Rep. Hank Johnson, D-GA, also questioned Google about what it was doing. Google was sending to apps developers the name, email address and address of people who bought apps on Google Play. It tried to claim that the information was necessary for the transaction, but that’s clearly not the case when talking about downloading an app from its app store. Neither Apple nor Microsoft provides such personal information. Google’s response to Rep. Johnson confirmed what Google was doing and actually showed it was unnecessary. Consumer Watchdog sent a second letter to the FTC with a copy to California Attorney General Kamala Harris when Google answered Rep. Johnson’s letter.
On Tuesday WebProNews and DroidLife reported Google was addressing the concerns on a new Wallet Merchant Center it is rolling out and won’t send the personal information to apps developers.
I’m glad the change is coming, but I’ve got questions.
What role did the Federal Trade Commission or the California Attorney General’s office play in this change? Why did Google only act when formal complaints were filed? Will there be fines?
Google has become a serial privacy violator. You’ll remember that no sooner was the ink dry on the “Buzz” consent agreement than it was caught hacking around the privacy settings on the Safari browser used on iPhones, iPads and other Apple devices. It ultimately cost Google a fine of $22.5 million, which is pocket change to a company that has annual revenue of around $50 billion. It’s like giving a $25 parking ticket to a person who makes $50,000 a year.
Google is simply figuring that fines are a cost — and a minor one at that — of doing business. In case you missed it, on Monday Germany hit Google with a $189,225 fine for the Wi-Spy incident where its Street View Cars sucked up emails, URLs, passwords, account numbers as they snapped photos around the world.
In describing the fine, The New York Times’ Claire Cain Miller wrote:
Regulators in Germany, one of the most privacy-sensitive countries in the world, unleashed their wrath on Google on Monday for scooping up sensitive personal information in the Street View mapping project, and imposed the largest fine ever assessed by European regulators over a privacy violation.
The penalty? $189,225.
Put another way, that’s how much Google made every two minutes last year, or roughly 0.002 percent of its $10.7 billion in net profit.
It is the latest example of regulators’ meager arsenal of fines and punishments for corporations in the wrong. Academics, activists and even regulators themselves say fines that are pocket change for companies do little to deter them from misbehaving again, and are merely baked into the cost of doing business.
The fact Google is changing Google Wallet’s practices makes it clear Google violated the Buzz Agreement. Google claims that it is taking privacy seriously now that it is operating for 20 years under the Buzz Agreement. It isn’t and the regulators aren’t holding Google’s feet to the fire.
The company’s executives need to be held to account in a meaningful way. I’ve always argued the way to get corporate executives’ attention is to hit them with jail time when they flout the law. It’s not going to happen here, but a meaningful fine for the second Buzz violation sure would be nice.
I mean how many of you actually thought Google even had a privacy chief?
Whitten, an engineer based in London (now that’s a location convenient to its Mountain View Headquarters), took the position in 2010 about six months after the Wi-Spy scandal was uncovered and as Google was reaching a consent agreement with the Federal Trade Commission for invading users’ privacy when it launched the ill-fated Buzz social network.
Well, about all that happened on Whitten’s watch was that Google became a confirmed serial privacy violator. No sooner was the ink dry on the Buzz Consent Decree with the FTC, than Google was caught hacking around privacy settings on Apple’s Safari browser, which is on iPads and iPhones, and lying about its practices on the Google website. Google was fined $22.5 million by the FTC, pocket change to the Internet giant.
Also on Whitten’s watch Google was fined $25,000 for obstructing the Federal Communications Commission’s investigation of Wi-Spy and just settled for a paltry $7 million with 38 state attorneys general who were investigating. They’ve also got to make a YouTube video telling people how to improve Wi-Fi network security and have a Privacy Day for employees. That’s like asking the fox to teach the chickens about how to make the coop safe.
It was also on Whitten’s watch that Google combined its privacy and data collection policies across its services without asking users’ consent first. European data protection officials led by the French are still investigating and action is likely this spring.
Whitten intends to stay on the job through June — not that it makes much difference to users — until her successor Lawrence You takes over.
I guess it makes a certain amount of sense that this got announced on April Fools’ Day. Privacy at Google is a joke. Google’s executives view the taps on the wrist the Internet giant has received for privacy violations as nothing more than the cost of doing business.
Judge Susan Illston approved the Federal Trade Commission’s $22.5 million settlement with the Internet giant for hacking past privacy settings on Apple’s Safari browser in U.S. District Court in San Francisco, in a deal that Consumer Watchdog had argued was insufficient in light of Google’s wanton privacy violations.
“The Court also grants additional deference where the decree has been negotiated by a governmental agency that is an expert in its field,” Judge Illston said in her decision.
I was disappointed with the ruling, but think we made important points that will affect how similar cases are dealt with in the future. Drawing the public’s attention to this case was tremendously important. I’m glad we did it.
Attorney Gary Reback of Carr & Ferrell represented us as an amicus curiae or friend of the court. Frankly, I expected an uphill battle with Google and the FTC aligned against us. Together the government and Google defended the deal that had been negotiated in secret.
Judge Illston did not surprise when she began the hearing by saying her “preliminary view” was to approve the settlement. We opposed the deal for three basic reasons:
1. The settlement allows Google to deny that it did anything wrong.
2. The $22.5 million fine — a lot for you and me – is insufficient for a company like Google with revenue of $40 billion a year. Really it’s just chump change. Google makes $22.5 million in about five hours. Google was liable for fines totaling $16,000 per day per violation. If you consider each wrongly placed cookie a violation — and you should — Google quickly reaches a liability in the billions. A fine of that magnitude would have caught Google executives’ attention.
3. The injunctive relief in the settlement is insufficient. Google is allowed to keep the ill-gotten data it obtained by hacking around the Safari privacy settings, which is the browser used on iPhones and iPads.
Reback made the arguments in two excellent briefs before the hearing. Both are well worth reviewing. The first is particularly valuable for the way it lays out Google’s history of privacy invasions. Read the original amicus brief here and our response brief here.
As the hearing began Judge Illston said there was no need to require Google to admit it did anything wrong. She said she had no problem with the amount of the fine. She did, however, have questions about allowing the Internet giant to retain the wrongfully acquired data.
The government and Google’s attorneys tried to make the case that Google wouldn’t use the information, so keeping it was irrelevant. I thought Reback effectively rebutted their position, but then, you’d expect me to think that.
By the end of the day, though, Judge Illston had ruled against us. As Reback told The Associated Press’ Mike Liedtke after the hearing, a consent decree “is not a good way to police Google.”
What the decision does is allow Google executives to buy their way out of trouble with what for them is pocket change and then deny doing anything wrong. As our briefs made clear, Google has demonstrated an ability to outmaneuver government regulators repeatedly and ride roughshod over the privacy rights of consumers. Google continues to be disingenuous about its practices.
That’s why the decision makes two things clear: First, if consumers are to have any privacy at all and be able to control what data is gathered about them, tough Do Not Track rules must be implemented. Second, as we told the FTC last week, the Commission needs to file an antitrust suit against Google and take it to trial in U.S. District Court. The FTC should seek to force Google to divest its Motorola Mobility subsidiary, separate search from advertising, and undergo the same sort of regulation as a public utility.
The Federal Trade Commission’s role in keeping Google’s abuses in check is essential. The Internet is too important to allow an unregulated monopolist to dominate it.
The estimate came in the FTC’s response to Consumer Watchdog’s amicus curiae brief opposing the proposed $22.5 million settlement with Google for the violation. We argued that the settlement is deficient because: 1. It includes no permanent injunction precluding Google from violating the “Buzz” Consent Decree; 2. The $22.5 million civil penalty is inadequate; and 3. The proposed deal specifically allows Google to deny it did anything wrong.
Both Google and the FTC filed their responses late Friday. Frankly, they both claimed about what I expected they would say: that the deal was reached after arms-length negotiations; that it was fair, reasonable and in the public interest; and that decisions by an executive branch agency deserve considerable deference from a court.
We’ll have to wait and see what Judge Susan Illston thinks of all the arguments. What’s next in the case is up to her.
Meanwhile, the interesting new nugget in the FTC’s filing was the estimate of what Google earned by violating our privacy. Megan Bartley, an attorney in the FTC’s Division of Enforcement in the Bureau of Consumer Protection said in a declaration filed as Exhibit A with the FTC response brief: “Using a variety of sources, the FTC estimated that Google profited no more than $4 million from the alleged violation.”
I’ve maintained that the fine is mere pocket change to Google executives. Indeed, the value of the company’s outstanding stock climbed more than $22.5 million the day the proposed settlement deal was announced. The FTC doesn’t want us to compare the fine to Google’s $40 billion in annual revenue, but rather what Google derived by playing fast and loose with our privacy.
It’s good to see the FTC cite the $4 million figure if that was a basis for the fine. What’s missing, though, is what sources and methods the agency used to make the estimate.
“Google apologizes for its error,” wrote Peter Fleischer, Google’s Global Privacy Counsel (an oxymoron of a title by the way) in a letter to Steve Eckersley, Head of Enforcement for the Information Commissioner’s Office.
Why am I not surprised? Whenever Google executives get caught with their fingers in the cookie jar — something that is happening with increasing frequency — they claim it was all a mistake and “apologize.” Frankly it’s getting a little tiresome.
Here is how Fleischer put it:
“In recent months, Google has been reviewing its handling of Street View disks and undertaking a comprehensive manual review of our Street View disk inventory. That review involves the physical inspection and rescanning of thousands of disks. In conducting that review we have determined that we continue to have payload data from the UK and other countries.”
Let’s review what happened with the Wi-Spy scandal. Google deployed its Street View cars to photograph city streets in 30 countries around the world. What it didn’t say was that it was gathering Wi-Fi “payload data” — emails, passwords, health and banking data — from private networks as the cars drove by.
When the Germans asked what was going on back in 2010, Google said its cars were only mapping the location of Wi-Fi networks. Then Google said it was gathering payload data, but it was all by mistake and was only insignificant snippets. Then it said it was the work of one rogue engineer.
Data protection officials investigated and in a number of cases like in the UK and Ireland accepted the corporate apologies and promises that the data would be destroyed. That was supposed to have happened in December 2010 in the UK.
As the result of a recently concluded Federal Communications Commission investigation we now know that gathering the Wi-Fi data was not an accident or mistake. It was described in Street View project design documents as “War Driving” and the engineer responsible discussed the plans with his colleagues and managers.
The FCC fined Google $25,000 for obstructing its Wi-Spy investigation and concluded that it could not determine if the Wi-Spy effort had broken any laws. The Commission said a primary reason that it could not decide was because the engineer who wrote the code exercised his Fifth Amendment right not to testify. Google has tried to portray the FCC’s report as finding that no laws were broken. That’s not true at all. The FCC said it could not determine if laws were broken.
The British were disturbed enough by the FCC report that the Information Commissioner’s Office re-opened its investigation of Wi-Spy. The ICO Friday told Google it wants to see the data before it decides what to do.
“The ICO is clear that this information should never have been collected in the first place and the company’s failure to secure its deletion as promised is cause for concern,” a spokesman said.
Google says it still has data that was supposedly destroyed from France, Belgium, the Netherlands, Norway, Sweden, Finland, Switzerland, Austria and Australia.
Ireland’s deputy commissioner for data protection, Gary Davis, called Google’s failure “clearly unacceptable.” Davis said his organization had conveyed its “deep unhappiness.”
I’d say the time for “concern” and “deep unhappiness” has long passed.
The data protection authorities need to do something that will get the Internet giant’s attention. They should levy the maximum fines possible. In the ICO’s case, for instance, that would be 500,000 pounds or about $780,000.
And, if there were ever any doubt, it’s now clear that you simply can’t trust Google to keep its promises.
It wasn’t a popular view of the Internet giant. I think many people used to see Google as a feisty start-up offering “cool” products. Many accepted the idea that Google was true to its “Don’t Be Evil” motto.
But two articles this week, I think, make it clear people are coming around to Consumer Watchdog’s view of Google.
First, a report in The New York Times — Google Privacy Inquiries Get Little Cooperation — demonstrates how perceptions about the company are rapidly changing to reflect reality. Reporters David Streitfeld and Kevin J. O’Brien put it like this:
Google might be one of the coolest and smartest companies of this or any era, but it also upsets a lot of people — competitors who argue it wields its tremendous weight unfairly, officials like Mr. Caspar who says it ignores local laws, privacy advocates who think it takes too much from its users. Just this week, European antitrust regulators gave the company an ultimatum to change its search business or face legal consequences. American regulators may not be far behind.
The article details how Google obstructed and stonewalled regulators worldwide who were attempting to get to the bottom of Google’s Wi-Spy activities. That’s when it sent Street View Cars into 30 countries around the world not only to photograph the roads they traveled, but also to suck up emails, passwords and other data from private Wi-Fi networks.
The Times notes:
The FCC did not see it Google’s way, saying last month the engineer “intended to collect, store and review” the data “for possible use in other Google products.” It also said the engineer shared his software code and a “design document” with other members of the Street View team. The data collection may have been misguided, the agency said, but was not accidental.
Although the agency said it could find no violation of American law, it also said the inquiry was inconclusive, because the engineer cited his Fifth Amendment against self-incrimination. It tagged Google with a $25,000 fine for obstructing the investigation.
Google executives followed their usual playbook and declined to comment for the Times article.
“We don’t have much choice but to trust Google,” Christian Sandvig, a researcher in communications technology and public policy at the University of Illinois, told the Times.
“We rely on them for everything. Google doesn’t seem to think it ever will be held accountable. And to date it hasn’t been.”
Google not only doesn’t want to answer these questions, it doesn’t even believe it is obligated to do so. Indeed, it essentially said as much back in April, when it specifically questioned the authority of the CNIL and the Article 29 Data Protection Working Party to even investigate it. From Google’s April 5, 2012, response to the CNIL:
1) What is the legal basis for the Working Party to act as a regulatory body, or to mandate the CNIL to conduct a regulatory review on behalf of 26 other independent DPAs?
2) What law is being applied to this review?
3) Could the Working Party explain the process being followed and the ultimate aim of the review?
Questions respectfully asked, certainly. But they clearly reflect an uncooperativeness and, more to the point, an overweening arrogance that’s so prevalent these days that it might as well be one of Google’s hallowed “10 Things We Know To Be True.”
I think these articles reflect a sea change in the popular attitude toward the Internet giant. But it’s not just a change in how Google is perceived that the folks in the Googleplex need to be concerned with. There are active investigations underway by antitrust authorities on both sides of the Atlantic. Privacy breaches are also a focus of regulators’ attention.
And then back to the Wi-Spy scandal. I checked in today with the office of Connecticut Attorney General George Jepsen. He’s leading the multi-state investigation of the incident being conducted by 40 state attorneys general. A spokesperson made it clear: the probe is “active and ongoing.”
People are finally getting Google’s number. I’m betting that despite the Internet giant’s self-righteous arrogance, Google will be held accountable.
That’s already happened to Google, which reached a consent agreement with the FTC, because of its privacy violations. They face 20 years of privacy audits.
Back in January the Internet giant said it would combine more than 60 privacy policies into one statement. Google also said that data that had been kept on separate Google services would be combined. The corporate spin was this would improve user experience across all of Google’s sites. Actually, it’s about even better digital dossiers about you and other people who use Google’s services. The data will enable the company to increase its ad revenue. Remember, you’re not Google’s customer, you are Google’s product.
After Google made its announcement of what I call the new “spy” policy, European data protection authorities sent a polite letter asking that the company delay implementation until the authorities had an opportunity to study the impact of the planned changes on people’s privacy. They said the French data protection authority, CNIL, would lead the investigation.
Google, in its usual we-know-better-than-anybody-else mode, stiffed them.
Then 36 U.S. state attorneys general sent a letter expressing their concerns. Several members of Congress voiced objections and wanted an explanation of what’s going on.
While this was all playing out, Jonathan Mayer, a Stanford University researcher, discovered that Google was deliberately circumventing privacy settings on the Safari web browser. Making it worse was the fact that Google provided false information about the effectiveness of the Safari settings it was circumventing.
Tuesday CNIL released a letter it had sent to Google that said, “our preliminary analysis shows that Google’s new policy does not meet the requirements of the European Directive on Data protection.” It also said, “The CNIL and the EU data protection authorities are deeply concerned about the combination of personal data across services: they have strong doubts about the lawfulness and fairness of such processing, and about its compliance with European Data Protection legislation.”
And even though Google has claimed that the new “spy” (my word, not theirs) policy is supposed to be more transparent and easier to understand, the CNIL disagreed:
“Moreover, rather than promoting transparency, the terms of the new policy and the fact that Google claims publicly that it will combine data across services raises fears about Google’s actual practices. Our preliminary investigation shows that it is extremely difficult to know exactly which data is combined between which services for which purposes, even for trained privacy professionals.”
In the letter the CNIL repeated the request that the new policies be delayed. Google stiffed them again.
It looks to me like the only way to get the Internet giant’s attention will be some serious fines. We have made the case that Google is violating the consent agreement with the FTC. There could be penalties of $16,000 per violation, per day. The CNIL can impose fines up to $400,000 for a privacy breach. It can also seek court orders to block action that violates data protection law.
Regulators on both sides of the Atlantic need to take meaningful action to halt Google’s willful flouting of the rules.
We protested that it should be open, but didn’t carry the day. After the session, Rep. Bono Mack told reporters that she wasn’t impressed with Google’s explanations.
We then wrote a letter to her and ranking member G.K. Butterfield (D-NC) urging them to call CEO Larry Page before the subcommittee.
With Google’s latest privacy breach, Bono Mack issued a news release titled, “Bono Mack Calls Google Back to Capitol Hill for Explanation of Latest Privacy Flap.” It said:
“Google has some tough new questions to answer in the wake of this latest privacy flap, and that’s why I am asking them to come in for another briefing. Even if unintentional, as the company claims, these types of incidents continue to create consumer concerns about how their personal information is used and shared. Companies need to be open about what they’re collecting, and how that information is used. Just as importantly, this needs to be clearly communicated to consumers. While I am determined to get to the bottom of this, some of it simply may be ‘growing pains.’ That’s why it’s important to sit down and figure out how we can better protect consumer privacy in the future.”
Not clear to me was whether she wants another closed-door meeting, so I called her office and asked. A spokesperson explained that they are still working out the details, who would come, whether it would be open or what. At this point, the spokesperson said, it could go either way.
I suspect it’s no surprise that I made a strong pitch to make sure it’s public and that CEO Page does the explaining.
The Internet giant recently announced it would consolidate more than 60 privacy policies into one and that it would combine a user’s data collected on various sites into one profile. What you did on YouTube would be commingled with data from your search queries and your Gmail account, for example.
Google has spun this as being aimed at “improving the user experience.” In fact, it’s all about amassing even greater digital dossiers on people so they are better targets for advertising. Remember, our information is Google’s lifeblood. We’re not Google’s customers; we’re the product.
The big problem with Google’s unilateral action is that it appears to violate the terms of the “Buzz” consent settlement with the Federal Trade Commission. I called for the FTC to determine if there’s a violation last week. Rep. Ed Markey (D-MA) and Rep. Joe Barton (R-TX) asked the same question in a letter to FTC Chairman Jon Leibowitz.
Google’s consent agreement with the FTC came as a result of the “Buzz” debacle in which the Internet giant displayed users’ email addresses without their consent as it tried to launch a social network. Under the terms of the consent agreement, Google can’t use data it has collected in new ways unless users opt in to the new use.
Click here to read the consent agreement.
EPIC today filed a complaint and a motion for a temporary restraining order and preliminary injunction in Federal Court in Washington. It wants to compel the FTC to act before the new policies are implemented March 1.
Google’s plan raised concerns in Europe, where the Article 29 Working Party, a group representing European data protection officials, asked Google to “pause” implementation of the new policies until the group could determine how they affect users’ privacy. The French data protection agency is taking the lead in the analysis. So far, Google has rebuffed the European request.
“We believe Google went way over the line in a variety of ways,” Marc Rotenberg, EPIC’s executive director, told USA Today. I couldn’t agree more.
The best thing that could happen now is for the FTC to act immediately and block Google’s arrogant, unilateral action. Then there’d be no need for a hearing on EPIC’s motion.
City Council is expected on Wednesday to approve amendments to its contract with CSC and Google that acknowledge the reality that Google, despite promises two years ago, cannot meet the security requirements of the 13,000 Los Angeles Police Department and other city law enforcement employees.
Cloud computing, by the way, is where the software and much of the data resides on the provider’s servers and not on the user’s computer and is accessed via the Internet. Consumer Watchdog is just one of many who are concerned about the security of data in the cloud. We expressed doubts about Google’s solution for LA when it was announced.
CSC is the contractor implementing the Google “cloud” system. A report to Council from Chief Legislative Analyst Gerry F. Miller and City Administrative Officer Miguel Santana, which recommends the new deal, notes:
“Although CSC does not have the technical ability to comply with the City’s security requirements, it should be noted that the DOJ requirements are not currently compatible with cloud computing.”
Well, duh. Wouldn’t you have thought someone would have figured this out before the project started?
I think the problem was that Google’s data-driven computer geek culture got in the way. Google executives choose to see the world as they think it should be, not as it is. To them DOJ security requirements are more than they deem necessary. So Google, in their minds, ought not to have to meet them.
I for one am glad the LAPD stuck by its guns. Here are the key elements of the deal Council is expected to approve:
– Los Angeles pays for the 17,000 users actually on Google’s cloud according to the reduced rate per seat it would qualify for if it had 30,000 users.
– Google pays the city for the Groupwise licenses and expenses required for 13,000 law enforcement employees to use the old system through the term of the contract (November 2012) and any extensions. Google’s obligation is capped at $350,000 annually. Actual payment now is about $250,000 a year.
– CSC had given the city $250,000 as incentive for Los Angeles to encourage other governments to adopt Google. CSC will not seek reimbursement for that.
Frankly, I’d forgotten the city got financial incentives — let’s be accurate, a kickback – to tout Google to other municipalities. Now that city officials know the city won’t lose a quarter of a million dollars for candor, perhaps they’ll honestly tell the world about Google’s failure.
At the least they must demand that this misleading video be removed from the Google Apps for Government Website. By no stretch of the imagination was Los Angeles a success for Google. And now, Los Angeles officials have an obligation to make that fact clear to the world.
And folks in other jurisdictions considering Google solutions should pay close attention to the Los Angeles experience. Are you listening, Chicago Board of Education?
The New York meetings, convened by the Consumer Federation of America, were an off-the-record session for consumer and privacy advocates to discuss privacy issues candidly with each other and some Microsoft Corp. representatives.
While still honoring the off-the-record rules of the New York session, I can say I emerged with a feeling that it’s unlikely Congress will manage to pass any privacy legislation soon. Perhaps a bipartisan consensus could emerge around protecting children’s privacy, but given the ongoing divisive rancour and stalemate in Washington, even that seems unlikely.
But the bills that have been introduced — Do Not Track legislation by Sen. Jay Rockefeller and Rep. Jackie Speier and general online privacy legislation by Sen. John Kerry and Sen. John McCain — have, partly because of advocacy efforts of many of the participants in the New York meeting, prompted action elsewhere.
The latest versions of three of the four web browsers — Mozilla’s Firefox, Apple’s Safari, and Microsoft’s Internet Explorer — now offer a Do Not Track mechanism. The only catch is that nobody is under any obligation to honor it.
That’s why I was in the Silicon Valley — Santa Clara to be precise — on Monday and Tuesday. The World Wide Web Consortium, fondly known in geek speak as the W3C, was meeting. This is an organization that brings so-called Internet stakeholders together to develop “standards” for the web. When you get into high tech, it’s sometimes necessary to agree to the rules of the road. And, if you don’t want government figuring them out for you and imposing them, you do it yourself. W3C is comprised mostly of tech companies, trade associations and academics.
Most of the standards developed are highly technical and while I’m sure they are critical to a well-functioning Internet, they are way over my head.
But because of all the recent emphasis on online privacy, the various Do Not Track bills that have been introduced, including Sen. Alan Lowenthal’s SB 762 right here in California, and advocacy that has resulted in lots of media attention, the W3C decided to do something.
They’ve created a committee called the Tracking Protection Working Group. It’s supposed to set standards for how a Do Not Track message would be sent and what a website’s responsibilities would be if it received a DNT message. A third objective is to set standards for tracking protection lists, an approach to the problem favored by Microsoft.
When we at Consumer Watchdog heard about this we figured this process was going to result in more than just technical standards; it would also have significant policy implications. So we asked if we could be part of the process.
Co-chair Aleecia McDonald and her W3C colleagues agreed that we had contributions to make and my colleague Carmen Balber and I have been participating for the last few weeks. I was at the Santa Clara Face-to-Face meeting (F2F as it’s known) as an “invited expert.” It’s probably the first time I’ve ever been dubbed an “expert” in my life.
The group spent two long days attempting to find consensus on two draft documents: “Tracking Preference Expression” (how you send the DNT message) and “Tracking Compliance and Scope” (what a website is supposed to do when it gets a message). After two days under the leadership of McDonald and her Co-chair Matthias Schunter, the working group was able to reach consensus on a first working draft of each of the two documents. Progress on the tracking lists piece remains slow.
As you’ll see if you check the documents on the working group’s website, much of the documents at this stage simply identify issues that have been raised and still need to be resolved. On the site you can also find an archive of the emails where much of the discussion has taken place.
The ambitious schedule calls for the standards to be written by June. They may call me an “expert,” but frankly I don’t know if that schedule is possible. I do know this, though: W3C would not be moving forward at all were it not for the independent activities of the advocates who met in New York and others like them.
The letter, from Maneesha Mithal, the division’s Associate Director, was in response to our recent complaint about companies who said they would not track consumers who opted out. According to a study by the Stanford Security Lab, eight companies only stopped serving behavioral ads to consumers. They continued to track them in violation of their published privacy policies.
The offenders were 24/7 Real Media, Adconion, AudienceScience, Netmining, Undertone, Vibrant Media, Wall Street on Demand and TARGUSinfo Advisor.
“Your letter raises important issues that relate to online data collection and use practices as well as the ability of consumers to limit or prevent such collection and use of their data,” wrote Mithal. She said the FTC has “aggressively pursued enforcement in the online behavioral advertising area.”
Mithal also cited the June settlement with Chitika, an advertising company which allowed consumers to opt out, but didn’t say the opt-out cookies lasted only 10 days. Under the FTC order Chitika’s opt-out cookie must last at least five years.
She also pointed out that FTC staff has recommended “that consumers be given a universal, one-stop control mechanism for online behavioral tracking, often referred to as Do Not Track.”
Three of the four browsers — Apple’s Safari, Mozilla’s Firefox and Microsoft’s Internet Explorer — have implemented a Do Not Track option. Google has not done so with Chrome. The problem is that there is no requirement that DNT requests be honored. We need legislation that would mandate DNT requests be honored and impose stiff sanctions if they were not. The law should give explicit enforcement authority to the FTC and state attorneys general as well as include a right of private action.
For now the FTC is essentially limited to cracking down on companies that violate their own privacy policies or act in an unfair or deceptive manner. That was the case in the Stanford Security Lab case.
Here’s what Mithal said specifically about my complaint:
“Please be advised that any Commission investigation is non-public unless and until the Commission decides to issue a formal complaint or close the investigation. As a result, we can neither confirm nor deny that we are conducting an investigation of the issues raised by your letter.
“Thank you for raising this issue with us.”
My interpretation of the entire letter: The FTC is very much on the case.