|
META TOPICPARENT | name="FirstPaper" |
| |
< < | Online Behavioral Advertising and the Federal Trade Commission | > > | Online Behavioral Advertising | | | |
< < | -- By JonathanBonilla - 09 Mar 2009 | > > | -- By JonathanBonilla - 26 Apr 2009 | | | |
< < | As seen in O’Harrow’s No Place to Hide, online data aggregation can pose a real problem to consumers. One specific and pervasive form of data aggregation occurs as a result of “online behavioral advertising” (OBA). Essentially, any time a user visits a site, performs a search, purchases a product online, or otherwise submits personal information to a site that participates in such advertising, this information is stored in order to track the user’s “behavior” and tailor future online advertisements to fit the predicted desires of that user. | > > | As seen in O’Harrow’s No Place to Hide, online data aggregation can pose a real problem to consumers. One pervasive form of data aggregation occurs as a result of “online behavioral advertising” (OBA). Any time a user visits a site, performs a search, purchases a product online, or otherwise submits personal information to a site that participates in such advertising, this information is stored to track the user’s “behavior” and tailor future online advertisements to fit the user’s predicted desires. | | | |
< < | History and Current Regulatory System | > > | FTC Regulatory System | | | |
< < | Under the current system of US regulation, OBA is monitored by the Federal Trade Commission (FTC). 15 U.S.C. §45 (a) provides a broad statutory mandate for the FTC to prohibit “deceptive acts or practices in or affecting commerce”[1]. This has been interpreted by the FTC to implicate situations where companies collect or use customer data in a manner contrary to that company’s stated privacy policy, which is punishable as an unfair or deceptive practice. As a result of this interpretation, the FTC assumed jurisdiction in this area and has since been following the development of OBA. | > > | Under the current system of US regulation, OBA is monitored by the Federal Trade Commission (FTC). 15 U.S.C. §45 (a) provides a broad statutory mandate for the FTC to prohibit “deceptive acts … in or affecting commerce”. This has been interpreted by the FTC to implicate situations where companies collect or use customer data in a manner contrary to that company’s stated privacy policy, which is punishable as a deceptive practice. As a result of this interpretation, the FTC assumed jurisdiction in this area and has been following the development of OBA. | | | |
< < | Regulation in this field began in 1998, when the FTC presented to Congress a report containing the “core principles of privacy protection” to guide industry practice [2]. These core principles included notice to consumers regarding what is collected, choice to consumers as to how it will be used, consumer access to the collected data, security of the collected data, and several enforcement mechanisms for the principles. However, this report merely presented possibilities for regulation, and no further action was taken at the time, despite the report’s conclusion that there is “real need for implementing the basic fair information practices.” Further reports were sent to Congress, such as in 2000, when the FTC asked for legislation to support an otherwise self-regulatory scheme for OBA, based on the 1998 report’s core principles [3]. Notwithstanding Congress' failure to enact the requested legislation, the self-regulatory scheme took off, using the newly-created Network Advertising Initiative (NAI) to enforce core FTC principles. NAI represents roughly 90% of the advertising industry [4]. | > > | Unfortunately, FTC’s role in regulating OBA is largely passive. Compliance with the “deceptive acts” mandate is fairly simple for online publishers, merely requiring advertisers to inform a user exactly how they will make commercial use of the information. The self-regulatory scheme which emerged is equally ineffective, evinced by the fact that the advertisers’ policing body, Network Advertising Initiative (NAI), does not represent the entire industry. As well, FTC calls for congressional legislation to act as a backstop for NAI have gone unanswered. | | | |
< < | The FTC did not re-examine this issue until 2006, when it began holding hearings to determine future action relating to OBA. A series of updated principles were created and then altered over the next several years, based on input from privacy advocates and advertisers, alike [5]. Throughout this time period, as well, Congress failed to legislate on the issue. NAI now operates using its own series of principles, though they are similar to the FTC's. | > > | Deep Packet Inspection | | | |
< < | Problems and Possible Solutions | > > | One of the more recent developments in OBA is the ability of advertisers to use Deep Packet Inspection (DPI) to monitor all traffic going through a particular Internet Service Provider’s (ISP) network. Compared to the traditional “cookie-based” model of web-behavior tracking, which could only monitor a user’s movements within the advertiser’s created network of sites (and only so long as the cookies were not blocked), DPI allows for inspection of all web traffic from a user, resulting in more closely tailored advertisements – as well as more information stored by the advertiser. Fortunately for consumers, DPI advertising is only possible through an agreement with ISP’s; unfortunately for consumers, ISP’s so far have been eager to explore this new profit source. | | | |
< < | One issue with the current system is apparent in the fact that NAI does not represent the entirety of online advertisers. As a result, NAI is powerless to enact sanctions against non-complying entities whom are not members. This was one of the reasons FTC sought congressional legislation in 2000. While it is true that FTC may still take action against those companies that do not follow the provisions of their privacy policies, under the “deceptive practices” mandate, that alone does not go far enough to ensure the privacy of online consumers. For example, a company might not have a privacy policy that clearly illuminates how the data is being used; in such a situation, it would be hard to find the company broke their agreement with the consumer, where the agreement itself was overly vague. | > > | Not surprisingly, the FTC has failed to address DPI-based advertising any differently from previous OBA, despite the increased potential for privacy concerns. Taking matters into their own hands, a class action was filed by internet users against NebuAd? and ISP’s who allowed NebuAd? to install the DPI hardware on their networks, alleging violations of various federal and state statutes, including the Wiretap Act and Computer Fraud and Abuse Act. While this lawsuit will likely fail for similar reasons that previous cookie-based advertising litigation failed, Congress has already shown an interest in the DPI advertising process, and could potentially find DPI-based advertising to be serious enough to warrant legislation. | | | |
< < | Along those lines, if Congress continues to fail to enact specific legislation for this issue, Congress could at the least expand on the FTC mandate to allow FTC to take direct action. Currently, FTC does not feel it has the statutory authority to issue regulations relating to OBA, which in itself is a problem since it results in FTC trying to find and justify a roundabout solution (self-regulation), instead of attempting direct regulation. Even if Congress did expand the FTC mandate to allow clear regulation, the cited FTC Staff Reports suggest FTC might yet maintain the self-regulatory scheme, based on the industry's insistence that giving up consumer privacy is crucial for keeping web content free. | > > | With potential legislation-based restrictions to DPI advertising in mind, the focus turns to whether such legislation would be able to withstand judicial scrutiny based on the 1st Amendment. This, in turn, could be viewed as having two components: the right to use DPI to inspect packets in the first place and the right to advertise based on obtained information. For the first aspect, it could be said that there is a right for the ISP to be informed; however, this seems distinguishable from the traditional right to education, as it does not directly relate to the ability of one to be informed in the democratic process, which is highly protected free speech. As well, any sort of right to inspect packets on the internet must be weighed against the right to privacy of network users. It would seem that any restrictive legislation on this topic would merely need to be justified in terms of a rational relation towards a goal of preserving the right to privacy. For the second aspect, the right to advertise falls under a form of commercial speech, which is protected unless intermediate scrutiny can be overcome. Again, such speech must be weighed against the counter-point of privacy concerns, but since the “speech” in advertising involves sending tailored information back to the person the information came from, the privacy concern for transmitting OBA is reduced. The result is that restrictive legislation would have to be careful not to overstep “excessive restrictions” imposed by Central Hudson. | | | |
< < | Another issue with the current FTC guideline-based self-regulatory scheme is that it centers on a contract-theory of the privacy policy of the website being used, where the user is free to view the privacy policy, but need not expressly assent to the terms. The issue with this contract approach is that when using various websites during any given day, it is unlikely the average non-law-educated consumer will take the time to read through and understand each privacy policy of every website, prior to using the website. As a result, it seems much of the benefit of providing such transparency may be lost in the real world. | > > | Possible Tech Solution | | | |
< < | One possible solution would be to require express assent prior to collecting or using any personal information (FTC guidelines already require express assent for use of “sensitive data”). However, the same problem arises here as did before: much like it is common for users to click-through a EULA without reading it, prior to installing a computer program, it would seem likely that users would also not pay much attention to a large wall of text describing the details of a website’s privacy policy, when all the user wants to do is get to the content of the website as quickly and easily as possible. | > > | One counter argument to the basis of this paper is that given technology available today, namely, Firefox, AdBlock? , and TrackMeNot? , the issue of OBA should not be a concern, since online ads can be blocked prior to ever being seen by the user. While the point is valid that some users are capable of blocking ads through this technology, it is a stretch to assume that use of this technology is significant enough to render advertising unprofitable, either now or in the near future. | | | |
< < | In such a situation, where ease of computing is a large factor, it would appear that a statutory solution in limiting the specific uses of certain information would be warranted. Unfortunately, being that Congress has neglected to enact such on multiple occasions, the only remaining option would be a state-by-state approach. Indeed, several states in 2008 already proposed bills relating to the regulation of behavioral advertising. Massachusetts, for instance, was able to pass their version, though it primarily deals with safeguarding personal information once it has been obtained by the advertisers [6]. | > > | Estimates of Firefox usage range anywhere from 10% - 20% of the browsing population; of those, only a small fraction have downloaded AdBlock? Plus, with the percent using TrackMeNot being negligible. Even if vastly more users were to switch over to Firefox and install AdBlock? , which seems unlikely especially when reports raise security concerns (and in light of Google’s Chrome browser), the whole efficiency of OBA is that it is extremely cheap to tailor ads to a large number of individuals. Chances are that any person who would use AdBlock? and TrackMeNot? were probably not clicking on the advertisements anyways, thus already not contributing to the profits these companies earn, which is based on advertisement success. | | | |
< < | As Online Behavioral Advertising is becoming more widespread, these developments are noteworthy to all online consumers. | > > | It would seem for this situation that technology is not a current realistic solution. With the FTC regulatory scheme providing little protection, a solution would have to come from Congress, either in the form of establishing restrictions to DPI, or perhaps creating a private cause of action based on weak privacy policies. | | | |
< < | (Word Count: 999)
[1] http://www4.law.cornell.edu/uscode/15/45.html
[2] http://www.ftc.gov/reports/privacy3/priv-23a.pdf
[3] http://www.ftc.gov/os/2000/07/onlineprofiling.pdf
[4] http://www.networkadvertising.org/index.asp
[5] http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf
[6] 201 CMR 17.00 | > > | (Word Count: 993) | | | |
> > |
| |
- What's the point of footnotes in a wiki? Why not just link directly from the text?
|
|