in more closely tailored advertisements – as well as more information stored by the advertiser. Fortunately for consumers, DPI advertising is only possible through an agreement with ISP’s; unfortunately for consumers, ISP’s so far have been eager to explore this new profit source.
 
Changed:
<
<
One issue with the current system is apparent in the fact that NAI does not represent the entirety of online advertisers. As a result, NAI is powerless to enact sanctions against non-complying entities whom are not members. This was one of the reasons FTC sought congressional legislation in 2000. While it is true that FTC may still take action against those companies that do not follow the provisions of their privacy policies, under the “deceptive practices” mandate, that alone does not go far enough to ensure the privacy of online consumers. For example, a company might not have a privacy policy that clearly illuminates how the data is being used; in such a situation, it would be hard to find the company broke their agreement with the consumer, where the agreement itself was overly vague.
>
>
Not surprisingly, the FTC has failed to address DPI-based advertising any differently from previous OBA, despite the increased potential for privacy concerns. Taking matters into their own hands, a class action was filed by internet users against NebuAd? and ISP’s who allowed NebuAd? to install the DPI hardware on their networks, alleging violations of various federal and state statutes, including the Wiretap Act and Computer Fraud and Abuse Act. While this lawsuit will likely fail for similar reasons that previous cookie-based advertising litigation failed, Congress has already shown an interest in the DPI advertising process, and could potentially find DPI-based advertising to be serious enough to warrant legislation.
 
Changed:
<
<
Along those lines, if Congress continues to fail to enact specific legislation for this issue, Congress could at the least expand on the FTC mandate to allow FTC to take direct action. Currently, FTC does not feel it has the statutory authority to issue regulations relating to OBA, which in itself is a problem since it results in FTC trying to find and justify a roundabout solution (self-regulation), instead of attempting direct regulation. Even if Congress did expand the FTC mandate to allow clear regulation, the cited FTC Staff Reports suggest FTC might yet maintain the self-regulatory scheme, based on the industry's insistence that giving up consumer privacy is crucial for keeping web content free.
>
>
With potential legislation-based restrictions to DPI advertising in mind, the focus turns to whether such legislation would be able to withstand judicial scrutiny based on the 1st Amendment. This, in turn, could be viewed as having two components: the right to use DPI to inspect packets in the first place and the right to advertise based on obtained information. For the first aspect, it could be said that there is a right for the ISP to be informed; however, this seems distinguishable from the traditional right to education, as it does not directly relate to the ability of one to be informed in the democratic process, which is highly protected free speech. As well, any sort of right to inspect packets on the internet must be weighed against the right to privacy of network users. It would seem that any restrictive legislation on this topic would merely need to be justified in terms of a rational relation towards a goal of preserving the right to privacy. For the second aspect, the right to advertise falls under a form of commercial speech, which is protected unless intermediate scrutiny can be overcome. Again, such speech must be weighed against the counter-point of privacy concerns, but since the “speech” in advertising involves sending tailored information back to the person the information came from, the privacy concern for transmitting OBA is reduced. The result is that restrictive legislation would have to be careful not to overstep “excessive restrictions” imposed by Central Hudson.
 
Changed:
<
<
Another issue with the current FTC guideline-based self-regulatory scheme is that it centers on a contract-theory of the privacy policy of the website being used, where the user is free to view the privacy policy, but need not expressly assent to the terms. The issue with this contract approach is that when using various websites during any given day, it is unlikely the average non-law-educated consumer will take the time to read through and understand each privacy policy of every website, prior to using the website. As a result, it seems much of the benefit of providing such transparency may be lost in the real world.
>
>

Possible Tech Solution

 
Changed:
<
<
One possible solution would be to require express assent prior to collecting or using any personal information (FTC guidelines already require express assent for use of “sensitive data”). However, the same problem arises here as did before: much like it is common for users to click-through a EULA without reading it, prior to installing a computer program, it would seem likely that users would also not pay much attention to a large wall of text describing the details of a website’s privacy policy, when all the user wants to do is get to the content of the website as quickly and easily as possible.
>
>
One counter argument to the basis of this paper is that given technology available today, namely, Firefox, AdBlock? , and TrackMeNot? , the issue of OBA should not be a concern, since online ads can be blocked prior to ever being seen by the user. While the point is valid that some users are capable of blocking ads through this technology, it is a stretch to assume that use of this technology is significant enough to render advertising unprofitable, either now or in the near future.
 
Changed:
<
<
In such a situation, where ease of computing is a large factor, it would appear that a statutory solution in limiting the specific uses of certain information would be warranted. Unfortunately, being that Congress has neglected to enact such on multiple occasions, the only remaining option would be a state-by-state approach. Indeed, several states in 2008 already proposed bills relating to the regulation of behavioral advertising. Massachusetts, for instance, was able to pass their version, though it primarily deals with safeguarding personal information once it has been obtained by the advertisers [6].
>
>
Estimates of Firefox usage range anywhere from 10% - 20% of the browsing population; of those, only a small fraction have downloaded AdBlock? Plus, with the percent using TrackMeNot being negligible. Even if vastly more users were to switch over to Firefox and install AdBlock? , which seems unlikely especially when reports raise security concerns (and in light of Google’s Chrome browser), the whole efficiency of OBA is that it is extremely cheap to tailor ads to a large number of individuals. Chances are that any person who would use AdBlock? and TrackMeNot? were probably not clicking on the advertisements anyways, thus already not contributing to the profits these companies earn, which is based on advertisement success.
 
Changed:
<
<
As Online Behavioral Advertising is becoming more widespread, these developments are noteworthy to all online consumers.
>
>
It would seem for this situation that technology is not a current realistic solution. With the FTC regulatory scheme providing little protection, a solution would have to come from Congress, either in the form of establishing restrictions to DPI, or perhaps creating a private cause of action based on weak privacy policies.
 
Changed:
<
<
(Word Count: 999)

[1] http://www4.law.cornell.edu/uscode/15/45.html

[2] http://www.ftc.gov/reports/privacy3/priv-23a.pdf

[3] http://www.ftc.gov/os/2000/07/onlineprofiling.pdf

[4] http://www.networkadvertising.org/index.asp

[5] http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf

[6] 201 CMR 17.00

>
>
(Word Count: 993)
 
Added:
>
>

 
  • What's the point of footnotes in a wiki? Why not just link directly from the text?

JonathanBonillaFirstPaper 6 - 15 Apr 2009 - Main.EbenMoglen
Line: 1 to 1
Changed:
<
<
META TOPICPARENT name="FirstPaper%25"
>
>
META TOPICPARENT name="FirstPaper"
 

Online Behavioral Advertising and the Federal Trade Commission

Line: 45 to 45
 [6] 201 CMR 17.00
Added:
>
>
  • What's the point of footnotes in a wiki? Why not just link directly from the text?

  • It doesn't seem to me that you've ever addressed first principles:
    1. A packet moving on the public internet: who should be allowed to study it? Do I have a first amendment interest in my ability to learn from the traffic on the net?
    2. Given that I have some knowledge about someone, without regard to how I gained that knowledge, do I have a First Amendment right to advertise to them on the basis of what I know about them?

  • Then it seems to me there are some practical questions:
    1. If a behavioral advertiser is studying my behavior on the net in order to serve me ads that I am automatically removing from my web content before I see them: (a) am I harmed? (b) will he keep spending money to serve ads I will never see? (c) does this cycle when repeated ever end with the advertiser better off? (d) if not, why not just teach your friends how to install AdBlock Plus and stop worrying about the problem?
    2. If a behavioral advertiser is studying my behavior on the net in order to serve me ads that I am automatically removing, but in fact he's not studying my behavior because I am automatically also sending out a large number of automatically-generated random net behavior, designed to confuse onlooking analyzers without making my life harder in any way: [repeat all subparts of question 2, substituting TrackMeNot for AdBlock Plus.]
    3. In light of numbers 1 and 2 above, what is this all about, again?

 
# * Set ALLOWTOPICVIEW = TWikiAdminGroup, JonathanBonilla

JonathanBonillaFirstPaper 5 - 26 Mar 2009 - Main.JonathanBonilla
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper%25"
Line: 29 to 29
 In such a situation, where ease of computing is a large factor, it would appear that a statutory solution in limiting the specific uses of certain information would be warranted. Unfortunately, being that Congress has neglected to enact such on multiple occasions, the only remaining option would be a state-by-state approach. Indeed, several states in 2008 already proposed bills relating to the regulation of behavioral advertising. Massachusetts, for instance, was able to pass their version, though it primarily deals with safeguarding personal information once it has been obtained by the advertisers [6].
Changed:
<
<
As OBA is becoming more widespread, these developments are noteworthy to all online consumers.
>
>
As Online Behavioral Advertising is becoming more widespread, these developments are noteworthy to all online consumers.
 
Changed:
<
<
(Word Count: 997)
>
>
(Word Count: 999)
 [1] http://www4.law.cornell.edu/uscode/15/45.html
Line: 47 to 47
 
# * Set ALLOWTOPICVIEW = TWikiAdminGroup, JonathanBonilla \ No newline at end of file
Added:
>
>
 
<--/commentPlugin-->

JonathanBonillaFirstPaper 4 - 25 Mar 2009 - Main.JonathanBonilla
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper%25"
Line: 7 to 7
 -- By JonathanBonilla - 09 Mar 2009
Changed:
<
<
As seen in O’Harrow’s No Place to Hide, online data aggregation can pose a real problem to consumers. One specific and pervasive form of data aggregation occurs as a result of “online behavioral advertising.” Essentially, any time a user visits a site, performs a search, purchases a product online, or otherwise submits personal information to a site that participates in such advertising, this information is stored in order to track the user’s “behavior” and tailor future online advertisements to fit the predicted desires of that user.
>
>
As seen in O’Harrow’s No Place to Hide, online data aggregation can pose a real problem to consumers. One specific and pervasive form of data aggregation occurs as a result of “online behavioral advertising” (OBA). Essentially, any time a user visits a site, performs a search, purchases a product online, or otherwise submits personal information to a site that participates in such advertising, this information is stored in order to track the user’s “behavior” and tailor future online advertisements to fit the predicted desires of that user.
 

History and Current Regulatory System

Changed:
<
<
Under the current system of US regulation, online behavioral advertising is monitored by the Federal Trade Commission (FTC). 15 U.S.C. 45 (a) provides a broad statutory mandate for the FTC to prohibit “deceptive acts or practices in or affecting commerce”[1]. This has been interpreted by the FTC to implicate situations where companies collect or use customer data in a manner contrary to that company’s stated privacy policy, which is punishable as an unfair or deceptive practice. As a result of this interpretation, the FTC assumed jurisdiction in this area and has since been closely following the development of online behavioral advertising.
>
>
Under the current system of US regulation, OBA is monitored by the Federal Trade Commission (FTC). 15 U.S.C. 45 (a) provides a broad statutory mandate for the FTC to prohibit “deceptive acts or practices in or affecting commerce”[1]. This has been interpreted by the FTC to implicate situations where companies collect or use customer data in a manner contrary to that company’s stated privacy policy, which is punishable as an unfair or deceptive practice. As a result of this interpretation, the FTC assumed jurisdiction in this area and has since been following the development of OBA.
 
Changed:
<
<
Regulation in this field began in 1998, when the FTC presented to Congress a report containing the “core principles of privacy protection” to guide industry practice [2]. These core principles included notice to consumers regarding what is collected, choice to consumers as to how it will be used, consumer access to the collected data, security of the collected data, and enforcement mechanisms (self-regulatory, private remedy, government enforcement) for the principles. However, this report merely presented possibilities for regulation, and no further action was taken at the time, despite the report’s conclusion that there is “real need for implementing the basic fair information practices.” Further reports were sent to Congress, such as in 2000, when the FTC asked for legislation to support an otherwise self-regulatory scheme for online behavioral advertising, based on the 1998 report’s core principles [3]. Congress failed to enact this legislation, though the self-regulatory scheme took off, using the newly-created Network Advertising Initiative (NAI) to enforce the core FTC principles. NAI represents roughly 90% of the advertising industry [4].
>
>
Regulation in this field began in 1998, when the FTC presented to Congress a report containing the “core principles of privacy protection” to guide industry practice [2]. These core principles included notice to consumers regarding what is collected, choice to consumers as to how it will be used, consumer access to the collected data, security of the collected data, and several enforcement mechanisms for the principles. However, this report merely presented possibilities for regulation, and no further action was taken at the time, despite the report’s conclusion that there is “real need for implementing the basic fair information practices.” Further reports were sent to Congress, such as in 2000, when the FTC asked for legislation to support an otherwise self-regulatory scheme for OBA, based on the 1998 report’s core principles [3]. Notwithstanding Congress' failure to enact the requested legislation, the self-regulatory scheme took off, using the newly-created Network Advertising Initiative (NAI) to enforce core FTC principles. NAI represents roughly 90% of the advertising industry [4].
 
Changed:
<
<
The FTC did not re-examine this issue until 2006, when it began holding hearings to determine future action relating to online behavioral advertising. A series of updated principles were created and then altered over the next several years, based on input from privacy advocates and advertisers, alike [5]. Throughout this time period, as well, Congress has failed to legislate on the issue.
>
>
The FTC did not re-examine this issue until 2006, when it began holding hearings to determine future action relating to OBA. A series of updated principles were created and then altered over the next several years, based on input from privacy advocates and advertisers, alike [5]. Throughout this time period, as well, Congress failed to legislate on the issue. NAI now operates using its own series of principles, though they are similar to the FTC's.
 

Problems and Possible Solutions

Changed:
<
<
One issue with the current system is apparent in the fact that NAI does not represent the entirety of online advertisers. As a result, NAI is powerless to enact sanctions against non-complying entities whom are not members. This was one of the reasons FTC sought congressional legislation in 2000. While it is true that FTC may still take action under the “deceptive practices” mandate, against those companies that do not follow the provisions of their privacy policies, that alone does not go far enough to ensure the privacy of online consumers. For example, a company might not have a privacy policy that clearly illuminates how the data is being used; in such a situation, it would be hard to find the company broke their agreement with the consumer, where the agreement itself was overly vague.
>
>
One issue with the current system is apparent in the fact that NAI does not represent the entirety of online advertisers. As a result, NAI is powerless to enact sanctions against non-complying entities whom are not members. This was one of the reasons FTC sought congressional legislation in 2000. While it is true that FTC may still take action against those companies that do not follow the provisions of their privacy policies, under the “deceptive practices” mandate, that alone does not go far enough to ensure the privacy of online consumers. For example, a company might not have a privacy policy that clearly illuminates how the data is being used; in such a situation, it would be hard to find the company broke their agreement with the consumer, where the agreement itself was overly vague.
 
Changed:
<
<
Along those lines, if Congress continues to fail to enact specific legislation for this issue, Congress could at the least expand on the FTC mandate to allow FTC to take direct action. Currently, FTC does not feel it has the statutory authority to issue regulations relating to online behavioral advertising, which in itself is a problem since it results in FTC trying to find and justify a roundabout solution (self-regulation), instead of attempting direct regulation, which it arguably could based on the existing mandate.
>
>
Along those lines, if Congress continues to fail to enact specific legislation for this issue, Congress could at the least expand on the FTC mandate to allow FTC to take direct action. Currently, FTC does not feel it has the statutory authority to issue regulations relating to OBA, which in itself is a problem since it results in FTC trying to find and justify a roundabout solution (self-regulation), instead of attempting direct regulation. Even if Congress did expand the FTC mandate to allow clear regulation, the cited FTC Staff Reports suggest FTC might yet maintain the self-regulatory scheme, based on the industry's insistence that giving up consumer privacy is crucial for keeping web content free.
 
Changed:
<
<
Another issue with the current FTC guideline-based self-regulatory scheme is that it is centered on a contract-theory of the privacy policy of the website being used, where the user is free to view the privacy policy, but need not expressly assent to the terms. The issue with this contract approach is that when using various websites during any given day, it is unlikely the average non-law-educated consumer will take the time to read through and understand each privacy policy of every website, prior to using the website. As a result, it seems much of the benefit of providing such transparency may be lost in the real world.
>
>
Another issue with the current FTC guideline-based self-regulatory scheme is that it centers on a contract-theory of the privacy policy of the website being used, where the user is free to view the privacy policy, but need not expressly assent to the terms. The issue with this contract approach is that when using various websites during any given day, it is unlikely the average non-law-educated consumer will take the time to read through and understand each privacy policy of every website, prior to using the website. As a result, it seems much of the benefit of providing such transparency may be lost in the real world.
 One possible solution would be to require express assent prior to collecting or using any personal information (FTC guidelines already require express assent for use of “sensitive data”). However, the same problem arises here as did before: much like it is common for users to click-through a EULA without reading it, prior to installing a computer program, it would seem likely that users would also not pay much attention to a large wall of text describing the details of a website’s privacy policy, when all the user wants to do is get to the content of the website as quickly and easily as possible.

In such a situation, where ease of computing is a large factor, it would appear that a statutory solution in limiting the specific uses of certain information would be warranted. Unfortunately, being that Congress has neglected to enact such on multiple occasions, the only remaining option would be a state-by-state approach. Indeed, several states in 2008 already proposed bills relating to the regulation of behavioral advertising. Massachusetts, for instance, was able to pass their version, though it primarily deals with safeguarding personal information once it has been obtained by the advertisers [6].

Changed:
<
<
As online behavioral advertising is a rapidly expanding process, these developments are certainly noteworthy to all online consumers.
>
>
As OBA is becoming more widespread, these developments are noteworthy to all online consumers.
 
Changed:
<
<
(Word Count: 969)
>
>
(Word Count: 997)
 [1] http://www4.law.cornell.edu/uscode/15/45.html

JonathanBonillaFirstPaper 3 - 10 Mar 2009 - Main.JonathanBonilla
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper%25"
Line: 11 to 11
 

History and Current Regulatory System

Changed:
<
<
Under the current system of US regulation, online behavioral advertising is monitored by the Federal Trade Commission (FTC). 15 U.S.C. 45 (a) provides a broad statutory mandate for the FTC to prohibit “deceptive acts or practices in or affecting commerce.” This has been interpreted by the FTC to implicate situations where companies collect or use customer data in a manner contrary to that company’s stated privacy policy, which is punishable as an unfair or deceptive practice. As a result of this interpretation, the FTC assumed jurisdiction in this area and has since been closely following the development of online behavioral advertising.
>
>
Under the current system of US regulation, online behavioral advertising is monitored by the Federal Trade Commission (FTC). 15 U.S.C. 45 (a) provides a broad statutory mandate for the FTC to prohibit “deceptive acts or practices in or affecting commerce”[1]. This has been interpreted by the FTC to implicate situations where companies collect or use customer data in a manner contrary to that company’s stated privacy policy, which is punishable as an unfair or deceptive practice. As a result of this interpretation, the FTC assumed jurisdiction in this area and has since been closely following the development of online behavioral advertising.
 
Changed:
<
<
Regulation in this field began in 1998, when the FTC presented to Congress a report containing the “core principles of privacy protection” to guide industry practice. These core principles included notice to consumers regarding what is collected, choice to consumers as to how it will be used, consumer access to the collected data, security of the collected data, and enforcement mechanisms (self-regulatory, private remedy, government enforcement) for the principles. However, this report merely presented possibilities for regulation, and no further action was taken at the time, despite the report’s conclusion that there is “real need for implementing the basic fair information practices.” Further reports were sent to Congress, such as in 2000, when the FTC asked for legislation to support an otherwise self-regulatory scheme for online behavioral advertising, based on the 1998 report’s core principles. Congress failed to enact this legislation, though the self-regulatory scheme took off, using the newly-created Network Advertising Initiative (NAI) to enforce the core FTC principles. NAI represents roughly 90% of the advertising industry.
>
>
Regulation in this field began in 1998, when the FTC presented to Congress a report containing the “core principles of privacy protection” to guide industry practice [2]. These core principles included notice to consumers regarding what is collected, choice to consumers as to how it will be used, consumer access to the collected data, security of the collected data, and enforcement mechanisms (self-regulatory, private remedy, government enforcement) for the principles. However, this report merely presented possibilities for regulation, and no further action was taken at the time, despite the report’s conclusion that there is “real need for implementing the basic fair information practices.” Further reports were sent to Congress, such as in 2000, when the FTC asked for legislation to support an otherwise self-regulatory scheme for online behavioral advertising, based on the 1998 report’s core principles [3]. Congress failed to enact this legislation, though the self-regulatory scheme took off, using the newly-created Network Advertising Initiative (NAI) to enforce the core FTC principles. NAI represents roughly 90% of the advertising industry [4].
 
Changed:
<
<
The FTC did not re-examine this issue until 2006, when it began holding hearings to determine future action relating to online behavioral advertising. A series of updated principles were created and then altered over the next several years, based on input from privacy advocates and advertisers, alike. Throughout this time period, as well, Congress has failed to legislate on the issue.
>
>
The FTC did not re-examine this issue until 2006, when it began holding hearings to determine future action relating to online behavioral advertising. A series of updated principles were created and then altered over the next several years, based on input from privacy advocates and advertisers, alike [5]. Throughout this time period, as well, Congress has failed to legislate on the issue.
 

Problems and Possible Solutions

Line: 27 to 27
 One possible solution would be to require express assent prior to collecting or using any personal information (FTC guidelines already require express assent for use of “sensitive data”). However, the same problem arises here as did before: much like it is common for users to click-through a EULA without reading it, prior to installing a computer program, it would seem likely that users would also not pay much attention to a large wall of text describing the details of a website’s privacy policy, when all the user wants to do is get to the content of the website as quickly and easily as possible.
Changed:
<
<
In such a situation, where ease of computing is a large factor, it would appear that a statutory solution in limiting the specific uses of certain information would be warranted. Unfortunately, being that Congress has neglected to enact such on multiple occasions, the only remaining option would be a state-by-state approach. Indeed, several states in 2008 already proposed bills relating to the regulation of behavioral advertising. Massachusetts, for instance, was able to pass their version, though it primarily deals with safeguarding personal information once it has been obtained by the advertisers.
>
>
In such a situation, where ease of computing is a large factor, it would appear that a statutory solution in limiting the specific uses of certain information would be warranted. Unfortunately, being that Congress has neglected to enact such on multiple occasions, the only remaining option would be a state-by-state approach. Indeed, several states in 2008 already proposed bills relating to the regulation of behavioral advertising. Massachusetts, for instance, was able to pass their version, though it primarily deals with safeguarding personal information once it has been obtained by the advertisers [6].
 As online behavioral advertising is a rapidly expanding process, these developments are certainly noteworthy to all online consumers.
Changed:
<
<
(Word Count: 965) (Citations to be added)
>
>
(Word Count: 969)

[1] http://www4.law.cornell.edu/uscode/15/45.html

[2] http://www.ftc.gov/reports/privacy3/priv-23a.pdf

[3] http://www.ftc.gov/os/2000/07/onlineprofiling.pdf

[4] http://www.networkadvertising.org/index.asp

[5] http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf

[6] 201 CMR 17.00

 
# * Set ALLOWTOPICVIEW = TWikiAdminGroup, JonathanBonilla

JonathanBonillaFirstPaper 2 - 09 Mar 2009 - Main.JonathanBonilla
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper%25"
Line: 7 to 7
 -- By JonathanBonilla - 09 Mar 2009
Deleted:
<
<

I. Online Behavioral Advertising

 As seen in O’Harrow’s No Place to Hide, online data aggregation can pose a real problem to consumers. One specific and pervasive form of data aggregation occurs as a result of “online behavioral advertising.” Essentially, any time a user visits a site, performs a search, purchases a product online, or otherwise submits personal information to a site that participates in such advertising, this information is stored in order to track the user’s “behavior” and tailor future online advertisements to fit the predicted desires of that user.
Changed:
<
<

II. Current Regulatory System

>
>

History and Current Regulatory System

 Under the current system of US regulation, online behavioral advertising is monitored by the Federal Trade Commission (FTC). 15 U.S.C. 45 (a) provides a broad statutory mandate for the FTC to prohibit “deceptive acts or practices in or affecting commerce.” This has been interpreted by the FTC to implicate situations where companies collect or use customer data in a manner contrary to that company’s stated privacy policy, which is punishable as an unfair or deceptive practice. As a result of this interpretation, the FTC assumed jurisdiction in this area and has since been closely following the development of online behavioral advertising.
Changed:
<
<
To begin regulation of this field, in 1998 the FTC presented to Congress a report containing the “core principles of privacy protection” to guide industry practice. These core principles included notice to consumers regarding what is collected, choice to consumers as to how it will be used, consumer access to the collected data, security of the collected data, and enforcement mechanisms (self-regulatory, private remedy, government enforcement) for the principles. However, this report merely presented possibilities for regulation, and no further action was taken at the time, despite the report’s conclusion that there is “real need for implementing the basic fair information practices.” Further reports were sent to Congress, such as in 2000, when the FTC asked for legislation to support an otherwise self-regulatory scheme for online behavioral advertising, based on the 1998 report’s core principles. Congress failed to enact this legislation, though the self-regulatory scheme took off, using the newly-created Network Advertising Initiative (NAI) to enforce the core FTC principles. NAI represents roughly 90% of the advertising industry.
>
>
Regulation in this field began in 1998, when the FTC presented to Congress a report containing the “core principles of privacy protection” to guide industry practice. These core principles included notice to consumers regarding what is collected, choice to consumers as to how it will be used, consumer access to the collected data, security of the collected data, and enforcement mechanisms (self-regulatory, private remedy, government enforcement) for the principles. However, this report merely presented possibilities for regulation, and no further action was taken at the time, despite the report’s conclusion that there is “real need for implementing the basic fair information practices.” Further reports were sent to Congress, such as in 2000, when the FTC asked for legislation to support an otherwise self-regulatory scheme for online behavioral advertising, based on the 1998 report’s core principles. Congress failed to enact this legislation, though the self-regulatory scheme took off, using the newly-created Network Advertising Initiative (NAI) to enforce the core FTC principles. NAI represents roughly 90% of the advertising industry.
 The FTC did not re-examine this issue until 2006, when it began holding hearings to determine future action relating to online behavioral advertising. A series of updated principles were created and then altered over the next several years, based on input from privacy advocates and advertisers, alike. Throughout this time period, as well, Congress has failed to legislate on the issue.
Changed:
<
<

III. Problems and Possible Solutions

>
>

Problems and Possible Solutions

 One issue with the current system is apparent in the fact that NAI does not represent the entirety of online advertisers. As a result, NAI is powerless to enact sanctions against non-complying entities whom are not members. This was one of the reasons FTC sought congressional legislation in 2000. While it is true that FTC may still take action under the “deceptive practices” mandate, against those companies that do not follow the provisions of their privacy policies, that alone does not go far enough to ensure the privacy of online consumers. For example, a company might not have a privacy policy that clearly illuminates how the data is being used; in such a situation, it would be hard to find the company broke their agreement with the consumer, where the agreement itself was overly vague.
Line: 33 to 31
 As online behavioral advertising is a rapidly expanding process, these developments are certainly noteworthy to all online consumers.
Changed:
<
<
(Word Count: 968)
>
>
(Word Count: 965)
 (Citations to be added)



JonathanBonillaFirstPaper 1 - 09 Mar 2009 - Main.JonathanBonilla
Line: 1 to 1
Added:
>
>
META TOPICPARENT name="FirstPaper%25"

Online Behavioral Advertising and the Federal Trade Commission

-- By JonathanBonilla - 09 Mar 2009

I. Online Behavioral Advertising

As seen in O’Harrow’s No Place to Hide, online data aggregation can pose a real problem to consumers. One specific and pervasive form of data aggregation occurs as a result of “online behavioral advertising.” Essentially, any time a user visits a site, performs a search, purchases a product online, or otherwise submits personal information to a site that participates in such advertising, this information is stored in order to track the user’s “behavior” and tailor future online advertisements to fit the predicted desires of that user.

II. Current Regulatory System

Under the current system of US regulation, online behavioral advertising is monitored by the Federal Trade Commission (FTC). 15 U.S.C. 45 (a) provides a broad statutory mandate for the FTC to prohibit “deceptive acts or practices in or affecting commerce.” This has been interpreted by the FTC to implicate situations where companies collect or use customer data in a manner contrary to that company’s stated privacy policy, which is punishable as an unfair or deceptive practice. As a result of this interpretation, the FTC assumed jurisdiction in this area and has since been closely following the development of online behavioral advertising.

To begin regulation of this field, in 1998 the FTC presented to Congress a report containing the “core principles of privacy protection” to guide industry practice. These core principles included notice to consumers regarding what is collected, choice to consumers as to how it will be used, consumer access to the collected data, security of the collected data, and enforcement mechanisms (self-regulatory, private remedy, government enforcement) for the principles. However, this report merely presented possibilities for regulation, and no further action was taken at the time, despite the report’s conclusion that there is “real need for implementing the basic fair information practices.” Further reports were sent to Congress, such as in 2000, when the FTC asked for legislation to support an otherwise self-regulatory scheme for online behavioral advertising, based on the 1998 report’s core principles. Congress failed to enact this legislation, though the self-regulatory scheme took off, using the newly-created Network Advertising Initiative (NAI) to enforce the core FTC principles. NAI represents roughly 90% of the advertising industry.

The FTC did not re-examine this issue until 2006, when it began holding hearings to determine future action relating to online behavioral advertising. A series of updated principles were created and then altered over the next several years, based on input from privacy advocates and advertisers, alike. Throughout this time period, as well, Congress has failed to legislate on the issue.

III. Problems and Possible Solutions

One issue with the current system is apparent in the fact that NAI does not represent the entirety of online advertisers. As a result, NAI is powerless to enact sanctions against non-complying entities whom are not members. This was one of the reasons FTC sought congressional legislation in 2000. While it is true that FTC may still take action under the “deceptive practices” mandate, against those companies that do not follow the provisions of their privacy policies, that alone does not go far enough to ensure the privacy of online consumers. For example, a company might not have a privacy policy that clearly illuminates how the data is being used; in such a situation, it would be hard to find the company broke their agreement with the consumer, where the agreement itself was overly vague.

Along those lines, if Congress continues to fail to enact specific legislation for this issue, Congress could at the least expand on the FTC mandate to allow FTC to take direct action. Currently, FTC does not feel it has the statutory authority to issue regulations relating to online behavioral advertising, which in itself is a problem since it results in FTC trying to find and justify a roundabout solution (self-regulation), instead of attempting direct regulation, which it arguably could based on the existing mandate.

Another issue with the current FTC guideline-based self-regulatory scheme is that it is centered on a contract-theory of the privacy policy of the website being used, where the user is free to view the privacy policy, but need not expressly assent to the terms. The issue with this contract approach is that when using various websites during any given day, it is unlikely the average non-law-educated consumer will take the time to read through and understand each privacy policy of every website, prior to using the website. As a result, it seems much of the benefit of providing such transparency may be lost in the real world.

One possible solution would be to require express assent prior to collecting or using any personal information (FTC guidelines already require express assent for use of “sensitive data”). However, the same problem arises here as did before: much like it is common for users to click-through a EULA without reading it, prior to installing a computer program, it would seem likely that users would also not pay much attention to a large wall of text describing the details of a website’s privacy policy, when all the user wants to do is get to the content of the website as quickly and easily as possible.

In such a situation, where ease of computing is a large factor, it would appear that a statutory solution in limiting the specific uses of certain information would be warranted. Unfortunately, being that Congress has neglected to enact such on multiple occasions, the only remaining option would be a state-by-state approach. Indeed, several states in 2008 already proposed bills relating to the regulation of behavioral advertising. Massachusetts, for instance, was able to pass their version, though it primarily deals with safeguarding personal information once it has been obtained by the advertisers.

As online behavioral advertising is a rapidly expanding process, these developments are certainly noteworthy to all online consumers.

(Word Count: 968) (Citations to be added)


# * Set ALLOWTOPICVIEW = TWikiAdminGroup, JonathanBonilla

Revision 8r8 - 05 Jan 2010 - 22:30:31 - IanSullivan
Revision 7r7 - 26 Apr 2009 - 17:04:39 - JonathanBonilla
Revision 6r6 - 15 Apr 2009 - 23:17:25 - EbenMoglen
Revision 5r5 - 26 Mar 2009 - 03:05:02 - JonathanBonilla
Revision 4r4 - 25 Mar 2009 - 23:22:24 - JonathanBonilla
Revision 3r3 - 10 Mar 2009 - 01:11:15 - JonathanBonilla
Revision 2r2 - 09 Mar 2009 - 16:27:13 - JonathanBonilla
Revision 1r1 - 09 Mar 2009 - 01:43:43 - JonathanBonilla
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM