TOC A little closer to the bull's eye, please Your Turn

September 8, 2009

"Targeted television advertising is touted as a winning innovation for everyone involved". Obviously Tim Bradshaw and Kenneth Li never thought of double-checking with the targets. Their filing (*) does mention viewer "surveys". Yet would you infer the comfort of Chicago bound cows from people paid by meat packers? As Adam Cohen concludes his editorial about "locational privacy" (**), "it's time for a serious conversation".

Whether put in the bull's eye by their cellphone or their television habit, it is high time indeed for consumers to speak up. The recent appointment of David Vladeck as head of the Bureau of Consumer Protection at the FTC has created an opportunity. If his declaring "some online tracking is Orwellian" is not an invitation to target targeted advertising, what will?

As it happens, Ryan Paul reports (***) "a coalition of privacy and consumer rights groups have written an open letter to the House Committee on Energy and Commerce calling for the regulation of behavioral advertising". Last year punctured the myth of deregulation together with the financial bubble and no intellectual obstacle can prevent elected representatives free from the ties of pronaocracy to set the rules for this new game.

The open letter proposes such a set of rules, called principles by its writers (1). Since it much easier to criticize than to build, these authors deserve our commendations. On the other hand they no less deserve to see their work critically reviewed.

From the legislator and the FTC will come the judgment. And what to expect from advertisers but frantic squeals about their being squeezed by enemies of innovation? Unfortunately, by combining their forces in signing this letter, privacy advocates have left precious few independent critics to give constructive feedback. I will gladly oblige.

Among the sixteen rules, four should be singled out as a solid foundation. The first one eliminates the superannuated notion of "personally identifiable information". The second forbids the collection of "sensitive information" including a list of seven explicit topics led by health and finances. Principle 8 mandates "reasonable security safeguards". The next one calls for means to "establish[...] the existence and nature of personal data".

These rules have teeth even when using weasel words like "reasonable". For experience shows that, when security is concerned, asking for "reasonable measures" acts as a ratchet. The pioneering measures of today are soon found to be best practices which it is unreasonable to ignore.

At the other extreme, four other rules look like the fake teeth favored by self-regulation, so easily removed to expose impotent gums beneath.

Principles 5 and 6 for instance hold behavioral information users to their self-declared "purposes". Granted, this would improve on current practices which allow "purposes" to be changed at will and retroactively. But start to enforce this rule and expect every company concerned to declare their one and only purpose is "to increase the relevance of the consumer experience, with the help of their business associates and in compliance with the law" or some such blandishment. We have been there before with so-called "privacy notices", the most gigantic waste of paper ever.

Yet one should think carefully about lessons drawn from experience. Rule 15 tries to replicate the success of the "Do Not Call Registry" (2). But, as I have explained earlier (3), the latter works because those who dare call a duly registered consumer are immediately spotted and identified in the very act of violating the rule. Consumers on the contrary are unaware when their behavior is being tracked, especially were such tracking illegal.

A good rule must not offer a way out for people of bad faith. Take rule 3. It forbids tracking underage users "to the extent that age can be inferred". If I were in data collection, I would simply take care to limit user age to 25 and make sure to prevent further precision. A real rule would reverse the burden of the proof and forbids collection when the tracker is not positively sure the user is 18 or older.

At this point readers may accuse me of being in bad faith myself, as my rule would shut down behavioral tracking in a round about fashion. How indeed can an online service be sure of a user's age? Since I believe in individual responsibility, I would take a user's self-declaration at face value. Children are known to lie of course but enforcing good morals is a task for their parents and teachers, not online service providers. And if adults lie too, relax and take it as a cheap but effective substitute for a do not track registry.

At the heart of the document, rule 10 establishes the right of user access to their profile "within a reasonable time, at a charge, if any, that is not excessive, in a reasonable manner; and in a form which is readily intelligible to him". This is what New-York Assemblyman Richard Brodsky had courageously proposed last year. The world would be better with such a rule but its implementation is fraught with dangers.

First, the idea of having to pay to access one's own data is simply repellant. It creates a new revenue stream for companies already exploiting personal data for free. Hear the howls of the music companies if they were asked to pay the consumer each time they want to verify he or she does not engage in illegal downloads. With their track record, they would even find it excessive if one only asked for one dollar, doing it for a song truly.

More crucially it creates a conundrum as consumers will have to justify their identities to the companies holding confidential data on them, but perhaps not their names. Expect at the very least that a tracking company which receives a profile access request put a heavy burden of proof on the user. My suggestion is to transfer the burden on the companies which profit from behavioral tracking in the first place.

From a practical point of view, behavioral tracking comes to fruition as the consumer receives an ad which has been targeted. This is a time when both the consumer is likely to be curious about how much is known about him or her and the targeting system happens to have right at hand the profile it holds to be the relevant one. If the ad is not profitable enough to support data display, just forget to target, no need to charge consumers. And no more uncertainty about his or her identity either. The advertiser and its suppliers' willingness to target shifts any legal responsibility to them.

My good faith is unimpugnable. Since targeted television advertising is "a winning innovation for everyone involved", highlighting such higher quality ads is another winner. Thus warned, consumers will click the appropriate key on their remote or device and access their profile on the spot.

The coalition aims in the right direction. Its shots are on target. But couldn't they be a little closer to the bull's eye, please?

Philippe Coueignoux

September 2009
Copyright © 2009 ePrio Inc. All rights reserved.