Privacy Report Word Cloud Fun

The Federal Trade Commission (FTC) and Commerce Department have each recently released reports and requests for comments on consumer privacy issues. Much attention is expected to be paid to the similarities and differences between the reports. The FTC has a consumer protection and law enforcement mission, while Commerce’s mission is  “to foster, promote, and develop the foreign and domestic commerce” of the United States. To contribute to the discussion, I’ve prepared these word clouds of the Executive Summaries of each of the reports.

The FTC’s December 2010 Report, Protecting Consumer Privacy in an Era of Rapid Change:

Commerce’s report, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework

The differences are striking. The subject matter — privacy, data and information — is the same. But the FTC seems particularly concerned with consumers (and “consumer”), companies and practices. Commerce’s report appears to be more about policy, and commercial concerns. The data subjects — consumers —  the ones with an interest in the data, are barely visible in the Commerce report word cloud. I can’t find them there.

UPDATE: At the suggestion of a reader, I’ve created two new ones. These are meant to tease out the differences more. As suggested, I’ve removed the large common words (“privacy” “data” and “information”). I’ve also collapsed the words “consumers” and “consumer” together.

The FTC’s Report

The Commerce Report

Consumers are now visible in the Commerce report, but the difference in focus — Commercial vs. Consumers — is made clearer. It appears that the FTC is concerned with consumers and companies’ practices, while Commerce approaches this from the point of view of commercial policy.

Posted: December 16, 2010

Misleading On Interactive Advertising

The Federal Trade Commission has posted the comments in their ongoing review of the Child Online Privacy Protection Act (COPPA). The act provides privacy rules that, among other things, require parental consent for the collection of data from children or from users of online services directed at children.

One particular statement stands out. The Interactive Advertising Bureau comments (pdf) included this description of their members’ activities:

The delivery of online advertisements involves no more “contact” with an individual by a network advertiser than the advertising department of a city newspaper has with its subscribers as a result of including inserts tailored for locals residing in particular suburban neighborhoods.

Their goal is to make sure that their data collection and use practices do not qualify as an online service that collects personal information under COPPA.

They are misleading the Federal Trade Commission. Interactive advertisers tout abilities to track and contact consumers throughout the web. They build profiles based on this tracking and augment these profiles with data from other sources.

Here’s how IAB member AudienceScience describes their capability:

The Audience Gateway for Advertisers Enables Marketers To:

  • Engage with customers based on their behaviors and interests
  • Reach target audiences wherever they go across the Web
  • Send prospects relevant messages based on where they are in the buy cycle

Here’s how IAB member Google describes their retargeting techniques:

After driving traffic to your site with search ads, you can then remarket to those users who reach your site by showing them tailored ads on sites throughout the Google Content Network.

Here’s an example of how it works. Let’s say you’re a basketball team with tickets that you want to sell. You can put a piece of code on the tickets page of your website, which will let you later show relevant ticket ads (such as last minute discounts) to everyone who has visited that page, as they subsequently browse sites in the Google Content Network. In addition to your own site, you can also remarket to users who visited your YouTube brand channel or clicked your YouTube homepage ad.

You can also run a number of remarketing campaigns at the same time. For example, you could offer discount game tickets to users who’ve previously visited your tickets page, advertise VIP hospitality packages to users who clicked on your “How to get to the arena” page, and advertise a sale on team merchandise to users who previously visited your YouTube brand channel.

IAB Member OwnerIQ describes its abilities as:

OwnerIQ enables advertisers to target consumers based on what they own, what they have expressed an interest in owning (“Intenders”)… or both!

[W]e use our proprietary MostIQ Advertising Platform to reach consumers who have the appropriate Ownership Signals as they travel the web — on over 250,000 web sites, with creative designed to appeal to the Target Segments.

Their retargeting page explains, using a neat graphic, the 4 steps:

  1. Shoppers visit your site
  2. They leave your site and travel the web
  3. OwnerIQ identifies your prospect and presents them your message
  4. Your prospect is brought back to your site

IAB member Criteo also has a retargeting product:

Retargeting allows you to find your previous website visitors across the Internet and display relevant banners to lead them back to your website to complete their transaction. Bringing ready-to-buy users back to your website after they have left should be a key part of your customer acquisition and conversion strategy.

This is not contact like your newspaper delivery targeting your neighborhood.

Posted: July 15, 2010

FTC Budget Justification Requests More Privacy, Security, New Media Staff

The Federal Trade Commission’s Fiscal Year 2011 budget request asked Congress for 40 additional Full-Time Equivalent (FTE) staff.  Several of these would be in the area of privacy, data security, and new media:

2 FTE for data security enforcement and rulemakings related to data security, breach notice and consumer access to information in certain databases, and other opportunities to provide greater clarity regarding data security principles.

2 FTE to protect consumers in the mobile  marketplace and new media by addressing the privacy, security, and other risks of consumer harms associated with these new technologies.

3 FTE for the FTC Regional Offices to respond to  growing law enforcement challenges in fraud targeting vulnerable Americans and financial services fraud, and provide outreach to close information gaps in the areas of new media, privacy, and health, including 1 FTE for Spanish-speakers to combat illegal practices targeting Hispanic consumers.

2 FTE for economic analysis and support of the Consumer Protection area, including the FACTA study, advertising to children, and consumer financial services.

1 FTE for General Counsel for litigation and legal counsel to cover the rapidly increasing workload on privacy and information security issues.

Posted: February 10, 2010

Neat Facebook App Named “Privacy”

I ran into a Facebook App named “privacy.” The operation is rather simple:

Privacy, the application, is a utility that provides insight into what information applications can access just by you or your friends using them.

I’ve previously blogged about the civil liberties implications of law enforcement applications.  Applications see your Facebook Site information, including:

The Facebook Site Information may include, without limitation, the following information, to the extent visible on the Facebook Site: your name, your profile picture, your gender, your birthday, your hometown location (city/state/country), your current location (city/state/country), your political view, your activities, your interests, your musical preferences, television shows in which you are interested, movies in which you are interested, books in which you are interested, your favorite quotes, the text of your “About Me” section, your relationship status, your dating interests, your relationship interests, your summer plans, your Facebook user network affiliations, your education history, your work history, your course information, copies of photos in your Facebook Site photo albums, metadata associated with your Facebook Site photo albums (e.g., time of upload, album name, comments on your photos, etc.), the total number of messages sent and/or received by you, the total number of unread messages in your Facebook in-box, the total number of “pokes” you have sent and/or received, the total number of wall posts on your Wall™, a list of user IDs mapped to your Facebook friends, your social timeline, and events associated with your Facebook profile.

The “privacy” application is another way to communicate to people just how much these thousands of third-party developers have access to.

Posted: June 9, 2008

As the Web Goes Social, Where Is Privacy?

Google, MySpace, and Facebook have recently announced initiatives to share social networking information with third party sites. Google’s announcement describes Google Friend Connect:

This new service, announced as a preview release tonight at Campfire One, lets non-technical site owners sprinkle social features throughout their websites, so visitors will easily be able to join with their AOL, Google, OpenID, and Yahoo! credentials. You’ll be able to see, invite, and interact with new friends or, using secure authorization APIs, with existing friends from social sites on the web like Facebook, Google Talk, hi5, LinkedIn, orkut, Plaxo, and others.

Facebook similarly describes its initiative:

Facebook Connect is the next iteration of Facebook Platform that allows users to “connect” their Facebook identity, friends and privacy to any site. This will now enable third party websites to implement and offer even more features of Facebook Platform off of Facebook – similar to features available to third party applications today on Facebook.

It adds that key features will be: “Trusted authentication; Real Identity; Friends Access; and Dynamic Privacy.” MySpace’s launch includes some partner sites already:

LOS ANGELES—May 8, 2008—MySpace, the world’s most popular social network, alongside Yahoo!, eBay, Photobucket, and Twitter, today announced the launch of the MySpace ‘Data Availability’ initiative, a ground-breaking offering to empower the global MySpace community to share their public profile data to websites of their choice throughout the Internet. Today’s announcement throws open the doors to traditionally closed networks by putting users in the driver’s seat of their data and Web identit

Data Portability

These are being referred to as advances in “data portability” (see here, and here, for example). Data portability is the name given to the idea that data a user has generated with one vendor can easily be moved to or manipulated by another vendor, without the need for any pre-existing relationships.

There was some promise that data portability might improve privacy. Timothy Lee at Techdirt blogged on how data portability could mitigate privacy issues. I previously blogged about a position paper from ENISA on social networking security recommendations. They noted (pdf):

Many of the threats . . . in particular those relating to data privacy, have arisen because SNSs [Social Network Sites] are extremely centralized (i.e., high numbers of users with few providers). Where users were previously protected by spreading their data over many mutually inaccessible repositories, it’s now collected in a single place. It is currently very difficult to transfer your social network from one provider to another, or to interact between providers. . . . While there are clear commercial reasons behind these trends, the security and usability implications of a centralized and closed data storage model should not be ignored. A possible solution to this problem is portable social networks, which allows users to control and syndicate their own ‘social graph’. . . . At a minimum, it should be possible to export the social graph and its preferences from one provider to another and, ideally, users would have the possibility of complete control over their own social data, syndicating it to providers which created added-value ‘mashup’ applications.

The Promise of Privacy?

So portability holds great promise — users are able to easily move between providers; no one provider is a central point of tracking; and users control where their data goes and presumably who has access to it.

But what is now being billed as “portability” looks quite far from that promise. These systems look like they will allow the social networks to track you as you use several sites, rather than allow you to leave existing social networks with your data. That’s not really allowing data to move around — that’s just SNSs giving you a long leash. It looks like more, not less decentralization. Instead of you having the security and privacy of having different accounts, different personas, you’ll instead have one single logon for several web services. In fact, Facebook seems to tout as an advantage that people will no longer be anonymous, that they’ll be coming in with their entire social graph to new ventures. When privacy activists are telling users to use pseudonyms, to use different logins, this new development is going in a different direction.

I suspect these companies want your entire web experience to be “social.” But more importantly, they want it to happen while you are logged into them, while you are a captive audience to their ads, and all while they build up their profiles of personal information so that they can market to you.

Posted: May 20, 2008

BBC Creates Data-Mining Facebook Application

I earlier blogged about the civil liberties dangers that law enforcement Facebook applications pose. The problem: by default, applications have access to much of your and your friends’ data.

The BBC has written an application that shows how easy data collection can be.

We wrote an evil data mining application called Miner, which, if we wanted, could masquerade as a game, a test, or a joke of the day. It took us less than three hours.

But whatever it looks like, in the background, it is collecting personal details, and those of the users’ friends, and e-mailing them out of Facebook, to our inbox.

When you add an application, unless you say otherwise, it is given access to most of the information in your profile. That includes information you have on your friends even if they think they have tight security settings.

Did you know that you were responsible for other people’s security?

Facebook responded:

Users are strongly encouraged to report any suspected misuse of information to Facebook. Additionally, users can block individual applications from accessing any of their data, block all applications, or block individual types of information.

We have sophisticated technology and a dedicated team to address inappropriate activity by applications. Access by applications to Facebook user data is strictly regulated and if we find that an application is in violation of our terms and policies, we take appropriate action to bring it into compliance or remove it entirely.

I hope this means that Facebook has some automated processes for detecting when applications are accessing too much data, and that this causes them to be reviewed. But overall I don’t see how users can be careful when adding an application. They have no way of knowing what it does.

Posted: May 2, 2008

Sources for Social Networking Privacy

It seems that the privacy interests one has when using social networking sites are sometimes not well known. There sometimes seems to be this idea, which has been referred to as the “secrecy paradigm,” that things which are “posted on a public website” cannot be the subject of “privacy.” That’s not really all that there is to privacy. For example, Alan Westin described it this way:

Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how and to what extent information about them is communicated to others.

So how does this get expressed in the world of social networking? Two recent publications give a good, though I suspect not exhaustive, overview. The European Network and Information Security Agency (ENISA) prepared a position paper on “Security Issues and Recommendations for Online Social Networks” (pdf). The International Working Group on Data Protection in Telecommunications, composed mainly of European privacy officials, has issued a “Report and Guidance on Privacy in Social Network Services” (pdf). A few examples from these highlight the idea that privacy is more than just secrecy.


ENISA identifies the problem of “Digital Dossier Aggregation.” Data can easily be taken from social networks and placed in a different context — it can be easy to build a profile of a person that is not controlled by that person. Further, social networks collect your browsing information — who you click on, who you interact with — and often don’t discuss what uses they put this information to. These are both common privacy issues: that users may lose control of their data and that data is being collected and put to secondary uses.

ENISA also identifies two risks which I had not considered previously. It will be possible to deploy facial recognition algorithms on social networks, allowing automatic identification of individuals and linking of several profiles. Semi-anonymous online dating profiles will be able to be automatically matched with non-anonymous images elsewhere online. Extracting other information from images will allow algorithms to determine what people are doing (such as drinking) and maybe even where.

Lastly, ENISA also identifies the difficulty of account deletion as a privacy risk. Facebook users have complained about how difficult deletion can be. This is another way in which controlling your data is important. ENISA even goes one step further, proposing that social networks make profiles “portable” so that users can easily move from one network to another — promoting competition and user control, and alleviating the other threats which come from the centralization of data.

The report contains other issues, such as stalking, spam, and even corporate espionage. Read the whole thing.

Working Group on Data Protection in Telecoms

The Working Group notes some of the security concerns that ENISA focuses on, but also mentions other privacy issues. The first is that online data is usually permanent — it is hard to erase. Even once the data subject deletes the data they control, cached copies may exist, or other services may have duplicated the data. Secondly, the intimacy of the relationships online may be illusory — and sometimes exclude key players. One’s “friends” on social networking sites are not necessarily real friends. I’ll add that the social nature of the site, as well as its communications (talking about your friends, your networks, and who can see your data) covers up the fact that the service operates as a Big Brother, watching and collecting all your activity online.

This data collection — of your browsing history and other activity — raises other issues, as this data may be accessible to law enforcement and intelligence services. The data will also be used for marketing and other secondary uses that may not be clearly specified by the social networking service. Further uses may come from employers or others interested in researching the reputation of individuals.

Lastly, a new development is the creation of application programming interfaces, or APIs. These allow even more third party access to data, often in a way that is hidden. I’ve previously blogged about the privacy and civil liberties issues with law enforcement created applications. You can read there for the specific problems on the Facebook platform. But the general problem is that third party access is being increased in ways which are not transparent to users.

Guidelines and Recommendations

The discussion above should clarify what people mean when they talk about social networking privacy. It is not just a matter of “keep things secret.” For some steps on how to deal with these issues, I again recommend you check out the two publications.

“Report and Guidance on Privacy in Social Network Services” (pdf).

“Security Issues and Recommendations for Online Social Networks” (pdf).

Posted: April 24, 2008

Facebook Applications: Back Doors for Law Enforcement?

Via Google News I hear of a new Facebook Application: GMP Updates. The application, also known as “The Greater Manchester Police Updates,” gives you a feed of crime updates and links to a form for reporting crimes, according to the article. It’s the first time I’ve seen a law enforcement based Facebook application.

GMP Updates

There have been several articles about law enforcement using its normal user-level access to Facebook for criminal prosecutions (for example: “Facebook Helps Law Enforcement,” “Site Used to Aid Investigations,” “Student Arrested After Police Facebook Him”). In these cases, law enforcement or their tipsters browse Facebook like a normal user, looking at the information made available to that user.

Expanded Viewing Powers

Law enforcement use of applications will significantly expand the reach of what law enforcement can see, and also provide a more surreptitious viewing ability. It’s been noted that some 90% of popular applications have access to more information than they need, but this seems like a significant first — giving law enforcement more access than it needs. Why the expansion? Because application providers get access to just about all of your Facebook information, as described in the “Platform Application Terms of Use”:

In order to allow you to use and participate in Platform Applications created by Developers (“Developer Applications”), Facebook may from time to time provide Developers access to the following information (collectively, the “Facebook Site Information”):

(i) any information provided by you and visible to you on the Facebook Site, excluding any of your Contact Information, and

(ii) the user ID associated with your Facebook Site profile.

Facebook provides some examples of what this means. Like:

The Facebook Site Information may include, without limitation, the following information, to the extent visible on the Facebook Site: your name, your profile picture, your gender, your birthday, your hometown location (city/state/country), your current location (city/state/country), your political view, your activities, your interests, your musical preferences, television shows in which you are interested, movies in which you are interested, books in which you are interested, your favorite quotes, the text of your “About Me” section, your relationship status, your dating interests, your relationship interests, your summer plans, your Facebook user network affiliations, your education history, your work history, your course information, copies of photos in your Facebook Site photo albums, metadata associated with your Facebook Site photo albums (e.g., time of upload, album name, comments on your photos, etc.), the total number of messages sent and/or received by you, the total number of unread messages in your Facebook in-box, the total number of “pokes” you have sent and/or received, the total number of wall posts on your Wall™, a list of user IDs mapped to your Facebook friends, your social timeline, and events associated with your Facebook profile.

[I’ve highlighted some of my favorites]

Note that applications can access your data even if you’ve marked it as not viewable by the police in your geographic network or school. Even if you’ve used a “friend list” to restrict who sees a photo, it’s still available to the third party application providers. So it’s not enough to carefully tune your privacy vis-a-vis other Facebook users. You also have to avoid adding in applications like the GMP Updater — avoid getting updates from your local law enforcement.

Inadvertent Snitching

That’s not all that is happening. When you add an application, by default it can see what you can see on Facebook. So you’re also sharing your friends’ information with law enforcement. Your friends may opt-out of this sharing, but until they do you’ll be the eyes and ears of law enforcement by adding a law enforcement-based Facebook app. The defaults include quite a bit of information:

API Defaults

When you add applications, you’re told they get to see your information:

Add GMP Updates

But you’re not told you’re also sharing your friends’ info.

Content Too?

One thing that is unclear to me is whether applications can see the content of my Facebook messages and other communications I make within the site. Content fits the definition (“any information provided by you and visible to you on the Facebook Site, excluding any of your Contact Information”) of information available to third party providers, but it would be quite shocking if this was being made available to third parties. In the US, intercepting a communication requires a warrant — pursuant to the 4th Amendment as well as ECPA, and accessing a stored communication requires court orders or warrants, depending on the age of the information. This is why I’m skeptical that content is being shared with law enforcement via the API. It would be quite a scandal.

Posted: April 16, 2008

DHS Privacy: When Pigs Fly?

Ryan Singel at Wired’s THREAT LEVEL blog is having a contest to name the DHS privacy office mascot/gift they’ve received: a toy pig.

But there’s something else that’s funny here. Check out the picture of the pig:

DHS pig

So what’s the message here? “Privacy at Homeland Security. When Pigs Fly?” Am I missing something?

Posted: March 20, 2008

Complaint Against Amateur Spyware Purveyors Filed

Today my project at EPIC filed a complaint before the Federal Trade Commission against several purveyors of amateur spyware. I’ve previously blogged about the uses of spyware to intercept the communications of spouses.

The complaint alleges unfair and deceptive practices by these companies. Specifically, these companies promote illegal surveillance targets; promote the use of “Trojan Horse” email attacks; and fail to warn their customers of the legal risks of the improper use of this software.

Click on this thumbnail for a view of what the marketing looks like:

Remote Spy

There are many more examples of the marketing in the complaint.

The FTC does pay attention to spyware. But this is a new beast for them to take on. I suspect that software like this is used in many situations of abuse, but that it goes relatively undetected, unpunished and in general unreported. Undetected because people do not know to look for it. Unpunished because it is difficult to get an otherwise busy police force to focus on the computer forensics needed to effectively prosecute. And unreported because there really is not much data collection going on with these products. We have inklings that the problem is growing, but not much hard data. I hope this also spurs more organizing around this topic and we get a better sense of the malicious uses of this software.

I suspect this is a growing industry, and there will soon be malicious payloads being offered for delivery to your target’s cell phones, iPhones, and other devices, not just PCs. Let’s hope the FTC moves and nips it in the bud.

Posted: March 6, 2008