Table of Contents
Introduction
Definitions
Groups looking for a regulation
Energy Subcommittee on Communications, Technology, and the Internet
Advertising Industry
Privacy Advocates
Other key players
Gmail
Google Buzz
Facebook Beacon
Facebook Connect
Web Coupons


Behavioral Targeting (BT) is the most sophisticated system the advertising industry has come up with to track the activity of web users and deliver personalized advertising to them.

The main tools for that purpose (cookies) are not new. But advertisers can now use the information from these cookies to build supposedly anonymous profiles of users, a kind of information that is very valuable to them. These new techniques have enabled a whole market of third parties and middlemen who even match that information with physical databases in order to have a complete picture of the potential customer.

The quest for user data is so aggressive, and so little known to the mainstream user, that it has raised questions about its legality and created a growing feeling of insecurity among many individuals. Those concerns were expressed first by privacy advocates, then by the FTC, and lately by users through national surveys, and even by Congress. The privacy issues related to popular services such as Google or Facebook have made this a public issue, one that is not well explained or understood.

With some delay, the main advertising associations are trying to avoid Federal legislation by introducing a series of self-regulation principles. Meanwhile, the chairman of the U.S. House Energy Subcommittee on Communications, Technology, and the Internet, Rep. Rick Boucher, has submitted a bill in line with the privacy advocacy groups’ proposals, and even the FTC, which initially pushed for advertisers’ self-regulation, is considering a “Do not track” list in the vein of the “Do not call” one.

In this paper I’ll also talk briefly about two issues related to BT: web coupons, and what has been named Deep Packet Inspection.

Definitions
– Behavioral Targeting (BT): Tracking of individual Internet users across multiple websites. Tracking cookies are used to collect information about surfing behavior and to send targeted advertisements to the users. That information is not supposed to be enough to identify the user as a physical person: it does not include name, email, credit card number…

We can talk about first party behavioral targeting, or first party transactions, when the web site the user is visiting is the one that tracks the activity in order to offer a product or option inside the same site (e.g. Amazon, Netflix…).

– Cookie: A text file stored in a user’s web browser. Basically it identifies a web user in a single browsing session, storing information about the user’s activity. That not only lets advertisers learn about her or his habits, but also makes it possible to create statistical reports, to personalize the web experience on a specific site, and to support some of the functionality of many websites.

– Super-cookies: A new breed of cookie-like objects that are harder to locate and delete and provide even more information about the activity of the user. The main examples are Microsoft’s “User Data Persistence” and Adobe’s “Local Shared Objects”, otherwise known as Flash cookies[1]. The latter are installed when the user wants to see an online Flash video or when a Flash ad is loaded. As with regular cookies, their primary function is to help the user (e.g. remembering the preferred audio volume settings), but they can also be used to help track the user and to make sure that advertising-related cookies are installed on the computer.

– Beacon (aka web bug): An object, embedded in a website or e-mail, that tracks which user on which computer is visiting a specific web page or reading an email. In web pages it usually works in combination with cookies. Unlike cookies, it is not stored on the user’s computer. That means the user cannot remove it.

– Deep Packet Inspection (DPI): A series of technologies that help Internet Service Providers (ISPs) identify and control the information packets that are transmitted through their networks. Its primary use is anonymous control of the information traffic (e.g. Comcast uses it to know if their customers are using BitTorrent and slow the download, without knowing who the actual user is), but it can potentially track the whole activity of the web user, and the ISP could even sell its customers’ data to a third party.

– Contextual advertising: A system that reads the text content displayed to the user and offers related advertisements, usually in text form. The most popular service of this kind is Google AdWords, present in both Google Search results and Gmail.

– Sensitive information or personally identifiable information: For the purposes of BT and privacy, any piece of data that is likely to identify one web user: from the name to an email address, a telephone number, a financial account number, or persistent online identifiers such as the Internet Protocol address (IP address). It also applies to data that can reveal racial or ethnic origin, political opinions, sex, or religious beliefs.

– IP address: A numerical label that identifies a computer or group of networked computers that use the Internet Protocol to connect to the public Internet. Its function is to identify the computer that is asking for a web site or document, so that the requested information can be provided to it. Depending on the ISP, the address can be static (always the same) or dynamic (changing with each Internet session).

– Browser: An application that allows any user to retrieve and present information located on the World Wide Web. That information can be either a web page or a file (audio, video, image, PDF…). In order to perform its tasks, the browser not only gets information from web servers, but also sends information (mainly requests), including the user’s web identity (IP address). Most browsers store cookies by default, enabling the tracking of the user’s activity.

– Publisher: The owner of the web page, video, or document that the user accesses through the browser. Usually this publisher gets money from the display of web ads, and usually collects permission from the user to use their information for advertisement purposes.

– Middlemen: This category includes tracking companies, data brokers and advertising networks. All of them would be included, along with the advertisers and the publishers, in what the Boucher bill calls ‘Covered entities’. Those are defined as any person or company (excluding government agencies) engaged in interstate (web) commerce that collects data containing sensitive or personal information from more than 5,000 individuals.

– Profile: The package of data stored by a middleman, publisher or advertiser about an Internet user.

– Opt-in: The process through which a web user is offered the option to receive some specific advertisement, or to have his or her personal information shared with a third party. That means that no advertisement will be delivered without prior consent.

– Opt-out: Here the user has the option to stop receiving unsolicited advertisement. It puts the burden on consumers to learn how the privacy policies work and how the data is collected and shared, and to decide if they are OK with that.

– The Guidelines: Refers to the “Self-Regulatory Principles For Online Behavioral Advertising”, created by the advertisement industry after proposals by the FTC. Both first party BT and contextual advertisement are excluded from them[2].
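
The beacon and third-party definitions above can be made concrete with the kind of check a privacy tool runs over a page. The following is an added example, not part of the original paper: it flags embedded objects that are served from a different site than the page and are invisible to the reader. All host names and the sample HTML are constructed, and treating the last two DNS labels as the "site" is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def site_of(host):
    """Approximate the 'site' of a host as its last two DNS labels.

    Assumption for this example; real tools consult the Public Suffix List.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _is_tiny(attrs):
    """True when both width and height are declared as 0 or 1 pixel."""
    try:
        width = int(attrs.get("width") or "")
        height = int(attrs.get("height") or "")
    except ValueError:
        return False  # missing or non-numeric size: not provably tiny
    return width <= 1 and height <= 1


def _is_hidden(attrs):
    """True when inline CSS hides the element from the reader."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class BeaconFinder(HTMLParser):
    """Collects invisible objects loaded from a site other than the page's."""

    def __init__(self, page_host):
        super().__init__()
        self.page_site = site_of(page_host)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "iframe"):
            return
        attrs = dict(attrs)
        host = urlparse(attrs.get("src") or "").hostname
        # Relative URLs and same-site hosts are first party: not reported.
        if host is None or site_of(host) == self.page_site:
            return
        reasons = []
        if _is_tiny(attrs):
            reasons.append("1x1 or smaller")
        if _is_hidden(attrs):
            reasons.append("hidden by CSS")
        if reasons:
            # The browser attaches that host's cookies to this request,
            # which is how a beacon works "in combination with cookies".
            self.findings.append((tag, host, ", ".join(reasons)))


def find_beacons(html, page_host):
    """Return (tag, host, reason) for each likely third-party beacon."""
    finder = BeaconFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page, as if served by www.shop.example.
SAMPLE_PAGE = """
<html><body>
<img src="/images/logo.png" width="200" height="60">
<img src="https://static.shop.example/banner.jpg" width="728" height="90">
<img src="https://tracker.adnetwork.example/p.gif?uid=abc123" width="1" height="1">
<iframe src="https://sync.databroker.example/match?id=abc123" style="display: none"></iframe>
<img src="https://cdn.adnetwork.example/ad.png" width="300" height="250">
</body></html>
"""

if __name__ == "__main__":
    for tag, host, reason in find_beacons(SAMPLE_PAGE, "www.shop.example"):
        print(f"{tag:6} {host:28} {reason}")
```

The visible 300x250 ad from the same ad network is not reported: it is third-party content, but it is not a hidden tracking object.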

Groups looking for a regulation

Energy Subcommittee on Communications, Technology, and the Internet
The chairman of this U.S. House Subcommittee, Rep. Rick Boucher, and fellow member Rep. Cliff Stearns, presented a bill on privacy issues last May. Boucher is a well-known advocate of consumers’ rights on the Internet and an opponent of intrusive advertisement. He created the Digital Media Consumer’s Rights Act (DMCRA) legislation and co-authored the CAN-SPAM Act of 2003[3].

The main points the bill wants to regulate are:
* Privacy policy disclosures: the websites that collect sensitive data should make it clear, as well as the use they will make of such information.
* Opt-in for sensitive data, and easy opt-out for any kind of data.
* Option for the users to modify their profiles and opt out of the sharing of their data with third parties.
* Ensure the security and control of the data stored.
* The FTC as implementer and enforcer of the rules.

The Federal Trade Commission’s principal mission is to promote “consumer protection”. In recent years the agency has lobbied for the online advertisement industry to self-regulate BT practices and respect the user’s expectation of privacy. FTC Chairman Jon Leibowitz has warned the industry that it is facing the “last clear chance” to avoid specific governmental regulation[4].

Right now the FTC is not only thinking about a “Do not track” list (similar to the “Do not call” list for telemarketers), but even about forcing each site to show a brief summary of its privacy policy to each user during their first visit. This option would clearly disclose each site’s policy, but would also become extremely annoying for a new user, or even for one who has changed ISP[5].

Among their main concerns are:
* Give more information, in a transparent way, to the user, who should be able to easily opt out. In the ‘Guidelines’, the FTC doesn’t choose between opt-in and opt-out. They just say that those should “be clear, easy-to-use, and accessible to consumers.”
* Obtain permission from the users when their information or profile is going to be shared with a third party or used in a way not reflected in the original privacy policy.
* The use of sensitive data (related to health or financial status) and what kind of data the advertisers collect from minors.
* Prohibit ISPs from collecting personal data through DPI.

The FTC has focused its efforts on BT, considering that both contextual advertising and first party behavioral targeting raise far fewer privacy issues.

Advertising Industry
This refers to a cross-industry coalition of web advertisers that are trying to comply with some of the FTC requirements.

Members include the American Association of Advertisers Agency, the Association of National Advertisers, the Interactive Advertising Bureau, the Direct Marketing Association and the Council of Better Business Bureaus. This coalition has created a series of guidelines named “Self-Regulatory Principles For Online Behavioral Advertising”.

The intention of this set of principles is twofold:
* Avoid Federal regulation of BT. They fear conservative legislation, based on the principles of classic marketing, which would discourage innovation and progress.
* Convince the users that their tactics do not violate their privacy, and even that BT is positive for them, as they will only receive relevant advertisement. A study of ninety online marketers released in May 2010 by the Ponemon Institute indicated that despite an acknowledged return on investment from behavioral ads, hundreds of millions of dollars are being held back from online behavioral ads due to privacy concerns[6].

Among the measures the advertisers have already introduced or are willing to introduce, we can highlight these:
* Disclose data collection and the kind of use that will be made of the data on the webpage where the ad is displayed, not on the website of a middleman, as the user would never know where to look for it. Some advertisers are starting to display a behavioral ad icon (a blue square with a lowercase “i” in a circle), making clear that the ad has been selected through BT.
* Let consumers decide whether their data can be transferred to or used by another entity. Some advertisers are even willing to give the users access to their profile, in order to modify it (and so get more accurate ads), or to decide what kind of data they want the advertiser to know about. One example is the Seattle-based middleman BlueKai, through their registry[7].

Furthermore, the advertisers have said that they are even willing to cooperate with the FTC in order to enforce the observance of their rules. An article in Wired explained that the Council of Better Business Bureaus is seeking software to detect targeted ads that lack these mechanisms, and to report non-complying ad networks to the FTC[8].

Privacy Advocates
A group of entities and privacy watchdogs have lobbied for strong regulation of BT, arguing that it is an invasion of privacy, that it can be used to take advantage of vulnerable consumers or even discriminate against them, and that the profiles may be used for purposes beyond commercial ones[9].

Here we present their main proposals:
* Personal and behavioral data should be relevant to the purposes for which they are to be used. Any change in the use of the data should include a new consent from the user.
* No behavioral data should be collected or used from children and adolescents under 18 to the extent that age can be inferred.
* Sensitive information should not be collected or used for behavioral tracking or targeting. Sensitive information should be defined by the FTC and should include data about health, finances, ethnicity, race, sexual orientation, personal relationships and political activity.
* The FTC should establish a Behavioral Tracker Registry.
* Use of behavioral targeting for individual redlining activities should be illegal.
* Websites should only initially collect and use data from consumers for a 24-hour period. After that they should ask the user for consent. Data collected on users who gave consent must not be retained beyond a period of three months.

Among the members of the coalition we can highlight the Center for Digital Democracy, the Consumer Federation of America, Electronic Frontier Foundation, Privacy Lives, and the World Privacy Forum. In September 2009 the groups delivered a legislative primer to Congress.

Other key players
Although the discussion is focused on advertisers, regulators, and consumer rights advocates, the global issue is more complex, and a complete overview of the main players should also include:

* The providers of content on the Internet (Publishers), who are often not transparent about how the visitors to their sites are being tracked, usually as a way of profiting from their personal information.

* The web browser vendors. The browsers allow the action of potentially intrusive cookies. During the design of Internet Explorer 8, the development team created a product that prioritized users’ privacy over commercial interests, considering that the default should be some form of private browsing[10]. That means that if the user wanted to receive or install the cookies, she or he would have to give consent.

That would have turned the acceptance of cookies from a kind of Opt-out into an Opt-in model. After some discussion, the final version of the popular Microsoft browser didn’t make the shift, and users concerned with the use of their data via cookies need to turn the security options on.

* The Media plays a big role in the public perception of privacy and the threats of Behavioral Targeting. On one side the Media exposes practices that may be unknown to many Internet users. On the other side it can create alarm over a number of practices.

A recent series of articles by the Wall Street Journal under the generic title What They Know[11] has been highly controversial. In one of the infographics they showed how some of the most popular U.S. websites give data about any individual who visits their site to advertisers[12]. Some influential bloggers, like Jeff Jarvis[13], have argued that there’s nothing new about advertisers tracking us, while tracking companies say that portraying cookies as some kind of spying is misleading[14].

* The ISPs. The companies that provide access to the Internet obviously also have control over how their customers browse the Net. ISPs are waiting to see what happens with BT and the public privacy concerns before starting to use the profiles they own to do business (through DPI) and offer the “best potential clients” to both advertisers and Publishers.


Now I will review some publicly notorious cases regarding Internet privacy that have raised concerns among the general public about the way the data they consider private can be treated. I’ll also review what may be the next big privacy case: web coupons and their matching of online and offline information about the client.

Gmail
The free email service by Google was, in 2007[15], one of the very first places where users could experience Google AdWords, a contextual advertising service that scanned the mails in order to find keywords and automatically select a series of text advertisements. That means that if the text of the mails talks about someone named Michael from Jordan who likes strawberry jam, the ads will offer to buy the Space Jam DVD.

While opening someone else’s letter or postcard is a Federal offense[16], email providers can read the content of electronic correspondence. As a private provider, Google has set a series of terms and conditions regarding this issue, which must be accepted by the user before starting to receive the service.

But even though users have accepted the terms and conditions, they still expect their communications to be safe and private. Google has stated repeatedly that their work is limited to scanning for words that can help to display related advertisement, not literally “reading” the content, and that it will not keep a log of which ads went to which users, nor will it keep a record of keywords that appear often in an individual’s email[17].

In the case of U.S. v. Warshak, one of the first regarding email communications, the Sixth Circuit ruled that the user has a right to privacy that is only diminished if the subscriber or user agrees to the ISP’s terms of service[18]. In the end, the subscriber is receiving a free service that is paid for through the reception of advertisement.

Google Buzz
In February 2010 Google launched a new application tied to the Gmail service, called Google Buzz. In short, it was a social networking tool that allowed Gmail users to share items with all or part of their network, vote on them, or comment. Google failed to explain to users how the information about their network would be shared and how to modify their preferences.

The basic problem was the auto-follow function that Google used to automatically create a list of “followers” for each Google Buzz user, based on the list of most emailed contacts. As a result, many users were inadvertently sharing content with people with whom they had a mail relationship but whom they didn’t necessarily consider friends, while also disclosing that mail relationship to their entire network.

The Gmail users who agreed to try Google Buzz never thought that their contact list would be made public, or that anyone related to, say, their ex-boss, would be able to reach their personal e-mail through Google Buzz. They expected that personal data to be locked in their Gmail account and not made public through the new networking feature. The company was forced to replace the auto-follow system with one based on recommendations just days after the launch[19].

Apart from the contacts issue, another problem during the early days of the service was the difficulty users had in understanding and changing their default settings.

Facebook Beacon
Starting in November 2007, Facebook allowed information about their users collected via a beacon to be transmitted from affiliated retailers to Facebook, and even showed this information to the user’s network. Most of the time this happened without the user being aware. Several newspapers and blogs told the story of a man who bought a ring online for his wife. The website was affiliated with Facebook, and the news about the purchase was published in his profile, making it possible for his whole network, including his wife, to know about the supposedly surprise gift[20].

After a series of articles in the press and blogs attacking the beacon, Facebook changed its operation to an Opt-in system. But a class action was filed in California, alleging that the company didn’t seek the users’ approval before implementing the beacon[21].

Facebook Connect
Facebook has more than 500 million users worldwide. Nearly one third of them (around 160 million) are in the United States. That means 160 million Americans have given them their names, likes, email, list of friends, and interests.

Through their application Facebook Connect they offer a trusted authentication method for any website. For a regular Publisher, that means that Facebook will do the job of identifying any web user. For the social media company it means two things:
* They will get even more information about the user, as they monitor her or his activity on other web sites, and will be able to deliver even more precise advertising.
* Facebook becomes a kind of ID regulator of the Internet. In a way, their authentication system becomes an online version of a government issuing ID cards for its citizens.

Facebook Privacy Policy
Another of the main privacy complaints against Facebook is related to the continuous changes in their privacy policy. It would be reasonable to ask for a system that is clear, easy to use and simple. Instead, as a graphic from The New York Times showed[22], Facebook released in May 2010 a version with 50 settings, more than 170 options, and 5,830 words (more than the United States Constitution, and more than this paper).

Web Coupons
During 2009, in part due to the economic crisis, the redemption of coupons grew 27% vs. 2008[23]. Internet coupons still represent a small portion of the whole business (0.5% of the total number of coupons and 1.5% of the redemptions), but redemption rates for Internet coupons are by far the fastest growing in the business, up 263% from 2008 to 2009. The site grew from 238,000 unique visitors in July 2009 to 6,491,554 in July 2010, according to Compete.com[24]. That means that we are facing a fast growing marketing segment, one that also uses BT tactics in order to retrieve information about the users.

The issue with this new breed of coupons, like the ones that are sent to mobile devices, is that by matching the physical person who comes into the shop with the data provided by regular BT, the retailer (or whichever middleman has access to the data the retailer gets during the redemption of the coupon) can connect the actual name with the supposedly anonymous online data.

A New York Times article[25] recently explained how a company named RevTrax operates: they are a third party that displays the coupon ads on the retailer’s site or any other web page. As they are ‘just’ middlemen they don’t need to have a privacy policy, even when they are the ones who collect the personal information of the users, including the keywords they used before getting to the coupon (e.g. cheap trekking boots).

After the user prints the coupon and redeems it, RevTrax gets the information back from the retailer and can complete the user profile. That way they can also reach the conclusion that people from, say, Kirkland, are more likely to buy equipment for outdoor activities through coupons than those in Seattle. The next step would be to make a better offer to Seattle users, as they are harder to convince, than to those in Kirkland. This is called ‘online redlining’, and the advocates of online privacy define it as a form of discrimination.


Some of the cases reviewed in the previous section, mainly those related to Google and Facebook, have made regular Internet users more aware of their online privacy, and more worried about how much these service companies use their data, and how much advertisers know about them.

In an Annenberg poll conducted between June and July 2009, 66 percent of American adults indicated they did not want websites or networks targeting advertisements to them. Even a majority (54%) of younger consumers (18-24) “rejected” behavioral advertising. In addition, 92% of the respondents said there should be a law requiring websites and advertising companies to delete stored information if asked to[26].

It is very interesting to see that young people are also worried about how their information is being used. The digital natives are supposed to be far less worried about privacy. In this vein, research published in August 2010 shows that young Facebook users are more interested in privacy issues than was believed[27]. The study examines “the attitudes and practices of a cohort of 18- and 19-year-olds surveyed in 2009 and again in 2010 about Facebook’s privacy settings”. The results show that even most of the occasional Facebook users (79%) modified their settings at least twice during 2010. This data contradicts the idea that young people are less concerned about online privacy.

On the other hand, while all the articles and negative buzz about Facebook’s privacy issues have made it score pretty low in the 2010 American Consumer Satisfaction Index (in the lower 5% of all measured private sector companies)[28], the company is continuously growing in number of users. Maybe the concerns of the users are less important than the benefits they get from the service.

Advertisers and middlemen collect information that is increasingly specific. One company, Clearsight, has announced that it has enough information to link 65 million IP addresses to actual email and postal addresses[29]. Furthermore, some companies are starting to match offline and online data, and are able to put a name and yearly income to the users that have a certain cookie installed[30].

And if advertisers use that data, could someone else do the same? Family law attorney Brad LaMorgese thinks so, and plans to use it as evidence in lawsuits:
“It’s a great, ready-made source, almost puts the investigation together for you,” LaMorgese said, noting that how much money spouses spend online and what sites they visit are crucial details in a divorce case. “If someone is doing all sorts of things online, why wouldn’t a court want to know that?”[31]

As we have seen when reviewing the main players in search of a regulation, there is a huge tension between two different positions:

* The Advertising industry position is to let the market and the industry self-regulate, and see the profits rise.

* On the other side, the sectors concerned about privacy issues think that consumer privacy must be given special and priority consideration when government “measures” the economic benefits related to any data collection activity.

The representatives of both positions (the advertisers on one side; the privacy advocates and the Energy Subcommittee on Communications on the other) are each trying to advance their side in order to get a solid regulation. Both know that time is crucial and are trying to play with that. Now I’ll lay out the three most likely resolutions:

1. Self-regulation by the advertisers
o The advertisers need to implement the most urgent improvements collected in the Guidelines (such as the behavioral ad icon) and conduct a PR campaign to explain to users that advertising is a fair trade for the free content they are getting, as with TV, explaining how users are tracked and how to decide what is done with their data.

o And they need to do it before the Boucher bill is voted on, because even if it doesn’t pass but gets a significant amount of support, there will surely be some kind of Federal legislation soon.

o Other challenges they need to overcome are the huge privacy crises that services such as Facebook or Google create, and making sure that not only the main advertisers, but also middlemen such as RevTrax or even the ISPs, follow the Guidelines.
2. Strong Federal regulation
o Either the Boucher bill passes or a new proposal comes later and gets enough support. Here we would see the FTC as the main enforcer of the new rules. The more restrictive the legislation turns out to be, the more advertising companies and middlemen will struggle.

3. Congress doesn’t pass new legislation, but the FTC obtains power to impose a series of minimum standards
o That would be a compromise where the advertisers would accept being sanctioned by the FTC, create some kind of database in order to keep track of the different companies that engage in BT and how they use the data, and strictly follow the Guidelines.

In any of the aforementioned scenarios, what will surely happen is that the Internet user will have broader control over the information that advertising companies compile on them.

Also, Opt-out formulas will become clearer and more accessible, so those individuals really worried about how advertisers manage their data will be able to avoid BT and get the regular non-personalized advertisements.

But if Federal regulation passes, or if the FTC is allowed to tightly regulate BT practices, we may face a situation in which consumer privacy measures are taken in advance, as prevention: a situation where the FTC would allow a new development based on its potential ability to threaten privacy rights, more than on its commercial or inventive value. That will surely decrease the speed of innovation in the industry, and would even threaten the growth of this kind of advertising.

That last possibility raises another question: BT is designed to provide users with more relevant ads. That should translate into higher profits. Right now the online content industry, mainly news-related sites, is unable to become profitable offering free content that is paid for just with the money they receive from regular advertising. If BT doesn’t replace the classic random ads system and provide them with more profits, the Publishers will be likely to start charging for the content, or at least for the experience of browsing their content without seeing any kind of ad, damaging the ecommerce sector.


As technology guru Tim O’Reilly has stated, personal data collection can be key for a number of good purposes, foster invention and help to solve complex problems[32]. His point is that, in today’s world, technology is driving us to collaborate in ways that were previously impossible. And the sharing of data is one of the main ways in which this collaboration can really happen.

It is important to find a balance between innovation and the privacy concerns, because the latter can even prevent some users from buying online or freely surfing the Internet.

The users should be aware of how the bargain works (the advertising pays for the free content), and the advertisers should be more transparent about their activities. Also, the publishers should be clear about whom they track information for, or whom they permit to track users from their websites.

Regarding the debate about the Opt-in and the Opt-out, it seems clear that any user should be able to easily and effectively Opt-out from receiving behavioral advertisement. In the same way, there should be some kind of acceptance when anyone is about to gather from the user the kind of information that we have defined as sensitive or personally identifiable information.

Another restriction for the advertisers should be to use that sensitive and personal data only for the purposes for which it was given by the user. A different use of the data should be subject to a new consent.

It is dangerous to offer a “Do not track” list, at least under that name. It is dangerous because there is a big difference between BT and the telemarketing practices that the “Do not call” list tried to avoid: in BT the individual who asks to be on that list won’t receive less advertisement because of that, but will just see random ads when browsing. What is more, it is possible that, as BT ads are more profitable, this person will get more ads than a web user who doesn’t sign up for the list.

Regarding privacy policies, companies should be clear and simple. The user shouldn’t face such a number of choices that it causes paralysis. The policies should be appropriate for the average user of the site. That means that a site for teenagers should have a privacy policy much simpler than a forum for Linux programmers.

The alternative to BT will probably be to pay in order not to have ads at all, or to endure more regular ads when browsing the web, as the profit advertisers and Publishers get from today’s banners is decreasing, and even contextual advertising is stuck and not growing.

Summarizing, the privacy concerns should provoke some kind of regulation of BT, but always keeping in mind the advantages that this kind of advertisement brings.

[2] National Law Review
[4] Privacy & Security Law Blog
[5] Ars Technica
[6] Tech IT News
[8] Wired
[10] Wall Street Journal
[15] Information Week
[16] Legal Information Institute
[18] Law Journal Library
[20] Washington Post
[21] TechCrunch
[22] The New York Times
[23] Nieman Journalism Lab
[26] Broadcasting & Cable
[27] UIC
[28] Foresee Results
[29] Mediapost
[31] Advertiser tracking of Web surfing brings suits. The National Law Journal (March 2, 2009). Gale Document Number: A195138320
[32] Readwriteweb




Searching For a Behavioral Targeting Regulation Xurxo Martínez
COM 558 U.S. Digital Media Law and Policy MCDM Summer 2010