August 19, 2008
Against eprivacy, attackers like to proceed by stealth. Their target however shows itself clearly "on the radar in Congress", to use Stephanie Clifford's expression (*). According to her quote from Representative Edward J. Markey, "some type of omnibus electronic privacy legislation is needed". From the chairman of the House Subcommittee on Telecommunications and the Internet, these are no idle words.
Exuberant optimism would be totally irrational at this point. The track record of the US Congress is dismal indeed when it comes to defending our constitutional data rights. Last session saw the total rout of all anti-IDtheft bills, written to deny IDthieves their reward, i.e. the ability to milk victims' credit beyond simple credit card purchases (1). Inaction however may be better than meaningless measures such as the one which gave us those vacuous "privacy policy notices" (2).
The fact that the US Government is the first to disregard any concern of privacy when it suits its needs is not encouraging either, to say the least.
Even with the best of intentions, members of Congress will be grappling with a complex issue. Its current focus is on "behavioral targeting", which promises to deliver more relevant ads to web users thanks to the invisible collection and aggregation of their every click. This is meant to be an exchange, and a fair one at that. As John Gapper states (**), "there is no such thing as a free lunch, even a virtual one, and increasing advertising yields helps to pay for content". And yet the more John Gapper explains the practice, the more he expresses a deep seated ambivalence. "Indeed, up to a point, I believe it". "This sounds fine and, in some way, it is". "Targeted advertising has its uses [...] but".
If an expert answering to his sole conscience wavers so, what to expect from elected congressmen, buffeted as they are by powerful lobbies?
My hope is that these honorable members come to realize the root of the issue. Were privacy and its mirror image, personal data, a tradable commodity, the conflicting interests of consumers and advertising networks would be balanced at market price. The problem is, no such traditional "price market" exists. Privacy is only one factor in more complex trades on what I called a "value market". In the instance, other factors include the nature of the service rendered, its price, the transparency of the personalization process, the attractiveness of the consumer profile (3).
Unfortunately value markets are rarely fair. Most are asymmetric, like the job market where the recruiters have generally more information at their disposal than candidates. Some are little more than confidence games, like frequent-flier mile programs whose manipulations by airlines are documented by Ron Lieber (***)(4). In the case of behavioral advertising, the asymmetry which favors advertisement space sellers over consumers is compounded by the fact the market organizer itself, the ad network, is steeped in inherent conflict of interests.
A lasting solution (5) must enforce fairness over this value market. It would at the minimum require to let consumers know what the ad network knows about them. But can advertisers and ad space suppliers be expected to willingly tip their hands on what they know about you lest they lose the advantage of stealth? Can ad networks managers welcome real, effective transparency when Facebook got into serious trouble for this very feature of their Beacon initiative? Can isolated consumers compel market counterparts to adopt a real solution against the counterparts' wishes?
No solution is likely to appear without a favorable legal framework. Yet what legislator will be bold enough to pass a law unless convinced it is backed by proven solutions? Far easier to yield to privacy blackmail or settle for well intentioned but ineffective methods acceptable to the industry.
Beware though, privacy is not a luxury. May Congress ponder the recent cyberattacks against Georgia, as reported by John Markoff (****). What country at war would miss the opportunity to get confidential personal preferences on every prisoner, suspected spy and known key active member of the opposing force? Would the enemy prove less crafty than New York Times reporters in seeing through the thin veil of anonymization?
I do not relish Cassandra's mantle. Yet it must be said. Ad networks are busy creating what hacker hunters call honey pots (6). In the instance, these honey pots contain millions of aggregated personal profiles and are sure to attract big bears but, subtle mistake, the data is for real.
Mr Markey, before the invisible eye of the market causes trouble, tear it out and throw it away!
Philippe Coueignoux
- (*) ......... Web Privacy On the Radar In Congress, by Stephanie Clifford (New-York Times) - August 11, 2008
- (**) ....... Advertisers will see you read this, by John Gapper (Financial Times) - August 13, 2008
- (***) .... New Ways to Evaluate Bonus-Mile Credit Cards, by Ron Lieber (New-York Times) - August 16, 2008
- (****) .. Before the Gunfire, Cyberattacks, by John Markoff (New-York Times) - August 12, 2008
- (1) we are speaking here about IDtheft, not idtheft. To better understand the difference, see The Wizards of ID and What the meaning of the word "is" is
- (2) for factual information, please refer to the documentation prepared for our lecture on marketing
- (3) e.g., a good zip code, a fondness for browsing luxury goods sites and a good job, the last information courtesy of your LinkedIn page
- (4) as contracts for future deliveries, airmiles are similar to Jim Bakker's hotel nights; as a currency, they behave like Zimbabwean dollars
- (5) for more details, see my comments to the FTC on behavioral advertising
- (6) honeypots are web sites baited with faked data and set to identify hackers. For more details, see our lecture notes on protecting digital information
|