I saw the movie “Inception” by Christopher Nolan last night. It is not a movie I would usually pick, since I am not particularly fond of science fiction. But my daughter insisted: “You MUST see this movie. You won’t regret it.” I caved in and indeed enjoyed watching that movie. In the movie, technology has advanced to the point where certain highly skilled people are able to enter the human mind through dream invasion and plant seeds for new ideas. The story is sophisticated and emotionally engaging, the actors give excellent performances, and the ending is, well, unexpected.
Marketers using the behavioral advertising technique would have never recommended that movie to me.
Behavioral Advertising is a technique used by internet marketers to target consumers, based exclusively on their past online behavior: Past choices, past preferences, past browsing and search history. Companies will tell you what to purchase, based on your past online behavior.
Amazon’s and Netflix’s recommendations are based on the customer’s past purchases. I recently bought a Garmin nüvi 255W 4.3 inch Portable GPS Navigator on Amazon. Within the hour, I received an email from Amazon, suggesting I might also be interested in the Garmin nüvi 37907 4.3 inch Portable GPS Navigator. Sure, Amazon, thanks! I was just thinking of starting a Garmin nüvi GPS Navigator collection…
Facebook also recommends friends based on people who already are your friends. LinkedIn recommends “People You May Know”, based on your previous connections.
Proponents of behavioral advertising claim that the loss of privacy experienced by consumers as a result of the creation of individual profiles for the purpose of behavioral targeting is offset by the benefit consumers gain from getting advertisements that are custom tailored to their preferences and interests.
I beg to differ.
No machine on earth would have recommended I see “Inception”, because none of my past choices pointed in that direction.
But, I am not a “compumer”. I am not a “computer-consumer”. I am a human being, capable of imagination and dreams, programmed for evolution and change.
I am afraid that if we let machines make all our consumption suggestions, we will become frozen in our status quo, defined and limited by our past inputs, in other words, we might well turn into computers, or “compumers” ourselves.
We will keep watching the same type of movies we have watched in the past, we will keep reading the same type of books we have read in the past, we will keep eating the same type of food we have eaten in the past, we will keep friending the same type of friends we have friended in the past, and we will keep connecting with the same type of professionals we have connected with in the past.
We will be locked into a class, as determined by data mining companies and online data aggregators.
What will become of that quintessential American idea of being able to “re-invent” ourselves, when our past becomes less than satisfactory? What will become of the desire to expand horizons, of the allure of uncharted territories, of the drive for social mobility, of the basic human need for change and progress?
But then, maybe one day technology will have progressed to the point where marketers themselves will be able to plant the seeds for all of the above-mentioned ideas into our brains through “Inception”!
On June 24, the Article 29 Working Party established by the 1995 European Directive on Data Protection published an opinion declaring that online advertisers who want to target ads by tracking consumers’ surfing habits must obtain the consumers’ affirmative opt-in consent to such data collection. At the same time, the Working Party lauded certain privacy-enhancing practices incorporated into behavioral advertising today and it encouraged industry to develop technologies to comply with the framework and “to exchange views” with the Working Party on the use of such technologies.
Behavioral Advertising is Regulated in the EU by Two Primary Sources
The Working Party explained that the behavioral advertising ecosystem is regulated in the EU by two primary sources. The first is Article 5(3) of EU Directive 2002/58 (the ePrivacy Directive), which requires organizations wishing to store or access information on an individual’s computer to obtain the consent of the individual before doing so. The ePrivacy Directive is to be implemented in the national laws of EU member states by June 2011.
The Opinion explained that since behavioral advertising relies on the placement of cookies (small data files) on individuals’ computers to aid in the tracking of their web browsing habits, the ePrivacy Directive applies. In addition, the Opinion went on to specify that if the behavioral advertising involves the collection of any personally identifiable information (PII), including an individual’s IP address (which is recognized as PII in the EU), then the EU Directive 95/46/EC (the Data Protection Directive) also applies.
Opt-In Consent Requirement and Opt-Out Deficiencies Explained
The major theme of the opinion is that under the ePrivacy Directive, meaningful, informed consent must be obtained from an individual before any information is collected and used for behavioral advertising purposes. The opinion went a long way in discussing what the Working Party considers to be meaningful consent in the behavioral advertising context.
Currently, consumers can “opt out” of behavior tracking through control panels offered by certain online advertising services or by relying on default web browser settings through which Internet users automatically accept all cookies that websites request to place on their computers. Users are therefore automatically “enrolled” in behavioral advertising, and can only stop the practice (if they know it is occurring) by blocking or deleting cookies.
The Working Party rejected this “opt-out” approach, concluding that it does not sufficiently allow individuals the ability to exercise choice on whether to share their information with behavioral advertisers. Instead, it stated that notice to individuals should explicitly reference the ad network that will place the cookie and describe how the information will be used once it is collected. Then, the individual should be given the opportunity to “opt in” to the sharing of their information for behavioral advertising purposes.
Once a user opts in, separate consent would not need to be obtained every time the user visited a website participating in the ad network, but separate consent would need to be periodically obtained (the opinion did not specify a time period) and the user would need to be afforded the opportunity to easily revoke consent.
“It is quite clear,” replied Don Quixote, “that you are not experienced in this matter of adventures. They are giants, and if you are afraid, go away and say your prayers, whilst I advance and engage them in fierce and unequal battle.”
Cloud Computing With Borders May Be On Horizon in Europe
by Jennifer L. Schenker
A proposal to build a national federation of interconnected computing clouds in France, funded in part by government in order to protect the country’s sovereignty, data privacy and local jobs, is gaining favor. Some fear that the idea, which is in part a backlash against American companies like Google, will spread to other parts of the Continent, potentially undermining the promised benefits to Europeans of cloud computing, which is being billed as the biggest shift in computing since personal computers were introduced in the 1970s.
French tech companies and businesses are calling on local governments in France to partner with private companies to build a network of data centers and shared cloud platforms and services that would respond to the computing needs of French businesses, organizations, governments and citizens, giving them an alternative to handing their data to American companies. The group called for local cloud infrastructure to be built with the help of funds set aside for France’s “grand emprunt national,” a €4.5 billion economic stimulus package that will start to kick in at the end of next year.
Cloud computing is the term for a new form of distributed computing which allows consumers, enterprises and governments to store their data and their applications on networked servers rather than on local computers and data centers and to tap into computer applications and other software via the cloud, freeing themselves from building and managing their own technology infrastructure. In addition to reducing operational costs, analysts say the shift to cloud technologies allows radical business innovation and new business models.
Some industry experts in Europe believe only giants like Google and Amazon can achieve the necessary economies of scale in building the massive data centers that underpin the cloud. They fear that national projects will be white elephants and question whether big enterprise customers like Danone and Carrefour will be willing to pay the price of French sovereignty. “Interconnection of hybrid clouds is not a simple problem and the risk is that the benefits come slowly and that local champions cannot grow and reach critical mass fast enough,” says Pierre Liautaud, a Frenchman who has worked in the tech industry for 25 years, holding executive positions at both IBM and Microsoft and heading up start-ups. He is currently organizing a November conference for the European Tech Tour Association to highlight European start-up companies in cloud computing. Most start-ups in Europe are concentrating on creating applications that run on top of infrastructure built and run by American companies like Google, Amazon and Microsoft.
ILITA, The Israeli Law, Information and Technology Authority, will host a Privacy Week on October 25-29, 2010 in Jerusalem, Israel.
The Article 29 Working Party recently published an opinion finding that Israeli data protection law largely provides an “adequate level of data protection” under the European Union Data Protection Directive 95/46.
Thus Israel will be joining the small and select club of countries to which personal data from the 27 EU member states and three EEA member countries (Norway, Liechtenstein and Iceland) can flow without any safeguard being necessary.
(The other countries deemed “adequate” are: Switzerland, Canada, Argentina, Guernsey, Jersey, Isle of Man and the Faroe Islands.)
This International Conference will consist of two parts:
1. October 25-26: OECD Conference on “Privacy, Technology and Global Data Flows”
and
2. October 27-29: The 32nd Annual International Conference of Data Protection and Privacy Commissioners on “Privacy: Generations.”
At the recent IAPP Global Privacy Summit in Washington, D.C., one of the more interesting sessions offered a preview to the 32nd Annual International Conference of Data and Privacy Commissioners’ main themes.
The panel consisted of Jules Polonetsky, Director of the Future of Privacy Forum, Yoram Hacohen, the Head of ILITA and Dr. Omer Tene, a Law Professor and an Israeli Legal Consultant on Law and Technology.
The theme of the conference will be:
A New Generation of Privacy:
1. A New Generation of Technologies
2. A New Generation of Users
3. A New Generation of Governance
1. The top issues for A New Generation of Technologies will be:
- Privacy by Design
- E-Health and Genetics
- Profiling and Behavioral Targeting, RFID and the Smart Grid
- Privacy v. Intellectual Property
2. The top issues for a New Generation of Users will be:
- The past: Where did we come from?
- The present: Where are we now? What are the inter-generational shifts in privacy perceptions?
- The future: Where are we headed?
3. The top issues for a New Generation of Governance will be:
- The relationship of Privacy and Antitrust Law
- Consumer Protection
- Erosion of Consent and the Right to Oblivion
- Government access to private sector data and Conflict of Law
Jules Polonetsky noted that this is the first time that the agenda of the conference has been revealed so openly, and also that for the first time, the conference will be featured on Twitter and Facebook.
Part 1 discusses the principal federal and state laws regulating cloud activities.
Part 2 provides a practical due diligence checklist companies should consult before entering into a cloud service agreement.
While storage of user data on remote servers is hardly a recent phenomenon, the current explosion of cloud computing warrants a closer look at the associated privacy and security implications.
Cloud computing carries with it its own unique risks regarding the privacy, confidentiality, and security of business information, which companies must fully assess before migrating to the cloud. Armed with an appropriate legal compliance and risk-management strategy—and strong, fully-negotiated contractual protections—companies should be able to safely transfer their data and applications to the cloud.
Part I of this article discusses the principal federal and state laws regulating cloud activities, and the legal security and privacy risks associated with cloud computing.
U.S. Laws and Regulations Governing Data Security and Privacy
The United States has numerous federal and state data security and privacy laws with implications for cloud computing. Unfortunately, there is not a single, comprehensive legal framework in which the rights, liabilities, and obligations of cloud providers and cloud users are regulated or defined. Instead, U.S.-based cloud users and providers must rely upon a veritable hodgepodge of (oftentimes) sector-specific laws to evaluate their legal risks and obligations, and the contractual terms between them.
The most notable data security and privacy laws are examined here.
The location of information stored in the cloud can have a profound impact upon the level of privacy and confidentiality protections afforded the information in question, and upon the privacy obligations of the cloud provider.
For instance, the European Union’s Data Protection Directive, which regulates the processing of personal data within the EU as a means to safeguard individual citizens’ privacy, is of particular significance.
Under the EU Data Protection Directive, personal data may be transferred to third countries (non-EU member states) only if that country provides an “adequate” level of protection. Most notably, the United States is not on the list of countries that meet the EU’s “adequacy” standard for privacy protection. Accordingly, an organization that does its processing in the cloud may be violating EU law if the data goes to a server outside the EU in a prohibited country, such as the United States.
In order to provide a means for U.S. companies to comply with the Directive (and thereby ensure continued trans-Atlantic transactions), the U.S. Department of Commerce, in consultation with the European Commission, developed a “Safe Harbor Program” designed to protect against accidental information disclosure or loss.
After Facebook’s recent changes in their privacy policies, you need to take a few steps if you don’t want your Facebook bio, education & work, hometown, likes and interests data to be publicly shared online, as well as probably sold to behavioral marketers.
1. Go to your Facebook page
2. Go to “account”
3. Go to “privacy settings”
4. Go to “applications & websites”
5. Go to “instant personalization pilot program” all the way at the bottom
6. UN-check the PRE-checked box: allow selected partners to …(steal all your data?)
7. A window pops up; are you SURE? click: CONFIRM!!
8. Go back to “applications & websites”
9. Go to “what your friends can share”
10. Uncheck each category that you don’t want your friends to share online
11. Click: Save Changes
After this, you need to block each “selected partner” on their respective Facebook page. So far, they are:
12. Microsoft Docs: click “block”
13. Pandora: click “block”
14. Yelp: click “block”
15. Keep checking every day, for the rest of your life, which new “selected partner” Facebook has added to the list and block those too.
Voilà! You have just opted out! Wasn’t that quick & easy?
Unfortunately, I believe most people won’t bother to go through all these steps, even in order to protect their privacy.
Worse, most people won’t even know how to opt-out, because the opt-out option is set up in such a complicated way. Facebook knows this and counts on this.
Do you think it’s fair to have to go through fifteen steps in order to prevent your personal data from being sold to advertisers?
Both above-mentioned alternatives have one thing in common: the ingredient that is missing in Facebook’s Machiavellian opt-out design, which is “respect for the consumer”.
UPDATE: EPIC and others have filed a complaint on 5/5/2010 with the FTC about the New Facebook Features discussed in this article.
UPDATE: After worldwide outrage about Facebook’s new Privacy Policy, Facebook caved in and made some changes:
At the recent IAPP Global Privacy Summit in Washington, D.C., many hot topics were addressed:
Privacy by Design, Behavioral Advertising, the new EU Cookie Consent Law, the Smart Power Grid, the Cloud, Web 2.0, the new EU Model Clause Agreements, Controllers, Processors and Sub-Processors, the recent Google convictions, to name just a few.
I interviewed a few prominent privacy professionals, attending and/or presenting at the summit on some of the important issues of the day.
Robert Rothman, President of Privacy Associates International (PAI), is an expert in Cross Border Data Transfers.
The EU Commission Decision of February 5, 2010, contains new rules on standard contractual clauses for the transfer of personal data from EU countries to processors established in third (non-EU, and non-“adequate”) countries. This decision comes into effect on May 15, 2010.
I asked Robert Rothman to explain the changes in the model clauses.
See also my previous post for a comprehensive coverage of the subject matter.
In this video, Jay Libove, CISSP, CIPP, an experienced privacy professional, expresses some concerns about the recent Italian verdict against three Google executives.