Herding Cats: Regulating Online Tracking

There was a time, when the World Wide Web was young, that many entrepreneurs counted on the idea they could make money the old-fashioned way–by charging cyber-customers on a per-use basis, the same way they charged traditional brick-and-mortar patrons. Most print magazines, for example, felt they could make a seamless transition from paid print subscriptions to paid Internet subscriptions. Newspapers believed that some of their traditional departments, such as classifieds, would become huge profit centers because they would bring in the same revenue without the cost of all that paper or postage. However, it became clear very quickly that while many would be willing to pay for many physical goods by means of e-commerce, very few seemed terribly enthusiastic about paying for information or entertainment on a per-use basis.

As a result–a very good result in the opinion of many observers–almost all of the information on the Internet, including a great deal of entertainment–is free to all. The trouble, of course, is that creating and posting all that content still costs money, and so, slowly but very surely, much of the Web switched over to supporting content and services by means of advertising, analogous to the broadcast TV model. I believe that a significant number of people wouldn’t use Google or Facebook if they had to pay for it. But unlike broadcast TV, which only talks to you, the great strength of the Internet is its easy interactivity, and these characteristics produced a different kind of advertising strategy–one typically involving the extensive tracking of consumer activity.

[Related Article: Bin Phishin’?]

Google became the burgeoning behemoth that it is today by perfecting the ability to track a user’s movements and tastes, enabling it to target advertising more effectively than could ever have been accomplished in any other medium. Nevertheless, there has always been a yin for every yang. In this case, the bad news is the fact that our personal information has become much more valuable to advertisers than ever before. The lengths to which advertisers go to collect consumers’ information speaks to the larger issue of the widespread information-gathering across all sectors that leaves us all vulnerable to data breaches and identity theft.

The fact of the matter is that tracking data at first glance may seem innocuous enough. It’s essentially your likes and dislikes based upon your activity on the Internet, and maybe you don’t care if people know what sites you frequent, or what kinds of things you buy online. After all, it’s not your birthday or Social Security Number, right? Well, not exactly. For identity thieves, unless and until they acquire your most essential personal identifying information (i.e., name, address, date of birth and SSN), every snippet of information relating to your personal preferences is another piece of the puzzle that when added to the mix brings them a step closer to having the secret sauce that is you–so that they can more effectively masquerade as you.

[Free Tool: Obtain your Identity Risk Score from Credit.com]

Enter, slowly, the feds. At this moment there are no fewer than five pieces of legislation that have been introduced on subjects relating to tracking and Internet privacy. Given that the political web in Washington is much more tangled than the Web we surf, no one can predict if, when, or which of these proposals will actually become law. But at least, finally, everyone is getting in on the act. One recent offering, authored by two former presidential candidates on opposite sides of the aisle–John McCain and John Kerry–is called “The Commercial Privacy Bill of Rights.” Although the bill is laudable in many respects, it leaves out what many think is perhaps the most important protection for consumers; that is, a “Do Not Track” option, akin to the “Do Not Call” list codified into law only a few years ago. The FTC agrees, and has lobbied vigorously for such a provision for some time.

Part of the problem is that the issues raised by any legislation in this area are extremely complex, and involve very high stakes. Some legislation has been deemed unconstitutional on First Amendment grounds. A 1998 law known as The Child Online Protection Act (“COPA”–not to be confused with COPPA or CIPA—whew!) was eviscerated in 2008 by a federal court. Although that law didn’t deal with tracking, it serves to illustrate that the federal government’s approach to online privacy has been less than perfect.

Regulating the Dark Side (cont.) »

Image: Kathleen Murtagh, via Flickr.com

But where the U.S. government has had problems creating reasonable rules of the cyber-road, some states have had greater success, a success now threatened by preemption; that is, federal law superseding an effective state law such as California’s “Online Privacy Protection Act” (called–you guessed it–“OPPA”). But perhaps the thorniest issue is what such a “Do Not Track” registry would do to the cornucopia of free services we all receive from companies like Google and Facebook.

Most search and social-network companies seem to support the Kerry-McCain proposal, perhaps precisely because it doesn’t include a “Do Not Track” provision. “The bottom line is that behavioral ad networks sound more scary than they are in practice,” said Mark Hopkins, editor-and-chief of SiliconANGLE, a popular tech blog, “and regulating the fundamentals of that business would knee-cap a large swath of the web. It should go without saying that this is a bad thing.” On the other hand, regardless of the good intentions of an online data collector, the simple fact that data is being collected about all of us puts each of us in harm’s way. Until Internet security is such that we don’t have news of a huge data breach every week, the better part of valor requires less tracking, even if it means less service for those who choose to opt out.

[Article: When You’re the Apple of Their Eye]

From an historical perspective, the World Wide Web is new; Google is new; Facebook is new; and tracking is very new. But in a way, everything old has become new again. After all, advertisers are in the business of finding clever ways of crawling into our pockets. Remember all those “negative options?” You know, where you get the first three issues for free, but you can cancel that 30-year magazine subscription anytime? The tactics that are now being used by web sites–promising greater customization but upping the chances of having personal data exposed–aren’t really so different, are they? The distinction is that however many magazines we may have accumulated on our coffee tables as a result of those negative options, the tactics that may have put them there didn’t threaten our entire financial existence by providing identity thieves with the additional bread crumbs they need to find their way to the back doors of our lives. The digital world has simply magnified the cost, and the likelihood, of abuse by edgy advertising practices.

I believe that until security technology has caught up with tracking and data collection technology, we absolutely need a “Do Not Track” registry. Nowhere on earth has privacy existed without a well-developed means of security. How private can you be if you can’t draw the blinds or lock the door?

[Resource: Get your free Credit Report Card]

Instead of introducing haphazard and half-measured legislation about privacy, our elected officials in Washington should be working with industry on something that presents no conflict between the interests of industry and the interests of consumers–real security to prevent the bad guys from getting their hands on our personal information. In tandem, reasonable rules to protect privacy should be enacted to prevent unnecessary intrusions by government, or honest websites, or anybody else. And last but not least (an issue I intend to address in future columns), we need to develop a mechanism to compensate us for use of our data.

In short, you can keep the chickens in the hen house with a fence that’s only 2 feet high, but it won’t keep out the foxes.