Nethui 2012: Pamela Jones Harbour Privacy Keynote
Nethui 2012 Live Notes: Privacy Keynote Address - ex FTC Pamela Jones Harbour
Live notes of Nethui 2012 Privacy Keynote Session Morning 11/07/2012 at the Sky City Convention Center, Auckland, New Zealand.
Nethui is an initiative of InternetNZ
Note: The event was broadcast by live stream and recorded by r2.co.nz. These notes are subject to further revision. Notes by @Gnat and helpers.
Wednesday 11 July
Listening to Penny Hulse, Deputy Mayor
Vikram Kumar, InternetNZ
If the Internet is for everyone, it makes no sense to negotiate about it in secret.
Trans Pacific Partnership
WCIT
Need transparency
Announced FairDeal campaign
Issues at #NETHUI
-Education features as one of the issues
Long introduction by Privacy Commissioner.
ex FTC Pamela Jones Harbour
Applause for her first visit to NZ. Pamela is former Federal Trade Commissioner. She’s graciously foregoing the opportunity to make sheep jokes, and is recounting her summary of the news headlines.
FTC Trifecta: the FTC’s complaints against Twitter, Facebook, and Google. And now they have added a complaint against MySpace. Will talk about how these recent cases are important milestones in the US emerging common law about privacy enforcement, and the important role these cases will play in protecting consumers worldwide.
US and NZ share common elements of history and culture, and commitment to democratic principles. As for privacy protection, NZ’s privacy act of 1993 has been called “the most comprehensive National Privacy Law outside of Europe”, even as the Law Commission proposals are with the government for consideration and govt bill to be announced in September.
NZ’s Privacy Act applies to gathering personal information by public and private sectors. Not the only model for privacy legislation: sectoral legislation and self-regulation as well (best practices).
Map showing all the sectoring and omnibus data protection and privacy laws around the world. US has sectoral and self-reg, no omnibus (though Congress being pushed to enact baseline regs). NZ has all three. New uses of tech can challenge these approaches.
A recent UMR study in this country stated that NZers are “increasingly online” (no shit sherlock) and increasingly worried about how to control their digital presence. Probably why NZ will overhaul its 20 year privacy law. Justice Minister Collins said “huge changes to tech and information flows occurred during that time, overtaking our privacy laws”.
Look at those changes and effects: data brokers and tech companies gather huge amounts of personal information and distribute it wider than traditional data gathering companies ever could. We, the consumer, don’t know how much information is being collected about us, how it is being used, and how it could fall into the wrong hands.
Privacy advocates say these extraordinary data repositories demand extraordinary controls. Contain: biometric data, health, buying behaviour, geospatial and location, social media data, internet use, and more. Entrenched in the age of “Big Data”.
“Big Data” is a general term used to describe the voluminous amounts of unstructured data that companies can create. Also about technologies and practice of handling data sets so large that national database management systems cannot handle them efficiently. Although Big Data doesn’t refer to any quantity, often used when referring to petabytes and exabytes of data. Sources: financial markets, analytics, sensors, cell towers/traffic cameras, web server log data, social media data, e-commerce transactions, site crawling, and more.
Within this data, valuable patterns and information exist that were previously hidden by the amount of effort required to extract them. Big Data processing becoming possible for small startups due to the ability to rent server time in the cloud.
A more cynical definition of Big Data: when size itself becomes part of the problem. Consumer Report Magazine June 2012 noted: “our electronic trails been digitized, formatted, destandardized, analyzed, and modeled - and we [the global consumer] are up for sale”. The data is used for advertisers to deliver targeted ads that we may find useful. As a lawyer, she counsels companies how to keep off the radar screen of lawmakers around the world. As a consumer, it’s troubling.
Through all the negotiated agreements with FTC, building case law around privacy. Four cases really show best practices that responsible companies can draw on.
Start with Twitter. Earliest of orders, issued March 2011. FTC reached a settlement over security lapses that enabled hackers to gain administrative control of Twitter. The hackers sent phony tweets including one that seemed to be from the account of President-elect Obama.
Twitter’s privacy policy included the statement “we employ administrative, physical, and electronic measures designed to protect your information from unauthorized access”. FTC alleged that, contrary to that statement, Twitter engaged in practices that did not provide such security. FTC said the company failed to honour members’ privacy settings. And password for admin access was weak, lowercase, letter-only, common dictionary word.
FTC found that Twitter had represented to the public that Twitter used reasonable and appropriate security measures to honor the privacy choices exercised by users, and that their acts and practices constituted deceptive acts under Section 5. Twitter had to maintain a comprehensive information security program for 20 years, and compliance assessments from third party for 10 years (audit every 2 years). Consent order is typical of FTC consent orders in cases of security breaches. One can find more than 35 consent decrees with similar orders.
Second complaint from FTC is against Google. March 2011, charged with “deceiving consumers when it launched its first social network service Buzz”. FTC alleged that Google took previously private information, the contacts of gmail users, and made it public to generate and populate Google Buzz, without users’ consent. Until the complaint, Google’s privacy statement said: “when you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such a use.” FTC found they acted against this.
If companies make promises in their privacy policies, but fail to follow them, this can be deceptive practice.
Second statement: “Google adheres to the US Safe Harbor Privacy Principles of Notice … and is registered with the US Department of Commerce’s Safe Harbor Program.” The principles violated referred to notice and choice. Participants to give notice and choices about the use and disclosure of their information, and have opportunity to opt out of whether information disclosed to third party or used for purpose incompatible with purpose for which it was originally collected.
Google’s actions contradicted those requirements. Buzz order has been in the news as Google consolidated their privacy policies (and Apple’s Safari browser). Stanford researcher found Google had exploited a Safari bug to track users even when users had chosen not to be followed. Rumour of $22M settlement.
Unlike most of the past breach orders, this order focused on privacy, not information security. The order bars Google from future privacy misrepresentations; requires Google to implement a comprehensive privacy program (same as Twitter order but for privacy, not information security); and requires independent privacy audits for 20y (not 10y like Twitter). The Buzz settlement was the first time that FTC has required companies to enhance comprehensive privacy program to protect consumers, and first time FTC alleged substantive violations of the Safe Harbor program.
Buzz headlines were around requirement for “opt-in consent”. (Part II of Google/Buzz consent order). Google or acting through any other subsidiary of device, etc. Key language is in opening clause: information sharing with third parties. Current FTC Commissioner Rush highlighted this language, stating that S2 of the order prohibits Google, without prior express consent (“opt in”) from engaging in any additional sharing of previously collected information with any third party, that results from “any change, addition, or enhancement”. This could be against public interest: Google willing to agree to terms that hurt competitors as much as the terms will hurt the party. Rush speculates that Google may have agreed to this term in hopes that FTC will include it on other consent agreements with Google’s competitors, resulting in adverse effect on those competitors. Rush concerned this language in Part 2 might be used as leverage in dealing with practices of competitors. “seems to be contrary to Google’s self-interest”.
FTC recently clarified that “affiliates are 3rd parties” … a consumer choice mechanism is necessary unless the affiliate relationship is clear to consumers. This wasn’t part of the Google/Buzz consent, which doesn’t recognize affiliates to be third parties. Wonder how this discrepancy will be reconciled. This includes search and analytics affiliates.
Data can be an antitrust issue.
Earlier this month, Google submitted proposals to EU Competition Commissioner over claims that Google was abusing its dominant position. These areas involved: the ways Google ranks its competitors results, copying content from other sites, exclusive advertising agreements, and restrictions on transferring ad campaigns to other platforms. EC decide whether to resolve case or settle formal charges. And they’re under investigation in US for potential anti-trust violations.
In my view, the precursor to these investigations began when the US FTC approved the Google DoubleClick merger in December 2007. I was a sitting commissioner at the time and wrote a dissenting statement highlighting the nexus between privacy and competition. My colleagues at the time disagreed with my premise but subsequent changes in the marketplace have reinforced the validity of my concerns as well as my thesis that privacy protection is increasingly viewed as non-price dimension of [competition?]
Merging two firms might have long-term negative effects for consumers. Google assured regulators that deal was not motivated by desire to enter behavioural advertising market. Business incentives do change, and Google is currently in behavioural advertising. 90% of Google’s revenue (27.5B euros) around advertising. 95% market share in online ads.
Google often states they do not share data with third parties. Thanks to acquisitions, Google doesn’t need to share data to allow advertisers to conduct campaigns tailored to individual users. Not only acquired YouTube and Motorola but also DoubleClick and Admob which use consumer info to sell advertising. Now an advertiser never need leave the Google universe to purchase or sell targeted ads.
As we know, the company offers services and gathers data from consumers, which it then resells to advertisers. Google charges for eyeballs. The company’s recent March 1 privacy policy changes state that many of its services will be conditioned upon the user providing their personal information. This collection of user data across Google’s myriad of free products and services, IMHO, gives the company a competitive advantage. They have amassed so much consumer data and obtained so much control over so many aspects of the Internet ecosystem, that they have created entry barriers that prevent effective competition.
NZ’s Commerce Commission have announced investigation into Sky TV’s pay TV business to see if company denies rivals access to quality content in violation of commerce act. NZ’s antitrust enforcers are also concerned about entry barriers that prevent effective competition. As for Google, by combining its various sources of consumer data into massive digital dossiers per consumer, Google can afford to place more effective ads, so any competitor would need a similar trove of data and would need to enter the ecosystem in multiple markets to act effectively. By uniting privacy policies, Google can consolidate data across multiple services and enhance value of data troves to advertisers.
While we are on the subject of disclosure of user information to advertisers, move on to third FTC action. Now against Facebook. In Nov 2011, Facebook agreed to settle FTC charges that it deceived customers by saying they could keep their info on Facebook private, but then repeatedly sharing it and making it public. Repeatedly violated S5 of the Act by:
• falsely stating that it does not share information about its users with advertisers;
• not disclosing that a user’s privacy choices were ineffective against a Friend’s platform apps;
• retroactively applying its new privacy policy to previously collected user info without informed consent; and
• falsely claiming that it adhered to the US Safe Harbor Privacy Principles.
Ended up in consent similar to Google’s.
Practices didn’t align with its privacy policies.
Highlight disclosure of user info to advertisers. Facebook had made public statements that it didn’t share user info without consent, though their privacy policy did say its advertisers could choose characteristics of users who would see ads, and when you interact with the ad the advertiser might put a cookie into your browser and trace you that way. Partial list of Facebook criteria for advertisers to target ads: location (city or state); age; sex; birthday; “interested in” relationship responses; relationship status; likes and interests; education; name of employer.
And user ID shared with advertiser if user clicks on ad. This let advertisers get detailed info on the user, and then advertiser could use the ID to access profile page, get real name, combine with any targeted traits used for the ad which the user clicked; then advertiser collect with targeting traits from additional ads and targeted activities across the web. Facebook’s statement that it didn’t provide advertisers with info on its users: found to be false.
Final case: MySpace.
Alleges MySpace misrepresented its collection by sharing with 3rd party advertisers. Tracking cookies played prominent role in the settlement. MySpace used cookies to customize content, telling users “this info doesn’t provide your personally identifiable information or identify you as an individual to third parties”. The company’s default settings made public information available around friend id. Third party advertisers able to tie or sync friend ID and personal information associated with it, to the advertising tracking cookie, enabling construction of history of web sites the user visited. And they could get full names and more, in violation of the privacy promise.
Settlement: stop that, 20 y privacy programme and audit.
A common theme in all of these cases is that companies should review their privacy policies and make sure that what is promised, either expressly or by implication, comports with the company’s everyday practices. Another commonality: each of these tech giants is under an FTC order, which means that compliance is legally enforceable, which will protect privacy of >1B users around the world. Also, the evolution of these cases points to a shift in FTC’s approach to protecting online privacy by focusing on info that can reasonably be connected to device or person. FTC starting to move away from previous rules and regulations that were focused around securing information.
Moving on to Cookies. On May 2 of this year, Collins pointed out that new comms tech => introduction of third parties mediating the message between communicator and receiver, platforms for these communications often available for free but real cost is individual privacy. Most users aware that many free websites earn revenue from advertisements on their pages, but find it creepy to be tracked across websites.
US FTC included a “do not track” proposal in its final Mar 2012 report (“Protecting Consumer Privacy in an Era of Rapid Change”). The commission report recommended simplified choice for business and consumers where companies give consumers option to decide what information is collected about them, and should include a “do not track” mechanism which would be an easy way for consumers to disallow the tracking of their internet activities. This was included in early version of its report, and industry took the hint: Apple, Microsoft, Mozilla, Twitter, and others now have or are testing Do Not Track facilities. Google agreed to add it to Chrome.
FTC report also called on companies handling consumer data to consider additional regulations around (“privacy by design”, recommending companies build in consumer privacy protections at every stage in developing products). Another feature called for transparency: companies should detail collection and use of consumer information, and provide consumers with access to the data collected about them.
The White House released its proposals in a white paper. Consumer Bill of Rights detailing set of principles about how companies should handle user data. FTC Report and White Paper recommended complementary approaches, with small clashes at the margin. FTC acknowledges that it lacks power to fully enforce these new privacy principles, which serve as template for best practices. Each urged US Congress to pass legislation to set mandatory privacy standards for all web companies.
FTC also working with Dept of Commerce and companies to develop codes of conduct around White House principles. FTC would have authority to sue companies that promised to abide by the codes but failed to do so.
Ever considered how much of your data could be in the hands of third parties? Many people think that a simple transaction might involve your computer, your site, and a couple of advertisers. The situation is far more complex. Next slide shows the companies that could have access to your data. (lovely mishmash of names intended to make you go “oh”)
It’s perfectly legal for data brokers to collect data about you from any number of sources, then merge and sell it. IAB says personal information on Internet users is worth $30B, up 22%. This chart could also help explain regulatory interest in this particular subject and collection of information by data brokers around the globe.
Speaking of regulatory interest, a case came out a few days ago, FTC against Spokeo. Brought its first case against a data broker. Spokeo settled for $800k. FTC alleged data broker acted as de facto consumer reporting agency by selling personal information to job recruiters and employers without taking steps to protect consumers under Fair Credit Reporting Act.
Slide of many data brokers: natural outgrowth of lack of regulation in Internet. Internet would look different if it had been built with Privacy By Design from the start [no shit]. Privacy By Design places privacy at forefront of innovation, making new tech opt-in for use of personal information. Privacy By Design is a very European approach to privacy.
In last few minutes, will talk about European privacy and proposed regulations. The US sectoral approach results from foundational emphasis on free speech. In contrast, EU approach informed by historical experience of regime abuse, comes from opposite perspective: personal data is to be protected unless there is a specific exemption. The right to privacy is enshrined in EU Constitution, and EU takes comprehensive approach characterising companies as providers or controllers, and data by sensitivity.
Commission announced proposal to overhaul rules to consolidate member state laws and enacting more rigorous privacy requirements across the European Union. Not going to go into a lot of detail on the EU, so can leave time for q’s. When NZ announced it would update 1993 privacy act, said it would not jeopardise its “EU adequacy” finding.
Any company holding personal data faces risks regardless of which country it is stored in. US, EU, and perhaps even NZ, will have Privacy By Design in common. FTC recommended that in privacy report, and features are in consent order with Google and Facebook. In addition, US and EU appear to have coalesced around a baseline of principles.
• implementing privacy by design
• increased transparency
• effective tools to consumers to control their information
• providing consumers access to their data
• ensuring consumer data are accurate
• securing consumer data
• providing parents with control over the collection of their children's info
• creating a climate of accountability
Public and regulators very sensitive with regulation and privacy.
One way to harmonise approaches is by APEC. 21 Pacrim countries (‘member economies’) promoting economic cooperation. In 2004 APEC endorsed a 9-principle privacy framework. Cross-border cooperation. Embraces Privacy By Design, possible model for international harmonisation.
Practical applications for multinationals around privacy.
1) consider becoming involved with APEC
2) implement PBD
3) protect consumer data
4) consumer choice
5) transparency
6) privacy policy should reflect your actual practices
[someone else can do Q&A, my fingers are knackered :) --nat] - bloody well done mate v v impressive typing speed.
LOVED watching you work
WOAH. Your notes are awesomely detailed!
very well done!
[aw blush, thanks! that high school term spent in a room full of girls, wearing a bib, being the only boy in touchtyping class, obviously paid off :)]
Q&A..
ENDS