Publishings
Program Areas
-
News
FTC Tells Facebook it will have to honor Whatsapp's privacy promise; EPIC and CDD letters spur commission action
The Federal Trade Commission's Bureau of Consumer Protection sent a letter (link is external) to Facebook and Whatsapp [attached] requiring the companies to honor the latter's privacy promises (no advertising, highly limited data collection etc). Facebook is in the process of acquiring Whatsapp. The Electronic Privacy Information Center (EPIC) and CDD sent (link is external) two letters to the FTC urging the commission to address the privacy implications of the pending merger. The FTC's letter states that [excerpt]: WhatsApp has made a number of promises about the limited nature of the data it collects, maintains, and shares with third parties -promises that exceed the protections currently promised to Facebook users. We want to make clear that, regardless of the acquisition, WhatsApp must continue to honor these promises to consumers. Further, if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the Federal Trade Commission (FTC) Act and, potentially, the FTC's order against Facebook. Jeff Chester CDD's executive Director said: "We believe that despite claims that they would preserve Whatsapp's more privacy-friendly approach, the ultimate plan was to expand its mobile data collection practices and fully integrate it into Facebook. Facebook's future depends on its ability to successfully grow its mobile advertising, commerce, and payment applications. It did not spend $19 billion without planning to reap huge financial rewards by turning Whatsapp into an effective monetization machine for Facebook. The FTC is to be commended for sending a very strong signal that they will hold Facebook and Whatsapp accountable for their promises. The commission's action has likely spoiled, for now, the plans Facebook has developed to turn its $19b shopping spree into even more digital gold for themselves." News reports say that the FTC has approved Facebook's deal with Whatsapp. But the commission's letter clearly connects the privacy concerns that EPIC and CDD raised that should be addressed in its merger review. -
News
Groups call on White House to support safeguards on the use of "Big Data" when targeting youth, esp. for unhealthy foods and beverages
Twenty-eight consumer, child advocacy and public health groups submitted this letter today to President Obama's review on "Big Data" team. Among the groups signing the letter included the African American Colloboraative Obesity Research Network, American Academy of Child & Adolescent Psychiatry, Consumers Union, Children Now, Common Sense Media, CFA, Interfaith Center on Corporate Responsibility, Momsrising, National Consumers League, Praxis Project and Salud America! "A broad coalition of child, public health and consumer advocacy groups have come together to send a strong message that children and adolescents need serious protections in this age of Big Data, " explained CDD's associate director Joy Spencer. "The White House should adopt recommendations that ensure that this vulnerable group is protected from Big Data practices that undermine their health, well being and privacy." -
News
Behind the Commercial Facial Recognition (FR) Digital Curtain: Privacy & Consumer Protection Safeguards Required as NTIA Stakeholders Address FR
Beginning a more informed discussion on the privacy and consumer protection implications of Facial Recognition Technology: NTIA Privacy Multi-stakeholder Process: The NTIA's present inquiry must be based on a solid foundation that objectively analyzes actual commercial FR developments, places its use in the context of the multi-dimensional and cross-platform contemporary data-driven practices, identifies its implications beyond consumer concerns to reflect upon its broader societal impact (such as civil liberties), and engages with legal frameworks or proposals that have or could address how FR should be properly regulated. Given that the focus of the Commerce Department-led proceeding is to help implement the Obama Administration’s Consumer Privacy Bill of Rights (CPBR), stakeholders should also address how FR should be dealt with in related legislation and identify the specific CPBR principles inherent in such a discussion (such as “Individual Control,” “Respect for Context,” “Accountability,” etc.). To help promote a more informed discussion of actual FR and related biometric data practices, CDD provides this overview on ten of the hundreds that could be cited. The report is attached. -
News
EPIC & CDD file follow-up Whatsapp complaint at FTC; Urges Commission to listen to users and not repeat past errors in merger approval that failed to protect consumers
EPIC and CDD filed this at the FTC today. Despite the protestations (link is external)of Whatsapp's founders, they cannot guarantee that Facebook won't eventually incorporate the rich vein of mobile, location and other data that flows from its services. If the Whatsapp founders are truly to commited to its user privacy, we ask them to enter into a voluntary 20 year consent decree with the FTC, placing on the record that they will maintain privacy practices without Facebook interference. -
News
CDD applauds FTC for telling 9th Circuit Facebook was incorrect on COPPA and that teen privacy can be protected by state law/Calif also weighs in
We were pleased to learn that the FTC filed an Amicus brief in the 9th Circuit yesterday to help create the misleading record Facebook created in the so-called "Sponsored Stories" case. CDD, along with Public Citizens and the Children's Advovacy Institute (U of San Diego) have been closely working together on the case, to support an outcome that provides the privacy safeguards teens require. Here's what CDD's attorney Hudson Kingston said about the FTC's filing: "The Federal Trade Commission's brief in this case is a major development for the protection of teenagers' privacy. Facebook's attorneys tried to get this settlement through by using a law meant to protect children to block state law protection of teens – now the agency made clear that this is a wrong reading of the law, this settlement clearly harms teenagers by ignoring their rights under state laws. States play a vital role protecting teens from privacy violations. Settlements that are based on illegality cannot stand. While the agency did not officially support either party, its reading of the law undermines one of Facebook’s key arguments that it can get out of this case without first addressing its weak privacy protections for teens. We hope that the Ninth Circuit accepts this authoritative view and throws out the settlement." The FTC's Amicus is attached. So is the State of California's amicus. -
News
CDD files follow-up COPPA complaint on Disney/Marvelkids at FTC/Company needs to do better job on kids privacy and empower parents
Here's a summary from our attorney Eric Null at Institute for Public Representation, Georgetown University Law Center: CDD filed its initial complaint against Disney and Marvelkids.com in December 2013. Shortly thereafter, Disney updated Marvelkids' nearly two-year-old privacy policy with Disney's company-wide policy. Apparently, Disney thought this would solve its COPPA-related issues, but our investigation shows that it did not. Our review showed multiple deficiencies, including insufficient notice of data collection and use, as well as continued ability to collect and use data for unlawful purposes. Further, its violations include allowing well-known third party behavioral advertisers, such as Omniture and TapJoy, to collect information from Marvelkids.com users--these practices may violate the COPPA Rule. CDD calls on the FTC to take a close look at the new policy and practices, and to investigate Marvelkids.com and all Disney-operated child-directed websites to ensure COPPA compliance. PS: Disney has challenged our complaint, suggesting we are interested in headlines. What CDD is interested in is meaningful compliance with the key law protecting privacy and empowering parents. CDD suggests Disney engage in a more serious review of its digital data collection system--something we expect FTC action to help spur. -
News
Protecting Consumer Privacy and Welfare in the Era of “E-Scores,” Real-time Big-Data “Lead-Generation” Practices and other Scoring/Profile Applications [USPIRG/CDD FTC Filing]
Summary: These scores have long been an area of research interest for the non-partisan non-profit organizations U.S. PIRG and the Center for Digital Democracy. The growing use of so-called “e-scores” —a form of invisible (to the consumer) online ratings — can help determine our credit worthiness, “lifetime value,” or even the prices we pay. These e-scores can be used to blacklist or engage in discriminatory practices against individuals or even groups of consumers. We are aware that there are numerous online scores being generated for a variety of generally non-controversial uses, including predicting identity theft or fraud. However, we remain concerned that the largest and most important uses of online scoring are to substitute for the highly-regulated pre-screening regime that for years has governed the use of consumer credit reports for marketing purposes. Its proponents claim that the files developed are not on individual consumers, but on clusters of consumers. Its proponents claim online scores are simply a method for establishing audiences for serving ads. Not subject to the Fair Credit Reporting Act FCRA) regulation, they assert, are scores and other products that identify consumers on an aggregate basis (which for them means information narrowed to a small cluster of households at the ZIP+4 level) or consumers not named by name. We disagree with these representations and commend FTC for its inquiry. For CDD and other comments on this issue, see FTC docket. (link is external) -
News
EPIC and CDD file "Unfair and Deceptive" Practices Complaint at FTC on Facebook/WhatsApp Deal: WhatsApp Users Were Promised Privacy/Now they will have Facebook
We urge you to review the attached FTC complaint that was filed today by EPIC (link is external) and CDD. The millions of WhatsApp users who signed up for the service were promised--repeatedly as you will read in the complaint--that the company didn't want to gather and commercialize their data. They posed as the "unFacebook," deriding the commercial surveillance apparatus that lies at the core of contemporary online practices. Yet at the same time they made their public privacy promises, they were being wooed (link is external) by Mark Zuckerberg to join The Circle (link is external)--oops, I mean Facebook. Despite Facebook's denial that WhatsApp and its digital gold mine of mobile numbers, address books, and access to selling all kinds of financial services in real-time won't become part of its Big Data-driven (link is external) advertising machine, one only has to look at what happened with Instagram (link is external) (let alone the track record of the industry). The Dutch and Canadian data protection authorities raised serious questions (link is external) about WhatsApp's own data and privacy policies in January. The Dutch report (attached) provides insights into how WhatsApp operates. The FTC (which will likely review the merger) needs to stand up for privacy and act on the complaint. Otherwise, WhatsApp's users will be merely Facebook customers who have lost their privacy and consumer protection rights. -
News
Pres. Obama Urged to Address Privacy Bill of Rights; Dozens of NGOs support call for comprehensive privacy safeguards
More than 40 groups sent a letter to President Obama today on the second anniversary of the Administration's promise it would seek a new "Consumer Privacy Bill of Rights." Although the President said in 2012 that "we can't wait" (link is external) for such new safeguards, so far the Administration has failed to deliver proposed legislative language. Civil rights, civil liberties, consumer, privacy and child advocacy groups signed the letter, which urged the President to now fulfill its commitment to advance enforceable rights for the public. The letter is attached. The New York Times editorial board also called (link is external) on the White House to deliver "specific legislative proposals." -
News
Public Citizen, Children's Advocacy Institute & CDD Oppose Facebook Sponsored Stories Deal That Threatens Teen Privacy/CCFC Rejects Facebook Settlement, Turns down $290K
Feb. 13, 2014 Facebook Settlement Endangers Kids and Breaks Law in Seven States, Public Interest Groups, Parents Tell 9th Circuit Children’s Privacy Organization Denounces Settlement, Refuses Money WASHINGTON, D.C. – Consumer, children’s safety, digital privacy groups and parents are urging a federal appeals court to toss out a settlement agreement that permits Facebook to use kids’ pictures in ads without the consent of their parents – which is illegal in seven states. In a brief filed today with the U.S. Court of Appeals for the Ninth Circuit, several parents, on behalf of their teenaged children, called on the court to vacate the settlement. “This settlement authorizes Facebook to continue doing what California and six other states specifically prohibit by law: use children’s images for advertising without their parents’ consent,” said Scott Michelman, attorney with Public Citizen, which is representing the parents in challenging the settlement. The other states are Florida, New York, Oklahoma, Tennessee, Virginia and Wisconsin. Margaret Becker of Brooklyn, N.Y., is one of the parents Public Citizen represents. She explained, “I’m fighting this settlement because Facebook shouldn’t be permitted to use my teenage daughter’s image for profit without my consent. The Internet compromises children's privacy in many ways that we parents must grapple with. But this settlement lets Facebook make my daughter a shill and leaves me powerless to stop it.” Added Hudson Kingston, legal director of the Center for Digital Democracy, which is filing an amicus brief supporting the challenge to the settlement, “Teens are unprepared to address the consequences of Facebook’s practice of creating ads with profile information but without their knowledge. If this settlement stands, teens face a serious loss of their privacy and a damaged reputation continuing into adulthood. Research proves teens are not ready for this kind of exposure, and parents’ consent for commercial appropriation is a necessary protection.” Also today, one of the groups designated in the settlement agreement to receive money, the Campaign (link is external)for a Commercial-Free Childhood (CCFC), announced that it was rejecting the money because it opposes the agreement. The group was to receive approximately $290,000 in a “cy pres” award – settlement money distributed to a public interest group whose work relates to the subject of the lawsuit. In a statement, the CCFC explained that the settlement’s supposed protections for minors were “hollow” and “meaningless.” “While we always understood the Fraley settlement agreement as a compromise, we came to understand that it’s worse than no settlement,” said CCFC Director Susan Linn, “Its purported protections are largely illusory, and it will undermine future efforts to protect minors on Facebook. We could do a lot of good with $290,000, but we cannot benefit from a settlement that we now realize conflicts with our mission to protect children from harmful marketing.” The case began with a lawsuit (link is external) filed in 2011 by some Facebook users over the use of their images in ads without their consent and the use of their children’s images without parental consent. If a user “likes” a company that advertises on Facebook, or if she “checks in” (identifies her location) at a restaurant, or uses an application associated with that company, her image may appear next to an ad for the business on Facebook, with text suggesting that she endorses that business. It is unlikely the children or the parents will know it’s going to happen until after it has occurred. Under a settlement that a federal district court approved in August, Facebook will include new language in its terms of service stating that users under age 18 “represent” that their parents consented to the use of the children’s names and images in advertising. The settlement does not require Facebook to obtain consent from the parents. “The capture and republication of teen postings by Facebook is a pernicious assault on their rights to decide where their messages should go,” said Professor Robert Fellmeth, director of the Children’s Advocacy Institute at the University of San Diego School of Law, which is representing another challenger to the settlement. -
News
Civil Society groups ask White House inquiry on Big Data, announced as part of new NSA policies, to include public comment
This letter was sent today to John Holdren, the director of the White House Office of Science and Technology Policy, and was signed by 25 groups. It calls on the White House to include a public comment period as part of its current 90-day "Big Data" review announced by the President during his speech on NSA reforms. It coincides as well with a meeting planned today on the issue led by John Podesta. -
excerpt via Exchangewire (link is external): Privacy awareness body Truste has today (28 January) released its annual Consumer Confidence Index, revealing 60% of participants in the survey were more concerned about their online privacy compared to 12 months ago, with 89% actively “avoiding” companies they don’t believe protect their privacy adequately....However, it seems that contagion has spread to the private sector too, as there are three times as many survey participants concerned about companies sharing their personal information with other companies (60%), than governments’ monitoring activity (20%)....Ken Parnham, Truste managing director, Europe, commenting that the online advertising sector can only suffer over such widespread negative public sentiment.He says: “After a barrage of media headlines about government surveillance programmes such as NSA’s PRISM, it is perhaps unsurprising that consumer online trust has fallen to its lowest point yet, with only 55% of internet users prepared to trust companies with personal data online.“It is a wake-up call for businesses that commercial data collection and sharing, rather than government activity, is the main driver of increased online privacy concerns.”In fact the use of personal data for the purposes of targeting online advertising ranked as the second-biggest concern among the survey participants, with 54% of respondents reporting it as a major concern, while 19% were concerned about companies tracking their location on a smartphone.
-
Blog
Role of health technology may distract, not empower providers & patients. A reminder via NY Review of Books essay
A personal essay in the New York Review of Books (link is external) by Dr. Arnold Relman on his recent serious accident reminds us that not only does fate play an important role in our lives, but the limits of our health care system. I urge you to read it. But in addition to the horrific experience he (and his family) had to undergo (and he's a lucky one). Dr. Relman's piece also underscores that the very much-hyped use of technology in health care (such as electronic patient records) brings its own set of contradictions and problems. He writes:But what I hadn’t appreciated was the extent to which, when there is no emergency, new technologies and electronic record-keeping affect how doctors do their work. Attention to the masses of data generated by laboratory and imaging studies has shifted their focus away from the patient. Doctors now spend more time with their computers than at the bedside. That seemed true at both the ICU and Spaulding. Reading the physicians’ notes in the MGH and Spaulding records, I found only a few brief descriptions of how I felt or looked, but there were copious reports of the data from tests and monitoring devices. Conversations with my physicians were infrequent, brief, and hardly ever reported. -
“The Federal Trade Commission’s investigation of Apple sheds light on a growing practice that poses risks to children and families,” commented Jeff Chester, Executive Director of the Center for Digital Democracy. “Children are spending increasing amounts of time with mobile apps, generating potentially huge profits for the rapidly expanding gaming and app industries. In-app purchasing is becoming the dominant business model in many online games and other children’s entertainment content on mobile phones, tablets and gaming devices. Yet the techniques used to trigger these purchases are, in many cases, unfair and deceptive, taking advantage of children’s vulnerabilities. CDD commends today’s action by the commission. However, the agency should conduct a broad investigation of emerging techniques that target children on mobile, gaming and other platforms, and identify a set of industry-wide fair marketing guidelines.” “Today’s decision should be viewed as a first step in a wider initiative to develop clear government rules for protecting children and their families across a spectrum of digital devices,” said Dr. Kathryn Montgomery, Professor of Communication at American University, who led the campaign to enact the Children’s Online Privacy Protection Act (COPPA). “Just as we have principles and rules for safeguarding children’s privacy online, we need a policy for protecting young people and their families from covert and manipulative in-app marketing practices,” she explained. “Requiring app developers to secure informed parental consent before in-app purchases can be made will only address part of the problem. We need a comprehensive set of rules that take into account the cognitive and other developmental needs of children and their vulnerabilities in the digital marketplace.”
-
News
Why the Transatlantic Trade and Investment Partnership (TTIP) Could Expand NSA and Other Governmental and Commercial Surveillance on Citizens
U.S. online marketing companies are pioneering the dramatic expansion of data collection throughout the world, as they gather, analyze, and make actionable all of our information. Giants such as Google and Facebook effectively become “private NSAs”—tracking us on social media, mobile devices, search engines, online games, and increasingly even when we are in the grocery or department store. Telephone companies involved with the NSA’s “bulk” data-collection program are expanding their own data gathering on the Internet and mobile devices as well. This information is used to create dossiers—online targeting profiles—on individuals. While U.S. online data companies will claim that all this information is used primarily for selling and interactive advertising, in reality it’s connected to a powerful system that uses personal data to make decisions about us in order to influence our behaviors. This handout is designed for a "Teach-in" held on December 17" on the impact of the Transatlantic Trade and Investment Partnership (TTIP). It discusses the relationship between NSA and U.S. commercial online data company practices. -
CDD, joined by the Electronic Privacy Information Center, filed comments at the FTC yesterday opposing the request by AssertID that the commission approve a new method of verifiable parental consent under COPPA (Children's Online Privacy Protection Act). The proposed method would mine parents’ online social network information and ask third parties to judge whether that information is truthful or not, a method based on a “trust score” algorithm that the company claims is confidential and secret from the public. CDD asked the commission to oppose the application because it lacked information that explains how it assures that consenting parties are parents, and it leaves big questions about what the company is going to do with information it requires from parents. “This proposed method would take a parent’s personal information (including their location, photos, and full friends list from Facebook) and sensitive information on their child, without first telling parents that they had a right to refuse consent – parents have to pay out their own privacy in order to protect their children’s. This turns the regulations on their head by undercutting families’ privacy, and this method should not be approved by the FTC without significant changes in the application,” said CDD’s Legal Director, Hudson Kingston. The request (link is external)to approve a new parental consent mechanism is the first COPPA proceeding under the stronger children's privacy rules that went into effect last July. Jeff Chester, CDD's executive director, noted that this filing launches an expanded effort to ensure that online and mobile commercial sites and services are in compliance with COPPA's enhanced safeguards. "CDD has added legal, public outreach and technical resources designed to protect kids and empower parents and caregivers," he explained. The Institute for Public Representation at the Georgetown University Law Center, under the direction of Prof. Angela Campbell, collaborates with CDD on this child-protection initiative.
-
News
Digital Ad Lobby withdraws from Do-Not Track at WC3/Consumers confront 24/7 data tracking landscape/Fed. action needed on privacy
Earlier today, the Digital Advertising Alliance (DAA (link is external)) sent an email to the WC3 Tracking (link is external) Protecting list withdrawing from the group. Its email, along with one from the IAB and from former WC3 co-chair Peter Swire, follows CDD's statement: The DAA's opposition to a Do Not Track system that actually placed consumers in control is one of the key reasons the WC3 process has floundered. If the DAA power brokers--Google, Yahoo, and the ad giants, had really wanted to deliver new privacy protection clout to consumers, our work would have successfully finished a year ago. The DAA has not yet developed a serious (link is external) way to fulfill its promise (link is external)made to the White House in 2012--that they would give consumers the power to control data tracking. It's time for the White House to urge passage of consumer privacy safeguards that gives real ways online users can decide about how best to protect their privacy. Online consumers urgently require privacy safeguards, as they confront a Big Data powered data collection machine that closely tracks them wherever they are--whether on their mobile phones or in front of a personal computer. The DAA members do not want to face a rival Do Not Track system emerging from the WC3--especially one that exposes the inadequacy of its approach. We found it disingenuous for the DAA to claim, as it does, that among its rationale for leaving the WC3 is the failure to reach consensus on "Defining a harm or problem it seeks to prevent," and "Defining the term “tracking." This is merely an excuse, since the DAA and most of the data collection companies comprising the WC3 group know very well the range and applications of their own tracking systems. They have even claimed that such tracking should be exempt (link is external) from the very DNT process as well! Now we are going to have dueling DNT initatives. The DAA wants to meet with consumer and privacy groups, among others, on its plans moving forward. The WC3 will likely continue its work, although many participants (including CDD) believe it cannot deliver a consumer privacy friendly approach for DNT. Work to offer consumers some modest control over third-party data tracking--which is at the core of the current and limited DNT scheme--illustrates why we cannot rely on multistakeholder processes dominated by data collection companies to deliver better privacy for consumers. They have no incentive to do so; indeed, the expansion of data collection on individual users is occuring at an alarming rate. (link is external) CDD will continue, however, to play a role at the WC3 and its DNT work as long as it can help ensure a better outcome. We will also meet with the DAA. But this sad episode in the annals of privacy underscore why both the EU and U.S. need to enact strong safeguards on data protection. Here's the DAA email: Dear Mr. Jaffe: After serious consideration, the leadership of the Digital Advertising Alliance (DAA) has agreed that the DAA will withdraw from future participation in the World Wide Web Consortium (W3C) Tracking Protection Working Group (TPWG). After more than two years of good-faith effort and having contributed significant resources, the DAA no longer believes that the TPWG is capable of fostering the development of a workable “do not track” (“dnt”) solution. As we depart W3C and TPWG, DAA will focus its resources on convening its own forum to evaluate how browser-based signals can be used meaningfully to address consumer privacy. During more than two years since the W3C began its attempt at a dnt standard, the DAA has delivered real tools to millions of consumers. It has grown participation; enhanced transparency with more than a trillion ad impressions per month delivered with the DAA’s Icon making notice and choice information available within one-click of the ad; educated millions of consumers and provided browser-based persistent plug ins. The DAA has also succeeded in applying its principles to all of the participants in the digital ecosystem. Furthermore, we have expanded these consumer safeguards into 30 countries and clarified how the DAA’s Principles apply in the mobile Web and app environments. Going forward, the DAA intends to focus its time and efforts on growing this already-successful consumer choice program in “desktop,” mobile and in-app environments. The DAA is confident that such efforts will yield greater advances in consumer privacy and industry self-regulation than would its continued participation at the W3C. Despite extension after extension of its charter year after year by the W3C, the TPWG has yet to reach agreement on the most elementary and material issues facing the group. These open items include fundamental issues and key definitions that have been discussed by this group since its inception without reaching consensus, including: · Defining a harm or problem it seeks to prevent. · Defining the term “tracking”. · Identifying limitations on the use of unique identifiers. · Determining the effect of user choice. Concerned about the TPWG’s inability to resolve such basic issues, the DAA wrote a letter to you on October 2, 2012, expressing its strong concern with the W3C’s foray into setting public policy standards. In particular, the letter noted that the W3C “has been designed to build consensus around complex technology issues, not complex public policy matters.” In response, despite the turmoil evident at that time, you personally assured us that appropriate procedures and policies would be applied to the process and the W3C’s retention of Professor Swire would settle and bring legitimacy to the process. In the ensuing eight months that led up to the July 2013 deadline imposed on the TPWG, the DAA worked in good faith with other stakeholders, supporting proposals consistent with recommendations from the U.S. Administration and the former chairman of the Federal Trade Commission. Unfortunately, these efforts were rejected out of hand by TPWG co-chair Peter Swire, who jettisoned the long-accepted W3C procedure in order to anoint his own path forward. As others in the working group have substantiated, as a result of Swire’s actions there is no longer a legitimate TPWG procedure. Jonathan Mayer, commenting on the working process, stated, “We do not have clear rules of decision. And even if we were to have procedural commitments, they could be unilaterally cast aside at any time. This is not process: this is the absence of process.” Roy T. Fielding, Senior Principal Scientist at Adobe, highlighted the dictatorial approach taken by chairs who have eschewed participant input and subrogated participants’ right to vote on issues. In recent weeks, you have indicated to TPWG participants that you have no intent to revisit acts or processes (or the lack thereof) that occurred leading up to July 2013, and instead plan to move forward. However, it is not possible to move forward without an accounting for the previous flagrant disregard for procedure. Today, parties on all sides agree that the TPWG is not a sensible use of W3C resources and that the process will not lead to a workable result. For example, Jonathan Mayer, in his recent letter of resignation from the TPWG, stated: “Given the lack of a viable path to consensus, I can no longer justify the substantial time, travel, and effort associated with continuing in the Working Group.” John Simpson, the director of the Consumer Watchdog’s privacy project, commented on the news of the departure of TPWG co-chairman Professor Swire: “Peter Swire gave it a good shot, but I don’t think that he or anybody can get this group to a general consensus.” These participants and others who previously supported the TPWG now conclude that the process has devolved into an exercise in frustration on all sides without any meaningful increase in consumer choice or transparency. The DAA agrees with these parties on this matter. Therefore, rather than continue to work in a forum that has failed, we intend to commit our resources and time in participating in efforts that can achieve results while enhancing the consumer digital experience. The DAA will immediately convene a process to evaluate how browser-based signals can be used to meaningfully address consumer privacy. The DAA looks forward to working with browsers, consumer groups, advertisers, marketers, agencies, and technologists. This DAA-led process will be a more practical use of our resources than to continue to participate at the W3C. With the departure of the latest TPWG co-chair as well as a key staff member, and no definitive process to move forward, the DAA recommends that that the W3C should not attempt to resurrect a process that has clearly reached the end of its useful life. The DAA will continue to move forward in its own area of expertise, advancing consumer control, transparency, and other critical practices through its own program. Lou Mastria, CIPP, CISSP Managing Director Digital Advertising Alliance This email was sent by IAB to the WC3 list on September 13, 2013 and is related: Dear TPWG Chair, W3C Staff, and fellow TPWG Members, In accordance with the September 13th deadline for feedback on "the proposed plan", I respectfully provide the following feedback on the proposed plan and process: IAB, DAA, DMA, and NAI incorporates by reference, their objections submitted on July 12, 2013. See http://www.w3.org/2002/09/wbs/49311/datahygiene/results (link is external). In addition to renewing their objections to the use of the Editors' draft as the basis for moving forward, IAB, DAA, DMA, and NAI also respectfully submit the following feedback in opposition to proceeding with the proposed plan: 1. Genuine Working Group consensus cannot be achieved through the proposed plan and it remains entirely unclear what "consensus" means or how it is reached. The W3C contends that "[t]he Editors' Draft (based on the June draft) represents the most promising path toward consensus of the Working Group on the Tracking Compliance document." (Sep. 3, 2013 email from M. Schunter to public-tracking@w3.org (link sends e-mail)). But it is clear from the TPWG's unsuccessful efforts in June and July to reach consensus with the June draft that the June draft does not present a viable document from which to reach consensus. Although the term consensus is often used, it is unclear as to exactly what that term means or what is actually required to reach consensus. In conjunction with moving forward with a document that cannot create consensus, the W3C has also expressed its intention to close one issue per week starting in October. Id. "If there is no consensus, then the Chairs will issue a Call for Objections. In this case, the resolution will be based on the Chairs' assessment of the relative strength of the arguments. Working Group decisions made through a Call for Objections are also documented in a revision of the Editors' Draft." Id. This process of arbitrary decision making will likely create a disjointed patch-work document that would be neither the product of the working group nor a cohesive compliance document that could be adopted. Mr. Fielding, who has significant W3C experience, has expressed similar concerns with the co-chairs taking over the decision making process for the working group: In general, W3C staff have often (over 15+ years) made the mistake that they can speed the process of a working group by making decisions for the WG in the form of "simplifying". In all such cases, the WG derails ... making decisions for the WG means that there is no reason to have a WG, since you aren't letting us make the decisions that matter. Hence, in the future, stop trying to wag the dog -- let the group make its own decisions and act as a facilitator, not a judge. Found at http://www.w3.org/2013/09/04-dnt-minutes (link is external). 2. The Due Dates suggest that the Poll is an exercise in futility. Because the W3C is proceeding with Option 1 prior to the opening of the poll to discuss other options, it is apparent that the W3C is intent on moving forward with the proposed plan regardless of the outcome of the Poll. "The clear recommendation from the Chair/Staff is to make progress with Options 1 or 2." (Sep. 3, 2013 email from M. Schunter to public-tracking@w3.org (link sends e-mail)). We note that Option 2 only pushes out the hard issues to a later version of the standard. Unfortunately, the hard issues, those that cannot find consensus, are at the heart of the standard itself. Indeed, the W3C has suggested that the technology is not ready for a DNT standard: "Thus, we are focused on the appropriate DNT solution for release in 2013-14 which we call DNT 1.0. As technology and user references evolve, we fully expect that there will be further releases that address scenarios that are not well addressed today." (Sep. 3, 2013 email from M. Schunter to public-tracking@w3.org (link sends e-mail))(emphasis added). DAA, IAB, NAI, ANA, AAAA, DMA object to the W3C's approach of moving forward before the analysis of the poll results. 3. Move the issue closing process to one based on membership voting. This would fast track the process and could still allow for a formal objection process to follow. This mirrors the escalation structure to ACRs and has been discussed in the past. This process would be limited to W3C membership as they represent actual implementers of standards. 4. Consensus and decision-making o What exactly is the standard for consensus? o If the standard is "least strong objections," then please clarify what this means? Does it mean least strong substantively, or least strong in terms of the vigor of the objection, e.g. "my business will be killed by this and I can't live with it!" o Whose opinions count in weighing consensus, e.g. invited experts or multiple reps from a single organization? 5. Participation a. Who is an invited expert and how are they chosen? b. Third parties are the primary target of this standard, and the companies likely to be most impacted economically. Why are so few represented directly in the working group, and what will be done to increase their participation? c. Understanding that there should be a periodic review of invited experts per W3C rules (http://www.w3.org/2004/08/invexp (link is external) "Principles Guiding Invitations and Periodic Review"), can you please disclose when such reviews have occurred, if ever, on which invited experts, the determination of those reviews, and the rationale used for such determination? If no such review has been conducted, can you please supply the rationale for not conducting the reviews and indicate when such reviews will take place? d. In our opinion, most of the "invited experts" represent organizations "which have significant business interest in the results from W3C" noting that the W3C rules themselves state "this might even include some not-for-profit organizations." e. At least two invited experts have submitted their formal resignation from the working group, but have not yet been removed from the TPWG official roster. 6. Charter a. What is the meaning of "The Working Group will not design mechanisms for the expression of complex or general-purpose policy statements." b. What is the intent of this limitation? c. What is the meaning of "The group will actively engage governmental, industry, academic and advocacy organizations to seek global consensus definitions and codes of conduct." d. See participation above. What has the group done to ensure active engagement with /all/ relevant stakeholders, especially those who will likely be most impacted by this standard? 7. What are the criteria and milestones for continuing or winding down the group, if progress is not made? 8. W3C process requires an implementation and testing phase. How will this apply to the compliance specification? Can elements of the compliance spec become "features at risk"? What about crucial elements of the technical spec that are closely coupled with the policy? 9. Provide detailed timelines and decision criteria for each Formal Objection being considered prior to requesting WG input. 10. More firmly state within the updated plan that driving towards a standard that will achieve broad industry adoption is a core goal (otherwise, why are we here?). 11. We need clear criteria for reopening issues. The "new information" standard is overly vague and inconsistently applied. 12. We need assurances about the process for closing issues, including addressing the problem of having to continually raise and re-raise issues. We need a predictable, rational process for bringing issues to close. 13. What is the status of the global considerations effort? 14. Who is the new co-chair? It is impossible to express our faith or lack of it in the poll without knowing who will co-lead the group going forward. 15. What is the status of FTC participation, and who is speaking for the FTC? Is Ed Felton speaking for FTC? Or Paul Ohm? 16. What is the status of the PAG? Respectfully submitted on 9/13/2013, on behalf of the DAA, IAB, NAI and DMA, Chris Mejia, DAA & IAB Finally, one sent on 17 September from Peter Swire: To the Working Group: I note with sadness but not surprise the decision today by the Digital Advertising Alliance to withdraw from the Tracking Protection Working Group of the World Wide Web Consortium. In announcing their departure, they chose my actions as the most convenient excuse for leaving the process: “Unfortunately, these efforts were rejected out of hand by TPWG co-chair Peter Swire, who jettisoned the long-accepted W3C procedure in order to anoint his own way forward.” I share the frustration in the DAA message with the inability of the Working Group to achieve better results. I believe a fair review of the history, however, shows that the views of the DAA and its members were valued and included in months of hard work together in the Group: (1) I met individually with the leadership of each DAAmember during the “listening tour” in late 2012, after I was named co-chair. (2) A major part of the agenda at the February Face-to-Face, in Cambridge, was based on the DAA proposal concerning ways to limit access to a user’s lifetime browsing history. (3) DAA proposals and language were discussed in detail during weekly teleconferences for the next several months. Indeed, a repeated theme on the list during this period was the concern from consumer advocates that a disproportionateamount of time of the Group was being spent on DAA proposals. (4) In the lead-up to the May Face-to-Face in California, there were intensive negotiations on what became known as the Draft Framework, which became the agenda for our three-day meeting. The DAA was deeply enough involved in these negotiations that its General Counsel, Stu Ingis, presented the Draft Framework to the Group in one of its calls. (5) Coming out of the May meeting, the full group, including the DAA, issued a consensus document that enough progress had been made that we should continue to work toward the long-agreed Last Call deadline of the end of July. (6) As an effort to have one clear text that would be the focus of the Group’s efforts, we then had the summer process to create proposed language and then comments on a base text. Among the change proposals, by far the greatest amount of time on the Group calls was devoted to the text proposed by the DAA and those associated with it. (7) Both co-chairs, supported by W3C staff, then issued approximately 40 single-spaced pages of decision documents. These documents contained a massive number of footnotes and citations to the comments submitted by Working Group members. Based on the record developed by the full Group, these documents explained reasons why the June Draft would remain the base text rather than the proposal submitted by the DAA and those associated with it. In brief, the criteria for a standard that we discussed in Cambridge, based on the overall record, would not be met by the proposal submitted by the DAA and others. Based on this history, the DAA views were simply not rejected “out of hand.” My own view is that the Working Group does not have a path to consensus that includes large blocs of stakeholders with views as divergent as the DAA, on the one hand, and those seeking stricter privacy rules, on the other. I devoted my time as co-chair to trying to find creative ways to achieve consumer choice and privacy while also enabling a thriving commercial Internet. I no longer see any workable path to a standard that will gain active support from both wings of the Working Group. When participants don’t get the outcome they want on substance, they often blame the procedure. As an imperfect human being, and one working within the W3C processes for the first time, I am sure that I could have done better at various points on procedure. The actual procedure that led to the July decision came directly from my close discussions with W3C staff, and used the mechanism for resolving a disputed issue that the Working Group established and used before I became co-chair. I intensely share the frustration that all the hard work by members of the Working Group has not created a consensus path forward. I believe there is consensus in the Working Group that members have worked very hard, and I worked very hard, to find apath forward. I put almost all of my other professional work on hold, at financial cost to myself, to try to find a solution on Do Not Track. Going forward, there are cogent reasons for stakeholders to continue to work, inside and outside of W3C, to develop standards and good practices for commercial privacy on the Internet. We knew coming in that this was a hard problem. It remains a hard problem. The procedures at W3C this summer are not the reason that it became hard. With best wishes to all of you, Peter -
News
Groups Ask the FTC to Take a Closer Look at How Facebook’s Recent Proposed Privacy Changes Will Negatively Impact Teens
Washington, DC: Over 20 public health, media, youth, and consumer advocacy groups sent a letter to the Federal Trade Commission (FTC) today objecting to Facebook’s recent proposed changes to its privacy policy. The groups raised concerns about the potential negative impact of these changes on teens. In a letter to the Federal Trade Commission’s Chairwoman Edith Ramirez, groups working on teen-related issues—including American Academy of Pediatrics, Consumers Union, Public Citizen, Consumer Watchdog, Pediatrics Now, and the National Collaboration for Youth—challenged changes to the “Statement of Rights and Responsibilities” that give Facebook permission to use, for commercial purposes, the name, profile picture, actions, and other information concerning its teen users. The groups also objected to new language directed at 13-17 year-old users that states that teens “represent that at least one of their guardian’s or parent’s have given consent for this use of their personal information on their behalf.” As groups with a broad range of expertise and years of research in issues related to marketing, media, public health, consumer rights, and youth, the concerns in the letter addressed—among other issues—the ways in which Facebook’s proposed changes would expose teens to the same problematic data collection and sophisticated ad-targeted practices that adults currently face. “These new changes should raise alarms among parents and any groups concerned about the welfare of teens using Facebook,” observed Joy Spencer, who runs the Center for Digital Democracy’s digital marketing and youth project. “By giving itself permission to use the name, profile picture and other content of teens as it sees fit for commercial purposes, Facebook will bring to bear the full weight of a very powerful marketing apparatus to teen social networks.” Dr. Gwenn O’Keefe at Pediatrics Now also expressed concern. “Given the number of teens who are legally on Facebook and pre-teens who are on there posing as teens,” she declared, “it’s in everyone’s interest that Facebook create an environment that is appropriate and healthy for the development of teens.” Citing the FTC’s 2011 Consent Decree with Facebook, the letter asked the agency to hold Facebook accountable, redress the changes, and protect the interests of teens. (A list of the 27 signatories is attached.) ### African American Collaborative Obesity Research Network American Academy of Child and Adolescent Psychiatry American Academy of Pediatrics Benton Foundation Berkeley Media Studies Group Campaign for a Commercial-Free Childhood Center for Digital Democracy Center for Global Policy Solutions Center for Media Justice Center for Science in the Public Interest Children’s Advocacy Institute Children Now Consumers Union Consumer Watchdog Corporate Accountability International Pediatrics Now Prevention Institute Public Citizen Public Health Advocacy Institute Public Health Institute Media Alliance Media Literacy Project Mercy Hospital’s Young People’s Healthy Heart Program National Collaboration for Youth Shaping Youth United Church of Christ, OC Inc. Yale Rudd Center for Food Policy and Obesity -
News
Consumer & Privacy Coalition Ask FTC to Force Facebook to Comply with Consent Decree/Roll Back Proposed Changes that Threaten User Privacy, inc for Teens
The coalition's letter is attached. Facebook is violating the terms and spirit of its 2011 Consent Decree (link is external) with the Federal Trade Commission (FTC). As we have explained to FTC officials, the new policies planned by Facebook are designed to further expand its wide-ranging data collection and targeting apparatus. Facebook must be required to be candid and specific to its U.S. users on how its new data use policies reflect what it sells to marketers and advertisers (its various ad products, data techniques, focus on mobile, etc.). Without such candor and transparency, Facebook is fundamentally in violation of the 20-year committment it made to the American public via the FTC. The FTC has to stand up for the rights of U.S. consumers and make the Consent Decree--which the agency has repeatedly said has created new privacy safeguards for Internet users around the world--mean something. The agency has claimed (link is external) that its Facebook order "alone protects the privacy of more than a billion people world-wide." That has largely been a fiction--something anyone who follows Facebook (as we do at CDD) know. It's time for the FTC to take Facebook to court for violating its agreement. Facebook's new policy on its 13-17 year old users is especially alarming. It wants to target teens with an aggressive mix of data collection, profiling and tracking--without any safeguards.Here's what CDD's attorney Hudson Kingston said to us about Facebook's new tactic on teens: "Across the United States, states' laws don't allow minors to definitively bind themselves with a contract. Through legal fictions Facebook's new policy tries to bind both minors and their parents to consent to ongoing invasions of privacy, based only on the nonaction of teenage users. This violates the FTC 2011 Facebook Order's requirement of affirmative consent before the company undercuts privacy, as well as basic concepts of capacity to consent." Joy Spencer, who runs CDD's project on digital food marketing and youth, said: "Teens spend their lives online 24/7, especially on social media platforms like Facebook. They use Facebook to socialize and share critical information that often spreads quickly and has great power and influence within tight and trusted social networks. By changing its Statement of Rights and Responsibilities and Data Use Policy to grant itself permission to use the name, profile picture, content and other actions of teen users for commercial purposes and without their express consent or compensation, Facebook is definitely stepping over the line. Most teens do not share their personal photos and personal views on Facebook with the expectation that brands can take their pick of their images and actions to digitally market commercial products. What is most disturbing here is that Facebook is taking advantage of teens while they socialize with peers and exploiting their rightful need for self-expression in order to make a profit. The FTC should definitely step in to make sure this does not happen. " Facebook's redlined changes is attached in the FBSRS document. Here's what it says (my bold): 10. About Advertisements and Other Commercial Content Served or Enhanced by Facebook Our goal is to deliver advertisings and other commercial or sponsored content that are is valuable to our users and advertisers. In order to help us do that, you agree to the following: 1. You can use your privacy settings to limit how your name and profile picture may be associated with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us. You give us permission to use your name, and profile picture, content, and information in connection with commercial, sponsored, or relatedthat content (such as a brand you like) served or enhanced by us, subject to the limits you place. This means, for example, that you permit a business or other entity to pay us to display your name and/or profile picture with your content or information, without any compensation to you. If you have selected a specific audience for your content or information, we will respect your choice when we use it. If you are under the age of eighteen (18), or under any other applicable age of majority, you represent that at least one of your parents or legal guardians has also agreed to the terms of this section (and the use of your name, profile picture, content, and information) on your behalf. -
News
Hudson Kingston Joins CDD as Legal Director/Will Oversee COPPA and Teen Privacy and Digital Marketing Initiatives
Center for Digital Democracy Adds Legal Director Focusing on Youth Privacy and Digital Marketing Issues CDD Begins Industry Review to ensure new COPPA Rules are Enforced Washington, DC: Hudson Kingston has joined the Center for Digital Democracy (CDD) as its new Legal Director. Mr. Kingston will oversee CDD’s regulatory and industry initiatives to ensure that the Children’s Online Privacy Protection Act (COPPA) rules, recently updated by the Federal Trade Commission (FTC), protect children effectively. Under the new regulations, which went into effect in July 2013, a child’s privacy is better protected when they use mobile devices, social media, “Apps,” or online games. There are also new safeguards regulating marketing practices such as online behavioral targeting. CDD spearheaded a coalition of consumer, child advocacy, and public health groups during a four-year campaign to press the FTC to bring its COPPA rules up to date. “Hudson’s strong commitment to consumer protection and public health will help CDD represent the interests of young people in the digital era,” said executive director Jeff Chester. With a background in human rights and environmental law, Mr. Kingston worked on consumer protection issues at the Center for Food Safety, and also focused on national environmental policy at the White House Council on Environmental Quality. Hudson earned his J.D. from the University of Iowa and LL.M. degrees from both New York University and the National University of Singapore. He is a member of the New York and D.C. bars as well as the Federal District for D.C. Kingston has also worked on legal projects in Laos and India. “Now that the revised COPPA rules are in force, CDD intends to closely monitor the children’s online marketplace to help promote compliance,” explained Chester. “We are also stepping up our examination of data collection and interactive marketing practices targeting teens. Hudson will be working closely with the FTC and other policymakers and will be spearheading our regulatory efforts,” he noted. “Parents, as well as most Americans, believe children should be able to use the Internet without being surreptitiously tracked,” said Hudson. “I look forward to leading CDD's expanded efforts on COPPA and protecting minors from privacy and health threats.” CDD works to protect the interests of consumers in the digital era, including on issues related to public health, children and youth, and financial services.