
Politics and Law

June 22, 2009 5:40 AM PDT

Report: FTC to go after blogger freebies

by Caroline McCarthy

The Federal Trade Commission is planning to crack down on bloggers who review or promote products while earning freebies or payments, the Associated Press reported Sunday.

This would, for the first time, bring bloggers under FTC guidelines that ban deceptive or unfair business practices.

"New guidelines, expected to be approved late this summer with possible modifications, would clarify that the agency can go after bloggers--as well as the companies that compensate them--for any false claims or failure to disclose conflicts of interest," the article explained.

The rules could be quite strict, even extending to the practice of affiliate links--for example, a music blogger who links to a song on Amazon MP3 or iTunes that earns an affiliate commission in the process.

The practice of free products for bloggers, most of whom are not bound by ethical guidelines that journalists have historically followed, has been making headlines for some time now. Microsoft, for example, created a wave of bad press a few years ago when it gave free Acer laptops preloaded with Windows Vista to several dozen bloggers.

Some companies have sprung up around the whole notion of blogger compensation and giveaways. The AP article mentions some of the marketing companies that have made a business out of offering bloggers incentives--free trips, products, gift certificates, or outright payments--for coverage. One of them, Izea, has been generating controversy in the tech press since it started PayPerPost.

Izea says that it requires bloggers to disclose what they've gotten paid for or what they've received for free. But with the proposed FTC guidelines, if a blogger fails to disclose a freebie or payment, both Izea and the blogger could be held responsible. The FTC could also take issue with the fact that for at least one promotion, Izea has said it avoided including bloggers who would be likely to give the company negative press.

Izea CEO Ted Murphy wrote in a blog post Monday that the company supports stricter FTC regulations for bloggers.

"The companies that should be worried about these changes are those that have no standards and no way to enforce disclosure," Murphy wrote. "We have invested millions of dollars creating systems that allow us to automate transactions and verify standardized disclosure."

But some bloggers, the AP article mentioned, are concerned that the FTC's efforts could go too far, possibly generating probes into posts that were written without any compensation, and possibly leading bloggers to post with more restraint. And some believe it would be better if bloggers created their own standards based on niche and industry.

Then there's this: does the FTC realize just how many small-time bloggers are out there? Championing business ethics is a worthy goal, but, um, good luck getting much done when there are hundreds of thousands of blogs out there and new ones popping up more or less daily. Ever heard of the expression "herding cats?"

This post was updated at 11:37 a.m. PT with comment from Izea.

March 26, 2009 7:57 AM PDT

FTC: Dish Network violated Do Not Call rules

by Stephanie Condon

The federal government and four states are suing satellite television provider Dish Network for violating laws regarding the national Do Not Call registry.

The Federal Trade Commission on Wednesday said Dish Network has been calling consumers on the Do Not Call list, either directly or through marketing dealers working on its behalf, to promote its services since 2003.

The agency also said the company's "robocalls," or automated messages, are in violation of the federal Telemarketing Sales Rule. The agency's complaint was filed jointly with attorneys general from California, Illinois, Ohio, and North Carolina.

"Because a few bad actors still don't get it, we want to make it crystal-clear," Eileen Harrington, acting director of the FTC's Bureau of Consumer Protection, said in a statement. "If you call consumers whose numbers are on the Do Not Call registry, you're breaking the law."

The government is seeking a permanent injunction against Dish Network, prohibiting it from violating robocall and Do Not Call restrictions, and requiring that it monitor the marketing dealers it works with to prevent future violations. It is also seeking monetary civil penalties for every Telemarketing Sales Rule violation.

Dish Network said it has not violated the law and should not be held responsible for Do Not Call violations made by other companies.

"An independent audit demonstrates that Dish Network is in compliance with Do Not Call laws, has proper controls in place, and is well within the safe-harbor provisions of the law," the company said in a statement. "We also believe that the FTC is equating merely doing business with an independent retailer to 'causing,' or 'assisting and facilitating,' violations by that retailer, which creates a strict liability standard that does not exist in the law and was not intended by Congress."

The government is also filing complaints against two of the marketing dealers with which Dish works, Vision Quest and New Edge Satellite, for allegedly calling consumers on the Do Not Call list.

The FTC filed similar complaints against two other Dish Network partners in 2008--Planet Earth Satellite and Star Satellite. Those charges were settled, with the companies paying a total of $95,000 in penalties.

March 4, 2009 12:58 PM PST

Facebook, Google helping feds stop online stimulus scams

by Stephanie Condon

WASHINGTON--President Obama's economic stimulus plan has already spurred activity in at least one online industry, though not one the administration was hoping to encourage.

Deceptive Web sites, advertisements, and e-mail campaigns have cropped up across the Web in recent weeks, luring consumers into scams by promising them federal grant money from the stimulus package, the Federal Trade Commission said Wednesday.

The FTC is investigating these scams and is reaching out to the private sector for help. Google on Wednesday morning committed to investigating stimulus-related ads that violate its anti-scam policy, and Facebook has pulled ads for stimulus funds from its site, in accordance with a new advertising policy it implemented this week.

The deceptive sites and ads "have literally mushroomed up almost overnight," Eileen Harrington, the acting director of the FTC's Bureau of Consumer Protection, said Wednesday.

Web sites fraudulently offering ways for consumers to receive stimulus funds often use pictures of President Obama.

(Credit: Screenshot provided by the Federal Trade Commission)

Scammers have created sites with domains like PresidentObamaGrants.com and OfficialStimulusGrants.com, Harrington said, and include pictures of President Obama and Vice President Biden. The sites prompt consumers to enter a credit card number to pay a small fee in return for a list of grants supposedly available for things like mortgage payments. Those small fees, however, are often nothing more than a down payment on a "negative option" agreement that could cost someone thousands of dollars over the course of a year if not canceled.

"These Web sites tout free money for you," Harrington said. "But as the saying goes, the devil is in the details. Buried deep within the Web site is the fact that they'll charge you a lot of money."

Advertisements for these sites have started appearing on social-networking sites, video-streaming sites, and search engines. While Google and Facebook have been cooperative, Harrington said not all sites have been responsive to the FTC's request for help, though she declined to name any such sites. She also said the FTC has been in communication with network advertising groups about the problem, though she once again declined to name which ones.

"We've spent a lot of time educating advertisers how to screen for ads and this one should be a no-brainer for them," she said.

Facebook started noticing the suspect stimulus-related ads on its site about four to five weeks ago, before the FTC contacted the company, said Joe Sullivan, senior counsel for Facebook. Through Facebook's own ad screening and the "thumbs down" function that lets users give feedback on ads, it was able to identify the problem. Facebook launched a new policy this week to prohibit ads on its site with any obscure recurring billing schemes.

Spammers are also targeting consumers through e-mails that encourage consumers to click on a link within the message or to fill out attached forms to find out more about receiving stimulus funds. Clicking on the links or the attachments, however, can result in identity theft or in harmful software being downloaded to one's computer.

The FTC will not discuss ongoing investigations publicly, but Harrington said the deceptive negative-option marketing campaigns found on many of the fraudulent stimulus sites fit the profile of scams the FTC has already challenged in many law enforcement actions.

"The FTC has broad authority to challenge deceptive and unfair practices," she said.

Either through court proceedings or administrative challenges, the agency could take actions that could result in any number of consequences, such as prohibiting the use of certain ads or requesting that money be returned to consumers.

February 23, 2009 4:50 PM PST

Obama picks Leibowitz as FTC chairman

by Stephanie Condon

President Obama plans to appoint current Federal Trade Commission member Jon Leibowitz to lead the agency, which partially enforces antitrust laws and has taken a recent interest in online advertising.

An administration official on Monday confirmed to CNET News that Leibowitz, a Democrat appointed to the five-person commission in 2004, would be nominated as chairman.

Liberal groups including the ACLU and U.S. PIRG last year called on the Obama administration to appoint a chairman who would take a more regulatory approach. More recently, many of those same groups criticized the FTC's view that self-regulation of online targeted advertising was sufficient, which Leibowitz also seemed to take issue with.

"Industry needs to do a better job of meaningful, rigorous self-regulation, or it will certainly invite legislation by Congress and a more regulatory approach by our commission," he said earlier this month.

In November 2007, Leibowitz suggested that Internet companies should take an "opt in" approach to cookies instead of the current "opt out" approach, a requirement that would have roiled the industry. He also suggested the idea of a "Do Not Track" list for Web surfers.

"Leibowitz will help transform what has been a largely anemic regulatory watchdog during the Bush years into an agency that sees its first priority as consumer protection," said Jeff Chester, executive director of the Center for Digital Democracy, a liberal group that advocates for more regulation. "Public interest groups such as mine appreciate that Leibowitz has called for tougher online privacy safeguards, and that his door has always been open."

The FTC under Leibowitz will also continue to address questions of anti-competitive practices in the technology sector, including in its proceeding investigation of Intel.

"Under Leibowitz's lead, we expect this investigation to proceed fairly and hope that the new chairman uses his position to investigate similar anti-competitive abuses by other companies," said Ed Black, the president and CEO of the Computer and Communications Industry Association. "His knowledge of high-tech and Internet issues is a huge plus."

On Monday, the U.S. Supreme Court dealt the FTC a bitter defeat when it declined to hear the agency's appeal of the unsuccessful Sherman Act antitrust case it brought against chipmaker Rambus. The case has lasted seven years and is now effectively over; the FTC initially alleged the company "threatens to undermine participation in industry standard-setting activities."

Leibowitz was one of two commissioners to dissent from the FTC's 2006 decision to allow Time Warner and Comcast to buy cable television systems from Adelphia Communications, without conditions. He and commissioner Pamela Jones Harbour called for restrictions to keep the cable companies from discriminating against rival providers.

On the issue of Net neutrality, Leibowitz stood out from his colleagues in June 2007 when the FTC released a report stating no new laws were necessary. Leibowitz issued an opinion saying existing antitrust laws may not have been "adequate to the task" of Internet broadband regulation.

"Will carriers block, slow or interfere with applications?" Leibowitz asked at a public hearing held by the FTC in November 2006. "If so, will consumers be told about this before they sign up? In my mind, failure to disclose these procedures would be...unfair and deceptive."

Leibowitz previously worked as a lobbyist for the Motion Picture Association of America. Before that, he was chief counsel and staff director for a Senate antitrust subcommittee.

Plans for Leibowitz's nomination were first reported by Bloomberg.

CNET's Declan McCullagh contributed to this report

February 12, 2009 12:13 PM PST

Congressman, privacy groups challenge FTC Web-ad policy

by Stephanie Condon

A government regulatory agency said Thursday that it will continue to push for better self-regulation of online behavioral advertising, but privacy advocates--as well as a key congressman who plans to introduce data collection legislation soon--say self-regulation will not sufficiently protect consumers.

After considering public comments over the past two months, the Federal Trade Commission on Thursday released a revised set of four principles to guide self-regulation of online targeted ads. Yet the changes to the principles are minimal, privacy advocates say, and may even create more loopholes for online companies collecting behavioral data. Critics also charge the guidelines punt the important task of defining certain terms related to online advertising to the industry and public interest groups.

The following are the four principles:

• Web sites should prominently note their behavioral advertising practices and give consumers an accessible way to opt out of such programs. Companies are encouraged to make these notifications separate from general privacy policies. Companies that collect information through mobile devices or other means should ensure they have sufficient disclosure mechanisms.

• Companies are encouraged to maintain reasonable security and retention practices with respect to the data they collect.

• Companies are also encouraged to inform consumers of retroactive material changes to their data collection policies.

• And companies are encouraged to receive express consent from consumers before collecting "sensitive data," such as information about children, health information, and Social Security numbers.

The revised principles were issued with a report (PDF) that responds to comments the agency received on the topic. The commission voted 4 to 0 to approve the report, but two commissioners suggested the issue is far from resolved.

"Industry needs to do a better job of meaningful, rigorous self-regulation, or it will certainly invite legislation by Congress and a more regulatory approach by our commission," Commissioner Jon Leibowitz said. "Put simply, this could be the last clear chance to show that self-regulation can--and will--effectively protect consumers' privacy in a dynamic online marketplace."

Rep. Rick Boucher (D-Va.), who chairs the Internet subcommittee in the House Energy and Commerce Committee, said he intends to reintroduce data collection legislation in the "not-too-distant" future.

"I think self-regulation is helpful, and responsible Web sites will abide by (the principles), but self-regulation is not sufficient, in my opinion," Boucher told CNET News.

He said he and Rep. Cliff Stearns (R-Fla.), who is the ranking Republican on the Internet subcommittee, will introduce bipartisan legislation similar to a bill introduced in 2002, called the Consumer Privacy Protection Act, to ensure online companies notify consumers whenever behavioral or personal data is being collected.

"I think if we empower (Internet) users in this way, it would lead to greater consumer confidence, leading to more electronic commerce," Boucher said.

The congressman said his subcommittee will work in conjunction with the House Energy and Commerce's consumer protection subcommittee to put together a new version of the bill. The FTC and the Federal Communications Commission would likely share authority enforcing it.

No big changes
The principles announced by the FTC are unlikely to result in any significant changes in online tracking, privacy advocates said, though they are broad enough to address practices such as Google's method of partially basing search results on a user's search history. Google applauded the revised principles.

"The FTC principles underscore that in a fast-evolving space like the Internet, a self-regulatory approach is the best way to protect consumers and promote innovation," Pablo Chavez, Google senior policy counsel, said on Google's public policy blog. "Google will continue to engage in efforts to develop strong self-regulatory principles and will continue to advocate for comprehensive federal privacy legislation."

Mike Cassidy, CEO of Undertone Networks, a premium online advertising network, also said that the revised principles are unlikely to change much.

"But I'm also of the belief not a lot needs to be changed," Cassidy said. "As a U.S. citizen, I think the government's got better things to do," such as addressing the current economic recession.

The provisions found in the so-called "stimulus" bill Congress is finalizing only make the need for regulation more important, argued Pam Dixon, executive director of the World Privacy Forum.

The FTC's principles are coming out "at the same time the stimulus package is going to fund millions of dollars of health care data moving online," Dixon said. "It's not a good intersection. I was hoping for more."

She said self-regulatory efforts such as the Network Advertising Initiative--to which both Google and Undertone Networks belong--have been a "demonstrated failure."

Insufficient protection for "sensitive information" and kids
The NAI, she said, has insufficiently defined medical information in its own guidelines--yet the FTC on Wednesday called on industry groups and privacy advocates to develop its own specific standards to address so-called "sensitive information."

"In terms of sensitive information, the FTC did a punt on this," Dixon said.

Furthermore, by neglecting to define "children," or address the fact that children are not able to give meaningful consent to data collection, the FTC "failed to protect kids from online predatory practices," said Corie Wright, a lawyer for Georgetown's Institute for Public Representation. Children, she said, are "increasingly becoming really attractive targets for marketers."

To the extent that any online behavioral targeting may amount to unfair or deceptive practices, the FTC will investigate them, said Jessica Rich from the FTC's Bureau of Consumer Protection. Meanwhile, the FTC will continue to evaluate this year self-regulatory programs like the NAI.

Jeff Chester, executive director of the Center for Digital Democracy, said the agency has not taken a more proactive approach to regulating online targeting because of the Bush administration's preference for self-regulation.

"I see this document as the last official act of the Bush administration," he said, noting that President Obama has not yet appointed a new FTC chairman.

Congressman Boucher said he trusts Obama's judgment on the decision.

"I deeply respect his values and I'm confident he'll appoint a person of outstanding ability who shares his goals for consumer protection," he said.

December 16, 2008 6:20 PM PST

Privacy groups ask Obama for stronger FTC

by Stephanie Condon

About a dozen leading privacy and consumer groups met with members of President-elect Barack Obama's transition team Tuesday to discuss the Federal Trade Commission's role in protecting consumer privacy.

While participating organizations addressed a range of problems and potential solutions, the underlying message was clear: the FTC has for too long allowed industries to self-regulate their online privacy practices--to the detriment of consumers.

"The FTC keeps moving the goal post on what privacy advocates need to prove" before it provides substantive regulation, said Chris Jay Hoofnagle, director of the Berkeley Center for Law and Technology's Information Privacy Programs. "The commission has taken this posture that allowed business interests to win by just showing up. Self-regulation in online privacy has gotten more than a fair shake."

Hoofnagle took part in Tuesday's meeting, along with representatives from the Privacy Rights Clearinghouse, the Consumer Federation of America, the American Civil Liberties Union, the Center for Digital Democracy, the World Privacy Forum, the Electronic Privacy Information Center, the Privacy Times, the Privacy Journal, the Consumers Union, the Electronic Frontier Foundation, and U.S. PIRG, the federation of state Public Interest Research Groups. The groups met with Susan Ness and Phil Weiser, the FTC review team leaders for the Obama transition team.

While the transition's agency review leaders have been seeking insight from numerous sources about the functionality of agencies like the FTC, this meeting was held at the request of the privacy groups, according to Jeff Chester, the executive director of the Center for Digital Democracy.

"We wanted to impress upon the transition team that there are many online privacy issues that need to be the highest priority of the incoming Obama FTC," Chester said. "The last eight years has been a disaster for consumer protection and privacy, and the agency has not really had the interest to work on behalf of consumers to investigate the online ad industry and its harmful and problematic practices."

Along with the need for better regulation of targeted online marketing, the groups discussed the need for more oversight in the data broker industry and privacy policies for medical information, among other things. A range of solutions were offered, from more benchmarks for self-regulated industries to new legislation.

If the FTC is going to let industries self-regulate their privacy policies, it should provide clear benchmarks, Hoofnagle said. Without clearly defining the problems that need to be solved and the measures of success, the commission cannot know when it should intervene, he said.

More regulation for targeted online ads?
The Network Advertising Initiative, for example, is a group of third-party network advertisers including Google and Yahoo that has created its own online behavioral advertising guidelines. The group announced Tuesday it updated its code of conduct, but multiple groups at the meeting with the Obama transition team said that behavioral tracking and targeting is still a problem that the FTC needs to address.

Susan Grant, director of consumer protection at the Consumer Federation, called the practice "deceptive on its face."

"The FTC approach to this issue is emblematic of its timid and inadequate approach to consumer privacy in general over the past several years," she said. "Information is collected by entities with whom people have no relation, without consumers having any idea of what would be done with that information."

The Consumer Federation is calling for the FTC to establish a "Do Not Track" registry, Grant said. The FTC already oversees the Do Not Call Registry, which lets consumers opt out of receiving telemarketing calls. The registry has been very successful, Hoofnagle said, with telemarketers reporting larger profits and more effective results.

"It was a polar opposite from the self-regulatory system," he said. "It seems we can learn from these lessons but the FTC couldn't."

Groups like Center for Digital Democracy are now waiting for Congress to introduce legislation to empower the FTC to better regulate in this area, Chester said.

Congressman Ed Markey (D-Mass.) is, in fact, interested in introducing some type of omnibus electronic privacy legislation next Congress, according to his communications director Jessica Schafer. Though the legislation has yet to be drafted or finalized, it would likely include provisions to protect consumers from online Web tracking used to create targeted online ads, she said. Markey has criticized behavioral tracking in the past.

More oversight of the data broker industry
Multiple groups at Tuesday's meeting also told the transition team that the data broker industry needs better oversight from the FTC.

The Privacy Rights Clearinghouse, a nonprofit consumer rights group, has received numerous complaints from consumers about companies that sell their personal information, including companies that supposedly violate their own privacy policies, according to the Clearinghouse's director Beth Givens.

"This is an unregulated industry that needs to be investigated by the FTC," Givens said. "It's long overdue."

Data brokering may have contributed to the mortgage meltdown of the past year, Hoofnagle said, since Internet users would typically face a deluge of offers from mortgage brokers after making a single inquiry online about how to get a mortgage.

Those who participated in the meeting said it was difficult to gauge the transition team's interest in their ideas.

"They were in fact-gathering mode," Grant said.

One significant improvement Obama could make to the FTC, Hoofnagle said, would be to alter its makeup by appointing a commissioner with a background in consumer advocacy.

"If you look around they're often antitrust lawyers," he said. "That reflects its important antitrust mission, but that leaves the other half of the mission a little short."

The privacy and consumer advocates also suggested Obama consider creating a national privacy official. The United States and Japan are the only two countries in the developed world that do not have overarching privacy laws or an official who enforces them, said Barry Steinhardt, director of the Technology and Liberty Program for the ACLU.

"It's time for the U.S. to get in the international consensus on that," he said.

August 20, 2008 10:01 AM PDT

FTC all but bans robocalls

by Stephanie Condon

WASHINGTON--The Federal Trade Commission essentially banned robocalls Tuesday--creating new rules that telemarketers may only send the prerecorded sales pitches to people who actually want to receive them.

The FTC amended its Telemarketing Sales Rule after reviewing more than 14,000 comments made since October 2006, when proposed amendments were published for public consideration.

There are two stages to the change: By December 2008, robocalls will be required to include an automated key-press or voice-activated opt-out. Beginning September 2009, telemarketers won't be able to send out any robocalls without "the prior express written agreement of the recipient to receive such calls."

There are no exceptions for telemarketers to send robocalls to customers with whom they have an "established business relationship," as an earlier policy allowed, but there are some exceptions. Health care-related calls subject to the Health Insurance Portability and Accountability Act of 1996 are still allowed, as are charitable fundraising robocalls made to members of the nonprofit charitable organization for which the call is placed, or to people who previously donated to it. The fundraising calls must still include an automated opt-out, however.

The strict limits won't stop robocalls from political campaigns, either. "Political calls are not placed for the purpose of inducing purchases of goods or services, and therefore are not 'telemarketing' within the meaning of the TSR," the FTC notes in a footnote of the amendment.

Congress made some attempts this year to address annoying prerecorded political phone messages. The Robocall Privacy Act of 2008, introduced in both the House and Senate earlier this year, would put a number of limits on robocalls from political campaigns, including the number of calls made to a house in one day and the hours such calls can be made.

May 19, 2008 1:10 PM PDT

Web monitoring for ads? It may be illegal

by Declan McCullagh

Online advertising has ballooned into a roughly $45 billion-a-year business, to the benefit of Google, Yahoo, ad networks, and innumerable speciality and hobbyist Web sites.

One corner of this ecosystem that hasn't managed to cash in on advertising is, by some measurements, the largest: broadband providers. So it may have been inevitable that they would seek additional revenue by monitoring their customers' online activities and creating behavioral profiles that could yield hyper-relevant ads.

The only problem with this practice is that it may not be entirely, well, legal. The first warning sign came last week when two members of the U.S. Congress sent a letter to Charter Communications, a large cable provider, raising "substantial questions" about the legality of deep packet inspection and asking the company to hold off. (See our Q&A with a Charter executive.)

In interviews with News.com over the last few days, privacy advocates and attorneys pointed to a collection of federal laws--written in the 1980s when broadband services were merely a pipe dream--that combine to create a treacherous legal landscape for broadband providers that plan to conduct Web monitoring.

It's "a problem for cable providers because the very collection of personal information is prohibited without consent," said Al Gidari, a partner at Perkins Coie in Seattle, whose clients include Google and broadband providers. "It's plainly a problem for Charter. I'm amazed we haven't seen a class action lawsuit on this."

The problem for broadband providers is that intercepting customers' Web browsing, analyzing the protocols to see what's going on, and reviewing the packets' contents starts to look a lot like wiretapping. And there are federal and state laws, complete with civil and criminal sanctions, that broadly prohibit wiretapping.

It's unclear how many providers are performing Web monitoring for advertising, not least because all of the companies providing deep packet inspection are highly secretive.

Wide Open West is using technology from Redwood City, Calif.-based NebuAd, as it discloses in its privacy policy. Charter and (reportedly) Knology are experimenting with it, too. CenturyTel told us that "we are doing business" with NebuAd and that it did a trial of NebuAd's technology in one of its markets late last year.

Embarq talks about "preference advertising" in its privacy policy and confirmed it has tested NebuAd "in one of our markets," but added that "we are not currently using those tools and have not decided whether to move forward with them." Rivals to NebuAd include Front Porch of Sonora, Calif., and U.K.-based Phorm.

NebuAd refused to disclose what advertising networks--such as DoubleClick or Microsoft's Aquantive--it uses, or what broadband providers it counts as customers. So did Phorm and Front Porch (which said it could not arrange an interview).

When asked why it won't disclose that information, NebuAd told us in e-mail: "We would like to respect the trust and relationship that already exists between an ISP and their end customer. We want to stress that we do not publicly discuss our ISP partner relationships because of the direct relationship that already exists between an ISP and their customers. Our belief is that our ISP partners have a direct, trusted relationship with their customers; and communication, public or otherwise, should be directly from our ISP partner to their end customer." NebuAd does provide an opt-out mechanism through browser cookies.

The stakes are high. The advertising industry is moving toward behavioral targeting, meaning compiling dossiers (anonymized or not) on individuals and using those to display targeted ads. Theoretically, this benefits everyone: Internet users see ads that match their interests, and advertisers sell more products.

Because deep packet inspection can, barring the use of encryption, monitor everything that a customer does online, a broadband provider is in the enviable position of being able to know exactly what each customer is doing. The odds of successful monetization are high. But so are the legal risks.

Three federal laws, three legal hurdles

At least three wiretapping-related federal laws restrict what broadband providers can do: the Electronic Communications Privacy Act of 1986 (ECPA); the Communications Act of 1934; and the Cable TV Privacy Act of 1984. The cable privacy law is the most restrictive and applies only to cable broadband providers--meaning, thanks to a law written when the Apple Macintosh was new, they're at a competitive disadvantage to AT&T and Verizon.

The cable privacy law is unusually onerous because it requires the "prior written or electronic consent of the subscriber" before any personally identifiable information can be collected. What that means is sending a postcard or e-mail telling customers that they can opt out (which is what cable providers are doing so far) may not be good enough.

"They have to worry about it more," said Gidari, the attorney at Perkins Coie, referring to cable operators. "Their rules are much more restrictive. They have the obligation to give notice to their customers before they disclose information. They have the obligation not to collect information without prior consent...Cable operators have the most exposure in doing this."

One irony of this situation is that broadband providers are seeking to do precisely what companies like Google and Yahoo have done for many years: monitor what users are doing and display relevant advertisements. But cultural expectations are different. And by an accident of history, or a quirk of fate, those laws don't apply to Google and Yahoo and other Web sites. They single out Internet service providers.

For their part, cable providers insist that they're following the law. Charter tells us it is "confident" that "all legal requirements" have been met. Wide Open West, a cable operator in the Midwest that's using NebuAd's hardware, said: "We feel that the service and our use of it is in compliance with current regulations."

But other laws apply to all Internet providers. ECPA says, in general, that "a person or entity providing an electronic communication service to the public shall not intentionally divulge the contents of any communication." Two exceptions to that general rule allow monitoring that is a "necessary incident" to providing the service and monitoring with a user's "lawful consent."

Translation: Obtaining "lawful consent" may mean more than sending e-mail notifying customers that the terms of service have changed. At the least it means that an opt-in process is less risky, legally speaking, than an opt-out one.

The 2003 In Re Pharmatrak decision from the U.S. Court of Appeals for the 1st Circuit offers a glimpse of how judges view consent. The court ruled in a case involving Web tracking "that it makes more sense to place the burden of showing consent on the party seeking the benefit of the exception." The judges approvingly cited a second case, which said "consent can only be implied when the surrounding circumstances convincingly show that the party knew about and consented to the interception."

Yet another legal obstacle for Web monitoring is the Communications Act, which says companies engaged in "transmitting" communications shall not "divulge" those contents.

"The question is whether or not a third party like this can track usage for things other than for routine maintenance of a network--they are entitled to do that," said Barry Steinhardt, director of the ACLU's Technology and Liberty Program. "But where you're actually tracking the content of what users do, there are serious questions there about the Electronic Communications Privacy Act and the cable laws."

Steinhardt added: "I think Congressman (Edward) Markey is exactly right to raise this issue. The implications here are profound...Do (broadband providers) think they own that data? If they own that data, there are no limits on what can be done with it? Can they give it to an employer? Can they give it to a credit bureau? Can they give it to a potential landlord?"

Another possible threat to broadband providers is the Federal Trade Commission, which can file lawsuits alleging unfair or deceptive business practices. The FTC has posted suggested guidelines for behavioral advertising after convening a workshop last fall, and the Center for Democracy and Technology filed comments with the agency last month raising questions about NebuAd and its peers. (Disclaimer: I spoke at last fall's workshop.)

CDT's comments allege that broadband providers do "not appear to be adequately disclosing this involvement" and suggest that the Electronic Communications Privacy Act regulates the practice. They also suggest that the FTC "should address" advertising-related monitoring and require affirmative consent from customers instead of an opt-out mechanism. In its privacy principles, the FTC said "companies should obtain affirmative express consent from affected consumers" before substantially changing privacy policies.

In the past, the FTC has taken a relatively strict view of informed consent. In its lawsuit filed against Odysseus Marketing, the FTC argued that it was unlawful for a company not "to adequately disclose" to customers that it was sharing information with third parties. The case ended in a settlement.

There's one final legal twist that could imperil NebuAd and similar companies that conduct deep packet inspection. The way they work is to perform a Carnivore-like interception of all customers' Web browsing. Then Web traffic with NebuAd's opt-out cookie is discarded.

What that means in practice is that, if you've chosen to opt out through your Internet provider, the contents of your communications are nevertheless continually disclosed to a third party--even if for a microsecond--which is exactly what federal privacy laws seem to prohibit.

News.com's Anne Broache contributed to this report

January 22, 2008 11:00 PM PST

Whoops! Ask.com complaint to FTC is an EPIC mistake

by Declan McCullagh

A zealous band of pro-regulation privacy groups made a valiant effort a few days ago to convince the Feds to forcibly pull the plug on a new feature on the Ask.com search engine.

The groups, which include the Electronic Privacy Information Center and the Center for Digital Democracy, told the Federal Trade Commission on Saturday that a formal injunction was necessary to halt some supposedly pernicious practices on the part of Ask.com.

The only problem? Those supposedly pernicious practices don't actually exist.

Ask.com already had voluntarily changed the way it handled its new privacy feature weeks earlier. This self-appointed posse of liberal nonprofits, which also includes Consumer Action, was riding to bring to justice a problem that had long since vanished (and that's assuming it existed in the first place).

By way of background, this particular posse disagreed with the way Ask.com implemented a privacy feature called AskEraser. The idea is that instead of recording your search terms for a year or two the way other search engines do (see our survey from August), Ask.com was offering never to save them at all.

AskEraser is turned on or off by a link on Ask.com that changes the value of a cookie titled, reasonably enough, "askeraser." Originally, when AskEraser launched last month, the value of the cookie was set to the time that the service was activated.

Instead of applauding the idea as perhaps flawed but better than the status quo, EPIC et al. worked themselves into a state of high dudgeon. (These are the same groups that once claimed Google's Gmail service was illegal.) They sent a letter to Ask.com on December 19 saying the timestamp--down to the second, but not a fraction of a second--could be used as a kind of unique tracking number.

They had a point. If Ask.com encounters a thousand people signing up for AskEraser per second, the potential privacy intrusion is minimal (everyone has the same timestamp). If only one person per second signs up for AskEraser, however, the potential privacy intrusion is higher (the timestamp is unique).

Which is why Ask.com changed the cookie value in early January to be just "off" or "on"--meaning there's no longer the same kind of privacy issue. Unfortunately for the pro-regulatory privacy activists, they never actually checked before firing off their this-illegal-practice-must-be-halted missive on Saturday. It said that the FTC must:

- Order Ask.com to withdraw AskEraser from the marketplace.

- Order Ask.com to cease engaging in unfair and deceptive trade practices.

- Require Ask.com, as a condition of offering AskEraser in the future to:
a) Cease using the opt-out cookie
b) Cease creating a Persistent Identifier on customers
c) Provide meaningful notice if the service will be disabled...

- Order Ask.com to delete all previously retained information, before the implementation of AskEraser.

- Order Ask.com to inform all current users of AskEraser, by prominent notice displayed on the Ask.com Web site, that they should delete the Ask.com AskEraser cookie.

And so on. Now, I admit that anyone can err. And in fact I've known the folks at EPIC to be careful, honest, and principled, even if I may disagree with them from time to time. I think this is an honest mistake.

But this episode is useful to note because it exposes how the Washington practice of advocacy groups using federal agencies to sabotage political enemies can be bereft of facts and logic. (From EPIC's perspective, this was supposed to be a no-lose situation: it's a win if AskEraser is taken off the market, and if the Republican-led FTC refuses to do so, the FTC and the Republican appointees can be slammed as insufficiently sensitive to "privacy interests.")

For his part, Ask.com spokesman Nicholas Graham told me on Tuesday:

EPIC's weekend filing regarding AskEraser is both flawed and unfortunate. It's unfortunate in the sense that Ask.com tried to engage in a constructive dialogue with the group last week, and was rebuffed. Privacy is an issue that demands collaboration and partnership between online companies and advocates, for the benefit of all consumers. Ask.com's relationship with the Center for Democracy & Technology is proof-positive of that.

EPIC's filing is flawed in the sense that the document they filed is factually inaccurate, and simply shows a fundamental misunderstanding of the functionality of our product. In addition, many of the issues they raise are outdated, while others are completely misguided from the outset, and others deal with changes that Ask.com already made to AskEraser weeks ago, and were subsequently posted publicly on our website.

EPIC Executive Director Marc Rotenberg replied to me in e-mail on Tuesday evening:

If Ask has now fixed the problem, (1) that means we were right, (2) they should have responded to our letter. But that doesn't solve the problem with opt-out cookies, which I think you will agree is a nutty approach that does not scale, i.e. it requires users to keep cookies for all the companies they don't want to be tracked by. Even the FTC should be able to see the problem.

Rotenberg is right that using opt-out cookies may not be the cleanest design technique. If I were coding it, I'd have created a special "ask.com/eraser" site--the same way Google set up its google.com/unclesam government search--or a private.ask.com subdomain. No cookies would be needed.

Then again, I'm not privy to how Ask.com's software is designed and the trade-offs that would be involved. More to the point, probably, companies should have flexibility in how they try to offer new privacy features--and it's hardly clear that a bunch of permanent Washington insiders or FTC bureaucrats know more about scalable software engineering than, well, actual software engineers. As long as Ask.com is honest about what it's doing, and it seems to be in its FAQ, it should be allowed to keep on offering new features.
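The timestamp argument made earlier in this piece can be checked numerically. The sketch below is an added example, not code from Ask.com, EPIC, or the original article: it measures how many users carry a cookie value nobody else shares when the value is a whole-second activation time, compared with a plain "on" flag. The function names, the whole-second string encoding, and the constructed sign-up times (spread uniformly over a window) are assumptions.

```python
import math
import random
from collections import Counter

def timestamp_cookie(activation_time):
    # Assumed encoding: activation time truncated to the whole second.
    return str(int(activation_time))

def flag_cookie(_activation_time):
    # The revised design: every user with the feature enabled carries "on".
    return "on"

def anonymity_sets(cookie_values):
    """Number of users sharing each distinct cookie value."""
    return Counter(cookie_values)

def fraction_unique(cookie_values):
    """Share of users whose cookie value nobody else carries."""
    if not cookie_values:
        return 0.0
    sets = anonymity_sets(cookie_values)
    return sum(1 for v in cookie_values if sets[v] == 1) / len(cookie_values)

def expected_fraction_unique(rate_per_second):
    """With Poisson sign-ups, a user is alone in their second with
    probability exp(-rate)."""
    return math.exp(-rate_per_second)

def simulate_activations(rate_per_second, duration_seconds, seed=1):
    """Constructed sample: sign-up times spread uniformly over a window."""
    rng = random.Random(seed)
    count = int(rate_per_second * duration_seconds)
    return [rng.uniform(0, duration_seconds) for _ in range(count)]

def compare(rate_per_second, duration_seconds):
    """Uniqueness of the two cookie designs for the same set of sign-ups."""
    times = simulate_activations(rate_per_second, duration_seconds)
    stamped = [timestamp_cookie(t) for t in times]
    flagged = [flag_cookie(t) for t in times]
    return {
        "users": len(times),
        "timestamp_unique": fraction_unique(stamped),
        "timestamp_expected": expected_fraction_unique(rate_per_second),
        "flag_unique": fraction_unique(flagged),
        "flag_smallest_set": min(anonymity_sets(flagged).values()),
    }

if __name__ == "__main__":
    # Sign-ups per second: a thousand, one, and one every hundred seconds.
    for rate, duration in [(1000, 100), (1, 100_000), (0.01, 1_000_000)]:
        print(rate, compare(rate, duration))
```

At a thousand sign-ups per second essentially no timestamp is unique; at one per second roughly 37 percent of users (e^-1) are alone in their second; at lower rates nearly every timestamp identifies a single user, while the "on" flag never does.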

There's one more question worth asking: if EPIC and CDD and their ideological allies believed they had such a strong case, why not file an actual lawsuit instead of asking the FTC to undertake an investigation that would likely take half a year or more to complete?

After all, EPIC is staffed by attorneys, and their complaint to the FTC alleges that AskEraser is, beyond any doubt, "an unfair business practice." If true, that would violate state consumer protection laws, including California's section 17200, which says private attorneys may sue a company engaging in "unfair" business practices.

I think I know what the answer is. Judges have little patience for plaintiffs that waste their time. If this had been a lawsuit, a judge might well have fined EPIC et al. for wasting his time with frivolous claims, and its staff attorneys might even have been subject to individual sanctions.

Lawsuits, in other words, have risks. Firing off an inaccurate letter to the federal bureaucracy, on the other hand, merely results in the sender looking a little silly. The next time you see them complaining to the FTC about some alleged wrongdoing, remember these attorneys' odd reluctance to litigate.

December 13, 2007 11:41 AM PST

Google-DoubleClick deal hit by deleted Web page controversy

by Declan McCullagh

A political controversy over deleted documents and conflicts of interest could, opponents of the deal hope, imperil Google's planned $3.1 billion acquisition of the DoubleClick advertising firm.

The most recent round started with my colleague Elinor Mills' article on Wednesday afternoon, which noted that two liberal groups opposed to the merger asked Federal Trade Commission Chairman Deborah Platt Majoras to recuse herself from a vote because her husband is a partner at the Jones Day law firm, which is representing DoubleClick. Majoras recused herself from a previous matter involving Procter & Gamble because Jones Day was involved.

That article quoted the FTC as saying Jones Day was only involved in the European aspects of the Google-DoubleClick merger and had not appeared before the FTC. But--the article noted--that "would seem to conflict" with what's on the Jones Day Web site. That site said:

Jones Day is advising DoubleClick Inc., the digital marketing technology provider, on the international and U.S. antitrust and competition law aspects of its planned $3.1 billion acquisition by Google Inc. The proposed acquisition will combine DoubleClick's expertise in ad management technology with Google's Internet search and content platform. The transaction is currently under review by the U.S. Federal Trade Commission (FTC) and European Commission.

Soon after our article appeared, Jones Day deleted that Web page, and it's now blank. Google's cached copy, however, is not.

The antimerger groups, the Electronic Privacy Information Center and the Center for Digital Democracy, cited our article and the subsequent deletion in a letter to the FTC on Thursday saying the commission's representatives "who addressed yesterday the representation of Doubleclick by Jones Day before the Commission were either misinformed or willfully misled the public." They're filing a Freedom of Information Act request for any relevant documents.

The subtext here is that EPIC and CDD are trying to embarrass Majoras into recusing herself, which would remove a Republican vote likely to be more sympathetic to free market arguments. That would leave two Republicans and two Democrats with a vote. (On the other hand, for all we know, all five commissioners could be enthusiastic about supporting the deal.)

So, what's really going on? It seems that there are two likely possibilities: one, Jones Day is in fact representing DoubleClick before the FTC, and is reluctant to acknowledge it. Two, the Jones Day Webmaster innocently used imprecise language and the law firm truly was focused on Europe alone.

For their part, DoubleClick and Jones Day say it's option No. 2. Joe Sims, a partner at Jones Day, sent me this e-mail message in response to my question to him:

The language in the posting apparently was confusing, since EPIC cites it as evidence JD is representing DC at the FTC, and we never have. So we took it down and will rewrite it to eliminate the confusion.

And DoubleClick sent us this statement this morning:

Simpson Thacher has been DoubleClick's outside counsel since July of 2005 and was retained to represent it in all aspects of its proposed acquisition by Google, including with respect to United States antitrust matters. From the outset, Simpson Thacher has represented DoubleClick before the Federal Trade Commission and continues in that capacity. Jones Day has been engaged primarily with respect to European and other non-U.S. jurisdictions. Jones Day was not engaged to represent, and has not represented DoubleClick before the Federal Trade Commission or appeared before the Commission on DoubleClick's behalf.

Majoras' husband, John Majoras, is an antitrust litigator at Jones Day. That by itself may not mean much: Jones Day is one of the largest law firms in the country with something like 2,300 attorneys.

The FTC deadline for its review was December 13, but it's since been extended. Meanwhile, the European Commission has until April 2 to review the deal.

Update 10 a.m. PST Friday: Jeff Chester of CDD called me after this article appeared and said he would have raised the ethics issue regardless of whether Majoras was likely to vote with him or against him. Political party affiliation, he said, was irrelevant, and his only goal was transparency in government. In an e-mail he added: "I would be doing this whether she was a vote for us." Also Majoras replied this morning, saying that she would not recuse herself and that she had run this matter by the FTC's ethics officer. Here's our story.

(Disclosure: Declan McCullagh is married to a Google employee.)
