Privacy and Security Risks in Online Marketing and Advertising
From PLI’s Course Handbook Ninth Annual Institute on Privacy and Security Law #14648
PRIVACY AND SECURITY RISKS IN ONLINE MARKETING AND ADVERTISING: CURRENT EVENTS IN SEARCH DATA COLLECTION AND RETENTION
Eve Chaurand-Fraser, Ask.com
BIOGRAPHICAL INFORMATION
Name: Eve Chaurand-Fraser
Position/Title: Associate General Counsel
Firm or Place of Business: Ask.com
Address: 555 12th Street, Suite 500
Phone: 510 986 8005
Fax: 510 985 7507
E-Mail: [email protected]
Primary Areas of Practice: Internet Law
Law School/Graduate School: University of Paris X (law degree) and University of Lyon III (post-graduate business law degree)
Work History: Eve worked as a corporate attorney in France, the UK, and the Baltic States (for Moquet Borde et Associes, now the Paul Hastings Paris office). Upon arriving in San Francisco in 2000, Eve worked in boutique firms and advised Bay Area start-ups and small businesses in the IT and e-commerce sector. Since May 2005 Eve has worked at Ask.com, where she supports Ask.com and IAC Advertising Solutions and oversees legal issues relating to search services and online advertising sales.
Professional Memberships: French American Chamber of Commerce, Bay Area Chapter
PRIVACY AND SECURITY RISKS IN ONLINE MARKETING AND ADVERTISING
Current Events in Search Data Collection and Retention
Eve Chaurand-Fraser
Associate General Counsel, Ask.com
Online consumer data collection practices, including the collection and use of search data, are not specifically regulated. Web search service providers are generally subject to the FTC's unfairness and deception standards under Section 5 of the FTC Act and to the consumer protection provisions of state laws.
I. What Consumer Information do the Search Engines Collect?
Typically, when a consumer enters a query in a search box or clicks on a search term link, the search engine collects the following data: (a) the consumer's Internet Protocol (IP) address; (b) the URL of the page the consumer was on before reaching the search engine (the HTTP Referer); (c) the consumer's browser and platform type as reported in the User-Agent header (e.g., a Netscape browser on a Macintosh platform); (d) the consumer's browser language; and (e) the data in any undeleted cookies that the consumer's browser previously accepted from the search engine. The search engine associates these data with the search terms submitted by the consumer. Historically, search engines retained such data indefinitely, and the cookies they set had no expiration date. If the consumer never cleared the cookies on his computer, the cookie persisted and the search engine continued to accrue information under the same identifier. With a high volume of search queries tied to an individual IP address and cookie, search engines store a material amount of data about each of their users, and some of that data may be sensitive personal information.
II. Events that Triggered the Commencement of Self- Regulation
A. AOL Search Data Release
In early August 2006, AOL posted on a publicly accessible web page some 20 million keyword searches submitted by its subscribers. The purpose of the release was to enable researchers to learn more about how people look for information on the Internet. User names had been replaced by a persistent numeric identifier, so every query from one user could still be linked together. Journalists and bloggers analyzed the queries attributed to particular identifiers, determined the identities of several individuals, and drew inferences about their interests, lifestyle, and habits based solely on their search queries. The AOL data revealed that a consumer's search queries can contain very personal and sensitive data, including names, addresses, medical-related searches, and even social security numbers.
B. DOJ Subpoena to Google for Search Data
In August 2005, Google was served with a subpoena from the U.S. Department of Justice demanding disclosure of all search queries submitted by Google users within a two-month period, as well as all URLs in Google's search index. The Department sought the data in support of its defense of the Child Online Protection Act, to estimate the proportion of search queries and results that related to adult or pornographic content and to argue that filtering software fails to keep material harmful to minors from reaching them. Google objected to the subpoena; in March 2006 the court denied the request for search queries and ordered Google to produce only a sample of 50,000 URLs from its index.
C. The AOL/Tacoda, Microsoft/aQuantive and Google/DoubleClick Acquisitions.1
Tacoda, aQuantive and DoubleClick are advertising service companies that build online profiles of consumers using cookie technology. The acquisition of these companies by major search engines caused great concern among consumer privacy advocates that search data would be combined with other online profiling data. An ad-serving company like DoubleClick is capable of capturing all the search terms typed by the user of a search engine, matching these queries to a unique IP address or browser, and then using this information to serve the individual behind that IP address or browser with precisely targeted ad banners. Search query data is certainly valuable to marketers and online profiling companies. It can be combined with data already collected by ad-serving companies, such as web sites and pages visited, the time and duration of each visit, purchases, “click-through” responses to advertisements, and so on. Knowing what a consumer is seeking on the web enables advertisements to be designed specifically for that consumer's particular interests.
It became increasingly apparent that (1) search query data is not necessarily anonymous and can lead to the identification of the individual performing the searches; (2) as long as search engines retain sensitive user data, that data is susceptible to falling into the hands of the government through legal process; (3) search data can be combined with other data collected from the same consumer and used for profiling and behavioral targeting; and (4) the high volumes of data retained by search engines represent a high data security risk, since a single breach or insider exposes every retained query at once.
III. Pressure from the Article 29 Working Party
In 2007, all major search engines made efforts to dramatically improve their privacy practices. All committed to keep user registration information and user search query data in separate, segregated databases, so that search data is not linked with personal data. Google also announced in March that it would anonymize its server logs after 18-24 months, meaning that after that period search query data would be disassociated from the consumers who performed the queries.
But the Article 29 Working Party was not satisfied and continued to put pressure on Google and the other search engines.
The Article 29 Working Party was established by Article 29 of the EU Directive 95/46/EC (the “Data Protection Directive”). The Working Party is made up of the Data Protection Commissioners of each EU member state together with a representative of the EU Commission. The Working Party is independent, and its goals are to harmonize the application of data protection rules throughout the EU, to publish opinions and recommendations on data protection topics, and to advise the EU Commission on the adequacy of data protection standards in non-EU countries.
Under the Data Protection Directive, “personal data” is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” The Working Party interpreted this definition to include any information relating to an identified or identifiable natural person, i.e., any information which may be linked to an individual.2 Search data falls within this definition: the query terms themselves can link back to a particular individual, and each query is associated with an IP address, which may also trace back to a particular individual.
Therefore search engines' practice of keeping a record of queries tied to particular IP addresses must comply with the Data Protection Directive, which imposes obligations on firms processing personal data, including those that do not have offices in the EU. Among such obligations, the Data Protection Directive provides that personal data must be “adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed,” and “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.” In addition, the Working Party argued that under the Data Protection Directive consumers must agree to the collection of their data and have the right to verify the information collected or to object to its storage.
IV. Evolution of Search Engines’ Data Collection and Retention Practices
In response to the arguments from the Working Party and to satisfy the consumer demand for improved privacy practices, the search engines implemented a variety of new policies and privacy features:
In June 2007, after initially announcing in March that search data would be anonymized after 18-24 months, Google reduced the retention period to 18 months. After that period its anonymization process zeroes the final octet (the last of the four numbers) of each logged IP address, so that the address identifies only a block of up to 256 hosts rather than a single machine. Truncating the address does not remove identifiers that appear in the query text itself, which the AOL release showed to be common.
In July, Ask.com announced a new privacy feature called “Ask Eraser” which, when enabled by the consumer, deletes the consumer’s search queries and data from Ask.com servers, including the IP address, User ID, and Session ID cookies. For the first time, users were given a tool to exercise choice of having their search histories deleted from a search engine’s servers.3 At the same time, Ask announced it would make all user search data anonymous after 18 months.
A week later, Microsoft announced that it would give users a way to search anonymously on its Windows Live web sites by the end of 2007, and in October released a white paper on its de-identification process,4 which allows Microsoft to serve targeted ads without correlating personally and directly identifying data with user behavior. Microsoft also said it would make all user search data anonymous after 18 months.
A day after Microsoft’s announcement, Yahoo announced that it would make all search log data anonymous after 13 months.
Microsoft and Ask.com announced that they would invite privacy advocates and Internet search and advertising companies such as Google, AOL, and Yahoo to come together and more clearly explain how the industry will handle privacy. Currently, the major search engines meet periodically to determine an industry standard for search data collection, retention, and use.
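The retention practices described in this section (deletion at the consumer's request, anonymization after 18 months by truncating the IP address and dropping cookie identifiers) can be stated as a small log-processing pass. The following Python is an added example written for this page; it is not Ask.com's, Google's, Microsoft's or Yahoo's code. The log record layout, the sample records, the 18-month window measured in 30-day months, the IPv6 rule (zero the low 80 bits) and the Social Security number pattern are assumptions made here. The example also carries over the lesson of the AOL release from Section II: after the pass, queries from two users in the same IPv4 /24 block can no longer be told apart, but a query that itself contains an identifier is as identifying as before.

```python
"""Search-log retention pass (added example, not a search engine's own code).

Three rules, taken from the practices described in the text:
  1. a record whose user has enabled AskEraser-style deletion is dropped;
  2. a record older than 18 months loses its cookie identifiers and has its
     IP address truncated (IPv4: final octet zeroed);
  3. anything younger is kept unchanged.
Field names, sample data, the 30-day month and the IPv6 rule are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Set

RETENTION = timedelta(days=18 * 30)  # "18 months" in the text; 30-day months assumed

# A query containing a U.S. Social Security number stays identifying no matter
# what is done to the IP address.  The pattern is an assumption for this example.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass(frozen=True)
class Record:
    ts: datetime                 # time the query was received (UTC)
    ip: str                      # client IP address as logged
    user_id: Optional[str]       # persistent cookie value, None once stripped
    session_id: Optional[str]    # session cookie value, None once stripped
    query: str                   # the search terms
    eraser: bool = False         # consumer has opted in to deletion


def truncate_ip(ip: str) -> str:
    """Zero the final octet of an IPv4 address (the practice the text describes).
    For IPv6 the low 80 bits are zeroed (keeping a /48); that rule is assumed."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network((str(addr), prefix), strict=False)
    return str(net.network_address)


def process(rec: Record, now: datetime) -> Optional[Record]:
    """Apply the retention policy to one record; None means 'delete'."""
    if rec.eraser:
        return None
    if now - rec.ts > RETENTION:
        return replace(rec, ip=truncate_ip(rec.ip), user_id=None, session_id=None)
    return rec


def run(records: Iterable[Record], now: datetime) -> List[Record]:
    """Apply the policy to a whole log and return the surviving records."""
    return [r for r in (process(rec, now) for rec in records) if r is not None]


def linkage_keys(records: Iterable[Record]) -> Set[str]:
    """Identifiers under which queries can still be grouped to one browser:
    the cookie ID if present, otherwise the (possibly truncated) IP address."""
    return {r.user_id or r.ip for r in records}


def queries_with_ssn(records: Iterable[Record]) -> List[str]:
    """Queries that remain identifying through their own content."""
    return [r.query for r in records if SSN_RE.search(r.query)]


# Constructed sample log for this example (not real data).
NOW = datetime(2008, 1, 15, tzinfo=timezone.utc)
SAMPLE = [
    Record(NOW - timedelta(days=10), "192.0.2.17", "c1a2", "s9", "weather oakland"),
    Record(NOW - timedelta(days=600), "192.0.2.17", "c1a2", "s1", "my ssn 123-45-6789 lookup"),
    Record(NOW - timedelta(days=600), "192.0.2.200", "d7f0", "s2", "divorce lawyer"),
    Record(NOW - timedelta(days=3), "198.51.100.9", "e3e3", "s3", "flights sfo paris", eraser=True),
]

if __name__ == "__main__":
    kept = run(SAMPLE, NOW)
    print(len(kept), "records kept of", len(SAMPLE))
    print("linkage keys before:", sorted(linkage_keys(SAMPLE)))
    print("linkage keys after: ", sorted(linkage_keys(kept)))
    print("still identifying by content:", queries_with_ssn(kept))
```

Run as a script, the pass keeps three of the four records (the opted-in user's record is deleted), and the two aged records from different users in 192.0.2.0/24 collapse onto one key, so `linkage_keys` shrinks from three to two. `queries_with_ssn` still returns a hit: address truncation and cookie removal limit how records can be linked to each other, not what a single query discloses, which is why the text treats retention limits and query content as separate risks.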
V. Federal Trade Commission Initiatives
To address growing concerns with respect to online profiling and behavioral targeting, the Federal Trade Commission organized, on November 1-2, 2007, a town hall event which included discussions on the practices of search engines with respect to data collection and retention and their use of search query data for targeting ads to users.
Following the town hall discussions, the staff of the Federal Trade Commission released a set of proposed principles on December 20, 2007.5 The proposals include the following:
· “Every Web site where data is collected for behavioral advertising should provide a clear, consumer-friendly, and prominent statement that data is being collected to provide ads targeted to the consumer and give consumers the ability to choose whether or not to have their information collected for such purpose.”
· “Any company that collects or stores consumer data for behavioral advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.”
· Companies should only collect sensitive data6 for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising.
As applied to search engines, the first proposal on transparency and consumer control may be difficult to implement in a meaningful way. The industry has not come to a consensus on how to effectively communicate about a search engine’s data collection and advertising targeting practices without unduly burdening both the consumer and the functionality of the site. Significant development will be needed (most effectively through innovation by industry and individual companies) to develop a “clear, easy-to-use, and accessible” method for exercising the choice to opt out of such data collection and use. As of today, Ask Eraser is the only example of a meaningful choice offered to the consumer about search data retention.
It seems that search engines have come to an industry consensus with respect to the second FTC proposal on reasonable security and limited data retention. All search engines need to retain a high volume of data for at least 18 months in order to improve their respective services, defend their systems from malicious access and exploitation attempts, fight click fraud and phishing, respond to valid law enforcement requests, and comply with other data retention obligations.
Online privacy in general, and search privacy in particular, is an ever-evolving area, as search engines and other online services develop new tools and techniques to serve their users and monetize their sites. This evolution is also occurring on a global scale, since the major online services operate internationally. State regulators and consumer privacy advocates must be vigilant to ensure that consumer data is adequately protected. The web search sector has, however, demonstrated the effectiveness of self-regulation, with major search engines using privacy features to gain a competitive edge over one another.

1 Google announced its acquisition of DoubleClick on April 13, 2007. Microsoft announced its acquisition of aQuantive on May 18, 2007. Tacoda's acquisition by AOL was announced on July 24, 2007.
2 Article 29 Working Party Opinion 4/2007 on the concept of personal data adopted June 20, 2007
3 Ask.com, About AskEraser, http://sp.ask.com/en/docs/about/askeraser.shtml
4 Privacy Protections in Microsoft’s Ad Serving System and the Process of “De-identification”, October 2007.
5 FTC, FTC Staff Proposes Online Behavioral Advertising Privacy Principles (Dec. 20, 2007), available at http://www.ftc.gov/opa/2007/12/principles.shtm. The FTC is not following the Administrative Procedure Act and appears not to be engaging in formal rulemaking. It is unclear whether the FTC is attempting to impose an unfairness standard through an FTC-led “self-regulatory” set of principles.
6 FTC staff also seeks comment on what constitutes “sensitive data” and whether the use of sensitive data should be prohibited, rather than subject to consumer choice.