Misleading On Interactive Advertising

The Federal Trade Commission has posted the comments in their ongoing review of the Child Online Privacy Protection Act (COPPA). The act provides privacy rules that, among other things, require parental consent for the collection of data from children or from users of online services directed at children.

One particular statement stands out. The Interactive Advertising Bureau comments (pdf) included this description of their members’ activities:

The delivery of online advertisements involves no more “contact” with an individual by a network advertiser than the advertising department of a city newspaper has with its subscribers as a result of including inserts tailored for locals residing in particular suburban neighborhoods.

Their goal is trying to make sure that their data collection and use practices do not qualify as an online service that collects personal information under COPPA.

They are misleading the Federal Trade Commission. Interactive advertisers tout abilities to track and contact consumers throughout the web. They build profiles based on this tracking and augment these profiles with data from other sources.

Here’s how IAB member AudienceScience describes their capability:

The Audience Gateway for Advertisers Enables Marketers To:

  • Engage with customers based on their behaviors and interests
  • Reach target audiences wherever they go across the Web
  • Send prospects relevant messages based on where they are in the buy cycle

Here’s how IAB member Google describes their retargeting techniques:

After driving traffic to your site with search ads, you can then remarket to those users who reach your site by showing them tailored ads on sites throughout the Google Content Network.

Here’s an example of how it works. Let’s say you’re a basketball team with tickets that you want to sell. You can put a piece of code on the tickets page of your website, which will let you later show relevant ticket ads (such as last minute discounts) to everyone who has visited that page, as they subsequently browse sites in the Google Content Network. In addition to your own site, you can also remarket to users who visited your YouTube brand channel or clicked your YouTube homepage ad.

You can also run a number of remarketing campaigns at the same time. For example, you could offer discount game tickets to users who’ve previously visited your tickets page, advertise VIP hospitality packages to users who clicked on your “How to get to the arena” page, and advertise a sale on team merchandise to users who previously visited your YouTube brand channel.

IAB Member OwnerIQ describes its abilities as:

OwnerIQ enables advertisers to target consumers based on what they own, what they have expressed an interest in owning (“Intenders”)… or both!

[W]e use our proprietary MostIQ Advertising Platform to reach consumers who have the appropriate Ownership Signals as they travel the web — on over 250,000 web sites, with creative designed to appeal to the Target Segments.

Their retargeting page explains, using a neat graphic, the 4 steps:

  1. Shoppers visit your site
  2. They leave your site and travel the web
  3. OwnerIQ identifies your prospect and presents them your message
  4. Your prospect is brought back to your site

IAB member Criteo also has a retargeting product:

Retargeting allows you to find your previous website visitors across the Internet and display relevant banners to lead them back to your website to complete their transaction. Bringing ready-to-buy users back to your website after they have left should be a key part of your customer acquisition and conversion strategy.

This is not contact like your newspaper delivery targeting your neighborhood.

Posted: July 15, 2010 in:

New Monitoring Service “SafetyWeb” Has Some Privacy, Safety Problems

The new monitoring service SafetyWeb raises some serious questions about its compliance with the Child Online Privacy Protection Act. There’s also some potential safety problems with how it could be misused.

The service’s description is rather simple. You enter an email address, and then the service scours the web (and presumably, its own built up database) and builds up an online profile based on the social networks that person has joined. In this way it appears similar to the service that Rapleaf used to offer.  The service then promises to monitor the actions of the targeted person on those social networks and report those actions to you.

When I tried it with one of my email addresses, it found several social network services I have joined.  It did not find all of them. Only on one of those did I join with that email address, so they must have had some way to figure out the rest were me. None of them were false positives where they identified someone else as me — but my name is rather unique.

COPPA

The Child Online Privacy Protection Act (COPPA) seeks to protect children’s privacy online. Safetyweb appears to address their compliance with COPPA with this simple note in their Privacy Policy:

Our Policy Towards Children

The Site is not directed to persons under 18. If a parent or guardian becomes aware that his or her child has provided us with personally identifiable information without their consent, he or she should contact us by email at: info@safetyweb.com.

This seems to go against the spirit, if not the letter, of COPPA.  COPPA applies to:

the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child

They are collecting children’s information — the “parent” that signs up tells them the child’s email address, name and age. Their website is not “directed at children” but they are given “actual knowledge” that they are collecting children’s data. They even have the “parent” check a box that states:  “I certify that I’m the Parent of this child.”

Perhaps they think that they are not collecting personal information from a child, since they get it from the parent.  But the entire point of the service is to monitor what the child does online — to go and collect that information from the child’s online profiles and present it to the “parent.”

They need to double check that their service is COPPA compliant, because it appears that they are covered by COPPA. A simple statement that their website is not “directed to persons under 18″  does not change the fact that this is a commercial service whose stated purpose is to collect information from children and to sell it to people who “certify” that they are the parents of that child.

The FTC appears to be taking a serious tone on the mixed issue of children’s online safety and privacy.  They recently denied the application of a non-profit to become a COPPA “safe harbor” — meaning a service that would monitor and certify websites for compliance with COPPA. Their denial letter took strong umbrage at the fact that the non-profit itself did not follow COPPA  — even though it did not have to:

The Commission feels strongly that any organization – including a non-profit organization – to which it grants safe harbor status should itself comply with COPPA when interacting with children online. In the case of i-SAFE, which promotes itself as a leader in educating children on Internet safety, the failure to provide COPPA protections is particularly troubling. This failure also would undermine i-SAFE’s authority to enforce other website operators’ compliance with COPPA.

Safetyweb’s cavalier attitude towards COPPA indeed does not inspire confidence in them as purveyor of a legitimate parental monitoring service.

Safety / Stalkerware

The other major problem with the service is how they handle the safety issue.  How do they know anything about the relationship of the person ordering the monitoring and the one being monitored? I never completed my transaction above, but they were about to allow me to order the monitoring of a target their service reported as being 35.  All they appeared to require was that the person doing the ordering check a box agreeing to the terms and conditions, as well as another box that certified they were the parent of the child.

The FTC recently acted against a provider of stalkerware.  Key to that case was that the simple fact that inappropriate uses were against the terms of service should not insulate the provider of the service from liability.

Safetyweb should also take note of the New Hampshire case Remsburg v. Docusearch. Liam Youens paid 150 dollars to Docusearch for several pieces of personal information about Amy Boyer.  He had maintained a website where he documented how he was stalking her.  With this information, Youens tracked her down, killed her, and committed suicide.  A New Hampshire court said Docusearch had a duty to exercise reasonable care that they did not cause harm when selling this information:

The threats posed by stalking and identity theft lead us to conclude that the risk of criminal misconduct is sufficiently foreseeable so that an investigator has a duty to exercise reasonable care in disclosing a third person’s personal information to a client. And we so hold. This is especially true when, as in this case, the investigator does not know the client or the client’s purpose in seeking the information.

One Benefit

There’s a benefit of widespread knowledge of the existence of this service. It lets people know their online profiles can be monitored and mined. What we’re seeing here is the consumer facing side of something that is surely going on behind the scenes — starting with an email address, marketers and other data mining companies can compile extensive profiles of individuals.  Perhaps this awareness will lead to some outrage, and support for regulation.

Safetyweb has hired a leading expert in children’s online safety and privacy issues. They should be able to adequately address these issues.

Posted: June 15, 2010 in: