Web Privacy on the Radar in CongressAugust 11, 2008Web Privacy on the Radar in Congress By STEPHANIE CLIFFORDCorrection AppendedHere are some things Internet users can discover about Kiyoshi Martinez, a 24-year-old man from Mokena, Ill., from some of his recent posts online. He watched “The Colbert Report” on Tuesday night, he likes the musician Lenlow and he received bottles of olive oil and vinegar for his birthday. Mr. Martinez has Facebook and LinkedIn pages, a Twitter account and a Web site that includes his résumé.So it is surprising to learn that Mr. Martinez, an aide in the Illinois Senate, is also vigilantabout his privacy online.“I’m pretty aware of the fact that anything you do on the Internet pretty much should just be considered public,” Mr. Martinez said. While he knows that companies are collecting his data and often tracking his online habits so they can show him more relevant ads, he said, he would like to see more transparency “about what the company intends to do with your data and your information.”“Like all privacy matters, it’s something that people need to be informed on,” Mr. Martinez said.Those same questions of data collection and privacy policies are attracting the attention of Congress, too. There is no broad privacy legislation governing advertising on the Internet. And even some in the government admit that they do not have a clear grasp of what companies are able to do with the wealth of data now available to them.“That is why Congress, at this point, is wanting to gather a lot more information, because no one knows,” said Steven A. Hetcher, a professor at Vanderbilt University Law School. “That information is incredibly valuable; it’s the new frontier of advertising.”Beyond the data question, there are issues of how companies should tell browsers that their information is being tracked, which area of law covers this and what — if anything — proper regulation would look like.On Aug. 1, four top members of the House Committee on Energy and Commerce sent letters ordering 33 cable and Internet companies, including Google, Microsoft, Comcast and Cox Communications, to provide details about their privacy standards. That followedHouse and Senate hearings last month about privacy and behavioral targeting, in which advertisers show ads to consumers based on their travels around the Web. If an advertiserknows that Mr. Martinez watches “The Colbert Report,” for example, it might show him an ad for “The Daily Show.”As advertisers become more sophisticated about behavioral targeting, and online privacy standards become increasingly varied, regulators and privacy advocates are becoming concerned. A few companies have taken precautionary measures to try to fend off criticism; in the last few days, for instance, both Yahoo and Google have made it easier for people to opt out of targeted ads on their sites. But that may not be enough.“Some type of omnibus electronic privacy legislation is needed,” said Representative Edward J. Markey, Democrat of Massachusetts, chairman of the House Subcommittee on Telecommunications and the Internet, “regardless of the particular technologies or companies involved.” He and the other members of the House expect to receive responses from all of the companies by early this week. With the responses to the House letters, “we can understand exactly what each sector of the communications industry is technically capable of doing, and how they use the information once they do get access to it.”One of the controversial new behavioral-targeting technologies is called deep packet inspection, and a company that does it — NebuAd — was a focus of the July Congressional hearings. In NebuAd’s version of deep packet inspection, a hardware device is put into an Internet service provider’s network that can track where users are going online. NebuAd looks forcategories that the user will be interested in. If the device notes that a user is browsing or searching for sites about German automobiles, it can deliver an ad about German automobiles later that day, even when the user is on a site about pets.NebuAd’s chief executive, Bob Dykes, who testified at the hearings last month, said his company protects privacy.“We don’t have any raw data on the identifiable individual,” Mr. Dykes said in an interview last month. “Everything is anonymous.”He said NebuAd took several steps to ensure that the information could not be traced back to an individual or an Internet protocol address. The company avoids sensitive categories, he said; someone making a search about H.I.V., for example, would not see related ads. And NebuAd cannot gain access to secure sites.Mr. Dykes came under scrutiny at the hearings for NebuAd’s technology and for how the company notified consumers. The ways that some Internet service providers told consumers about their tracking were vague or too subtle, some privacy advocates and congressmen said.NebuAd lost several customers this summer amid all the scrutiny, including CenturyTel, Charter Communications, WideOpenWest Holdings and Embarq. “We will not be using this technology again until such time as all the privacy concerns have been addressed,” said Charles Fleckenstein, an Embarq spokesman.Mr. Dykes said, “We are perfectly O.K. for some of our partners to wait until we have a better, more informed education of the public and folks in Washington before they resume their rollout.”The NebuAd controversy illustrates the difficulty of regulation in online advertising, when new ways of tracking users arise regularly and companies have different ways of handling data.The Federal Trade Commission has made some tentative steps toward standards, including a December proposal on behavioral-advertising practices. The proposal suggested that companies provide a clear notice to consumers that lets them opt out of tracking, notify consumers if the company changes the way it uses the data and use reasonable security measures. It also sought comment on several matters.But Lydia B. Parnes, the director of the F.T.C.’s Bureau of Consumer Protection, has said she supports industry self-regulation, saying that it isn’t yet clear that the consumer is being harmed and that regulations might be too specific to current technologies. Laws have been made on slices of the privacy pie, including data about finances or children. But complying with various pieces of legislation
View Full Document