Four Missed Opportunities for Privacy

The NY Times has a blog posting on the occasion of the Internet advertising industry's release (PDF) of what it describes as tough new standards governing the collection and use of data about users' behavior. The Times' Saul Hansell describes these "new" standards as more of the same old status quo, and outlines four privacy-enhancing ideas, being discussed by Google, Yahoo, the FTC, and Congress, that the IAB has completely ignored. These principles are: every ad should explain itself; users should be able to see data collected about them; browsers should help enforce user choices about tracking; and some information (medical and financial) is simply too sensitive to track.

I'm completely shocked...

[fuzzyfuzzyfungus]

You mean that "self regulation" fails when it is opposed to self interest? Who could have guessed?

Re:

[log1385]

Self-regulation is even more effective when combined with wide-spread user apathy/stupidity/unawareness.

Re:

[emocomputerjock]

I think it's been proven again and again that the only privacy available on the net is that which you go and secure for yourself. You almost have to become obsessive-compulsive fighting against cookies, scripts, and counters to protect yourself nowadays.

Re:

[Darkness404]

It depends though what you mean by "protected". For example, I consider myself "protected" when no identifiable information that can be used to contact me, save for what is needed or I put in, is available. For example, while my IP can be used to trace me, its somewhat of a necessary evil as sites need to know where to send the information I request. I really don't mind "tracking" cookies or automated targeted advertising so long as it is first-party (like Google ads on Gmail). There are a few things that I

Re:

[broken_chaos]

[...] such as my full name, [...]

I have to disagree with this one... Unless you're very careful in the real world too, you'll end up with your name somewhere on the internet before long. I know I did long before I started identifying what I do with my name - welcome to the internet-enabled world. Name in a local paper? Good chance it's online too. Ever did well in school? If you won any awards, it'll be listed somewhere as well. The rest, I'm with you 100%. Unless I'm purchasing something, in which case phone number and credit card number

Re:

[broken_chaos]

Gah. I think I just missed a couple words in your initial post that caused me to miss the point.

"without me putting it in first"...

Sorry, carry on. I agree completely with you - and probably more. I don't want my e-mail divulged anywhere I haven't put it myself and checked the "make this public" box, for instance!

Re:

[KlaymenDK]

Today I got yet another invitation to "Come join the amazing new social network, SomeUnheardOfName.tld and meet with your friend Jimmy!", said Jimmy of course having helpfully entered my address at that site (or, more likely, clicked a Facebook button that automatically invited all his friends).

Things like that mean that it's just plain futile to try to claim any kind of ownership of your email address. I used to be really p*ssed about these occurrences, but realised that:
(a) half the globe are dumber than

Re:

[emocomputerjock]

Specifically, third party scripts and cookies. There's nothing I hate more than having to reject a slew of cookies and also having to pick through noscript to find out what I need to allow just to view a webpage. If it's too non-intuitive to weed through all that garbage I just close the tab.

Re:

[mpeskett]

I have a whitelist of websites that are allowed to set cookies - the places I visit regularly where I want them to remember who I am. Everywhere else is blocked, although if it makes something stop working then I'll consider putting it on "allow for session" just to get around some piece of bullshit that requires cookies. NoScript is the same - whitelist based protection, so that after you've been using it for a while you'll find that the things you use are automatically allowed, whereas random attack sites

Re:I'm completely shocked...

[megamerican]

People now expect government to do everything for them including protection against their own stupidity.

It would be quite simple to organize boycotts against products and companies that don't give you adequate information. However, people have forgotten that they have much more power than a beaurocrat ever will. What they get in return for their lost vigilence are corrupt politicians who sell them out and then they wonder how things went bad.

This is just another example of "my people suffer for lack of knowledge." If you think the government will do everything for you, then you'll end up like the Obsolete Man (a great Twilight Zone episode).

Re:I'm completely shocked...

[FlyingSquidStudios]

Okay, but this is the real world, not an Ayn Rand fantasy utopia. People are not going to realize or want to use their powers as individuals. Many people are perfectly happy being sheep as long as they are in a comfy pasture with plenty of grass. Despite my personal distaste for that behavior, I still feel those people deserve the same basic human rights as I do. The only way to ensure they have those rights is to work within the system, not rebel against it. The only way you will get people to join your self-reliance revolution will be for them to suffer a hell of a lot more than they are now. I, for one, am thankful we don't live in a world that desperate yet.

Re:

[5KVGhost]

Hmm. I've never though of Ayn Rand as a "utopian". Anyway. You say "People are not going to realize or want to use their powers as individuals."

I think you've got that wrong. Each of us make cost/benefit decisions all the time. Not surprisingly, most people have less stringent standards of privacy than full-time "privacy advocates" would prefer us to have.

No one can require people to make the same decisions or share the same priorities. When faced with this reality some people respond by feeling entitled, m

Re:

[blueg3]

So, people should protect themselves from their own stupidity. But apparently, creating a government that bars others within their society from taking advantage of their stupidity is not a permissible mechanism to protect themselves?

Now I suppose you'll tell me that since everyone should ensure that they can defend themselves, they should not create an organization of defense specialists tasked with securing the defense of the society.

Re:

[Darkness404]

No. Because that leads to a state-run economy. In case you haven't noticed, every single business takes advantage of the stupidity of the masses. If you don't believe me, why do you think most companies spend a fortune in marketing? If you don't want to be tracked, block the hosts who you think are trying to track you. Hosts files are available on most platforms and only take one line to redirect the tracker back to localhost. This is common information.

Now I suppose you'll tell me that since everyone should ensure that they can defend themselves, they should not create an organization of defense specialists tasked with securing the defense of the society.

Really, government was designed for this sole purpos

Re:

[Valdrax]

No. Because that leads to a state-run economy.

Right. Because if you're not black, you're white. There's no such thing as grey or even orange, and there's never been such a thing as a mixed-model economy. You know. Like ours. Either either fiscal anarchy or totalitarian socialism.

Now I suppose you'll tell me that since everyone should ensure that they can defend themselves, they should not create an organization of defense specialists tasked with securing the defense of the society.

Really, government was designed for this sole purpose.

Really, government wasn't originally designed at all. It just happens as soon as someone gains power over another person. The first formal state occurred when someone rounded up enough people to enforce their will over a populace.

I find it funny when libertarians accept

Re:

[Valdrax]

Small-l libertarians have been aware of and opposed the EPA allowing companies to pollute downstream property owners based on grandfathered "regulations" and other nonsense.

And I'd bet dollars to donuts that the solution isn't "fix the hole the EPA's scheme" but "scrap the EPA's authority to regulate entirely."

As far as "predatory" lending, that is people making money deflating our currency and hard-earned dollars courtesy of the Federal Reserve and Uncle Sam. Finance has not been a free market in a long, long time - if ever. The theory that government can fix it is flawed. You should find better examples upon which to harp your nonsense.

Maybe you should study the history of why financial systems are regulated and what kind of economic devastation used to happen before we had the Federal Reserve system. The theory that removing the government from the equation entirely is far more flawed and historically ignorant.

Re:

[nine-times]

It would be quite simple to organize boycotts against products and companies that don't give you adequate information.

The reality of boycotts is that they're a fairly extraordinary measure and not easy to organize on a scale that has an effect. The purpose of laws includes allowing even a single person to get justice in a case where he is the only person who has been wronged.

And should we say, "Hey, no point in having child labor laws. People can just boycott companies who use child labor if they don't like it"? Or "Screw the FDA. If someone is selling ineffective drugs and enough people die from treatable disease as

Re:

[Valdrax]

People now expect government to do everything for them including protection against their own stupidity.

I see that you're under the delusion that it's possible to not be "stupid" about every important transaction you engage in. Unfortunately, there's simply far, far, far too much information in the real world for any citizen to properly protect themselves in every transaction. You can't know everything, even in transactions where the seller isn't deliberately hiding information from you, and time is not an infinite resource.

This is what government is good for. We need specialists that can drill down and ma

Re:

[1u3hr]

It would be quite simple to organize boycotts against products and companies that don't give you adequate information.

If it were "so simple" why doesn't anyone do it?

Becasue it would require you to give up your day job and devote yourself to it full time for months to get anywhere. And then, very likely have zero effect.

Re:

[mcgrew]

It would be nice if the government would pass regulations with teeth, regulations that would say in effect "your data are yours and cannot be transferred to a third party without your express written consent".

A pony would be nice, too.

Re:

[zippthorne]

You don't encrypt to protect yourself from the NSA. If you're interesting to the NSA, they'll spend the resources to get the information they desire. And they'll get it one way or another involving a back door.

Re:

[ckaminski]

<quote>And they'll get it one way or another involving a back door.</quote>

including applying a cattle-prod to your anus.

Title sounds like

[Darkman, Walkin Dude]

A letter to penthouse...

Mostly not going to happen

[Nautical Insanity]

Ads will never "explain themselves" and companies will never reveal how much information they harvest from you (outside of lengthy, dull, usage terms written in Jargon.) Either case would make users skittish, and there's too much money involved for either them or congress to want to do anything about it.

As for medical and financial information, it's incredibly sensitive, yes, but having it tracked is incredibly convenient for both lay people and companies (if inconvenient for the IT staff who have to secure them.) Either way, these records have to be kept somewhere and somehow and be accessible in some way to people who need them (doctors and banks.)

The only change I see possible is improvement in the browsers. If any privacy change does occur, you can bet that it will start with either Firefox, Opera, or some non-mainstream browser, and then be eventually adopted by IE. Don't expect the end-users to know how to enable any privacy features though.

Re:

[fortyonejb]

As the other poster said, Chrome has incognito, IE released private browsing with v.8 and firefox did the same with 3.5. The browsers today are doing what they can, but when sites require specific tracking to function, the browser is limited in what it can do. Also, the thinly veiled jab at IE was appropriate for /. yet factually untrue,

Re:

[supernova_hq]

Actually, his jab at IE was completely true and valid. Private Browsing only keeps other people that use your computer from seeing what you did. It in NO WAY WHAT-SO-EVER protects ANY of your information from malicious websites.

It's things like XSS protection, security alerts and self-signed certificate warnings (though they can be annoying) that REALLY protect your data.

Valid but not simple?

[nine-times]

One thing that caught my attention in the summary:

users should be able to see data collected about them

Seems like a very valid sort of thing to want. If your company has information about me, I should be able to know what information you have. Common sense, right?

On the other hand, if you're going to talk about something like this, don't you also have to talk about other increases in security to go along with the additional transparency? If you're going to make it increasingly easy for me to see information about me, it should go hand in hand with making it increasingly difficult for someone who is not-me to access that information about me.

I really think it's time that we talk about improving our security models. SSL on everything would be a good start.

Re:Valid but not simple?

[funkatron]

In Britain the data protection act means that you can write to any company and request all of the data that they hold on you. However, the company is allowed to charge up to £10 to cover the costs of finding this data. I'm not sure what level of security is required tho.

Re:

[nine-times]

Yeah, if you can write to the company and they're required to tell you what information they have on you, then that's good. If anyone can write to that company and have all the information that they have on you, that's bad. So what's the security there?

I mean, isn't that always the problem with security? If everything could always be accessible to everyone, security would be easy. If nothing ever needed to be accessed by anyone, then security would be easy. It's making things easily accessible to the

Re:

[ashtophoenix]

It seems this suggestion was rejected on the basis that it is technically difficult. I think one of the real reasons for it being rejected was the loss of competitive advantage it would cause to some companies who are storing certain data that some other companies haven't thought of storing.

Also, its possible that data is being stored in various ways/stats, for example I may have come up with a single number to represent a user's political preferences (left, right and such) by consolidation of many other

Re:

[nine-times]

Also, its possible that data is being stored in various ways/stats, for example I may have come up with a single number to represent a user's political preferences (left, right and such) by consolidation of many other 'simple' stats. Disclosing this opens my 'better' algorithm to the rest of the industry.

Well it seems like it would be valid for a law to require that companies show you any raw data they collect on you, but not require that those companies show information that the company derives from that data. Even if you allow people to demand that specific data be deleted, you could just require that the company delete any derivative data (or recalculate based on remaining data) without disclosing the original derivative data to anyone else.

So, given your example, the company would have to disclose all

Re:

[T Murphy]

If it is information that should be kept from others, and the company doesn't tell you it has the information, then it sounds like information you don't want them collecting in the first place. It won't be a security problem once the company has to delete said info in order to keep the customer from being scared away in the event that full disclosure becomes required.

Re:

[nine-times]

It depends. If I buy from NewEgg on a regular basis, I might be fine with them keeping my address and purchase history on file, and I would like to be able to view that information myself. That doesn't mean I want them making that information publicly available to anyone who asks for it.

Re:

[T Murphy]

Most sites that store such information make it clear when your shipping address pops up or it asks if you want to save your credit card info. I'm talking about anything that would be newly revealed if companies are forced to inform you of everything they know about you. Not that the security issue is any less important for info currently on file, but that security should already be in place.

Cue the Testosterone

[TaoPhoenix]

Re: Ads explaining themselves.
-- Sacrifical Lamb to give so they can deny the other three. I have no problem *understanding*

THE HUGE AD FOR SAVE ENDANGERED GM!!!!!!!!!!!!!

It's the EXCITING INTERACTIVE PAGE-EATING DYNAMIC MULTIPLEXED SCRIPTS AND FRIENDS that suk here.

The others fall under "1984 is too sexy to give up."

Solution

[Sarcasmooo!]

Install adblock extension, disable 3rd party cookie files, use software that ads advertising domains to your hosts file.

As far as I can tell the internet doesn't even have banner ads anymore.

Re:

[jweller]

mod parent up. I never have points when I want them

Re:

[ashtophoenix]

I think you got it all wrong. Your solution works for those that are looking for a real solution while the proposed is one coming from the IAB!

Re:

[CroDragn]

There's a problem with this as being the only real solution. There are many sites I would like to support, and even by shear chance an ad sometimes that looks interesting. Both are times I'd like to be able to see that ad and be able to click on it. However, between ad based malware, tracking, and privacy concerns, NOT blocking them is annoying at best, a serious security concern at worst.

Won't work

[Darkness404]

These principles are: every ad should explain itself, users should be able to see data collected about them, browsers should help enforce user choices about tracking, and some information (medical and financial) is simply too sensitive to track.

This fails in many aspects. Every ad should explain itself? How are you going to do that on something that takes up 1/6th of a normal computer screen. If you click it for more info, that kinda kills the entire point of the ad to begin with. Users should be able to see the data collected about them? Oh no theres no potential for abuse for this one. Theres no way this can be used to create a very good phishing attack especially if you have physical access to the computer. As for browsers helping enforcing user choices, how do you do that? Have a box where you check "block tracking cookies?" I'm sure theres no potential for abuse for that either. Theres no way that MS or another company will "conveniently" "mislabel" legitimate cookies as tracking cookies. Plus, this can very well lead to a ton of censorship.

Re:

[PhxBlue]

This fails in many aspects. Every ad should explain itself? How are you going to do that on something that takes up 1/6th of a normal computer screen.

Alt text?

As for browsers helping enforcing user choices, how do you do that? Have a box where you check "block tracking cookies?"

Seems to be working just fine for Firefox. I have my Firefox browser set up to ask me whenever a site wants to set a cookie. I may say yes, but at least then I'm aware of the tracking. Cookies from advertisers' sites get the middle-finger treatment.

Re:

[Darkness404]

Alt text?

Either the alt text isn't descriptive enough, or it ends up being much more of an annoyance then the ad itself was. Plus, I'm not sure if Flash can have alt text in the traditional sense.

Seems to be working just fine for Firefox. I have my Firefox browser set up to ask me whenever a site wants to set a cookie. I may say yes, but at least then I'm aware of the tracking. Cookies from advertisers' sites get the middle-finger treatment.

But this I'm assuming would make that be the default (because all browsers I know of allow you to do that) which is quite annoying. Or would silently block tracking cookies.

Re:

[green1]

Every ad should explain itself? How are you going to do that on something that takes up 1/6th of a normal computer screen.

This depends on how you define "explain itself". My hope is that this would make illegal the ads that say "punch the monkey and win a prize" or "your internet connection is not secure" or any of a number of ridiculous things, and force ads to advertise the product they are selling. that way you know what you're clicking on before you do? I know these ads aren't a problem for experienced users, but there are still a LOT of people who fall for this garbage.

Re:

[maxume]

You can actually use a relatively simple heuristic to not click on ads that you don't understand sufficiently to justify a click.

Defining it is left as an exercise for the reader.

"Cookies"

[orngjce223]

There's a grain of truth here. Cookies have a nice cutesy name to them that makes them seem innocent. It's "just" an edible text file, that's all!

Why not call them something else? Take a page out of PETA's book; call them turds or something!

Re:

[Reason58]

There's a grain of truth here. Cookies have a nice cutesy name to them that makes them seem innocent. It's "just" an edible text file, that's all!

Why not call them something else? Take a page out of PETA's book; call them turds or something!

Internet Kittens

Meh

[SirGarlon]

When it comes to privacy, there are much bigger issues than the pervasive use of tracking cookies. (For example: indefinite data retention after a customer has stopped doing business with a vendor, sale of customer data without explicit opt-in, and let's not forget the pervasive failure of government agencies to encrypt sensitive data like Social Security numbers.) Tracking cookies seem quaint and harmless by comparison... this article reminds me of the privacy issues we used to worry about back in 1999.

Re:

[green1]

the problem is, that none of these issues have been addressed since 1999 so they are still there to worry about.

Privacy fails even when you BUY services

[furby076]

I recently bought two event services (one for a concert and two for joining a local city kickball team). Two weeks later I got rolling stone magazine (had my full name, address and e-mail). With no phone number available I had to e-mail the place (via their web form) to find out how they got my information and that I didn't order a subscription to two years of rolling stone. According to them the event pass i bought is what auto subscribed me (unbeknownst to me). I asked them to tell me who did this so