So it is surprising to learn that Mr. Martinez, an aide in the Illinois Senate, is also vigilant about his privacy online.
“I’m pretty aware of the fact that ANYTHING you do on the Internet pretty much should just be considered public,” Mr. Martinez said. While he knows that companies are collecting his data and often tracking his online habits so they can show him more relevant ads, he said, he would like to see more transparency “about what the company intends to do with your data and your information.”Those same questions of data collection and privacy policies are attracting the attention of Congress, too. There is no broad privacy legislation governing advertising on the Internet. And even some in the government admit that they do not have a clear grasp of what companies are able to do with the wealth of data now available to them.
“Like all privacy matters, it’s something that people need to be informed on,” Mr. Martinez said.
“That is why Congress, at this point, is wanting to gather a lot more information, because no one knows,” said Steven A. Hetcher, a professor at Vanderbilt University Law School. “That information is incredibly valuable; it’s the new frontier of advertising.”Beyond the data question, there are issues of how companies should tell browsers that their information is being tracked, which area of law covers this and what — if anything — proper regulation would look like.
On Aug. 1, four top members of the House Committee on Energy and Commerce sent letters ordering 33 cable and Internet companies, including Google, Microsoft, Comcast and Cox Communications, to provide details about their privacy standards. That followed House and Senate hearings last month about privacy and behavioral targeting, in which advertisers show ads to consumers based on their travels around the Web. If an advertiser knows that Mr. Martinez watches “The Colbert Report,” for example, it might show him an ad for “The Daily Show.”
As advertisers become more sophisticated about behavioral targeting, and online privacy standards become increasingly varied, regulators and privacy advocates are becoming concerned. A few companies have taken precautionary measures to try to fend off criticism; in the last few days, for instance, both Yahoo and Google have made it easier for people to opt out of targeted ads on their sites. But that may not be enough.
“Some type of omnibus electronic privacy legislation is needed,” said Representative Edward J. Markey, Democrat of Massachusetts, chairman of the House Subcommittee on Telecommunications and the Internet, “regardless of the particular technologies or companies involved.”He and the other members of the House expect to receive responses from all of the companies by early this week. With the responses to the House letters, “we can understand exactly what each sector of the communications industry is technically capable of doing, and how they use the information once they do get access to it.”
One of the controversial new behavioral-targeting technologies is called deep packet inspection, and a company that does it — NebuAd — was a focus of the July Congressional hearings.
In NebuAd’s version of deep packet inspection, a hardware device is put into an Internet service provider’s network that can track where users are going online. NebuAd looks for categories that the user will be interested in. If the device notes that a user is browsing or searching for sites about German automobiles, it can deliver an ad about German automobiles later that day, even when the user is on a site about pets.
NebuAd’s chief executive, Bob Dykes, who testified at the hearings last month, said his company protects privacy.
“We don’t have any raw data on the identifiable individual,” Mr. Dykes said in an interview last month. “Everything is anonymous.”He said NebuAd took several steps to ensure that the information could not be traced back to an individual or an Internet protocol address. The company avoids sensitive categories, he said; someone making a search about H.I.V., for example, would not see related ads. And NebuAd cannot gain access to secure sites.
Mr. Dykes came under scrutiny at the hearings for NebuAd’s technology and for how the company notified consumers.
The ways that some Internet service providers told consumers about their tracking were vague or too subtle, some privacy advocates and congressmen said.
NebuAd lost several customers this summer amid all the scrutiny, including CenturyTel, Charter Communications, WideOpenWest Holdings and Embarq.
“We will not be using this technology again until such time as all the privacy concerns have been addressed,” said Charles Fleckenstein, an Embarq spokesman.Mr. Dykes said, “We are perfectly O.K. for some of our partners to wait until we have a better, more informed education of the public and folks in Washington before they resume their rollout.”
The NebuAd controversy illustrates the difficulty of regulation in online advertising, when new ways of tracking users arise regularly and companies have different ways of handling data.
The Federal Trade Commission has made some tentative steps toward standards, including a December proposal on behavioral-advertising practices. The proposal suggested that companies provide a clear notice to consumers that lets them opt out of tracking, notify consumers if the company changes the way it uses the data and use reasonable security measures. It also sought comment on several matters.
But Lydia B. Parnes, the director of the F.T.C.’s Bureau of Consumer Protection, has said she supports industry self-regulation, saying that it isn’t yet clear that the consumer is being harmed and that regulations might be too specific to current technologies. Laws have been made on slices of the privacy pie, including data about finances or children. But complying with various pieces of legislation is difficult, companies said.
“Compliance is becoming very complex and not very clear in terms of what applies to a new and emerging business model,” said Mike Hintze, the associate general counsel at Microsoft. “From the company’s perspective of trying to comply with these laws, we thought a comprehensive federal privacy law made a lot of sense.”There is some industry support for a comprehensive law, but any wide-ranging law would require some legal wrangling.
“They’re raising these bigger-picture questions, and those questions are inherently intertwined not just with privacy laws, but also with contract law, computer-intrusion law, consumer-fraud law,” said Andrea M. Matwyshyn, an assistant professor of legal studies and business ethics at the Wharton School at the University of Pennsylvania.
“When legislators are trying to regulate in this area, they’re always caught a little bit between a rock and a hard place,” she said. “You don’t want to adopt a technology-specific standard that’s destined to fail as technology advances faster than the law can ever hope to embody. At the same time, you need to allow adequate specificity in the law to allow companies to comply with it and allow consumers to know what their rights are.”Some advertising industry groups say self-regulation is enough. The most prominent programs are the Online Privacy Alliance and the Network Advertising Initiative. Both ask members to follow principles on notifying consumers and avoiding personally identifiable information.
Regulation is “certainly going to have unintended consequences and unintended impact,” said Mike Zaneis, the vice president for public policy at the Interactive Advertising Bureau, a coalition of online advertisers.
Some civil liberties groups disagreed.
“There’s a self-regulatory program out there which hasn’t been very effective,” said Alissa Cooper, the chief computer scientist at the Center for Democracy and Technology. She said her organization was concerned about NebuAd’s technology. As for general federal privacy legislation, she said, the center supports it but thinks more information is needed about data-handling.
The letter from the House committee, she said, was “a really welcome development in the absence of any kind of regulation.”
“The companies don’t feel the need to explain everything they’re doing,” she said, “so a little bit of pressure from Congress or the F.T.C. can go a long way.”
As government representatives think about legislation, they are also trying to gauge how aware and concerned consumers are about online privacy. A recent study of about 1,000 Internet users asked them if they agreed with the statement that they were comfortable with advertisers’ using their browsing history to decide what ads to show them. Thirty-nine percent strongly disagreed; only 6 percent strongly agreed. The study was conducted by TNS Global, a research firm, and TRUSTe, an online privacy network.
Is privacy a concern for younger consumers, who are splashing personal details all over MySpace? The sparse data available suggest that it is. A study last year of 2,274 British adults showed that people ages 18 to 24 considered privacy tied with “avoiding hate and offense” as the most important consideration in digital technologies. For older people, privacy was second to “avoiding hate and offense.” The study was conducted by YouGov, a British research firm.
“People my age — in their 20s or in their 30s — a lot of them are very clued up on protecting privacy on the Internet,” said Ben Saxon, 23, a student in Cambridge, England. He has started a Facebook group objecting to Phorm, a NebuAd-like company that is working in Britain and is starting to court the United States market.ORIGINAL ARTICLE
Still, he said, “I don’t think complete privacy on the Internet is actually possible anymore.”