Privacy Gourmet

Here's an interview with Kenneth Corbin at InternetNews.com that lays out some of our thinking about privacy.  As I said in the interview, I think the key thing for both consumers and businesses is that there are clear rules in place that so it's obvious to consumers what's happening, and that there are clear rules for businesses about what's appropriate and what's not appropriate. Don't use sensitive profiles. Don't keep data forever. Give people the ability to opt out!

We did an earlier post discussing IP Addresses.  For those of you who prefer a video, here's a discussion of IP Address use. Once again, apologies to the very tech-savvy, I have over-simplified this to make it clear to the widest audience.

Here are some useful links about IP addresses:

For a quick look up of your IP Address and demonstration of geo-targeting check out http://whatismyipaddress.com/
Note: Although this tool shows an exact point on a map to illustrate the point, the exact location is actually an approximation. Estimated location information is usually at best available at zip code level.

For information about how an IP address can be used to show the business, university or organization you are coming from, see  http://en.wikipedia.org/wiki/List_of_assigned_/8_IP_address_blocks

Privacy and advertising critic Jeff Chester points to an AOL promotion in AdAge and suggests that we should tell consumers about the capabilities of Platform A (AOL's advertising division) in the same terms we promote those capabilities to advertising and marketing clients.  So from the promotion in AdAge, here goes:

Audience insights guide all Platform-A solutions. Our sophisticated reporting allows us to discover the behavioral profile of the consumers who are most receptive to your message. This information helps you find target audiences, understand their demographic, psychographic and behavioral characteristics and, ultimately, decide how you craft and place your brand’s message.

NETWORK REACH
Platform-A reaches nine out of 10 online consumers.
TARGETING
Platform-A offers a comprehensive suite of targeting technologies, including:
• Demographic
• Age/gender/household income
• Audience affinity
• Cluster solutions
• Rosters/data match
• Contextual
• Via content networks and sponsorships
• Geographic
• Data targeting, destination-based and regional content
• Daypart
• Behavioral
• Vertical

…Our performance technology continually learns and refines ad placement across our network based on observed and expected performance. Ads are automatically allocated across our network based on the highest expected return for the advertiser and publisher. We also optimize advertising based on the behavioral interests that resonate with an advertiser’s key audience. Leveraging conversion data—anything from newsletter sign-ups to event registrations and online purchases—will increase brand performance and drive more response with less waste.”

The above makes perfect sense to expert readers in the online advertising world where the ad is running, but probably could use some interpretation for most everyone else!  I will devote a few posts this week to try to describe these capabilities in consumer friendly terms.

Warning for geeks, techies and others - I am taking some minor technical liberties here to describe the use of IP addresses in a way my mom would understand and hopefully stay interested.  You probably know the technical details already, so skip to the end.  I spent several hours last night at my father-in-law's home, uninstalling dozens of programs that were bogging down his computer.  They weren't nefarious programs and were all listed in add/remove via the control panel. But he has never clicked on start, other then to shut down, and does not know how to uninstall a program.  He is widely considered one of the most brilliant lawyers in the country, but didn't grow up or spend most of his career using a computer.  Most people don't know what you do, so I beg your indulgence while I try to communicate these details in an accessible manner!)

IP  or Internet Protocol addresses have become one of the hotly debated areas in the privacy arena.   I thought it might be useful to describe what I understand about the ways AOL, Platform A (our advertising business) and many others use this information.

I like to think of an IP address as an address on the internet.  This might be a fixed address that is assigned to a particular Web site so that consumers can request the content of the site.  For example, when a consumer uses their Web browser to request AOL.com or PrivacyGourmet.com, your computer queries a table that holds the IP addresses assigned to these names and then actually sends a request to that IP address.  In order for the Web site to send anything back to your computer, your computer needs an address on the internet.  Your Internet Service Provider (ISP) provides you with that address so that you can "connect" to the internet.

When a Web site gets a request for content from a consumer, it "sees" the IP address of the computer making the request.  In addition to sending back the homepage requested to the IP addresses, it can use the IP address for a number of purposes including geo-targeting and analysis, fraud, audit and law enforcement support.

Geo-targeting:  Some companies have mapped, often to zip code level, the geographic areas where IP addresses have been allocated.  Before it sends back content (or an ad) to a certain IP address, a Web site can quickly look up  a table that indicates that this IP address belongs to a block used by an ISP in Southern Florida.  It could decide to display to the consumer an ad for a convertible rather than one for a snow-blower.  Or it might simply log the IP and later prepare a report that showed that 30% or visitors to the site came from the South, 10% came from outside the U.S. and so on.  Geo-targeting isn't completely accurate, for example many dial-up AOL users from around the country may appear to be assigned Dulles, Virginia IP addresses because of how we route customers through our proxy servers.  But it is certainly useful enough that companies find the information useful.

It is also common knowledge that certain blocks of IP addresses belong to certain businesses, organisations or universities.  As a result a Web site or ad server can "know" that certain IP addresses belong to IBM or to MIT and target an ad to presumed tech company employees or university students and faculty.

Fraud: There are criminals who control thousands of computers belonging to unwitting victims who may have downloaded malware.  These crooks often try to profit by generating "fake" clicks on ads in order to get paid.  Security experts at search engines or ad networks can analyze the logs of IP addresses over time to detect patterns and  eliminate the false results.

Audit: An advertiser may want proof that the banners it has paid to have placed on a Web site are actually displayed the number of times promised. Auditors rely on retention of log files that include IP addresses to verify ad delivery.

Law Enforcement:  If the FBI believes that child porn has been posted at a Web site or that a criminal used the site to find information used in the crime, it might issue a legal demand for the IP address the Web site has logged.  The FBI will then go to the ISP that IP belongs to and issue a legal demand for the name of the ISPs subscriber who was assigned that IP at a certain time.  Indeed this happens regularly and criminals are tracked down in this manner.

This last point creates a fair amount of the privacy concerns raised by some.  Unless you register, most of the other information a Web site logs when you visit (a "cookie", information about your computer and web browser) is very unlikely to ever be linked to your name.  Your IP address is unlikely to ever be linked to your name by a Web site - but an ISP may have a record of which of its users it assigned a certain IP address and thus the government or litigants could possible force the creation of a link to your Web activity. So although most U.S. Web companies firmly maintain that IP addresses are "anonymous" because the data is anonymous to the Web site, the IP address is certainly qualitatively different in that there are circumstances where someone could force an "identification" to take place.  And although the courts haven't always agreed, many of the data protection commissioners in Europe have repeatedly advised that in their opinion IP addresses are personal information.

Cognizant of this concern, and as we noted in our comments to the Federal Trade Commission last week, my team has kicked off an effort to examine options for limiting how long AOL retains IP addresses in certain circumstances.  I don't think that all of the rules or committments made about personal data are 100% technically or practically relevant to IP addresses, but I do think that is important to recognise the greater sensitivity of this data element and to take steps to examine were more limited retention is feasible.

One additional point to clarify is about the use of IP addresses by Web sites or ad networks to track users over time - to create a profile or for other purposes.  I am not aware of anyone in the industry doing this, because IP addresses are just not reliable enough to use in this manner for state management.  Despite the fact that many users are on broadband and may use the same IP address for longer than dial-up users, a recent study found that the typical home averages 10.5 IP addresses assigned to a computer in a month.  Rather than IP addresses, Web sites and ad networks rely heavily on cookies for most  tracking, analytics or behavioral activity.  Despite the frailties of cookies (they get deleted, overwritten, removed by anti-spyware programs or users opt-out) they are the common tool used for correlating user data and the privacy debate over tracking is better focused on improving controls and standards for cookie use.

Here are some useful links about IP addresses:

For a quick look up of your IP Address and demonstration of geo-targeting check out
http://whatismyipaddress.com/

Note: Although this tool shows an exact point on a map to illustrate the point, the exact location is actually an approximation. Estimated location information is usually at best available at zip code level.

For information about how an IP address can be used to show the business, university or organization you are coming from, see  http://en.wikipedia.org/wiki/List_of_assigned_/8_IP_address_blocks

UPDATE: Just added a video with similar information on IP use. Click Here to go to video.

Here on the TACODA Web site is a list of many of the behavorial profiles that advertisers can seek to reach.  As our animated penguin explains, these are developed when consumers visit Web sites that have code on them that results in information about the site and the consumer's cookie being sent to TACODA.  Those sites are required by contract with TACODA to have a privacy policy explaining this data use and a link to allow consumers to opt-out.

Listed are many of the segments of greatest interest to marketers.  There are many many more and I am working on assembling a more complete list to post and to increase transparency in this area.

"We've been so concerned about the legalese and the technical accuracy and exactly what the regulator wants to say that we've lost the average user," said Jules Polonetsky, AOL's senior vice president and chief privacy officer. Read more from an interview I did recently with Rachelle Crum of E-Commerce Times.

Comments to the Federal Trade Commission about Behavioral Advertising are due today and groups have been submitting their opinions.  Chuck Curran, AOL Chief Counsel for Policy and Regulatory, and I worked hard to lay out AOL's point of view which you can read here. Download aolftccomments041108_2.pdf .  We believe that this area is best regulated by a mix of company best practices, industry self-regulation and enforcement of current law.  The FTC has been effective at bringing actions against companies that cause harm to consumers and commit deceptive practices and their technical expertise about the online advertising business continues to grow.  The Network Advertising Initiative has proposed enhanced rules restricting ad network behavioral targeting on sensitive health sites and kids sites, among other requirements.  And different companies have been experimenting with new ways to improve practices relevant to their unique services.  Ebay is delivering banner ads that have privacy notices alongside the ad itself.  Google is posting videos on YouTube explaining their use of data.  AOL is running a campaign using an animated penguin and looking for ways to do more.

Since cookies are the basis for much of the data correlation about consumers online, I have been focused on what AOL can do to make sure our cookies are "kosher".  In our comments, we address a few steps that we think everyone using cookies in a robust manner can implement.  First of all, we are attempting to limit the common practice of allowing cookies to default to a 30 year lifespan.  No cookie has ever lived for 30 years.  Computers don't last that long, people delete cookies, anti-spyware programs remove them and web browsers can only handle a limited number of cookies before they toss the older ones.  So why set a 30 year cookie?  We propose setting a maximum two-year lifespan and are encouraging many of our developers to expire their cookies on a far shorter time-table when they can.

As the parent company of Netscape, the "inventor" of the cookie, we think we have a particular responsibility to press a number of additional points that can ensure companies are privacy and consumer friendly when using cookies.  The following measures could help consumers more easily elicit information about the practices associated with cookies set by a party other than the Web site operator.

    - Any company that primarily interacts with consumers via secondary browser requests, such as an ad network, could use its home page to provide consumers with more easy-to-find information (in addition to the current corporate information for business partners).  Although a privacy link at the bottom of the page may be appropriate for consumers visiting a site to check email or the weather, consumers visiting the Web site of an ad network provider may be specifically seeking privacy or opt-out information.  Such links could be provided more prominently.  On the home page for TACODA, for example, an opt-out link for network advertising cookies is prominently displayed.  Similarly, for AOL's Advertising.com, the link to privacy information and opt-out is placed at the top, rather than the bottom, of the page.

    -Consumers should be able to obtain cookie-related privacy information from Web servers associated with domains whose principal purpose is to set cookies as a result of a user's secondary browser request. (For example, an adserver or analytics server, where a user's request for a primary domain results in requests to adserving or other tracking servers.)  This could enable a consumer examing a cookie on their computer to discover the practices relevant to the cookie by visiting the domain address.  (When the domain is obvious such as tacoda.net or doubleclick.net, users can easily find the "cookie owner".  But often cookies are set in domains that aren't obvious and users visiting those domains see a blank page.)  For an example of how to address this, see http://atwola.com.  Vistors here are advised that this domain is used by AOL for adserving and directed to privacy information.

    -A consumer's choice to opt-out must be maintained.  Consumers are suprised to learn that deleting cookies means their opt-out cookie is deleted and they are again assigned a unique ID cookie the next time they visit a site using that ad-server.  In order to better preserve consumer choice, AOL's TACODA division has implemented a technique using ETags and a browser's Web cache to ensure a user that opted-out is not tracked after deleting cookies.  As Professors Swire and Anton point out, it would be better if browsers helped maintain opt-out cookies, and we have urged Microsoft to consider this in the Internet Explorer 8.0 release.  Until then, we invite companies to contact us to learn how to license this technology on a royalty free basis for use exclusively in consumer privacy protection programs.

-

During the last week of January 2008, AOL conducted a survey of 1081 consumers (50% AOL users & 50% non-AOL users) to measure awareness of behavioral advertising and to determine the most important types of information that can be provided about such advertising.  The demographics were 33% each of 18-34, 35-54, and 55+, evenly split between male and female.

AOL’s research examined possible means for additional consumer education and notification about privacy.  In particular, the survey examined the specific types of consumer privacy concerns, and how various consumers would like to be informed about privacy and their choices.

The survey results underscore that “the consumer perspective” is not monolithic.  Rather, there is wide spectrum, not only in the depth of consumer understanding about privacy issues generally and behavioral targeting specifically:  there is also considerable variety among consumers in terms of a willingness to pursue additional privacy information; their willingness or likelihood of exercising an opt out; and the manner in which they would prefer to learn about privacy issues.

AOL’s research indicates that consumer attitudes are still evolving, and may depend on nature of the particular site or service that they use.  Thus, it continues to be critical for companies to experiment with varying modes of communication and privacy options in order to provide the best user experience.

Specific Data Highlights:

1. High Baseline Awareness of Privacy Policies:  Half of respondents claim to have read a privacy policy, and even larger numbers of users find privacy policies useful (79%) and easy to understand (62%).  However, among those who have read a privacy policy, 57% said the policy contained too much legalese or jargon, and 58% said the policy takes too long to read.  Only 42% of respondents said that they would stop what they are doing online to learn more about behavioral targeting, and even then only for a brief glance.

2. Additional Mechanisms for Privacy Education:  Some consumers prefer that Web sites use a variety of means to inform them about privacy.  They are interested in additional means of notice and education about behavioral advertising beyond privacy policy disclosures.  For example, 82% of respondents said they would like to see information about how a site uses behavioral advertising data in the form of “A paragraph describing behavioral advertising”, and 80% would like to see “a diagram of how behavioral advertising works.”  Younger consumers in particular were slightly more likely to prefer video, diagram, or cartoon information.

3. Propensity to Seek Out Privacy Information:  Overall, younger users in our survey appeared more likely to seek out privacy information, and more likely already to be knowledgeable about privacy issues.  Younger people (less than age 35) are slightly more knowledgeable about behavioral advertising than those age 35+.   The initial data suggest that younger people are possibly less likely to opt-out of behavioral advertising because of their greater awareness and understanding, but this area requires additional research.

4.  Specific Consumer Preferences for Privacy Information :  Users appear to be less interested in technical issues relating to behavioral targeting, or general policy issues related to these practices.  Rather, consumers appear to be more interested in learning specifically about whether personally identifiable or sensitive information is being used for behavioral targeting, and whether an opt-out is being provided to the sharing of their data across Web sites. Users identified the following as the most important piece of information that might be provided:

·        Whether behavioral targeting includes a person’s name or is anonymous (44%)

·        The sensitivity of the data collected (42%)

·        The ability for the consumer to opt out of sharing their data across websites (36%).

The Network Advertising Initiative, a self-regulatory group for ad networks that do behavioral targeting, has just finalized updated rules for companies that tailor ads across a network of sites.  AOL's ad networks, Advertising.com and TACODA, are part of our Platform A advertising division and offer advertisers the opportunity to have their ads delivered to consumers who have been to auto sites or other types of sites in their networks.  These ad networks are members of the NAI and their privacy leads, Ho Shin and Khan Smith, worked closely with me to help the NAI update the standards and close some important gaps.  I was part of the group that drafted the initial set of rules, about 7 years ago when I was Chief Privacy Officer at DoubleClick and I have to admit that they had grown stale and needed to catch up to the current marketplace.  It took some urging by the Federal Trade Commission to get companies moving on this and there is more to do, but this was a big step forward.

The most important advance is that the rules now clearly limit ad networks from creating a "clickstream profile" that represents a sensitive category such as cancer, HIV or other sensitive health categories, unless a user explicitly opts-in.  This was in the old rules - but only if the profile was personal.  The new rules restrict such activity even when the ad is targeted based solely on cookie linked information, without a name attached to the profile.  Also covered are areas like sexual behavior/orientation/identity, mental illness, sexually related conditions, abortion related and more.  And since children can't consent to data sharing, an ad network kids profile isn't permitted, even on an opt-in basis.

AOL, Advertising.com and TACODA have for quite some time enforced a similar internal policy, considering it inappropriate to use these types of categories to tailor an ad on one Web site based on a consumers visit to another.  We are pleased to see all the major portals and ad networks coalescing around this.

Another key point in the new rules is a restriction against using a clickstream profile for a non-marketing use.  This means that the data can be used to help deliver an ad for a motorcycle to a biker, but that profile may not be used by an insurance company to turn them down for a policy.  I am not aware of anyone in the industry doing anything of the sort, but I have often seen speculation from critics that such could occur.  Hopefully this should put those concerns to rest.

I will post more on the NAI rules in the future, but one last area that should be cleared up by the rules is regarding the use of flash cookies for tracking.  HTTP cookies, with all their frailties, are subject to many controls.  You can block them with your browser settings, remove them with an anti-spyware program, or overwrite them with an opt-out cookie. In fact, your browser will only hold so many cookies, and then they will be overwritten.  Flash cookies are very useful to allow an application to remember your settings, or for example to save your high score for an online game.  But since they are not as well known, they are not as easy for consumers to delete or control with browser settings as are HTTP cookies.  My opinion is that it is not a good practice to use a Flash cookie to create an ad network behavioral profile.  The new NAI document makes it clear that the requirements are technology neutral. All Web sites that share data for behavioral targeting need to provide a link to an easy to use opt-out  - and if you can't do that with a flash cookie, then you shouldn't use it for tracking.  I do note that Macromedia has more recently built additional settings that allow some user control of flash cookies, but I agree with the concerns of privacy experts at the Center for Democracy and Technology on this one.

Jules

As AOL's Chief Privacy Officer and SVP for Consumer Advocacy, I am responsible for ensuring that AOL's users can trust the company with their information and for educating employees about best practices for advertising, content, and product development.  My team and I are passionate about privacy.  We believe that online advertising will only succeed in providing a good experience for consumers and serve the needs of advertisers if companies are trustworthy in the way they use consumer data.  And to be trustworthy – we need to be open and transparent.  In fact, you might say that we think that transparency is the essential ingredient that has to be added!

My privacy team and I will be using this blog to provide additional transparency about data use by AOL and by our advertising divisions.  We already provide a good deal of information at the AOL Privacy Policy  but we understand that adding more and more detail to the legalese of a privacy policy may not be the most effective way to educate people.  Some of our recent research shows that all consumers are not alike when it comes to how they want to get privacy information.  Old, young, net-savvy, beginners, male, female – different people have different levels of interest, different privacy concerns, and want to be informed about privacy in different ways.   We are trying to understand consumer concerns and how best to let consumers know what is going on with their information, and what control they have over it.

We will be talking about cookie use, about how IP addresses are used, about behavioral targeting, data retention and more.  We will also be experimenting with better ways to communicate about privacy in a quick easy way with busy non-technical people who are just looking to check their email or the weather.  Ideas are welcomed!

On the note of adding transparency, AOL has launched today an online education campaign including banner ads and an animated penguin.  The campaign is an effort to quickly and simply explain how a Web site and an ad network often work to tailor ads based on a consumers visit to previous sites in their network.  We previewed the animation with advocates, regulators and consumers and got a great response for making this easy to understand – well easier than the legalese of a privacy policy.  Not everyone loved it,  but this is only a start and we will be experimenting and testing different ways to add the essential ingredient of transparency.