Transparent cookie policy shows the privacy madness in Ad-tech

I went to Reuters UK website and, in clicking on their cookie policy, I was presented with this screen. See their advertising guidelines and click on the Cookie Consent button in the bottom right hand corner.

Well done to Reuters for demonstrating the transparency of how all the cookies on their site are being used.

But what a hideous user experience / privacy experience!

I clicked on the two 'All off' buttons to stop cookies being fired (hopefully??) and data being collected about me and my browsing habits (even more hopefully???). This is the next screen - the battle isn't over yet!!

I closed my browser window and got my news from another source - like the ad-free BBC.

Having worked in Ad-tech for the last 2 years, I've been on publishers' side of the fence on this issue (indeed Reuters was a customer of my previous employer, Grapeshot), but this is a truly frightening user experience for the average internet user. No wonder ad-blocking is rising at such a rate (See Wikipedia entry for Ad Blocking)

I'd be fascinated to see how many people actually manage their cookies using this screen or how many close down the page and go elsewhere - as I did!

Trading our privacy for functionality

If consume a free product, then stop and think:

If you aren't paying for the product, then you are the product.

From an excellent ReadWrite article:

Lost in the furor over government spying on its citizens is an inconvenient truth: personal data is the new currency of the 21st century, and until we rein in our desire to spend it we can't really stop others' desires to spy on it.

But we are the ones happily selling ourselves for a few more gigabytes of storage, or a way to talk with friends. We used to pay for such things with money. Now we pay with our private details through our personal details.

The public has to ask itself a hard question: Do we care? Or are we happy to sell little pieces of our online selves in the name of ease and convenience?

Instagram and Facebook mess up on digital ownership

Two days ago, I mentioned Facebook's desmise in my post about Digital Lockers and Personal Digital Identity, most probably due to its clumsy / haphazard approach to users' privacy.

And lo, barely had I hit submit, when Instagram (owned by Facebook) changed its T&Cs to grant Instagram licensing rights to sell all photographs taken by the application. (From the Register: Don't use Instagram, it'll sell YOUR photos)

The reactionary vitriol from its user base demanded that Instagram did an about turn within 24 hours:

Instagram users own their content and Instagram does not claim any ownership rights over your photos. Nothing about this has changed. We respect that there are creative artists and hobbyists alike that pour their heart into creating beautiful photos, and we respect that your photos are your photos. Period.

Blog post by Kevin Systrom co-founder, Instagram

Sigh - what a horrible embarrassment. Will Facebook ever learn???

User Profiling in Internet Advertising

There's fascinating article on The Register, How websites use your browser to sell you for cash. It explains some of the many techniques that internet advertising uses to profile users as they surf across multiple sites.

.... [we] came to the conclusion that with some minor tweaking, that firm is sitting on software nearly capable of delivering a Minority Report level of personalised advertising.

Below is the well-known clip from the Minority Report which demonstrates the future of Personalised Advertising - it's here already.

Do read the article, there are numerous links to other fascinating articles, such an explanation of a evercookie.

This article is fine for sophisticated web users, but what about Joe Public?
Legalisation (and enforcement) in this area is miles behind. The BBC reports on New net rules set to make cookies crumble:

European e-Privacy directive came into force in the UK in May this year. It mandates that users should be fully informed about the information being stored in cookies and told why they see particular adverts. This provides to gives some initial policy and some user protection from the use of behavioural advertising.

As part of its work to comply with the directive, the IAB - an industry body that represents web ad firms - created a site that explains how behavioural advertising works and lets people opt out of it. 

It should be no surprise that regulators are struggle to keep up, but a BBC article (admittedly from March this year), Governments 'not ready' for new European privacy law, indicates that they aren't even trying.

European rules aimed at giving consumers more control over how their web browsing is tracked will not be enforced come May, experts have said.

No European government has yet drawn up the guidelines for how the ePrivacy directive will be enforced.

The UK's Information Commissioner has indicated that it wants the industry to work out best practice before it starts wading in. From the same BBC article, Ed Vaizey, minister for Culture, Communications and the Creative Industries, said:

"Therefore we do not expect the Information Commissioner's Office (ICO) to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies," he added.

OK, but when?

P2P Social Networks versus Group Management Software

I've been in social software for 9 years – almost before the term was started. I enjoy contributing to the alumni network for Judge Business School at Cambridge University. Naturally, we have our own online network, called the 'Common Room'.

We've run into a problem – recent graduates ie those that did their MBA in 2004/5 onwards are glued to Facebook in order to interact with others – to the detriment of any other social software.

This article intends to explain why the Common Room (and other Group Management software) will continue to remain much more useful and relevant than Facebook.

Group Management at the core of the network

There are two ways to manage a network:

• At the edge: means that each individual manages their connections and the level of information that they share by themselves. 
• At the centre: means that management is done centrally, by an appointed person(s) of the organisation.

Solutions between these two extreme have to make compromises between these two models which introduces technical and user complexity, ultimately confusing the end user which make participation harder.

Facebook Groups falls between these stools.

Facebook is good / bad at ….

Facebook is great – brilliant for connecting for individuals to connect with others – sharing ongoing updates, as well having the one place to house your profile information. It's perfect for students to join up together online (err, that was what is was invented for, right?!?).

Btw, many people outside the US don't realise that a ‘Facebook’ on American university campuses was the ubiquitous book that was handed out to all first year students so that they could quickly get to know each other. It was a book of faces and names possibly with some other information eg home town, birthday, interests, sports. Of course, the first thing that everyone does is flip through it looking for hot guys / girls – I did it myself at my American high school in New England.

Unfortunately, the elegant P2P social network model breaks down when it crosses from being a network of peers to being a group with a common interest. Certainly a group with a common interest can be set up on P2P networks. It fails because every individual has to join that group. Given that setting up the group is free and pretty painless, then lots of similar groups proliferate.

Remember Metcalf's Law? The value of a network is proportional to the square of the number of users of the system. The value of a large network is disproportionately more value than lots of little, ill-formed networks.

For the Alumni of Cambridge Judge Business School, there are Facebook groups for each year, country, location… except that it is inconsistent: many countries are missing, locations are based on the passion of the group leader and the naming convention is (inevitably) inconsistent.

Entrance to the community is done via invitation or more practically by request. The group manager has to undertake the verification of membership. Do they have the time to do that? I doubt it.

What happens when the group leader leaves / resigns / becomes too busy? Unfortunately, there’s no way for someone else to take over the management of the group.

Facebook and Privacy

Facebook have really, REALLY struggled with the issue of privacy. The user generated content is incredibly engaging, but what attracts new users is the mass of information on their friends – the more is disclosed, the more engaging that content becomes. Squirrelling information away is fundamentally destructive to Facebook.

Facebook blundered around the privacy issue. Facebook Beacon was an early version of Facebook Connect which enable certain activities on partner sites to publish activity on third party site to the user's News Feed. The colossal error of judgement was that it was default opt-in, rather than default opt-out. Worse, at launch, there was no opt-out.

Step forward Group Management functionality (again)

I was involved in Social Software before the term existed (it was community software back in the late 90s) so it is good to see its relevance today.

Group Management requires the appointment of someone to act a gatekeeper and referee (if required) to the community. This is required when everyone doesn’t know everyone, but would like to connect across a large network.

The Gatekeeper is nominated by the community to control entrance and exit. Once the community trusts the gatekeeper to do a good job then then the community is likely to be much more virulent and healthy because each member has been vetted and is likely to more trustworthy.

The Gatekeeper acts as a referee. It represents the (independent) court of appeal for any behaviour that is deemed to be detrimental to the community (eg spam or over communication) or a disagreement within the community.

Conclusion

Facebook has its uses, but not really in professional membership organisations. Bring on Group Management functionality please!

Voting on Social Network Users’ Bill of Rights

SXSW panel kicked this off. Here's the voting on the each right - taken from Jon Pincus's Liminal States blog:

41 yes 0 no Honesty: Honor your privacy policy and terms of service

41 yes 0 no Clarity: Make sure that policies, terms of service, and settings are easy to find and understand

41 yes 0 no Freedom of speech: Do not delete or modify my data without a clear policy and justification

33 yes 4 no Empowerment : Support assistive technologies and universal accessibility

35 yes 2 no Self-protection: Support privacy-enhancing technologies

37 yes 3 no Data minimization: Minimize the information I am required to provide and share with others

39 yes 1 no Control: Let me control my data, and don’t facilitate sharing it unless I agree first

39 yes 1 no Predictability: Obtain my prior consent before significantly changing who can see my data.

38 yes 0 no Data portability: Make it easy for me to obtain a copy of my data

39 yes 0 no Protection: Treat my data as securely as your own confidential data unless I choose to share it, and notify me if it is compromised

36 yes 2 no Right to know: Show me how you are using my data and allow me to see who and what has access to it.

24 yes 13 no Right to self-define: Let me create more than one identity and use pseudonyms. Do not link them without my permission.

35 yes 1 no Right to appeal: Allow me to appeal punitive actions

37 yes 1 no Right to withdraw: Allow me to delete my account, and remove my data

So it’s in general overwhelmingly positive: five rights are unanimous, and another eight at 89% or higher. The one exception: the right to self-define, currently at about 65%. As I said in a comment on the earlier thread, this right is vital for people like whistleblowers, domestic violence victims, political dissidents, closeted LGBTQs. I wonder whether the large minority of people who don’t think it matters are thinking about it from those perspectives.

Doc Searles on writing our own privacy rule

Doc Searles, someone whose views I admire a lot, writes a great post on this blog about how it's time for US to write our own privacy rules.

Doc's passionate about VRM, Vendor Relationship Management. Here is the definition:

Create an ecosystem of tools, protocols, and services that help users manage vendor relationships.

Hmm, I agree, but see my previous post on privacy - people expect high standards and assume that this is the case. They don't read the privacy statements in depth (neither do I). So a much simpler rating system is needed.

Facebook's Beacon cranking up privacy concerns

Mighty rumbles across Facebook universe as it has implemented a new advertising technology, called Beacon, to make the online shopping experience that much more social ... and has now reversed out the most intrusive elements of the new functionality.

What's the fuss about?

When Facebook users shopped online, Beacon told friends what they looked at or bought. More than 40 websites, including Fandango.com, Overstock.com and Blockbuster, signed up to use Beacon software on their webpages and report what Facebook users did when they visited. Could be useful, yes?

YES, but naively Facebook launched Beacon as an "default opt out" system (ie everyone knew what you had bought, unless you specifically said 'Absolutely no way').

International Herald Tribune reports that there was a pop-up box alert to FB users that indicated that information was about to be shared with Facebook unless they click on "No Thanks." The pop-up disappears after about 20 seconds, after which consent is assumed. Admittedly, this pop-up appears on every partner site that has adopted Beacon.

Here's one the more harmless examples of where it went wrong, also from IHT:

"People should be given much more of a notice, much more of an alert," said Matthew Helfgott, 20, a college student who discovered his girlfriend just bought him black leather gloves from Overstock for Hanukkah. "She said she had no idea (information would be shared). She said it invaded her privacy."

At the other end of the scale:

"What if you bought a book on Amazon called 'Coping with AIDS' and that got published to every single one of your friends?"

Yukky, basically.

For users of social software, best practices in privacy are assumed - and those practices don't vary. Messing with these principles messes with the brand.

So guess what? Disgruntled Facebook users formed an online protest (more than 50,000 of them) and forced the mothership to rescind - Beacon is now 'default opt-in'.

As the BBC reports:

The changes to Beacon may not be the last that Facebook has to make to the technology.

Two rights groups, the Electronic Privacy Information Center and the Center for Digital Democracy, are believed to be compiling a complaint to the US Federal Trade Commission about it.

I'd be much more afraid of further Facebook backlash - further investigative reports like this don't help: Facebook's Beacon More Intrusive Than Previously Thought.

Google proposes global privacy standard

From Silicon.com:
While Google is leading a charge to create a global privacy standard for how companies protect consumer data.

USA Today story adds some historical colour to the story, by highlighting the fact that Google is struggling with privacy concerns that threatens its purchase Internet ad service DoubleClick for $3.1 billion:

Facing pressure from European regulators, Google got the privacy ball rolling in a new direction earlier this year when it announced plans to regularly remove key pieces of personal information about the search requests stored in its computers.

It then narrowed its time frame for depersonalizing search requests from as long as two years to 18 months — a standard that Microsoft, which runs the third-most-popular search engine, also has adopted.

Yahoo, which operates the second-most-popular search engine, has gone further by promising to scrub personal information within 13 months — a standard Time Warner's AOL also follows.

InterActiveCorp's Ask.com is going even further by offering its users a tool that will prevent search terms and the Internet addresses of computers from being retained.

Previously, all the search engines had been vague about how long they hold on to the personal information logged from search requests.