LCI Learning

Share on Facebook

Share on Twitter

Share on LinkedIn

Share on Email

Share More

CA CS CIMA Adv Dip MA Prakash (CA CS CIMA)     16 April 2009

Internet Legal Issues: WWW Privacy Policy - Part I

Introduction

As we enter the new millennium the World Wide Web ("WWW"), because it collects and disseminates personal information, significantly impacts many personal privacy issues and concerns. One major concern of privacy advocates is that when one travels the WWW from one site to another is not the fact that they knowingly leave personal information at particular sites but that they also leave information at sites without their consent. The collection of personal information will continue to expand as the WWW grows in importance and as a greater number of individuals begin to use and purchase products and services from electronic commerce sites, commonly referred to as "e-commerce sites". For many e-commerce sites it may no longer really be an option to have a "privacy policy" because in reality a privacy policy may already be obligatory or an essential condition for successfully competing in e-commerce.

Developing and implementing a personal privacy policy for the WWW should be a relatively straightforward matter for those sites that collect personal information from visitors. This policy should let the visitor know how and why the site collects the information, how the site plans to use the information and whether this information will be disclosed to third parties. Despite the apparent simplicity involved in developing and implementing a privacy policy there have already been many examples of major WWW companies, such as Yahoo, America Online and GeoCities, and corporations, such as United Airlines, that have become embroiled in privacy issues.

WWW privacy issue problems emanate from a number of varied sources that include (1) uncertainties created by the convergence of new legislation, self-regulation models and WWW standards that are all continually evolving, (2) legislation that although it may be consistent in its approach is often very different regarding specific details, (3) sophisticated software products that permits the tracking and gathering of data and the ability to include such data into customized marketing programs, (4) an increasing commercial demand for consumer information and (5) and a gap that may be widening between what is legal and what may be necessary to prevent major embarrassment for an offending web site.

The complexity of privacy issues involving databases and the WWW is further compounded because it involves a variety of international, national and state laws, self-regulation models and an increasingly evident consumer demand for the protection of one's personal information. The result is that privacy law is constantly changing as the e-commerce environment rapidly approaches a climate where it may become a necessity, as well as legally advisable, for every Web-based business to have a privacy policy on its site.

Establishing and implementing a privacy policy on your site may now be obligatory if your site caters to Europeans, children or is in an industry that regulates the collection of information. With the passage of the "Children Online Privacy Protection Act of 1998" ("COPPA"), which goes into effect in April 2000, having a privacy policy has now become the reality for those sites that collect information from children. However, even when a privacy policy is not obligatory it may already be a necessity for e-commerce sites. This is because of the actions of certain web site owners who have previously gained notoriety and created unfavorable publicity by gathering personal information and exploiting such information without any regard to an individual's wishes and privacy.

A Web-based business requires consumer confidence to be successful. However, even with the significant growth of e-commerce, many consumers will still not register at web sites or transact business on the WWW because of their concern with the privacy of their personal information. Therefore, even though a privacy policy may not as yet be obligatory one may be essential for attracting visitors and potential customers to your site. This is because the posting of a privacy policy on your site should significantly increase consumer confidence in your site and result in increased traffic, registrations and purchasing transactions. Once you have developed and implemented a privacy policy for your site you may further want to instill consumer confidence by becoming a party to a "privacy seal" program such as "TRUSTe" or "BBBOnLine"; these are e-commerce counterparts to the more familiar consumer seal programs such as Good Housekeeping and Underwriters' Laboratories.

Preparing a Privacy Policy

A FTC report, "Public Workshop on Consumer Privacy on the Global Information Infrastructure" (1997), stated that an effective WWW privacy policy must (1) identify the party collecting the information, (2) state how that party intends to use the information, (3) state how a visitor to a particular web site could limit the disclosure of information, (4) provide consumer choice with respect to how the collector of the information could use or disclose the information, and (5) provide consumer access to any information that has been collected. At present, except for the recent passage of COPPA, the FTC's review of WWW privacy has not as yet resulted in formal regulatory action but instead has relied on consumer education on one-hand and self-regulation and policing by trade associations, individual companies and the Internet industry on the other. The FTC's ultimate response will probably depend upon the success of these "informal" privacy policy approaches.

Therefore, if you decide to adopt a privacy policy for your web site or already have an existing one you should make certain that it was or will be done correctly. Many of you may now be asking if there is a standardized privacy policy that you could copy and use on your web site or if you could generate a customized privacy policy by utilizing the resources of the Direct Marketing Association or a "privacy seal" program. The simple answer is "of course you can". However, as with all such approaches the privacy policy you would create will only be a generic policy rather than a policy that specifically addressed the requirements of your business model and the activities taking place on your web site.

The more effective way to establish a privacy policy is to make certain that it specifically addresses all the important issues, including any special legal requirements that may be applicable to your business. Therefore, the privacy policy you develop and implement for your Web-based business must be tailored to your company's specific business requirements, your visitor's privacy concerns and be written in such a manner that it "works" for your web site's targeted audience.

Preparing, implementing and maintaining a functional privacy policy for your company's web site is a company-wide activity that in order to be successful must involve the buy-in and cooperation from the general management, product development, marketing and sales, information services and Web design, and legal constituencies of your company. The process for creating a privacy policy is not really very different than it would be for any other business policy developed for your company. The process should include (1) conducting an audit of what you are currently doing, (2) evaluating your objectives, (3) formulating and preparing your company privacy policies, (4) preparing the design for incorporating the privacy policy on your web site, (5) implementing the privacy policy and (6) establishing maintenance procedures to ensure the on-going functionality of the privacy policy.

The second part of this article will discuss specific guidelines for preparing and implementing your company's WWW privacy policy as well as the specific requirements mandated by COPPA that will effect the design of your site and the services that are targeted toward the children who may visit your site.



Learning

 1 Replies


(Guest)

I found this interesting article on how the different services that google offers are a concern for some people on the internet - https://www.slightlyshadyseo.com/index.php/googles-user-data-empire/

I’ve been holding off on doing this entry for a bit, but with the introduction of SearchWiki their aims are so clear to me, I just can’t hold off anymore. Google’s problems over the past 2 years have been the result of an algorithm overly based on links. They’ve finally hit their wall. With the latest batch of link buying platforms, their options for truly detecting it are dying out. One can call Google many things, but ignorant of the marketplace and SEOs is not one of those things. So they needed a response. Their response? User data. Lots of f**king user data.
I know I’ve covered a similar topic before(how Google is essentially creating it’s own internet), but I wanted to do one specifically on user data.

The Basic Layout of the Google User Data Empire

  • Google Adsense - Google adsense has the unique ability to track without fear of repurcussion. Why? Because any data they send back can be used and archived in their eternal battle against click fraud. This means they transmit everything from screen resolution to ability/version of flash(things that arguably have nothing to do with click fraud). Either way, it’s a window they have into millions and millions of hits on the internet daily. It’s targetted towards informational sites though, and not commercial sites(Google’s true interest).
  • Google Analytics - This is Google’s window into non informational sites. It tracks an absolutely obscene amount of user data(actually, more than you can see/use in their analytics panel). Without this, they’d have no window into sale based sites that would give the competition traffic if they ran adsense. Webmasters flock to this tool, not realizing the danger of feeding Google all that information. Here’s a hint: it tracks conversion rates. Now, Google is currently taking anywhere from 2-5x the amount of adsense revenue they’re giving to the website owner, which means if you do PPC you’re more or less at their mercy for how much you’re paying per click. Them knowing how much you’re making per click via their conversion tracking could (in theory) allow them to adjust your PPC expenses up, while still remaining profitable. But once again, the real gold here is the ability to track the users.
  • Google Chrome - Google Chrome is an interesting creation. Google is a public company. That means they cannot create something like chrome without a significant financial reason. The trick is they’re already propping up firefox via $59.5-70 million a year in donations(85% of Firefox’s revenue) to keep them as the default search. $70 million is jack sh*t to Google, so they definitely wouldn’t create Chrome simply to save on that, and they’re already getting the ad revenue from firefox searches so that itself doesn’t make sense. So why would they create Chrome?
    • Unique Identifier - Chrome generates a unique id whether or not you agree to send your data to Google. If you agree to send it, this ID gets trasmitted. So what does that do? It makes it so they can identify you regardless of where your computer is, and regardless of cookies. It’s truly the perfect information gatherer.
    • [Partially] Closed Source - I’m no open source junkie, but let’s not kid ourselves. The one primary difference between Firefox and Chrome is that Chrome is closed source. It’s based off of Chromium, a BSD licensed piece of software. BSD license means you don’t have to open source your modification on their code(unlike the GPL). This means one has to run a sniffer to see the data Chrome is sending out; you can’t simply open the source code. While initial versions don’t send out an excessive amount of data, I’m willing to bet user adoption will change that.
    • Typing Tracking - I just sniffed a Chrome request(opted in to trasmit data). The page I was going to was complete blank except for a fake 404 error. Magically, it created 2 requests to Google. One was a “google suggest” style query(which means yes, Google suggest is used for tracking). The other was a curious query, as it trasmitted events(used generic names so I dont know what each stood for), a unique ID, and interestingly enough a variable called “rep”, presumably implying a user reputation level. A single type in of a domain created 3 of these “events”. I wonder what they are.
  • Google Checkout - One of a few ways Google is moving to be able to identify real people. That is to say it’s a way to be able to tie an IP and a cookie/username to a real, 100% legit name. This is worth more than most could ever imagine. Not only is that person identified as someone with a credit card, but the billing address itself gives you a region the person is from, and a probable demographic. Also used to tie back to a real identity is the much debated Google Health, which can store medical information on an individual.
  • Google Toolbar - Fantastic for identifying webmasters, the Google toolbar is among the most powerful methods of getting user data. How long do you think it will be before they turn users into unknowing cloaking checkers(click search results, omgz this pagerank request isn’t for the right domain)? Every single webpage you access, private or not, gets sent to Google for their page rank check.
  • Google Android - The one set of data they couldn’t access properly before. Phone habits. Note how agressively they’ve pursued the cell phone market(IPhone anyone?)
  • SearchWiki - Google’s latest addition to let you reorganize the search results. They say the data is used only for the user that changes it. Fun fact? That makes no sense. Google already has bookmarks, and if you are logged in and click “Web History”(and are  opted in) it will show you the searches you’ve made and the results you’ve clicked. So their is absolutely no reason for the creation of this other than to alter search results, and more importantly gauge user’s reactions to commercial vs. informational sites.
  • Other Obvious Sources - Gmail(your contacts, your interests), the actual search results, and many more.

Google justifies all of this on the idea that a lot of other companies have been gathering this data for some time. But there’s a difference. Those companies only had data from one source at a time. For Google, it’s different. Their specialty is organizing information. They have access to more avenues for userdata than any other company in the history of the world, and the ability to connect every aspect of every person’s life. Log into gmail on android? Congrats, your phone number can now be tied to your IP home IP. Don’t search using Google? Between adsense and analytics, you’ve probably got a 35-50% chance of sending data to Google anyways with every page load. Did you buy something through an ad served by Google? With conversion tracking, they know you bought, and can tie that back to everything else.

Why I’m Scared as a User
I’m really beginning to get scared here. Even ignoring Google’s less than benevolent intentions, can anyone imagine a data breach? No company is truly secure. 4 years ago the entire member database of the largest p*rn network on the planet was available(including passwords) for 1 grand. over 500,000 records. There have been data breaches at pharmaceutical companies, leaking millions customer records, down to the pill they took and when the prescription was up. Government servers get compromised, credit bureaus get compromised. So why would Google be any different?

Why I’m Scared as a Webmaster
Google has an interesting issue. They have more userdata than they can allow adwords advertisers to target. This is an absolutely insane amount of information. So they’re left with 3 options.

  1. Enter the CPA Market - With their Google Affiliate Network, this seems like a likely path. Imagine a massive in house program that can get clicks for dirt cheap(remember, Google takes a HUGE cut out of adsense revenue. Surrendering that they can afford conversion rates that would make normal PPCers cringe).
  2. Not Use the Data  - Google is a publically traded company. Their responsibility is to stock holders. So regardless of how warm and fuzzy they act to the internet community at large, this option is not viable. Their privacy policies contradict the filth they spew towards the consumer about how the data will and won’t be used. And guess which one is legally the reality? The privacy policy. They’re using the data folks.
  3. Take Control from Advertisers - They can’t let me target based on all the data they have, so the alternative is to make the decisions for me based on what they think is best. Well, sort of. Remember that Google automatically optimizes not for conversions, but for click through and profit on their end.

I don’t understand how prominent geeks normally so paranoid over spyware and whatnot can ignore Google. They function on a higher level than any spyware company in history, and do it all by winking at the webmaster community and acting like they’ll look out for us. “Do No Evil” is the motto of a private company. Not a public company. It’s the antithesis of the free market economy. What is good for the consumer is not good for the company, and that is especially true with an advertising company that has access to so much data.

Until next time,
XMCP

PS: Edited the entry to indicate that chrome is partially closed source. Though the open source aspects are chromium for the most part. To clarify, here’s a line from Chrome’s TOS: 10.2 You may not (and you may not permit anyone else to) copy, modify, create a derivative work of, reverse engineer, decompile or otherwise attempt to extract the source code of the Software or any part thereof, unless this is expressly permitted or required by law, or unless you have been specifically told that you may do so by Google, in writing.


Leave a reply

Your are not logged in . Please login to post replies

Click here to Login / Register