
Chapell Blog: The Chapell view on privacy issues of the day.

Friday, July 1, 2005

Cable's Big Bet On Hyper-Targeting  BusinessWeek - June 29, 2005

Time Warner will test new software that sends different ads to different viewers. Imagine the scene. You're relaxing at home, engrossed in the flickering images on your big-screen TV. Ahhh, nothing like really great programming. Except in this case, it's not a show that's got your attention; it's a 30-second commercial.

 

The Chapell View                              

You really know that behavioral targeting has hit the mainstream when the cable and television people start to use it. I’m a big fan of any technology that promises to increase the relevance of advertising IF it does so in a privacy neutral way. Of course, that’s a big IF. In the context of the Internet, behavioral targeting is generally conducted in a way that is privacy safe. The online folks have learned from the sins of the past, and (thanks to my friend Trevor Hughes and the NAI) have developed a set of principles and best practice standards for online profiling.

 

As I think about using behavioral targeting in the context of cable and network television, a few questions come to mind. For example, how will the cable companies notify their subscribers about this type of program? Will TV viewers have the ability to opt-out from this type of profiling? How is this information stored? Will viewing habits be combined in some way with other offline demographic information – for example, the billing address of the cable subscriber? If a cable subscriber also subscribes to the cable company’s ISP and phone service, will any of that information be used to augment the targeting database? Ad relevance is wonderful, but if these questions are not adequately addressed on the front end, the burgeoning set-top behavioral industry will be set back several years via consumer backlash, advocacy and perhaps new legislation. This type of targeting was not really envisioned by the drafters of the Cable Television Consumer Protection and Competition Act of 1992.

 

In many respects, set-top box behavioral targeting is similar to online behavioral targeting, and will need to address many of the same issues. I’d like to see the NAI Principles expanded to incorporate this and other new vehicles for behavioral targeting.

 

Thursday, June 30, 2005

Grokster: Get Over It  Mediapost - June 30, 2005

BY NOW, EVERYONE IN THE industry knows that the United States Supreme Court ruled earlier this week that file-sharing services could be held liable for copyright infringement by consumers using their services. This is big. It means that companies can no longer operate such services without assuming some liability for how they are used. Many in our industry are disappointed by the decision, concerned that holding the creators of technology liable for any one of a myriad of uses will discourage innovation.

 

The Chapell View                              

I have a tremendous amount of respect for Dave Morgan and Tacoda – sharp guy, great company. Dave revealed a number of his personal and professional biases – except for one. I dunno, maybe he thought it was too obvious to bother mentioning.

 

Tacoda is in direct competition with many of the Adware companies that bundle their software alongside file sharing programs. In other words, the Tacoda network is in many instances vying for the same ad dollars as the Adware companies. And this competition is only going to intensify if/when other Adware players move towards Behaviorlink (behavioral network) type networks. To the extent that Adware company distribution efforts are hurt by the Grokster decision, Tacoda may enjoy a relatively better position in the marketplace.

 

I’m not here to take Dave to task for this – just to make a larger point. One of the most interesting and exciting aspects about the whole Adware / online profiling / behavioral targeting debate is that each group is morally convinced that they are in the right. And it just so happens, that their definition of what’s right seems to line up in near-perfect symmetry with the business goals of their respective companies.

 

Perhaps this is why our friends at Microsoft can simultaneously (and with a straight face, I might add) offer THAT operating system, develop an anti-spyware software program AND contemplate the purchase of Claria. (As an aside, I can remember an episode of the old Batman TV series where the Penguin poisoned the water supply and then tried to charge people for the antidote. Talk about reality imitating art – of course, that assumes you define the Batman series as “art.”)

                                

Thomas Jefferson believed that factions were a good thing for society because they diffused the power of the elite. I wonder if this is what he had in mind?  (:

 

And just for the record - I have and continue to work with some of Tacoda’s competitors, including some in the Adware space.

 

Tuesday, June 28, 2005

Equifax CEO says no easy answers for identity theft  MercuryNews - June 28, 2005

The public's fear of identity theft has led to big profits for Atlanta-based credit-reporting agency Equifax Inc., but the company's outgoing CEO said Monday that he worries whether concerns over data security could eventually stifle consumer spending. "It's an epidemic that worries me to death," said Thomas Chapman, chairman and CEO of Equifax, one of the nation's top three credit-reporting companies, following a speech to about 50 people in attendance at the Commonwealth Club of California, a public affairs forum.

 

The Chapell View                              

Daddy, where does ID theft come from? I’ve read many articles that outline the connection between ID theft and Spyware, keystroke logging, and other nefarious creatures of the online universe. I’ve also read about the 100 million consumer records that have been breached over the past nine months, and their connection to ID theft. I ALSO looked at the study conducted earlier this year by BBBOnline, which indicated that most ID theft was perpetrated by people who know the victim.

 

My question – does anyone know what the leading cause of ID theft is? Seems to me, that if we want to know how to stop it (or at least do a better job of protecting ourselves from it) we should have a more complete answer to that question.

 

Friday, June 24, 2005

Only YOU Can Prevent … Privacy Concerns?  iMediaConnection - June 23, 2005                    A Chapell Article       

At OMMA-West in San Francisco on June 6th, I heard Bob Garfield opine on the future of advertising. For those of you who didn’t attend Garfield's discussion, he looked 20 years into the future towards a world which, in many ways, resembles that of George Jetson's. In the era of the Jetsons, advertisers will be able to know what consumers want and when they want it. In the era of the Jetsons, advertising won’t be intrusive to consumers, and all consumer privacy issues will be adequately addressed. It will be a wonderful, Utopian society.

 

The only trouble is -- we’re not there yet.

 

Thursday, June 23, 2005

Pentagon Creating Student Database  Washington Post - June 23, 2005

The Defense Department began working yesterday with a private marketing firm to create a database of high school students ages 16 to 18 and all college students to help the military identify potential recruits in a time of dwindling enlistment in some branches. The program is provoking a furor among privacy advocates. The new database will include personal information including birth dates, Social Security numbers, e-mail addresses, grade-point averages, ethnicity and what subjects the students are studying.

 

The Chapell View                              

As the U.S. Government increasingly turns to the private sector as a means to circumvent the spirit of the Privacy Act, it’s difficult to avoid feeling somewhat helpless. While I recognize that the cultural and political pendulum swings to the far right these days, I’d like to think that much of the progress made during the 1960’s & early 70’s isn’t going to vanish in the proverbial haze of post 9-11 America. But little by little, our nation is heading towards a type of surveillance society that was unimaginable even ten years ago.

 

Tuesday, June 21, 2005

Gov't Collected Data on Airline Passengers  NY Times - June 22, 2005

Air travelers who have been concerned about the government collecting their personal information from airlines now have a second source to worry about: commercial data aggregators. The federal agency in charge of aviation security revealed that it bought and is storing commercial data about some passengers -- even though officials said they wouldn't do it and Congress told them not to. The Transportation Security Administration is testing a terrorist screening program called Secure Flight that uses information about U.S. citizens who flew on commercial airlines in June 2004. ''This is like a secret file that's been compiled,'' said Tim Sparapani, a privacy lawyer with the American Civil Liberties Union. The TSA hopes that successful testing of Secure Flight will allow it to take over from the airlines the responsibility for checking passenger names against terrorist watch lists. But Secure Flight and its predecessor, CAPPS II, have been criticized for secretly obtaining personal information about airline passengers, not doing enough to protect it and then misleading the public about its role in acquiring the data.

 

The Chapell View                              

Congress needs to completely deconstruct the TSA – and I mean completely. Take apart the TSA office buildings a la the Abu Ghraib prison. Salt the earth like the Ancient Greeks used to do. Let’s just take a mulligan on this one – and start over.

 

Adding to their list of questionable decisions, the TSA has engaged data aggregators to help…

 

Ahh yes, the data aggregators. The same group that disenfranchised voters in Florida a few years ago. The same groups which have come under fire recently for their role in many of the data breaches.

 

Anyway - I have a brand spankin new data aggregator story for you. Bear with me – I’m going somewhere with this.

 

A friend of mine works at a large Ivy League Medical Research lab. Her office engaged one of the data aggregators to compile updated information on study subjects. (Ensuring HIPAA compliance, of course.)

 

As you probably know, some of the large data aggregators have recently undergone some significant changes to their methods and procedures in light of the ChoicePoint scandal. About a year ago, ChoicePoint was bamboozled by a group of Nigerian credit card scammers. The scoundrels (the Nigerians, not ChoicePoint) had posed as legitimate businesses in order to obtain access to ChoicePoint’s data products.

 

In order to ensure that their company doesn’t succumb to a similar fate, the data aggregator put the Ivy League Research Lab through three months of hoops – requesting copies of the university’s charter, photos of the building, etc. – in order to ascertain that the university is, in fact, a legitimate entity. Seems like a bit much for me given that the University is pretty much a household name, but whatever – rules are rules. And ensuring privacy is a priority, right?

 

Once satisfied, the data aggregator accepts the University’s data file, and begins work.  After a few weeks, the data aggregator returns a file that “they’re pretty sure was encrypted.” Again – great idea – ensuring privacy is a priority, right? Unfortunately, the data company must have done too good a job encrypting the data, as it was completely unreadable to the University staff.

 

When the University complained, the data company sent over another file to the University. The good news is that the file was completely readable. The bad news is that it was the wrong file. The new file included some other company’s data – including names, addresses, phone #, and private health information.

 

By now you’re probably wondering – is there a point to this story? I have two:

 

1.      All the planning and due diligence in the world can sometimes be undone by one careless mistake.

2.      Data is becoming more burdensome to obtain. And it will only get more bureaucratic as additional privacy legislation is ushered in.

 

Friday, June 17, 2005

Marketers Seek To Make Cookies More Palatable WSJ – June 17, 2005

Online marketers are scrambling to protect one of the key tools of their trade: the cookie. Faced with reports showing that more and more computer users regularly delete the tracking files automatically downloaded by Web browsers, marketers and Web site publishers are launching a "cookies can be good for you" campaign. They argue that cookies -- small files that Web sites use to identify users and to serve up targeted ads -- don't deserve their bad reputation and shouldn't be lumped together with such Web scourges as spyware and viruses.

"There is a culture of fear in the marketplace" when it comes to consumer attitudes toward cookies, says Nick Nyhan, president of New York-based Dynamic Logic Inc., which uses cookies to measure the impact of online ads for companies such as General Motors Corp., PepsiCo Inc. and Yahoo Inc. "The industry needs to respond to that fear."

 

The Chapell View                              

I’m a big fan of SafeCount, and absolutely support their mission.

 

On a side note, I am extremely concerned about the use of Flash technology to “replicate” the tracking functionality. Using flash to track consumer movements is a bad idea:

1.      Consumers are already concerned about having their online movements tracked.

2.      Cookies can be removed, while it’s unclear how to disable the Flash functionality. In fact, I’m not even sure that Macromedia places the Flash program in the add/remove.

3.      The average Internet user would have no idea that Flash was being used to track their movements.

4.      This would seem contrary to the mission of SafeCount, which seeks to reach out and educate consumers.

5.      We’re playing into the hands of the anti-spyware companies, who will eventually be able to detect the presence of the flash technology (if they can’t already) and remove it from consumer desktops.

 

I’ve heard members of the advocacy community refer to cookies as Spyware. I don’t agree with that characterization. Having said that, if your organization begins to use Flash (or any other downloadable program) to track consumers, and you don’t tell them about it, and there’s no reliable way of removing the program from the desktop --- don’t know about you, but that’s starting to sound a lot like Spyware to me.

 

 

What Will Erode Confidence in Online Next? Try Click Fraud MediaPost.com – June 17, 2005

Let's see now...consumers are so dismayed and frustrated with how online marketers track them around the internet, they download programs to sweep their hard drives of any programs they're unfamiliar with, including the harmless cookies that we use to quantify our campaigns, and their results. That's bad enough - but the real darling of interactive for the past two years has been Search, of course. And Search is quantified on clicks - not cookies. Search - or SEM, more precisely - has been responsible for the lion's share of the increase in online ad spending during the past two years, no matter how you slice it.

 

The Chapell View

Mark Naples is a smart guy and a good friend. I would take his argument a few steps further, though. Our industry is just beginning to address Adware/Spyware and click fraud, and it’s time to admit that these are merely the tip of the iceberg. Yes, we need to devise a process for advertisers to monitor Adware companies, and Adware companies to their distribution partners. We also need a process for the Leviathan otherwise known as affiliate marketing. Moreover, Ebay is suffering from a loss of consumer confidence as a result of the company’s inability (some might say unwillingness) to effectively police its user base and protect consumers against the nefarious scam artists who are perceived to be running amok these days.

 

Pure, Darwinian market forces are achieving less than stellar results. We as an industry need to do a better job of self-regulating the markets that we’ve created. More on this in the very near future.

 

 

Wednesday, June 15, 2005

Senate Takes up Data Security Law  InternetNews.com – June 15, 2005

With growing evidence that Americans want new data privacy laws, the U.S. Senate opens a series of hearings today on legislative solutions to data breaches and identity theft. Thursday's full Senate Commerce Committee hearing will not specifically address any of the several bills introduced in the 109th Congress, which combat identity theft and force data brokers to disclose breaches of personal information to consumers.

 

The Chapell View                              

Not much new information here. Consumers are drawing a connection between ID theft and Internet usage – and in some cases are curtailing their use of the Internet as a result. While Spyware and online scams certainly have played a part in ID theft, most of the ID theft cases of any significance over the past six months are a result of offline data breaches. The ChoicePoint scandal had nothing to do with the Internet – neither did the recent MasterCard data breach.

 

Monday, June 13, 2005

Cash-Strapped Airlines Try In-Flight Advertising MSNBC – June 7, 2005

On a recent Alaska Airlines flight, passengers were told to remain buckled and seated for the last 30 minutes before landing at Reagan National Airport. It was a standard security measure for flights heading into restricted airspace over Washington. It also turned a planeful of passengers into captive customers who were then pitched a Bank of America Visa card -- with little chance of tuning it out. Over the intercom, a flight attendant encouraged passengers to sign up for the Bank of America credit card. Then other flight attendants went down the aisle handing out applications.

 

The Chapell View

Sooner or later, I’m going to be on one of these airplanes. I’ll be heading out to make some big presentation – which, by the way, I won’t have even begun writing until I get onto the plane. I’ll feel particularly lucky as the infant in the seat behind me has fallen back to sleep. And then just as the plane reaches the 20,000 feet mark and the captain has OK’d the use of my laptop, I’ll hear some voice come over the PA – telling me about the wonderful new “mile-high” card from Visa. And I won’t be able to silence the voice. That DAMN voice. Hitting the “stewardess service” button above won’t make it stop…. AAAARRGGGGG!

 

When are advertisers going to stop focusing on intrusion, and start focusing on relevance?

 

Thursday, June 9, 2005

Symantec Sues Hotbar.com in Adware Case MSNBC – June 7, 2005

Symantec Corp., which makes Internet security software, on Tuesday said it filed a lawsuit against an Internet company Hotbar.com to seek the right to label some of its program files as adware. The company said it is not seeking monetary damages as part of the lawsuit filed in U.S. District Court in San Jose, Calif. Instead, Symantec said it wants to be able to help its customers remove adware programs from their computers that are linked to Hotbar.com's products. A spokesman for Hotbar.com could not be immediately reached for comment. The New York-based company develops a variety of products aimed at Internet users, including e-mail tools and desktop toolbars.

 

The Chapell View

Is this a case of man bites dog – or dog bites man?

 

The Scarlet “A” --- “Adware” is now so politically charged that companies are actually taking legal measures to avoid having the term applied to their company. Any way you look at it, the term “adware” is not meaningfully different than “spyware” – and certainly not in the mind of the consumer.

 

Tuesday, June 7, 2005

Citi notifies 3.9 million customers of lost data MSNBC – June 7, 2005

CitiFinancial, the consumer finance division of Citigroup Inc., said Monday it has begun notifying some 3.9 million U.S. customers that computer tapes containing their personal data had been lost. New York-based Citigroup said the tapes were in a box shipped in May via UPS Inc. from a Citigroup facility in Weehawken, N.J. to an Experian credit bureau facility in Allen, Texas. Data on the tapes included account information, payment histories and Social Security numbers.

 

The Chapell View

I shudder every time another data breach is announced. It seems like we hear about another one almost every week. And it occurs to me that the NUMBER of breaches has not changed, just the DUTY to disclose. I wonder how many of these breaches have occurred over the past five years? And how many people’s lives have been ruined by ID theft as a result of a breach?

 

Ironically, up until now, Citicorp has done a pretty good job using privacy as a marketing tool. Will claims that Citicorp is a privacy safe organization continue to resonate with consumers after this incident? We’ll see.

 

Btw, offering three months of credit protection is an insult to customer intelligence.

 

Monday, June 6, 2005

Phishers get smarter ZDNET UK – June 6, 2005

Phishing attacks are getting harder to spot as cybercriminals become increasingly skilled at disguising their fraudulent Web sites. Phishers are becoming increasingly sophisticated in their attempts to grab user names, passwords and other personal data from users of commercial websites, according to latest industry research. April's report from the Anti-Phishing Working Group, published on Monday, indicates an 11 percent drop in the number of reported attacks using simple IP address domains. The overall number of reports continued their upward trend to reach 14,441 for the month, said the APWG, which compiles its report with the help of WebSense.

 

The Chapell View

Given that the number of phishing emails has reached epic proportions, I am amazed when I receive (or hear of) traditional, legit brands who still send their customers email messages asking them to update their address and/or account information. C’mon folks, consumers are already confused enough. Let’s not muddy the waters further by imitating the bad guys!

Tuesday, May 31, 2005

I.B.M. Software Aims to Provide Security Without Sacrificing Privacy NYTimes – May 24, 2005

International Business Machines is introducing software today that is intended to let companies share and compare information with other companies or government agencies without identifying the people connected to it. Security specialists familiar with the technology say that, if truly effective, it could help tackle many security and privacy problems in handling personal information in fields like health care, financial services and national security. "There is real promise here," said Fred H. Cate, director of the Center for Applied Cybersecurity Research at Indiana University. "But we'll have to see how well it works in all kinds of settings."

The technology for anonymous data-matching has been under development by S.R.D. (Systems Research and Development), a start-up company that I.B.M. acquired this year.

 

The Chapell View

Hurrah for Big Blue!!! While I recognize that this technology is still in development, I like what I see so far. Any time you can enhance an organization’s (in this case Government) use of data while simultaneously decreasing the risk to privacy rights, you’ve got a win/win.

 

Monday, May 30, 2005

After theft, Bank of America tightens online security  InfoWorld – May 26, 2005

Just days after confirming that information on about 60,000 of its customers had been stolen by an identity-theft ring, Bank of America on Thursday announced plans to tighten security for its online banking customers. Beginning next month, the Charlotte, North Carolina, bank will begin offering a new service called SiteKey that will make it harder for thieves to access Bank of America accounts. SiteKey will recognize when a Bank of America account is being accessed via an unknown computer and will generate a predetermined "challenge" question, adding another level of security to the process of logging in. The software also lets users choose a specific image -- a photograph of a dog, for example -- that can then be re-shown to users in order to reassure them that they are actually visiting the Bank of America Web site, and not some other site masquerading as www.bofa.com.

 

The Chapell View

I like the SiteKey program – a lot!!! To date, Citicorp is one of the few banks to actively use privacy and security as differentiators. I hope that Bank of America will use this program as a way to set their company apart from the competition.

 

I do see one problem with SiteKey, however. And this is a similar problem faced by almost all security and authentication programs. Users tend to have trouble remembering their passwords. There’s an inherent difficulty when setting up a password or challenge response answer. You want to make it complex enough so that the bad guys don’t get a hold of it, but not so complex that you can’t remember it. And it would be bad enough if you only had to remember one or two passwords, but many of us have dozens of different passwords to remember. I, for example, have a separate password for:

·         My Computer

·         My Hotmail Account

·         My Yahoo Account

·         My Gmail Account

·         The ChapellAssociates.com Server.

·         My Business Online Banking Account

·         My Personal Online Banking Account

·         My ATM Pin

·         The UID and Password to access my Blackberry.

·         Half of the web sites that I visit regularly…

 

And that’s just off the top of my head.

 

My point being, that in order for me to be smart about my security, I would need to remember a dozen different passwords. Given that I can just about remember my own bank account number, that’s a difficult task.

 

Someone in the technology world needs to come up with a better method of authentication.

 

Friday, May 27, 2005

Assigning a Value to E-Mail Addresses Washington Post – May 25, 2005

E-mail addresses have a shelf life. Nearly a third of them go bad every year. Some e-mail addresses are gold, others are duds, and some only behave the way you want them to at particular times of year. What's a marketer to do? First, you must understand the customers and prospects these addresses represent. Analyze customer spending, behavior, and the acquisition source. Though most marketers associate an e-mail address to an individual, far fewer associate a value with that e-mail address. A Jupiter Research report I wrote last year finds 71 percent of e-mail marketers surveyed didn't associate a value to their e-mail addresses.

 

The Chapell View

A nice piece by Dave Daniels of Jupiter. It’s too bad that so many companies aren’t willing to put the extra work into their email campaigns.

 

Here’s what I don’t get about email marketing. And for the purposes of this rant, I’m talking primarily about companies that use email to move merchandise (as opposed to companies that use it for branding, to drive traffic, etc.) Nearly two years ago, just about everyone using email as a marketing tool was in a near panic as the specter of California’s email law hovered over the industry. If you remember, it was not a certainty that the Federal Can-Spam law would be promulgated in time to supersede the CA law. In the rush to compliance with the impending Legislation, it really seemed as if the majority of marketers were beginning to recognize that email was an exhaustible resource, and many were moving away from an email blast (spray and pray) philosophy towards a customer data driven philosophy.

 

But that was then…

 

And once marketers became comfortable with the relatively toothless Can-Spam Law, many seem to have reverted back to their old ways. Do you need some additional revenue to meet your quarterly number? Blast out another email. Is your company seeing declining response rates? No worries, simply sharpen your pencil and offer deeper discounts. It’s a shame, really.

 

Thursday, May 26, 2005

A Matter Of Public Record Washington Post – May 25, 2005

Betty (but call her BJ) Ostergren, a feisty 56-year-old from just north of Richmond, is driven to make important people angry. She puts their Social Security numbers on her Web site, or links to where they can be found. It's not that she wants CIA Director Porter J. Goss, former secretary of state Colin L. Powell, or Florida Gov. Jeb Bush to be victims of identity theft, as were millions of Americans in the past year. Ostergren is on a crusade to scare and shame public officials into doing something about how easy it is to get sensitive personal data.

 

The Chapell View

A good article by Jonathan Krim. Ms. Ostergren is part of a legion of independent stalwart privacy advocates. More and more regular folks are increasingly frustrated by the amount of private, personal data that is publicly available. And they are “taking it” to our elected officials any way that they can.

 

Part of the problem is that we as a society still don’t fully understand the ramifications of placing large amounts of data into databases.

 

The other part of the problem is that proposing the painstaking task of having each municipality scrub their records and remove sensitive information isn’t going to propel any politician up the next rung of the political ladder. It’s much sexier to address consumer nuisance issues such as spyware and spam. I find it unlikely that the victims of identity theft care much about the specific source – be it spyware or a title search they conducted twenty years ago.

 

Tuesday, May 24, 2005

Friendster is no friend of privacy Q Daily News – May 20, 2005

Wow, Friendster just violated their own Privacy Policy and gave my email address out to a third party for use in administering a survey. How do I know it was them? Here’s the story. At 4PM today, I received an email asking me to participate in an online survey about online social networks. Since it was about a topic other than penis pills, breast enlargement, poker, and child porn, the email immediately seemed different than the normal spam that slips through my filters, so I opened it to see what it was all about. It was sent to the unique email address I used ages ago to sign up for Friendster, so by that measure, it was clear that this wasn’t just a blanket spam that happened to land in the inbox of someone who actually has used a social network site. Interested in how the third party (Q&A Research) had obtained the email address, I went to the survey website to see if I could find a way to call and ask; not finding any such contact information, I checked the company’s WHOIS record, and called the listed number.

 

The Chapell View

I usually don’t post other blog postings unless I know and trust the poster. In this case, I don’t know Jason from Q Daily News, so I can’t make any representations about the accuracy of his posting. Having said that, I thought it was an interesting read nonetheless.

 

User Generated Content (UGC) continues to proliferate. Some of it is insightful – some of it is crap. Business will increasingly need to deal with UGC, although many companies are choosing to ignore UGC for the most part. I think that’s a mistake, because there is a good deal of information that can be mined from UGC. The key is figuring out a way to sort through all the clutter in order to find information that is useful. And that can be like finding the proverbial needle in a haystack. Case in point – I spend a certain amount of time each day sorting through various anti-spyware blogs. Some of them are right on the money, while others are confused, convoluted rants from people who could barely operate a cash register let alone run a business. But if I want to get to the good stuff, I need to wade through the bad. I wonder if someone couldn’t figure out a way to automate this process?

 

 

This posting also gets me to revisit a previous rant regarding the privacy policy of an online travel website. Back when I first blogged on this subject, I was reluctant to mention the website’s name. I figured that with a little bit of patience, I’d be able to convince the company to do the right thing. Well, it’s been well over a month, and I haven’t gotten anywhere with these people. In case you were wondering, the site is www.Hotels.com, a wholly-owned subsidiary of IAC/InterActiveCorp.

 

Anyway, here’s the story…

 

As a result of a purchase I made on Hotels.com, I was somehow enrolled in a “Travel Rewards” program from one of their affiliates. Now I have ZERO recollection of signing up for this program, and but for the $10 charges to my credit card, I would not have even known that I was enrolled. When I confirmed that I’d been enrolled as a result of a purchase I’d made on Hotels.com, I decided to end my relationship with Hotels.com. Here’s where the fun started…

 

 I sent an email to Hotels.com’s Customer Service group – asking them to remove all my personal information from their records. One would figure that this isn’t a very big deal as their web site privacy policy states:

 

 “If a visitor’s personally identifiable information (for example, their zip code, phone, email or postal address) changes or if a user no longer desires our service, we provide a way to correct, update or delete/deactivate visitor’s personally identifiable information.” (I paraphrased this to protect the company)

 

 

Well, I’m on my TENTH email requesting that they remove all my info, and here are the responses I’ve been getting from their CS group.

 

 

·         “Thank you for your reply. We can remove your e-mail address from our system so that you will not receive anymore offers. However, we are unable to remove your account from our site. Once you have registered with our services the account always remain active.”

 

·         “Please be advised your email address has been deleted from our newsletter.”

 

·         “Due to security reasons, we do not hold your personal & confidential information.”

 

·         “Please be advised if you have made a reservation or submitted information to us, this information will remain. This is not to be deleted, nor is your confidental information given out.”

 

I’ve also called a number of times, and was assured that they would have my information removed.

 

Finally, I asked them repeatedly to have their general counsel contact me. The CS person finally agreed, indicating that someone from their legal team would contact me. That was at least two weeks ago.

 

If you are a reporter and are looking for a good story, here it is. I am happy to provide any information you’d like. And needless to say, I will NEVER patronize Hotels.com again!

 

Thursday, May 19, 2005

Personal Data for the Taking NYTimes.com – May 18, 2005

Senator Ted Stevens wanted to know just how much the Internet had turned private lives into open books. So the senator, a Republican from Alaska and the chairman of the Senate Commerce Committee, instructed his staff to steal his identity. "I regret to say they were successful," the senator reported at a hearing he held last week on data theft. His staff, Mr. Stevens reported, had come back not just with digital breadcrumbs on the senator, but also with insights on his daughter's rental property and some of the comings and goings of his son, a student in California. "For $65 they were told they could get my Social Security number," he said. That would not surprise 41 graduate students in a computer security course at Johns Hopkins University. With less money than that, they became mini-data-brokers themselves over the last semester. They proved what privacy advocates have been saying for years and what Senator Stevens recently learned: all it takes to obtain reams of personal data is Internet access, a few dollars and some spare time.

 

The Chapell View

A few years ago, while working for email marketing firm Yesmail/ClickAction, I was given the tour of parent company infoUSA’s data facilities. They walked us through the process of aggregating all the data. Most of the basic data they have is obtained and updated via public sources.

 

First, I’ve got to award a gold star to whoever at infoUSA devised the M&P’s for obtaining the data. Mussolini could not have been so well organized, or thorough, in his approach. It’s like watching a scene from Willy Wonka. Hundreds of employees doing painstaking work which in and of itself seems irrelevant to the task at hand. But once all the work has been done, and all the data has been accounted for, the end product is like magic.

 

The trouble with magic (as I well remember from many a childhood storybook) is that it can be used for good or for evil. Similarly, large databases of information are by definition agnostic. They can be used to help to enrich lives – and if used irresponsibly, can literally ruin lives.

 

Wednesday, May 18, 2005

Store's Floor Model Computer Loaded With Woman's Personal Info  TheDenverChannel.com – May 7, 2005

Imagine receiving a phone call from a stranger who knew your most private thoughts, knew what you looked like, knew your Social Security number, and even knew how much you make and where you work. That happened to a Colorado woman after she took her computer to a major electronics store. Her situation may be surprising given all the warnings about identity theft. But it's not surprising if you think for a moment about what's on your personal computer. There may be files about your income, business records, taxes, personal e-mails, dirty jokes, pictures and more. It's all personal information unless you took your computer to a local retailer. Susan, who asked us to conceal her true identity, did just that.

 

The Chapell View

Companies are just plain weird when it comes to data. Perhaps it’s because data is not a tangible thing like a book, or a car, or a cheeseburger. But common sense seems to go out the window when it comes to data.

 

Case in point - I could certainly see how a teenaged Circuit City employee might copy this woman’s info onto a floor model computer. (Maybe it was a prank, maybe the employee simply forgot to remove the information from the floor model.) However, why in the world would Circuit City take the position that they are not responsible for protecting this woman’s information? Information is property, and once the retailer takes this woman’s property into their possession, they have to accept some responsibility for ensuring its care. If a Circuit City employee took possession of her computer, and then accidentally dropped it on the floor, the store would be responsible for fixing or replacing it, no?

 

I realize that we don’t have all the facts yet, but nonetheless… OIY!

 

This seems like a situation that could have been completely resolved with a sincere apology and a gift certificate. Now it’s going to cost a lot more…

 

Tuesday, May 17, 2005

Protect passwords? Not if latte is free MercuryNews.com – May 6, 2005

Would you give up your computer passwords for a Starbucks latte? “imasexyguy” did. So did “raiderfan.” The football fanatic even gave it to a radio reporter -- to put on the air. And then he told the interviewer he still wasn't going to change it. In a marketing stunt designed to shine a light on sloppy personal cybersecurity, VeriSign on Thursday offered passersby in downtown San Francisco $3 coffee coupons if they would reveal their passwords to survey-takers. Two-thirds of the 272 respondents turned over their passwords without flinching. The rain and then a BART bomb scare seemed more problematic. A few who said they simply would give a made-up password were dropped from the results, though they did get free coffee. And with a little coaxing, 70 percent of those who said “no way” gave up significant hints, like wife's name, anniversary date and the ever popular pet's name.

 

The Chapell View

OK. Before I even get to the article, I’ve gotta comment on the MercuryNews’ registration process. Holy smoke, people. Two full pages of offers to cull through and then I get a series of pop-overs. It’s their web site, and they can do whatever they want, but I’m unlikely to visit that site again soon… When making the exchange between free content and advertising, it’s very difficult sometimes to find the right balance. Mercury’s gone over the line, at least according to this cowboy.

 

 

Anyway, this is all a bit ironic given the topic of the article. One of the challenges that privacy professionals consistently come up against is that consumers generally don’t take responsibility for ensuring the safety of their own personal information. Consumers will give up whatever they have to in order to get WHAT they want WHEN they want it. How do you help someone who won’t help themselves? How seriously can you take the concerns of someone who doesn’t want pop-up ads, but doesn’t bother reading the EULA before downloading the P2P software?

 

Trouble is… privacy professionals (and marketers and publishers for that matter) don’t have the luxury of not taking consumer concerns seriously. So what do we do? Should we gradually continue to push the envelope on privacy and hope that consumers (and lawmakers) will simply continue to grumble and not take real action? Or do we push forward trying to broker deals on industry best practices for privacy? I genuinely believe that the latter is the best course. But I have to admit – when I hear of stories such as “coffee for your password,” it makes me wonder…

 

One other comment – What is the nexus of most ID theft crimes - unguarded computer passwords or data aggregators with insufficient privacy and security procedures?

 

Wednesday, May 11, 2005

Police keep an eye on city NY Times – May 5, 2005

Allison Davis, who lives in the suburbs and works downtown, was strolling past Lexington Market on her lunch break yesterday when she first noticed the small glass orb mounted on the side of a building. "I don't think it is such a bad thing in this area," Mrs. Davis, 27, said of the police surveillance camera, one of 43 that Baltimore police turned on yesterday to watch and digitally record, around the clock, everything that happens on the block. Residents in neighborhoods struggling with street-crime problems likely will welcome the cameras, Mrs. Davis said. But if the system expands to "places without a lot of crime," she said, "it would freak me out."

 

The Chapell View

I find it interesting that the cameras were purchased with “homeland security” funds. If God forbid a terrorist unleashes a dirty bomb on the West side of Baltimore, I’m sure it will be some small consolation that we were able to capture on film the exact moment that he met the Almighty…

 

Monday, May 9, 2005

Cookie Saga: Consumer Education Needed iMediaConnection.com – May 9, 2005 – A Chapell Article

Mark Twain once quipped, “Rumors of my death have been greatly exaggerated.” I can only wonder what he’d have to say about our industry’s recent dialog around cookies. My former colleagues at Jupiter are no doubt pretty happy to have their numbers vindicated, after a good deal of skepticism was leveled against their report from many -- including me. Of course, which research methodology was right is ultimately far less important than the action items that each of us can take away from the research as a whole. And I think there are still a few things we can draw from the recent body of research on cookies.

 

Friday, May 6, 2005

Warnings That Madison Avenue Needs to Be Nimble About Changing NY Times – May 5, 2005

MADISON AVENUE was warned yesterday that it risked being marginalized by profound changes in technology and demographics that are fundamentally changing the ways products are sold to consumers. The warning came from speakers at the opening session here of the 2005 management conference of the American Association of Advertising Agencies.  "In a world where the only constant is change, the only way to stay in business is to recognize when the lessons you have learned no longer apply," said Ron Berger, the 2004-6 chairman of the Four A's, as the association is known.  "Throwing out a business model that has worked in the past takes just as much guts, just as much courage, perhaps even more so, than starting a business from scratch," said Mr. Berger, who is also chief executive and chief creative officer of the New York and San Francisco offices of Euro RSCG Worldwide, part of Havas. Tough decisions have to be made by agency senior executives, he added, because "we, as leaders of the industry, have a responsibility - and part of that responsibility is to lead, not to follow."

 

The Chapell View

It’s very encouraging that senior advertising professionals are addressing issues of ad clutter and consumer burn-out. Many of us in the privacy space have been thinking about these issues for some time. In fact, this is an area where the privacy folks could really be an asset to advertisers. I’m working on a White Paper with the Ponemon RIM council which should address some of these issues.

 

Think about how much trouble the Entertainment industry is in right now – in part because they stopped listening to their customers, and their customers eventually cast them aside. Look for an article from my colleague Isaac Scarborough. The article will compare various ways that consumers have veered away from “legitimate” (read traditional) media consumption – from P2P file sharing to ad-blocking technologies.

 

Thursday, May 5, 2005

Intermix is just the start - Commentary: Ramifications of adware suit are broad Marketwatch – May 3, 2005

As I stepped ashore on the island of Cozumel last year after a pleasant few days aboard a cruise ship, I was accosted by solicitors offering scuba-diving tours before I could get 50 feet away from the ship. One after the other, they invaded my space. I thought: "Ugh! Live pop-ups!" That happened once. But on a computer, the digital equivalents of pesky sporting tours or timeshare touts haunt us every minute of each day. The way they get on our computer is through adware, which is on an estimated nine out of 10 computers. The definition is fluid, but, broadly speaking, adware is software that's mysteriously installed on computers without user consent. It can track user activity and serve up advertisements related to that activity. It's typically bundled with applications, like screensavers, or music file-sharing applications or when people mistype URLs.

 

The Chapell View

Overall, this is one of the best written articles on the relationship between advertisers and some of the more nefarious elements in the online universe. A few items of note:

 

·         Size of the Adware Market - I wouldn’t take Webroot’s #’s too seriously. The anti-spyware software company recently released a report indicating that revenues for adware companies were $2 billion per year, which is over 20% of the total online advertising market. If you were to add up the adware revenues of six of the largest adware firms - Claria, WhenU, Direct-Revenue, 180 Solutions, Ask Jeeves and eXact Advertising – I don’t know that you’d reach $500 million. Moreover, I participated in the CNET Spyware event yesterday, and David Moll of Webroot wasn’t able to effectively back up his $2 billion number – and NONE of the other software firms on his panel were willing to estimate the adware market to be higher than $800 million…. I wonder if it might be in their interest to create a perception that the adware problem is larger than it actually is?

 

·         Eyes wide shut – no more! – The real takeaway with this study is that it is imperative for any online advertiser to have a firm understanding and control of their data, distribution and/or advertising partners. This includes: vetting your partners, establishing contractual accountabilities, and requiring audit rights. I’ve already penned some steps that advertisers should take when selecting an adware partner. Bottom line - it’s crucial for advertisers to have a firm grasp of the data governance issues.

 

·         Eyes wide open – I’ve spoken with several companies in the online space over the past week. There’s a level of concern that I haven’t seen since late 2003 when it looked like that CA Spam bill was going to pass without Federal Pre-emption.

 

Wednesday, May 4, 2005

Patients Not Notified That Their Health Records Were Stolen CNET - April 26, 2005

Detailed health records of more than 1,600 Colorado families -- containing their most personal information -- are missing, and most of the families don't even know it. Mickey Ritter feels that the state health department should inform all families whose health information has been stolen.  The records are part of an anonymous autism study and were entered into a laptop computer -- a computer that was stolen from a state health department employee last October when she carelessly left it in her car. But it wasn't until January of this year that some parents -- who had no idea the data was being collected -- began to find out their family's most private information could be for sale on the open market. "We received a letter from Boulder Community Hospital notifying us that they had sent our son's records to the state health department, and the records were then stolen in October," said parent Mickey Ritter. Ritter was stunned because she and more than 1,600 other Colorado families had never been informed that their medical records were even being studied. Notification is not required by state law.

 

The Chapell View

When there is a data breach that potentially puts at risk hundreds of people's information, I think it's incredibly irresponsible for those entrusted with the information to sit on their hands. People's lives are being absolutely ruined by ID theft.

 

I think there’s a larger “trust” issue at stake here. I am shocked that anyone would be enrolled in a public health study without their consent – regardless of the altruistic nature of the research. But since I don’t know much about the medical research world, I figured I’d ask an expert. Fortunately, my brother Rich has a PhD in Pharmacology (I don’t know what the heck that means either) and works as an analyst at a medical research firm. And he’s smart as a whip. Here’s what Rich had to say…

 

“I'm amazed that they were able to collect and share this information without the knowledge or consent of the participants. The article mentioned that there is no state law against it, but it violates the declaration of Helsinki, which is a result of the codification of medical ethics originally put together by the World Medical Organization in response to the Nuremberg trials. It's not a law, but it's a set of ethical principles that all medical researchers are familiar with. Some Helsinki quotes:

 

·         ‘It is the duty of the physician in medical research to protect the life, health, privacy and dignity of the human subject.’

 

·         ‘The subjects must be volunteers and informed participants in the research project.’

 

·         ‘Every precaution must be taken to respect the privacy of the subject, the confidentiality of the patient's information, and to minimize the impact of the study on the subject's physical and mental integrity and on the personality of the subject.’

 

According to the Helsinki Principles, not only should the patients, or their parents, have been informed of the study and given the option to refuse to participate, but they should also have been informed that the data was stolen. That's part of that pesky "privacy and dignity" thing.”

 

Thanks Rich!

 

I believe there may also be some Federal Privacy Issues at play here. I’m certainly no expert in HIPAA, but I believe that medical institutions are required to provide notice and obtain consent from patients prior to using their information for medical research. However, there may be an exemption for the CDC. And according to the news story, both federal and state laws allow CDC to survey health records without notice to patients.

 

So let’s assume that there’s no legal requirement to obtain consent here. 

 

Regardless of the legal and ethical requirements, it is just plain stupid to fail to notify the victims of a data breach. Why?

 

·         Because word of the data breach inevitably gets out into the public domain.

 

·         Because people will be less likely to hand over their data once they’ve been screwed.

 

·         Because law and policy makers tend to look at these types of scenarios when weighing the need for an additional regulatory framework.

 

·         Because eventually, it becomes more difficult to conduct important medical research as a result.

 

Talk about soiling your own food dish…

 

Monday, May 2, 2005

Pick your battles with Internet privacy CNET - April 26, 2005

The recent flurry of hype over ZabaSearch got me thinking about privacy. For those who didn't have the pleasure of receiving a frantic e-mail from a friend about it, ZabaSearch is a search engine for personal information. Folks across the Internet were shocked to find that not only their current addresses and phone numbers but even information from the past several years came up in ZabaSearch. Even unlisted numbers appeared. I received several e-mail messages with the Internet equivalents of gasps and expressions of horror attached. The truth is that ZabaSearch is no evil Big Brother. It's a search aggregator, and a rather efficient one at that. All the information in its database can be found elsewhere on the Web. Its crime, if any, was making personal information supereasy to find.

 

The Chapell View

Interesting article by Tom Merritt over at CNET. I don’t want to come down on ZabaSearch. They certainly aren’t the only company out there that’s taking publicly available data and aggregating it into a useful tool. In fact, I agree with Tom and give the company kudos for capitalizing on the ‘newsworthiness’ of privacy issues to land some free press coverage.

 

There’s one point that seems lost on Tom, as well as many others who cover privacy. We as a society have not come to terms with the impact of large scale data aggregation. So while I’ll concede that ZabaSearch isn’t doing anything illegal or inherently evil by aggregating publicly available data, it’s important to note that the sum of that data is inherently much more powerful than the individual parts. In other words, large scale data aggregation is in and of itself a potentially dangerous thing. I’m not saying that it should be illegal to aggregate data, but I do think that more thought needs to go into the implications of collecting, storing and using large databases.

 

I’ve often drawn an analogy from the world of science. A few atoms of hydrogen are completely harmless. However, if you put enough of them together, you’ve got something that is extremely powerful – and a potential weapon of mass destruction. If you don’t subscribe to my analogy, I offer the following question. How many people’s credit (and potentially their lives) was ruined by the data breaches of the past six months alone?

 

With large databases goes large responsibility.

 

Thursday, April 28, 2005

Whoa, Canada: SSN Request Doesn't Add Up Washington Post - April 26, 2005

Gaithersburg reader Denise McQuighan was ordering a pair of $269 Mission D3C roller hockey skates for her son, Patrick, from an online Canadian sports-equipment retailer recently, but she stopped cold when the order form required her Social Security number. "The Web site indicated that this was needed by the U.S. Customs agents for some reason," says McQuighan, who knows better than to hand out her Social Security number (SSN) to just anyone who asks for it. McQuighan told Patrick to find different skates -- from a U.S. company.

 

The Chapell View

I guess the lesson here is – DON’T ask for more information than you really need or you risk having your customers take their business across the street. Or in this case, across the border.

 

It’s amazing how challenging it can be to get good privacy practices filtered down through an organization. My good friend Mike Spinney, who runs a media relations firm called Six Weight, conducted an informal survey last year. Mike called up the customer service #’s for a number of major retailers, and asked them to explain something from their privacy policy. Almost half of the time, Mike was given incomplete or incorrect information.

 

On a similar note, I’ve been having a go-round with a large travel web site. As a result of a purchase I made on this site, I was somehow enrolled in a “Travel Rewards” program from one of the web site’s affiliates. Now I have ZERO recollection of signing up for this program, and but for the $10 charges to my credit card, I would not have even known that I was enrolled. When I confirmed that I’d been enrolled as a result of a purchase I’d made on the travel web site, I decided to end my relationship with the travel web site. Here’s where the fun started…

 

I sent an email to the travel web site’s CS group – asking them to remove all my personal information from their records. One would figure that this isn’t a very big deal as their web site privacy policy states:

 

“If a visitor’s personally identifiable information (for example, their zip code, phone, email or postal address) changes or if a user no longer desires our service, we provide a way to correct, update or delete/deactivate visitor’s personally identifiable information.” (I paraphrased this to protect the company)

 

Well, I’m on my SIXTH email requesting that they remove all my info, and here are the responses I’ve been getting from their CS group.

 

·         “Thank you for your reply. We can remove your e-mail address from our system so that you will not receive anymore offers. However, we are unable to remove your account from our site. Once you have registered with our services the account always remain active.”

·         “Please be advised your email address has been deleted from our newsletter.”

·         “Due to security reasons, we do not hold your personal & confidential information.”

·         “Please be advised if you have made a reservation or submitted information to us, this information will remain. This is not to be deleted, nor is your confidental information given out.”

 

As a consumer, this is beyond frustrating. Btw, this is not some tiny website – it is a nationally advertised site owned by a fairly large company.

 

Perhaps it’s time to involve their seal program…

 

Wednesday, April 27, 2005

Experts Call Spy Agency Practice an Eye-Opener LA Times - April 25, 2005

The National Security Agency, which eavesdrops on electronic communications around the world, receives thousands of requests each year from U.S. government officials seeking the names of Americans who show up in intercepted calls or e-mails — and complies in the vast majority of cases without challenging the basis for the requests, current and former intelligence officials said. The volume of requests and the NSA's almost reflexive practice of disclosing Americans' identities — which under federal law are shielded unless there is a compelling intelligence reason for releasing a name — have come as a surprise even to some members of Congress and government officials deeply involved in intelligence matters.

 

The Chapell View

A few weeks ago, at one of the data breach hearings on the Hill, several of the Committee members took turns examining the practices of Choicepoint and the other data aggregators. The Senators were appalled at what appeared to be a lack of institutional safeguards to protect consumer data. It was like watching the 1978 Yankees take on a Little League team – the data aggregators seemed so overmatched…

 

If the NSA or any other agency is lacking in safeguards for protecting Americans from unreasonable Government intrusion – if the threshold for disclosing that data is so low as to make it merely a procedural speed bump, then we need a similar Congressional investigation. Most of the initial privacy legislation from the 1970’s was born out of a recognition of the Government abuse during the 1950’s and 60’s. More and more, I get the sense that our Government has figured out ways to circumvent that legislation – either by contracting out to private sector data aggregators, or by minimizing internal check and balance procedures.

 

Tuesday, April 26, 2005

Privacy Nuts, Chill Out Forbes - April 22, 2005

What attracted the attention was Internet search giant Google's announcement this week that it is experimenting with a new feature to keep track of previous searches conducted by its users. At least one self-anointed privacy advocate immediately started clucking that the optional feature--which is not even available on Google's main search page--"a bad idea." Another expressed concern about the government snooping on our Web searches. One really outraged person commented in a message board on Slashdot, "Just think what a modern day Hitler could do with access to everyone's Google searches." 

 

The Chapell View

It’s kind of refreshing to have a different viewpoint on these pages – even if I don’t entirely agree with it. And I’ll ignore the references to privacy advocates as “nuts.”

 

I’m a huge fan of gathering customer data to deliver relevant ads and enhance the customer experience. But I think you can get 99% of the benefits of relevance by only holding onto the data for a limited time. Gathering data and holding onto it in perpetuity presents too significant a risk to the consumer.

 

I don’t think of Google as an inherently evil organization either. And I give the company credit for respecting consumer choice and making this an opt-in service. But I don’t think any of us can necessarily say what Google will ultimately do with the data they are collecting. And the company IS collecting loads of data – and storing it on their servers. And since much of that data will be tied to personally identifiable information, it is NOT a stretch to envision a person’s search history to be subpoenaed in a court proceeding, or by a Governmental agency.

 

I personally think that Google is taking a huge responsibility by having that much data reside on their servers, but that’s a different rant.

 

Friday, April 22, 2005

Google Personal-Search Tracker Raises Privacy Concerns  Internet Week - April 21, 2005

Google Inc.'s new tracking tool that keeps a detailed history of a person's web search has raised privacy concerns among experts who complain that information collected can't be permanently deleted by the user.

 

The Chapell View

Funny. If you changed the year of this story to 2004, and changed the company name, you’d have the same story with roughly the same concerns voiced from the advocacy community last year regarding Amazon’s A9.com search engine. I’m not sure how many people are actually using A9 at this point, but the company certainly hasn’t withered away and died from the controversy either.

 

Having said all that, I do think that Pam Dixon and others in the advocacy community make some very valid points. Long term, it is a mistake for Google and A9 to be holding so much data on their servers. This is particularly troubling given that the data is tied to personally identifiable information. With large databases comes large responsibility – and perhaps even larger decisions down the road. When law enforcement officials and attorneys in civil cases begin to subpoena Google and A9 for some of this information – and trust me, they will – people are going to regret using search tracking tools. Do the companies want to be in this position?

 

Think about Yahoo! email and their recent court battle with the family of a soldier killed in Iraq. The family wanted access to their son’s emails, which were stored on Yahoo! Although my heart goes out to the family of the soldier, I think Yahoo! did the right thing here. But my point is, that the more data that companies hold, the more they are at risk of putting themselves in difficult (and potentially costly) situations.

 

There’s a world of information that can be mined from search queries. But if I were Google, I’d start finding ways to leverage that data without storing it en masse. Perhaps they could figure out a way to keep the information on the consumer’s desktop via a cookie or in the registry. Maybe they could store the data, but only for a specified (read: short) period of time.

 

 

Thursday, April 21, 2005

Revenue Science Launches Behavioral Targeting Network MediaPost - April 21, 2005

BEHAVIORAL TARGETING FIRM REVENUE SCIENCE announced Wednesday the release of its Audience Search behavioral targeting network, which has been live for about one month with three publisher partners. The Audience Search Network extends Revenue Science's existing business model, which is built on tracking consumers' behavior within a site and then serving ads within that same site. For the network, Revenue Science will pool together consumers who exhibit high-value behavior--such as showing an interest in purchasing a car or consumer electronics--regardless of which site Revenue Science first tracked them on, and then serving those consumers ads as they surf the Web.

 

The Chapell View

The challenges faced by the behavioral targeting firms have less to do with privacy and more to do with scale. I like the concept of delivering more relevant ads in a privacy friendly way. But as a practical matter, when BT is limited to the confines of a single site or a small group of sites, the data pools, and in turn the ability to actually increase relevance of a meaningful number of ads is generally limited.

 

So I think this is a step in the right direction for Revenue Science. RS and the others in this space still need to figure out how to entice the high value publishers to participate AND share their most valuable audience data. Perhaps they can establish some sort of commission system, or some other way to entice the larger players to participate...

 

Tuesday, April 19, 2005

Time to Buy a New Shirt, Dave Wired - April 15, 2005

Consumer retailers and manufacturers this week promised to help shoppers disable or discard the radio tags attached to their purchased items in coming years - if that's what shoppers really want. The companies are trying to appease consumer and privacy advocates, who worry that the data gathered from radio-frequency identification tags - item descriptions and unique ID codes - will be married with shoppers' personal data, making the tags into tracking devices for marketers, thieves and, possibly, the government.

 

The Chapell View

It's pretty amazing to me that a significant segment of the RFID world continues to move ahead on individual tagging. If RFID advocates want to know how consumers feel about item level tagging and tracking, they need only look across the street at the scrutiny faced by the online profiling industry. If consumers are a bit skittish about online tracking, they are downright anxious about RFID. Knowing what sites you've visited is nothing compared to knowing the physical places you visit. And given that RFID codes are typically linked to credit card or other sensitive PII, the risk of ID theft is significantly higher.

 

I've been saying this for a while, but the RFID industry needs to do two things:

1.  Establish a valid value proposition for RFID - they are starting to do that with the "hassle free" returns of items tagged with RFID chips. The RFID purveyors need to continue along these lines.

2.  Establish reliable security measures - They still aren't talking enough about security when it comes to RFID. The biometric component is interesting, but needs to be thought out - and communicated in a meaningful way.

 

A brief summary of today's top privacy-related stories can be found here.

 

Monday, April 18, 2005

Personal Data Theft: It's Outrageous Business Week - April 15, 2005

It's long past the time to hold companies that collect personal info to higher legal standards when it comes to protecting that data. Americans seem to be concerned, but not outraged, by news in recent weeks that two big data collectors sold detailed personal information on nearly 500,000 people to buyers who had absolutely no business getting it. Maybe this is because we've become inured to the supposed inevitability of our personal data being available to anyone who looks hard enough.

 

The Chapell View

Business Week's Stephen Wildstrom correctly points out the lack of outrage amongst consumers over recent data breaches. I'm not sure that consumers are engaged enough to be angry. If ID Theft doesn't impact someone directly, I'm not sure they care. Moreover, consumers tend to show their outrage in other, more subtle ways - such as tuning out advertising, and providing fake data when companies ask.

 

I agree that the data aggregators need to be regulated. I don't think that class actions are necessarily a long term solution.

 

Thursday, April 14, 2005

Consumers Not Told of Security Breaches, Data Brokers Admit Washington Post - April 14, 2005

Executives of two major data brokers acknowledged to a Senate panel yesterday that their companies did not tell consumers about security breaches that occurred well before recent incidents exposed more than 400,000 people to possible identity theft. ChoicePoint Inc. and LexisNexis also suffered breaches before passage of a California law in 2003 that requires companies doing business in the state to notify consumers that their data might be at risk, officials said. But the companies chose not to alert the public in those cases.

 

The Chapell View

The position of the data aggregators (and frankly, the DMA) on this issue has been so badly discredited by now that it is barely worth mentioning. For those organizations to attempt to position what happened with ChoicePoint and other data aggregators as simple cases of identity theft is absurd. Organizations such as Bank of America, who by comparison don't seem nearly as culpable, will be forced to pay for the sins of others in the industry.

 

What is worth mentioning, however, is Federal Trade Commission Chairman Deborah Platt Majoras' opinion that companies should only have the obligation to disclose the breach if they determine that ID theft will likely result from that breach. If such a discretionary provision is ultimately added to the eventual Federal breach disclosure act, it could create a loophole that might be so large as to swallow the law. Providing too much leeway to data aggregators was what got us into this mess in the first place, no?

 

Wednesday, April 13, 2005

Study: We're Getting Used to the Taste of Spam CNET - April 11, 2005

Fewer people find spam as annoying or unpleasant as they did a year ago, according to a study by the Pew Internet and American Life Project. Currently, 67 percent of e-mail users say that spam interferes with their online experience, compared with 77 percent a year ago. People are also recovering their trust in e-mail, to a degree, with 53 percent of respondents saying spam has sapped their confidence in e-mail, down from 62 percent a year ago.

 

The Chapell View

Seems like many of the prognostications around spam and the demise of email may have been overstated. Of course, just because email has not completely been blown to smithereens as a communications channel, that doesn't mean it hasn't been seriously crippled by spam and other non-consumer friendly applications. You can either interpret this as "consumer acceptance" or "continued decline of consumer engagement." Which interpretation proves to be closer to the truth may ultimately determine the future of data sharing, online profiling, and direct marketing in general.

 

Monday, April 11, 2005

Deal May Mean Shifting Adware Model CNET - April 8, 2005

Adware company 180Solutions has quietly agreed to purchase CDT, one of its own distributors, in a deal that may foretell shifting business practices in a controversial corner of the Net advertising world. 180Solutions has been working over the past few months to overcome persistent criticism of its business model, including accusations that its distributors use security flaws in Microsoft Windows and misleading pop-up boxes online to trick people into downloading the software. By purchasing CDT, one of its largest distributors, 180Solutions says it's hoping to "clean up" its distribution channels.

 

The Chapell View

I agree that 180 is executing a plan to separate themselves from their Spyware past, but I'm not convinced that this move has much to do with that plan. There are certainly other ways to ensure that distribution partners are doing the right thing. 180 could have established a series of M&P's for their distributors. They could have contractually required distributors to adhere to best practices. They could have insisted upon audit rights. And although it may be easier to rein in a business partner if they are under your proverbial roof, there is no guarantee that CDT will adhere to best practices unless 180 makes a conscious effort to keep them under control. I think there may have been other reasons for this move, which are not entirely clear to me right now.

 

Friday, April 8, 2005

The Implications of Cookie Cutting iMediaConnection - April 7, 2005

ThinkMetrics CEO Brandt Dainow writes in about Jupiter's recent cookie-deletion report: the news is both good and bad. Jupiter Research announced last month that 58 percent of users delete their cookies regularly, with 40 percent deleting them every month. This means that metrics relying on tracking visitors via cookies are not as reliable as people have believed. However, only 1 percent delete cookies set by the site itself - it is third-party cookies that people are deleting.

 

The Chapell View

Brandt Dainow is an extremely bright guy, but I don't think he gets it entirely right here. Part of the issue may stem from the fact that he offers an EU perspective on privacy - a perspective that has very different historical and cultural underpinnings from the U.S. perspective. I agree with his initial point - that consumers don't necessarily see cookies as positive things. (OK, many see them as the Devil's spawn...) However, I disagree with his conclusion - that third party cookies should not be used.

 

Most of the research that I've read and conducted focuses on the U.S. online consumer market, so my comments will also focus upon that market. Online advertising isn't going anywhere. And most consumers would prefer to have ads that are more relevant to their interests. (Incidentally, most would also prefer not to see the same ad multiple times - and it's pretty difficult to provide frequency caps without some form of profiling tool.) Unfortunately, the only way to increase relevance is to know something about the person viewing the ads, and the best way to know something about the viewer while maintaining any semblance of privacy is to use cookies.

 

I agree that many consumers are deleting cookies via anti-spyware and/or anti-virus software programs. However, I would seriously question whether or not U.S. based consumers fully understand what they are deleting when using one of those software programs. Case in point - I know of anti-spyware programs that automatically delete software programs that consumers have paid for. The lack of standards in the anti-spyware software market has been well covered on these pages. It is wrong for any company to download a piece of software onto my desktop without my full knowledge and consent. Similarly, it is wrong for any company to DELETE a piece of software from my desktop without my full knowledge and consent.

 

Our industry has not done a good job of educating and engaging consumers in a meaningful way when it comes to online profiling and cookies. Perhaps this has to do with our cultural underpinnings. Much of our culture was inherited from the "don't ask - don't tell" culture of the direct marketing world when it comes to consumer data. Until recently, the DM'ers have done well keeping their data collection initiatives below the radar of scrutiny. However, over the past few years, the lack of transparency and accountability have clearly begun taking their toll.

 

Perhaps many of us thought that the whole cookie debate had been put to rest years ago with the publication of the NAI's lauded principles for online profiling.

 

Our industry needs to act now. We need to educate consumers on the benefits of cookies. We need to convince them how profiling is safe. We need to assure them that we're not going to step over the line. And we need to do it pretty quickly.

 

I understand that Nick Nyhan and Cory Treffiletti are starting up an initiative to combat this and other issues in the online world. I wish them well.

 

Thursday, April 7, 2005

Identity Theft: The Next Corporate Liability Wave? Law.com - March 31, 2005

Your phone rings. It's Special Agent Bert Ranta. The FBI is investigating a crime ring involved in widespread identity theft. It has led to millions of dollars of credit card and loan losses for lenders, and havoc in the lives of the 10,000 victims. By identifying links between the victims, the FBI has discovered where the personal data appear to have come from: your company. The victims are some of your customers. Your mind begins to whirr. Are there other customers affected who haven't been identified yet? Is it a hacker or an inside job? Is your company also a victim here, or could it be on the wrong end of a class action lawsuit?

 

The Chapell View

New legislation regulating corporate security of personal customer information is no longer a matter of if, but a matter of when. Responsibility for ensuring the safe stewardship of customer data needs to be placed squarely on the shoulders of the company holding the personal information.

 

Wednesday, April 6, 2005

Company files 'pay per click' ad lawsuit SiliconValley.com - April 5, 2005

A Texarkana gift shop that advertises on the Internet has filed a lawsuit against America Online, Google, Yahoo and other Web-centered companies alleging they knowingly overcharged the shop and other companies for "pay per click" advertising. Lane's Gifts and Collectibles says in a Miller County lawsuit that the Internet companies charged it for advertising traffic not generated by bona fide customers. Lane's Gifts hopes to represent numerous other companies in a class-action lawsuit against the Internet companies. Lane's alleges a conspiracy in which the companies worked with one another to create an online environment that harms advertisers.

 

The Chapell View

The issue of click-fraud has been bubbling for a long time now. And advertisers are increasingly expecting Google and others to effectively police their affiliates and other business partners. Clearly, those expectations are not being met, so in response, here come the lawsuits.

 

This is one of those stories that actually transcends the specifics of the allegations. A similar story was published in today's Wall Street Journal....This is bad news for the online advertising world - we need to address this in a meaningful way before it begins to have a significant impact upon ad spending.

 

Tuesday, April 5, 2005

Patriot Act to be scrutinized ZDNet - March 31, 2005

The tumultuous process of reviewing portions of the USA Patriot Act is about to begin. Sen. Arlen Specter, R-Penn., said Thursday that his Judiciary Committee will begin a series of three hearings starting April 5 to examine the 2001 law and consider which sections should be renewed before their Dec. 31 expiration date. Only some portions are set to automatically expire.

 

The Chapell View

As we all know, the Patriot Act was enacted back in 2001, whilst many of us were swept up in the emotional aftermath of 9/11. We as a society (or at least our noble Legislators) made a decision to trade off some of our civil liberties in exchange for better security. I may not agree with it, but that's the value exchange that was debated back then. So while the Judiciary Committee is holding its hearings, I'd like to get a sense of the benefits that our society has reaped in exchange for giving up those liberties. Are we safer? How many terrorist plots have been averted as a result of Section 215 of the Patriot Act?

 

I'm all for debating the merits of the Patriot Act. But without some tangible evidence of the benefits of the Act, the debate should be short lived. We've spent the capital known as our civil liberties for over three years - time to show some ROI.

 

Thursday, March 31, 2005

Frenzy Begins Over Cookie Alternative ClickZ - March 31, 2005

An existing technology offering cookie-like functionality is gaining attention from publishers, marketers and others as a possible replacement for the ubiquitous, but potentially endangered, text files. The technology, based on Macromedia's Flash, is getting attention as awareness spreads of an apparent increase in user deletion of cookies. A Jupiter Research study recently found nearly 40 percent of Web users clear these text files from their machines on a regular basis. Because of the enormous consequences of cookie deletion for online marketing, analytics experts and ad technology vendors have since begun overtly addressing the potential of the "Flash cookie."

 

The Chapell View

We can debate the severity of the cookie problem, but make no mistake - there IS a significant problem with cookies. Too many consumers don't like them, and they are uncomfortable with the notion of having their movements tracked online. And far too many consumers really don't understand cookies - how they work, and the benefits that they offer. With that in mind, I don't think the solution lies in developing a new kind of cookie-like tool. A device that consumers will ALSO not understand, and one they are unlikely to trust. AND one that many will certainly remove once they figure out how. At best, this is a short-term fix.

 

We in the online ad business need to figure out ways to address consumers in a meaningful way. Education is the answer.

 

The Argument for P2P MediaPost - March 31, 2005

PEER-TO-PEER COMPUTING HAS BECOME THE coolest application in the Internet Age since the browser itself. It has made real what the Internet promises to do and how it will deliver on those promises. No one could have foreseen just how immensely popular these applications would become. Looking back, it seems almost awkwardly obvious. The recording industry, always late to the party with respect to new media (phonograph records from cylinders, records to tapes) were again tardy to the game of digital distribution of music. The movie industry, strangely enough, was also terribly clumsy about its attempts to deal with the digitization and decentralization of content distribution. But both industries seemed certain that as the 10,000-pound gorillas they could bide their time and the masses would wait.

 

The Chapell View

Jim Meskauskas pens a nice outline of the P2P debate. If the Supreme Court rules against Grokster, it may have a temporary negative impact upon certain adware companies that bundle their ad clients with P2P software. However, over the long term, it will have a very minor impact upon file sharing. Many of the file sharing companies will likely move offshore, or find other ways of...err...dealing with the new legal environment. As Jim points out, P2P is here to stay. And unless we're prepared to go after everyone who uses the software (I wonder how many members of Congress have kids/grandkids who regularly use P2P software) it's going to be a difficult row.

 

I was born and raised a musician, and am extremely sympathetic to the notion of being paid for one's creative works. The best bet is to figure out ways to monetize P2P. Whether or not the recording industry is creative enough to find ways to make money from P2P in a way that meets consumer expectations is an open issue. Throwing more lawyers at the problem doesn't seem to be working...

 

Wednesday, March 30, 2005

Marketers tap chatty young teens, and hit a hot button Christian Science Monitor - March 30, 2005

Think your talkative, trendy, Web-surfing 13-year-old might have a future in sales? She might already be in business. New forms of peer-to-peer, buzz-marketing campaigns - ignited and fanned by firms - are growing fast. In a practice still widely unregulated, marketers enlist youths they see as having real sway over friends. The goal? Solicit the help of these influential kids in broadening sales in exchange for products and the promise of a role in deciding what the marketplace will offer.

 

The Chapell View

There is such a subtle line between influencing public perception of your brand, and manipulating that perception. And when it involves engaging people who are younger than 18, the line becomes ever murkier. Teens and tweens put a good deal of trust in the opinions of peers. If one of their peers is essentially being paid to speak about a certain product or service, and then hides that fact, I call it manipulation.

 

Not to be too naïve, but what kind of message are we sending to children by saying that this type of behavior is ok?

 

Friday, March 25, 2005

Users To Blame For Spam InternetWeek - March 23, 2005

We have met the enemy and he is us. So says the Radicati Group, which Wednesday released preliminary results of a survey showing that it's bad behavior on the part of users -- us, in other words -- driving the spam and virus threat. And you thought it was spammers and hackers. "Frankly, it surprised us that users are still responding to [spam], and opening [unsolicited] mail," said Sarah Radicati, the chief executive of the Palo Alto, Calif.-based market research firm which conducted the online poll.

 

The Chapell View

I already beat this to death earlier in the year on the blog, and in the DMNews article, which focused on the Forrester Spam purchaser study. But here goes one more time: future studies need to focus on WHO is purchasing from Spam, and WHY. We need to understand more about the Spam purchaser. But given that the study results are not even out yet, I'll refrain from making any other comments, at least for now.

 

Thursday, March 24, 2005

IBM aims to spam the spammers Chicago Tribune - March 23, 2005

Electronic mail touting cut-rate Viagra or how to make big bucks working from home will get pitched right back to the senders by a free program from IBM Corp. The program, announced Tuesday, will identify computers that originate unwanted e-mail, or spam, and bounce it back at the sender--in effect spamming the spammer. The program, designed for use by large businesses, underscores the frustration felt by companies that see the vast majority of their e-mail flooded with junk.

 

The Chapell View

This seems like a variation on the Lycos Europe "Make-Love-Not-Spam" debacle from a few months ago. (Although this one stops way short of the glorified denial of service attacks that our friends from Lycos wrought last year.) The idea of punishing those that Spam is tempting indeed. There are a few inherent problems with this approach, and it's not clear (not at this point anyway) that IBM has addressed them.

 

The first issue lies in defining Spam. How does the software determine which emails are in fact Spam? One man's Spam is another man's treasure. And what happens if and when the system determines that a large advertiser (or a large email service provider) is a Spammer and starts sending messages back to them, crashing their system?

 

The other issue involves the increase of Internet traffic. One of the problems with Spam is that it clogs up the Internet - accounting for almost 95% of Internet traffic. So what happens to internet traffic if the IBM software gains some traction in the marketplace and a significant percentage of Spam is bounced back?

 

Also, aren't most Spammers pretty good at concealing their identity? How will the software know which email address the spam is coming from? Spammers are also pretty clever. If one or more of them can fool the IBM software into thinking that their Spam messages are coming from say, IBM.com, would the returned messages flood the IBM servers?

 

Wednesday, March 23, 2005

Anti-Spyware Companies Promote Cookie Deletion ClickZ - March 23, 2005

Search for terms like "Coremetrics," "WebSideStory," "DoubleClick," "ValueClick" or "Atlas DMT" on Google, and some of the most prominent paid results seem to cast aspersions on these well-known interactive marketing brand names. You'll see ad text like "Coremetrics Removal Tool," "Kill AtlasDMT.com Now" and "Websidestory Removal." These ads -- promoting anti-spyware tools like NoAdware, XoftSpy, and PC Orion -- urge users to buy and download software that remove these companies' cookies from their computers. Such campaigns -- many of them run by the anti-spyware companies' affiliates -- may provide some explanation for the findings of a recent JupiterResearch study, which reported that 40 percent of online consumers delete cookies from their primary computers as often as once a month. "Anti-spyware companies are unfairly preying on analyzing vendors," said Eric Peterson, the lead analyst of the JupiterResearch report. "To target companies like Coremetrics or WebSideStory in that way, I think is unfair targeting. It implies it is spyware, which it is not."

 

The Chapell View

The anti-spyware software companies need to be reined in. But perhaps more importantly, those in the industry that rely on cookies need to start thinking seriously about a public education campaign on cookies and online profiling. It's time.

 

Tuesday, March 22, 2005

Word-of-Mouth Marketing: Temper Your Enthusiasm? ClickZ - March 22, 2005

Next week, several hundred word-of-mouth marketing enthusiasts and practitioners will descend on the University of Chicago's Business School for the first-ever Word of Mouth Marketing Association (WOMMA) summit. I'll be among the legions of word-of-mouth cheerleaders, complete with case study pompoms, spirited R-O-I letters on my sweatshirt, and a host of "Hey-hey, ho-ho, word of mouth's the way to go" cheers. As one of the association's founders, how can I be anything but pumped about the potential and power of word-of-mouth marketing? I'll let you in on a little secret: I'm nervous about word-of-mouth marketing's future. It's hard to put my finger on, but it's the same feeling I had when marketers went hog-wild over targeted e-mail's potential.

 

The Chapell View

Funny, I was just reading an article on the Word of Mouth Marketing Association's (WOMMA) inaugural conference. WOMMA chief Andy Sernovitz was hyping up the event as only Andy can do. (Believe me, I'm a big fan of Andy.) But somewhere in the back of my mind, I can only wonder how long it's going to be until the buzz marketing industry begins to soil into its food dish. Don't get me wrong, there's some great stuff happening with Word of Mouth. But until and unless we as marketers learn from the mistakes of the past, we're doomed to relive them.

 

Pete Blackshaw of Intelliseek makes so many good points it's hard to know where to begin. I agree, Pete. Word of Mouth ain't the Holy Grail. If marketers choose to look at the medium with the lust of a sailor who's been out to sea for the past six months, Word of Mouth will lose credibility, and have a very short lifespan.

 

It's all about trust. Consumers generally don't trust companies - sometimes even companies that they patronize.

 

Pete's asking the right questions. If you're considering offering Word of Mouth to your media mix, take a look at this article.

 

Monday, March 21, 2005

Consumers Don't Bite the Cookies ImediaConnection - March 21, 2005  A Chapell Article

Jupiter Research's latest report should have marketers shuddering. By now you've probably heard about the latest report from Jupiter Research -- concluding that two out of five internet users delete their cookies from their browser. Like most stats that make one's eyes pop out, this one was a bit hard to fathom. Seth Godin penned an insightful blog rant regarding the validity of the data. I agree with much of Seth's logic, and perhaps he has a point. Yes, it is extremely difficult to believe that 40 percent of internet users are knowledgeable enough to know how to delete their cookies.

 

Friday, March 18, 2005

Internet Sites Transform Cursors Into Advertising Space Investors Business Daily - March 18, 2005

Online ads are so prevalent, advertisers are running out of room for them on Web sites. So they've found a new spot to park their ads: at the tip of your computer's cursor. With so-called cursor ads, your cursor changes into a company logo or ad image when you enter a sponsoring Web site. You can see an example by visiting the Web page of the Los Angeles Lakers basketball team (nba.com/lakers) - part of the National Basketball Association site.

 

The Chapell View

I'd encourage you to visit the Lakers team site on nba.com before reading on.

 

Ok. Let me just say that some of my opinions are probably colored by the fact that I found the McD's icon to be fairly annoying. The cursor switches from the McD's logo to a Lakers logo as it slides to a clickable link, which is a bit distracting. And the McD's logo is a fair bit larger than my beloved cursor arrow. As a result, my aim is a bit off - I found myself clicking onto the wrong link a few times. Maybe I'll develop more accuracy at it as I get used to the new logo. But I don't plan on spending much time on NBA.com - I'm much more of a college hoops guy.

 

Btw, I don't remember giving permission to anyone at nba.com to alter my cursor. If an adware firm had altered my user experience in that way without asking permission, there would be an uproar.

 

It would be one thing if I WANTED my cursor to look like a McD's logo, or a unicorn, or Richard Nixon's head, or whatever. If I wanted a snazzy new cursor, I could download some software which would make that happen.

 

I guess we're back to the age old question - WHO owns the desktop?

 

Wednesday, March 16, 2005

Online Advertising 3.0 iMediaConnection - March 16, 2005

Revenue Science's Bill Gossman believes behavioral targeting will become increasingly important as we enter a third era of online advertising.

 

The Chapell View

It's almost always a good read when penned by Omar or Bill from Revenue Science. To me, the most interesting takeaway is this:

 

When you buy a Microsoft software application, you write them a check. Google, on the other hand, gives you a free application -- whether it's a web search engine, translation, hard drive search, photo organizer, blog software or something else -- and gets paid by selling advertising that runs on the application.  That's nice, you say, but why is it so important?  It's important because Google has blurred the line between media and desktop applications.

 

Google and Microsoft have entered the adware space? I'll bet you anything that they aren't going to call themselves adware.

 

Many in the industry have recently called for the establishment of best practice definitions for adware. We'd best hurry, because if Google or Microsoft are defining the standards, it could spell trouble for other companies that exchange software for advertising.

 

Large Databases Bring Large Responsibility DMNews - March 14, 2005   A Chapell Article

While attending the IAPP privacy conference in Washington last week, I decided to stop by the Senate hearing on identity theft. The hearing was prompted by a number of recent events, including: the information breach at a division of LexisNexis; the loss of several data tapes by Bank of America; and the emerging scandal at data broker ChoicePoint.

 

Tuesday, March 15, 2005

Study Showing Consumers Purge PCs Of Cookies Casts Doubt On Analytics, Targeting MediaPost - March 15, 2005

IN NEWS THAT UNSETTLED MANY in the online advertising world, a new study by Jupiter Research revealed that four out of 10 Internet users delete cookies from their primary computers at least once a month. The report found that about 12 percent of Internet users delete cookies on a monthly basis, 17 percent do so weekly, and 10 percent purge cookies every day. What's more, more than half--52 percent--said they had rid their computers of cookies at least once in the last year. For the study, announced yesterday, Jupiter Research surveyed 2,337 U.S. online consumers in March. This study marks the first time Jupiter has examined how Internet users react to the cookies that wind up on their personal computers, said Eric Peterson, Jupiter Research analyst and author of the report. "It was commonly assumed, before this study, that users didn't have the sense or the inclination to fool with cookies," Peterson said, "so advertisers and marketers didn't factor the possibility into their tracking and targeting measurements."

 

The Chapell View

I'd like to understand Jupiter's methodology a bit better. But if even 10% of users are deleting their cookies every day, that's significant. As a publisher or marketer, what do you do about it? Without cookies (or some other non-PII identifying technology), it becomes exponentially more difficult to deliver ads which are relevant to consumer tastes.

 

These results are particularly interesting in light of the cookie controversy created by HR 29 (The Spy-Act) over the past several months. Some in the industry had predicted the end of online advertising if third party cookies were outlawed. In some ways, the Jupiter research renders that argument moot.

 

I've looked at a good deal of research over the past year. Consumer research conducted by Forrester, Yankelovich, Ponemon, as well as my own firm's research have all concluded that consumers feel bombarded by ad clutter while surfing the web. Ironically, the silver bullet to problems of ad clutter was believed to lie in information collected in cookies. Information about what sites a user visits, and the pages he views. Information about the products he's purchased and the searches he's conducted. All this information was supposed to be captured in cookies, and used to deliver more relevant ads. But now, as a result of cookie blockers, and consumer-initiated cookie deletions, all that is in jeopardy.

 

The problem is a huge one, and goes back several years, to the inception of the internet as a consumer medium.  Consumers want their online experience to be free of charge. They want to be able to read the content for free, but they don't necessarily want to see advertising. They want the free piece of software, but aren't necessarily interested in viewing additional ads in exchange for that software. And as this report bears out, many are reluctant to share any of their data with marketers and publishers - even non-personally identifiable data.

 

Back in the golden era of television, advertisers did a very wise thing. They spent time educating consumers on the value proposition of television. In other words, they'd say something like: "We're going to show you 15 minutes of this really funny guy named Milton Berle. And in exchange for that content, you agree to actively watch this important message from our sponsor Maytag, who will tell you about this wonderful new invention called the automatic dishwasher - it'll change your lives."

 

Somewhere along the way, we in the online world have never been able to get consumers to embrace the idea that there's a value exchange between content and advertising. And until that happens, we're going to be stuck in a spiral created by intrusive, irrelevant ads, and consumers increasingly tuning those ads out.

 

Monday, March 14, 2005

FTC Bars Bogus Anti-Spyware Claims FTC.gov - March 11, 2005

An operation that offered consumers free spyware detection scans that "detected" spyware even if there was not any, to market anti-spyware software that does not work has been barred from making deceptive claims by a U. S. District court at the request of the FTC. The FTC will seek a permanent halt to the marketing scam and redress for consumers. In papers filed with the court, the FTC alleges that Spyware Assassin and its affiliates used Web sites, e-mail, banner ads, and pop-ups to drive consumers to the Spyware Assassin Web site. After exposing consumers to a litany of the dire consequences of having spyware on their computers, the Web site warns, "you WILL eventually experience credit card and/identity theft and your computer will ultimately crash and cease working for good . . . It's not a matter of if, but truly a matter of when."

 

The Chapell View

It's been a while since I took the SAT, but here's a riddle for you -- Spyware is to adware, as Spyware Assassin is to anti-spyware software. Spyware Assassin assumes the most nefarious aspects of anti-spyware software - by misrepresenting the amount of Spyware that is resident on a user's computer, by overstating the damage being caused by Spyware, and by generally trying to scare the hell out of the end user.

 

I've seen what often passes for legitimate anti-spyware software. Harmless cookies are "mistakenly" listed as adware or spyware cookies so that most users have dozens of pieces of Spyware loaded onto their desktops. How else are you going to justify charging $35 per year for the software?

 

In the same way that we need best practice standards for adware/Spyware, we need best practice standards for anti-Spyware software.

 

Btw, Dan O'Connell, CPO of Weatherbug, has some interesting things to say on this subject.

 

Friday, March 11, 2005

Spam Buyers: 'Who Are These People?' DMNews - March 9, 2005  A Chapell Article

I've always been a big "Seinfeld" fan. I even remember watching his first appearance on "The Tonight Show With Johnny Carson" back in the day. One of Seinfeld's most quoted lines from his standup routine was, "Who are these people?" He'd ask that question in his signature, whiny tone before describing dozens of quirky and annoying habits exhibited by our fellow citizens.

 

Thursday, March 10, 2005

Privacy Rings True for Bell Canada Inside 1to1: Privacy - March 10, 2005 (Scroll Down)

Charles Giordano, Bell Canada's associate director of CRM strategy and privacy, is well aware that pundits might view his job title as something of a contradiction. CRM strategy folks, conventional wisdom holds, spend their time trying to get their hands on as much customer information as possible. The privacy people, on the other hand, are generally regarded as the night sentries of the customer-data world.  Giordano, however, firmly believes that marketing and privacy can coexist without invading each other's turf. "The two are not oil and water," he argues. "That my position exists shows that there are ways to make them work together."

 

The Chapell View

Good piece on my friend Charles Giordano of Bell Canada. The key nugget in this article is that Charles sits on Bell Canada's Marketing team, AND its privacy team. I've always thought that there is a particular segment of privacy professionals who have the skill set to help marketers understand how to use data to improve customer value. Charles def fits within that segment. I would challenge all privacy professionals - even those who are mostly in compliance roles - to reach out to the revenue generating side of their organization. What better way to extend your influence further into the company?

 

Wednesday, March 9, 2005

Television Ads It Up Motley Fool - March 8, 2005

Sunday was a surreal night of television viewing for me. After reading a story about how Campbell Soup (NYSE: CPB) had managed to buy the right to weave an essay contest promoting its tomato soup into a series of episodes on NBC's drama American Dreams, I probably shouldn't have been surprised at what I saw when I tuned in to Fox (NYSE: FOX) for a bit. First, it was Malcolm in the Middle pitching Applebee's (Nasdaq: APPB) as a place to meet for great food and great service. Then Arrested Development managed to get away with a pair of Google (Nasdaq: GOOG) screen shots and a favorable mention of the new Ford (NYSE: F) Mustang. While The Simpsons was clearly lampooning Wal-Mart (NYSE: WMT) when Homer Simpson started working at Sprawl-Mart, I was so cynical by this point that I almost started to question the show's own brand of cynicism.

 

The Chapell View

Warning: This paragraph may waste your time. Proceed with caution. I remember watching an episode of the Simpsons a few years ago. Homer was cast as one of the "freaks" in what was clearly a parody of the Lollapalooza concert tour. While the band Smashing Pumpkins was playing, one college-aged kid turned to the other and said, "wow, this music is cool." His friend asked, "are you being sarcastic, dude?" To which the kid replied, "I don't know anymore." Fact is, sometimes I can't tell the difference between a "Simpsons" style of parody and "the Apprentice" style of product placement. One man's satire is another man's soup commercial. And I wonder if the Simpsons' parody of "Sprawlmart", or their caricature of a shopping mall filled mostly with Starbucks might be helping the Walmart and Starbucks brands. Who knows.

 

Here's what I do know. We're already starting to reach critical mass on this whole product placement trend. I'm seeing more and more shows use product placements, and as Rick from Motley Fool asserts, it's starting to negatively impact the quality of programming - not that the quality was that high to begin with.

 

This is perhaps the fatal flaw in the advertising business. Someone comes up with a good idea for an ad vehicle, and everyone adopts it until it is beaten to death. On some level, that's what's happened to the email channel, as well as the online ad channel. And just you watch as a similar trend occurs for word of mouth and wireless messaging. It's a spiral - advertisers think of new ways to cram messages into the consumer consciousness, whilst the consumer increasingly tunes out.

 

Spyware, Adware... What to Do? ClickZ - March 6, 2005

Spyware is killing us. And maybe adware is, too. That's because most people -- even most people in the interactive marketing community -- have a hard time understanding the difference between spyware and adware. For some of us, the difference is simple: Spyware is something you never want to recommend to clients. Adware is something you're reluctant to recommend to clients, yet the lines have been blurred and continue to blur.

 

The Chapell View

Another article discussing adware and spyware from Agency guru Pete Lerma. Pete's right, there really isn't an industry accepted definition for adware or spyware or research-ware for that matter.

 

Pete also offers some best practice tips for selecting an adware partner, most of which make sense. I'm not sure that requiring adware companies to embrace a double opt-in regime is very practical, however.

 

Tuesday, March 8, 2005

F.E.C. to Consider Internet Politicking NY Times - March 6, 2005

Federal election commissioners are preparing to consider how revamped campaign finance laws apply to political activity on the Internet, including online advertising, fund-raising e-mail messages and Web logs. Anyone who decides to "set up a blog, send out mass e-mails, any kind of activity that can be done on the Internet" could be subject to Federal Election Commission regulation, Bradley A. Smith, a Republican commissioner, said in an interview posted Thursday on the technology news site Cnet.com.

 

The Chapell View

A few years ago, both major political parties "discovered" the power of email marketing. Both parties embarked upon aggressive acquisition campaigns in order to "shore up their base," communicate to the masses, etc. Unfortunately, they also succeeded in ticking off a good deal of voters, who were concerned that their email inboxes were being pelted with political emails - even worse when they were assaulted by emails from the "other" party. I wonder if the heads of both parties realized that in fact THEY were the spammers. (:

 

About a year ago, a number of political operatives - many of whom were directly responsible for ensuring the election of our current president, began using Co-reg programs to mobilize voters around certain issues. That story, while probably just as effective (if not more so given who's sitting in the White House) as Howard Dean's initiatives, received much less press.

 

With all the holes in the election finance laws, I wonder why they are even looking at the Interactive channel. It's pretty effective, but most of the money is still going into television ads, no?

 

Monday, March 7, 2005

They know what we are listening to MSNBC - March 4, 2005

If you are one of the 10 million people who have purchased an Apple iPod, you've almost certainly loaded it up with songs from your favorite CDs. And, rest assured, Gracenote Inc. knows about it. Gracenote Inc. knows almost any time a CD is "ripped" for use in a portable music player. Apple, Creative and Rio use its service, as do hundreds of software products devoted to playing and recording music CDs. Yet, few consumers know much about Gracenote.

 

The Chapell View

If Gracenote doesn't collect any personally identifiable information, I'm having trouble understanding what the harm is here. Yes, the company can tell a little bit about the CD ripper from the IP address. But that's not much different from the way an online ad server can make determinations about the user of a particular browser.

 

For a while now, I've thought that the NAI principles should be expanded to include online video games, digital recorders such as Tivo, and Cable boxes. Almost all of the profiling issues surrounding many of these devices are surprisingly similar.

 

The one issue I would take with Gracenote is for their apparent lack of transparency. A privacy professional could help this type of business find a way of communicating this kind of information to consumers without trying to freak them out. But how does one do this? Should there be (yet another) pop-up message that the user sees every time (s)he rips a CD? Perhaps, although I fear that many consumers already tune out the dialog box warnings that they currently receive. Paying lip service to the concept of consumer notice is not the same thing as providing actual notice.

 

Thursday, March 3, 2005

ChoicePoint had another ID theft case in 2002 SiliconValley.com - March 3, 2005

A newly revealed case shows that the vast commercial database of personal information at ChoicePoint Inc. was tapped by identity thieves in 2002 -- contradicting a statement by its CEO that a much more recent breach was the first of its kind. A Nigerian-born brother and sister were charged in 2002 with a scam in which they posed as legitimate businesses to set up ChoicePoint accounts and gain access to its massive database. They then made 7,000 to 10,000 inquiries on names and Social Security numbers in the database and used some of those identities to commit at least $1 million worth of fraud, Assistant U.S. Attorney Mark Krause in Los Angeles said Wednesday. Last week, after a similar case became public, ChoicePoint chief executive Derek Smith told The Associated Press in an interview that the company had never been victimized by that kind of criminal operation before. He did not mention the 2002 case.

 

The Chapell View

I'm not sure who is advising ChoicePoint, but this appears to be a pretty significant blunder. The company's CEO had indicated that the company had never been victimized by this type of operation. And it now appears that his statement was untrue. If so, the company has completely undercut their credibility as they navigate through this mess.

 

From now on, when the CEO says that ChoicePoint has the most rigorous standards in the industry, who is going to believe him? When he says that they have specific M&P's to handle fraud, how effective is anybody going to think those M&P's are? And how credible is the CEO's statement that the company has taken extra steps to ensure that this never happens again?

 

Wednesday, March 2, 2005

Calif's identity theft laws aren't enough, experts say USA Today - March 2, 2005

Despite pioneering legislation aimed at clamping down on rampant identity theft, California is a top target for thieves and was the only state last year believed to have more than 1 million victims. That unflattering distinction forced cash-strapped law enforcement officials to ask for help from politicians, businesses, consumer advocates and even victims who gathered Tuesday during the state's first identity theft summit.

 

The Chapell View

And I thought that California was doing as much or more than any other State to help fight ID theft.

 

Tuesday, March 1, 2005

'Perfect storm' for new privacy laws? Cnet - March 1, 2005

A series of security break-ins is kick-starting a political drive to reshape federal laws that dictate how companies protect personal information--and what they have to do if that data leaks out. What began with the leak of tens of thousands of records from data broker ChoicePoint earlier this month was quickly compounded by a series of rapid-fire incidents involving Bank of America, Science Applications International Corp., an online payroll services company and the T-Mobile Sidekick of hotel heiress Paris Hilton.

 

The Chapell View

A perfect storm? The Exxon Valdez? The Enron of privacy? Regardless of what you call it, the ChoicePoint affair is a mess. There is certainly a good deal of momentum right now in favor of additional privacy legislation at the national level. I wonder how many of the politicians who are calling for this legislation had purchased compiled data around election time? Similarly, how many of them have advocated enhanced security screenings? Where do they think the data that the DHS uses is coming from? Just a thought.

 

Friday, February 25, 2005

Congress to Address ID Protection Washington Post - February 24, 2005

A Senate committee will hold hearings on identity theft and information brokers following the revelation that a databank with information on millions of people was accessed by criminals, the committee chairman said Thursday. Democrats, including Sens. Patrick Leahy of Vermont, Dianne Feinstein of California and Charles Schumer of New York, have been calling for a Judiciary Committee inquiry into whether more regulation of companies such as ChoicePoint Inc. that buy and sell personal data is needed.

 

The Chapell View

The Choicepoint story continues to have legs.

It's easy to frame this as simply a case of identity theft. Yes, there's identity theft involved, but there are privacy and security implications here too. Whether or not Choicepoint did the right thing here is an open question that won't be answered until all the facts are out. Nevertheless, with large databases goes large responsibility. And culturally, American business has not yet come to terms with the impact of these databases - some of which contain massive amounts of sensitive consumer information.

 

So no - this is not just a case of identity theft. There are other implications here. First, this crime brings us one step closer to additional privacy legislation. Perhaps we'll just see Congress fixing some of the alleged loopholes in the FCRA. But this could also usher in additional legislation. For example, there are a handful of state assemblies which are introducing freeze legislation, and others which are discussing legislation similar to California's SB 1386 law. And then there's the Senate Judiciary Committee.

 

And there's another, more subtle implication that impacts many companies looking to market to consumers. So far, 145,000 people have been directly impacted by this crime. And by the end of this week, it's safe to assume that millions upon millions of people will have read about it. And all they are going to remember are large databases and identity theft. And the next time that a company asks any of these people to hand over their personal information, they just might think twice.

 

Thursday, February 24, 2005

How to Select an Adware Partner iMediaConnection - February 24, 2005  A Chapell Article

Adware is a viable option for some advertisers, but first do some independent research of best practices.

 

Wednesday, February 23, 2005

Paris Hilton's Sidekick hacked MSNBC - February 23, 2005

Racy photos of Paris Hilton again spread across the Internet Tuesday - this time accompanied by celebrity phone numbers, e-mail addresses and other information hacked from her mobile phone. The heiress to the Hilton Hotels fortune, who featured in a sexually explicit videotape posted online in 2003, has now had her star-studded contact list, personal notes and topless self-portraits from her Sidekick II "smart phone" splattered all over the Web.

 

The Chapell View

The Hilton family must be so embarrassed. Imagine, nude pix of your child thrown all over the Internet. (sigh.)

 

Ok, let's assume that this was NOT some kind of publicity stunt. The real issue is to what extent T-mobile knew about the initial breach, and whether or not the company had a duty to notify their customers that their data MIGHT be at risk. I say that at the very least, T-mobile should have urged their customers to change their password information as a precaution.

 

CA's SB 1386 notification law is looking better and better.

 

Tuesday, February 22, 2005

Europe takes lead on online privacy Techworld - February 22, 2005

Europe is leading the way on online privacy. The EU's committee on data privacy, also known as the Article 29 Working Party, issued a guidance on corporate privacy notices late last year, calling for layered, easy to read privacy statements. The move comes at a time when website privacy notices, written in obscure legalese, are doing little to reassure web users that their privacy is being adequately protected. The guidance, which is not mandatory, is beginning to take hold as companies such as Microsoft and Procter & Gamble have already rolled out revamped notices. Privacy statements are considered crucial in telling Internet users how their personal information will be used by companies. They explain whether data can be sold to third parties, for instance, and what the users' rights are in accessing or correcting data. The working party coordinated with privacy experts and corporate leaders to call for layered privacy notices in which information is presented in three tiers: short, condensed and full. Each layer should contain certain relevant information, such as the full name of the Web site controller and the purpose for processing information, and users can click through from the short notice to the full notice, depending on their level of interest.

 

The Chapell View

I'm a big fan of the EU Article 29 working party's layered approach, as well as its American cousin, the short-form privacy notice, championed by Marty Abrams, among others. The emphasis on clarity and readability enhances the likelihood that consumers might actually read them.

 

My one concern - and this applies primarily to the U.S. - is this. What happens when someone sues to enforce a right they interpreted as being part of a short and sweet privacy notice? Are courts going to look to the more complex legal language in the longer notices to make their interpretation? If the answer to that is "No", then business isn't going to feel as confident in the shorter notices. If the answer is "Yes," then it reduces the value of the short notice to the consumer.

 

Monday, February 21, 2005

Calls for federal regulation grow as data retailer scandal widens MercuryNews - February 19, 2005

When word first emerged this week that scammers had illegally obtained detailed dossiers on 35,000 people by posing as legitimate customers of ChoicePoint Inc., the data-brokering company portrayed it as a relatively minor criminal case, limited to California. But by week's end, it was shaping up to be a full-blown scandal with as many as a half million people nationwide potentially vulnerable to identity theft. Outraged, attorneys general from 38 states demanded that ChoicePoint warn any victims in their states as well, and politicians, consumer advocates and security experts called for more federal oversight of a lightly regulated industry that gathers and sells personal data about nearly every adult American.

 

The Chapell View

I'm not ready to comment on ChoicePoint's culpability at this time - although the facts speak for themselves. Here are my thoughts:

 

· Enron of Privacy? Perhaps - Many privacy experts, myself included, have predicted that there will be an organization that is critically wounded by a data privacy scandal. (Of course, some of these predictions are similar to the "the world will end tomorrow" nuts we used to see at the airports. No matter what, eventually, the prediction will come true.) We may indeed be witnessing the infancy of the privacy Enron. The saga is barely a week old, and we've got over 700 confirmed ID theft victims in one state alone, 38 State Attorneys General up in arms, as well as the involvement of the Secret Service and FBI. And we have Senators Nelson and Feinstein calling for a national version of California's SB 1386. Fortunately, while Choicepoint's initial response may not have been at light speed, the company seems to be taking steps to notify potential victims in other states. Stay tuned - this is gonna get worse before it gets better. At the very least, Choicepoint is going to be wearing the proverbial 'bulls-eye blazer' for a little while.

 

· Spotlight on Offline Privacy Issues - Historically, or at least since 1999, there's been a good deal of focus upon online data collection standards. And HIPAA and GLB notwithstanding, much of the push for new privacy legislation has focused upon online profiling. In other words, the large databases that are amassed by companies such as Experian, infoUSA and Acxiom have been able to exist with virtually zero governmental oversight. As the Choicepoint issue receives increased scrutiny, don't be surprised if these firms' data collection, privacy and security practices are questioned. If these firms are doing a good job of protecting the data they've amassed, and are able to document their practices, they'll be in good shape. If not, then we're looking at a new round of privacy and security legislation.

 

· California and Privacy - I've been openly critical of certain aspects of the California Privacy agenda. My primary reason for concern is that it makes it difficult to do business when there are too many differing standards in many of the states regarding the handling of customer data. Having said that, I'm pretty impressed with the apparent effectiveness of California's SB 1386 which requires businesses to notify CA residents in case of a privacy breach. In the past, organizations who had this type of data breach might be tempted to downplay the breach. SB 1386 requires notification of CA residents. And once the scope of an incident is known about in CA, the rest of the state citizenry will likely want to know if their data has been compromised.

 

 

Friday, February 18, 2005

'Spyware' Label Slapped on Legit Research Software ClickZ - February 18, 2005

Some anti-spyware programs zap comScore's tracking software from its own panel members' PCs, ClickZ has learned. The same programs likely pose threats to other online research firms' applications. The growing popularity of such programs has increased the churn rate in comScore's online research panel. While the research company's panel has grown from two to six million participants since 2003, churn raises uncomfortable questions about the consistency of the market research advertisers rely upon.

 

The Chapell View

I was speaking at the iMedia Summit last week on the topic of adware/spyware. In attendance were representatives from several companies that place software onto consumers' desktops. Many of these companies are trying to position themselves as NOT adware companies. Some say they are not adware because they don't use pop-up ads. Others say they are not adware because they don't engage in any form of online profiling. And research firms say they are not adware because of the altruistic and beneficial nature of market research. We're going to continue to see these firms lobby the industry to accept their definitions as gospel whilst the technological landscape continues to change at nearly light speed. There isn't a ton of cooperation amongst these firms. While most are careful not to bash each other publicly, they all seek to distinguish themselves from "the rest."

 

Many of them are also engaging each of the anti-spyware software firms in an attempt to have their product 'whitelisted.' The problem with this approach is that it attacks the symptoms without going after the disease. The real problem that needs to be addressed is the relative lack of standards for anti-spyware software. Many anti-spyware programs are overly broad in their definitions. When I run an anti-spyware software search on my desktop, and the search returns with over one hundred instances of "spyware cookies," it calls into question the accuracy of their results. And when those spyware cookies are coming from companies such as DoubleClick, Amazon, and other companies that I know and trust, I begin to suspect that many of the other items the software has red-flagged are not in fact Spyware.

 

Why is that an issue? First, it stretches the definition of 'informed consent.' In many instances, when consumers remove those cookies, as instructed by the program, they believe they are cleaning and fixing their computer. If consumers really understood the impact of removing all that information from their computer, I doubt that many of them would still go ahead and do it. It is almost as if I paid someone to clean my apartment and came home to discover that they've also removed the furniture. And to that I'd say, "That's not what I'd signed up for!"

 

The second problem is that many (and probably most) consumers have no idea how removing those cookies will impact their surfing experience. When a web surfer suddenly realizes that he needs to retype passwords (assuming he can remember them) to access his favorite news website, or when he wonders why he can no longer see any of the items he just left in his shopping cart, his online experience suffers.

 

I would strongly encourage each of those firms (the adware players, the researchware firms, and the adware hybrids) to come together to address these types of issues. Banding together may make for some strange and uncomfortable bedfellows, but if the sub-industry group can speak with one voice, they stand a much better chance of acceptance of what are very similar business models.

 

 

Thursday, February 17, 2005

House Cuts Cookies from SPY ACT Internetnews.com - February 16, 2005

With little fuss and no debate, a House subcommittee today amended an anti-spyware bill to clarify that the legislation does not cover third-party cookies. H.R. 29, the Securely Protect Yourself Against Cyber Trespass Act (SPY ACT), prohibits unfair or deceptive practices related to spyware and requires an opt-in notice and consent regime for legal software that collects personally identifiable information from consumers. The spyware practices prohibited by the legislation include phishing, keystroke logging, homepage hijacking and ads that can't be closed except by shutting down a computer. Violators could face civil penalties of up to $3 million.

 

The Chapell View

This is a very positive development. I was at the recent hearing on HR 29, and was a bit concerned by the posturing of several members of the commerce committee regarding online profiling. The original draft of HR 29 - the one that did not except third party cookies - would have been disastrous for the Internet economy.

 

Many have suggested that the real purpose of the Spy-Act was to curb the file sharing software programs that are often bundled with adware programs. I do know that the Recording and Movie Industries have lobbied hard in favor of this bill because they view file sharing as a major threat to their business. And it is no small coincidence that the bill's main sponsor is Rep. Mary Bono, wife of the late Sonny Bono, and recipient of a good chunk of royalty revenue from her late husband's music.

 

Tuesday, February 15, 2005

Claria To Launch Behavioral Targeting Network MediaPost - February 15, 2005

Claria Corp. today will announce that it intends to start a behavioral targeting service. With the new service, Claria, known as an adware provider, will send targeted ads to consumers based on their surfing activity. The service, called BehaviorLink, will build detailed--but anonymous--profiles about consumers by combining information from cookies that track behavior across a limited number of commercial Web sites with information about the surfing habits of 40 million existing subscribers gleaned from the company's ad-serving software.

 

The Chapell View

First, a comment on Claria's privacy advisory board. We're continuing to see the major adware firms differentiate themselves from the rest of the pack. Claria, the company that began this trend when they hired Reed Freeman just about a year ago, has done a fantastic job of separating themselves from their spyware past. I know Richard Purcell and Larry Ponemon very well, and have a tremendous amount of respect for their contributions to the field of privacy. Claria has certainly assembled a veritable "murderers' row" of the privacy profession. On the one hand, it seems like a lot of resources for an organization that is not large. But perhaps Claria is wise to have erred on the side of caution.

 

Claria has historically been one of the most highly visible of the adware companies, and as a result has served as a lightning rod for much of the controversy that has surrounded the adware business model. They have tremendous name recognition - for good, and for bad - within the online marketing world. As some of you may remember, the company made plans to go public - which generated a whole new level of attention on the company. So maybe one person's overkill is another's prudent planning. I, for one, am interested to see whether all of this talent and experience will equate to a significantly better reputation with advertisers.

 

Regarding BehaviorLink -- I really like the concept of an adware driven behavioral targeting network. As we all know, consumers are clamoring for more relevant ads. Claria (as well as any other adware company that chooses to launch a similar product) has a distinct advantage over the behavioral targeting networks like Tacoda and Advertising.com. The behavioral targeting firms are relatively limited in their tracking capabilities. Many of them are only able to track visitors across individual sites. Conversely, adware companies have an advantage because they can track their end users just about wherever they go online. So with a broader array of surfing data, the adware companies are better able to target their end users with more relevant ads.

 

However, lest we get too excited about BehaviorLink and other products like it, there's a catch. In order for adware companies to incorporate true behavioral targeting, they must be able to forge deals with the major web properties who are getting the lion's share of premium eyeballs. If an adware behavioral network (i.e., the sites from which an adware company can display a standard banner ad) is limited to low tier sites, then all they'll have is a nice ancillary revenue stream. However, if any adware network can include significant sites such as MSN or NYTimes, then we're talking about a major revenue stream.

 

Clearly, amongst many web publishers, there remain some bad feelings regarding the adware model. So it will be interesting to see how this works out.

 

Monday, February 14, 2005

Revise privacy law to protect public, not offenders TheStar.com - February 14, 2005

In the coming months, Industry Minister David Emerson will lead the federal government on a review of Canada's national privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Critics are likely to call for tougher enforcement measures, better reporting of decisions, and an end to the Federal Privacy Commissioner's policy that shields organizations that are the target of successful complaints.

 

The Chapell View

Professor Michael Geist advocates reforming Canada's PIPEDA law to require that organizations notify customers impacted by a privacy breach. His proposal is modeled after California's SB 1386, which was enacted about 18 months ago and is generally considered to be successful.

 

Friday, February 11, 2005

Majority Of European Consumers Worry RFID Threatens Their Privacy, Survey Says Information Week - February 9, 2005

Consumers surveyed see privacy-protection laws as way to make them feel more comfortable with buying RFID-enabled merchandise. More than half of 2,000 European consumers surveyed in a recent Capgemini study say they had privacy worries about radio-frequency identification tags. European consumers participating in the study by the business and IT consulting firm consider legislation on privacy protection as the key that would make them more likely to buy RFID-enabled products. Other factors survey respondents considered crucial: the ability to disable RFID tags at the store after purchase, a customer opt-in/opt-out choice regarding information collected via the tags, and clear labels that state the tag is RFID-enabled.

 

The Chapell View

Needless to say, there is a disconnect between consumers, retailers and technology companies regarding the benefits of RFID. According to this study, European consumers have not been well educated on the benefits of RFID. And frankly, many in Europe don't have any idea of what RFID is. Absent a clear understanding of what RFID is, and how it will benefit them, consumers are reluctant to accept the technology on the retail floor. Although the Europeans have historically been more willing than the Americans to look to legislation to salve their privacy related fears, I believe this is changing. Increasingly sensitive regarding data sharing, and suspicious that data isn't really benefiting their lives, U.S. consumers are also looking to their elected officials to sort things out on their behalf.

 

Thursday, February 10, 2005

Privacy-Assurance Seal Yanked Off Web Site - Washington Post - February 9, 2005

TRUSTe, the business community's guarantor of Internet privacy, abruptly ended on Wednesday its relationship with the company operating FreeiPods.com and other Web sites, alleging unspecified violations of privacy promises to consumers. TRUSTe said Gratis Internet LLC of Washington no longer could display on any of its Internet properties the industry's broadly recognized seal intended to assure consumers that a Web site complies with privacy-protection guidelines.

 

The Chapell View

Sad to say, but there almost HAS to be an organization that gets kicked out every once in a while. Otherwise, some folks may begin to assume that TRUSTe isn't effectively policing its seal holders. "If every website is in full compliance, maybe their standards are not stringent enough," or so the argument goes.

 

I'm a big fan of TRUSTe. I think they do a great job over there. Having said that, TRUSTe (and BBB Online for that matter) had a reputation for being overly lenient back in the late 1990's. And that reputation hurt the organization's credibility, and the effectiveness of the seal. It's definitely been a while since a seal holder was ousted from the program. I'm not privy to any of the facts behind this decision, but in sort of an odd way, I'm glad to see this happen. If I were a TRUSTe seal holder, I'd feel just a little bit better about the value of my seal right about now.

 

Some of the advocates have complained that they want additional information outlining the precise reasons for the dismissal, and TRUSTe is naturally unwilling to release that information. It will be interesting to see whether the advocates' concerns gain any traction.

 

Tuesday, February 8, 2005

Attorney General Wants DNA Of Criminals, Arrestees TheHawaiiChannel.com - February 8, 2005

The Attorney General wants Hawaii to have a law just like California's to require DNA testing of all convicted felons and persons arrested for felonies, even juveniles. The measure is generating a lot of opposition from defense attorneys and civil libertarians. Hawaii currently requires blood samples of DNA only from sex offenders and killers. The Attorney General wants Hawaii's DNA database expanded using implements to gather saliva samples.

 

The Chapell View

Requiring a convicted felon to relinquish some privacy rights is one thing. Requiring someone who is merely suspected of having committed a crime to permanently relinquish his right to privacy is another thing entirely.  Bad, Bad idea.

 

Monday, February 7, 2005

Security issues swamp RFID Techworld - February 7, 2004

Radio frequency identification is a part of the present and may well be a major part of our future. This situation is, at best, a mixed bag (see Wal-Mart's RFID plans will fail, and RFID doesn't work - so live with it!). It would not be quite so bad if vendors of RFID products and companies that say they want to use them better understood security and privacy. For those of you who have been cave dwellers over the last few years, RFIDs are small electronic devices, normally with no battery or power supply, that can interact wirelessly to identify themselves to a scanner. The best-known examples are the very simple devices that companies such as Wal-Mart are asking suppliers to put on pallets of goods and that drug companies are beginning to attach to containers in the distribution chain. These RFIDs are basically wireless bar codes that respond with a unique serial number when queried by a wireless scanner. Companies with large database infrastructures, like Wal-Mart, can keep track of where individual cartons of goods are in their supply chain or, someday far too soon, what individual products are in a shopper's physical cart.

 

The Chapell View

A good article on RFID and the challenges of encryption - or lack thereof. How long before item level RFID tags are synonymous with Spyware in the consumer mindset? There are too many security issues behind most of the RFID deployments recently. So, despite the fact that many consumers are happily using EZ-pass to help them get through the toll booth more quickly, item level tagging will have a hard time receiving consumer buy-in without the security gaffes.

 

Thursday, February 3, 2005

ID theft again tops list of FTC complaints MSNBC - February 1, 2005

For the fifth year in a row, identity theft topped the Federal Trade Commission's list of most-reported frauds, the agency announced Tuesday. The number of complaints about ID theft jumped 15 percent from the previous year, the agency said -- and represent about 40 percent of all complaints. Some 250,000 consumers complained to the agency about ID theft last year, up from 215,000 in 2003.

 

The Chapell View

Some of the data from this report is in contrast to the report released last week by BBBOnline and Javelin Research. And I believe that the Ponemon Institute weighed in on this issue towards the end of last year. Tomorrow, I'll look to make sense of all this.

 

Editor's note: OK, I never got around to commenting further on this. If you want more information on ID theft, take a look at Bob Sullivan's book, Evil Twin. I've read the summary, and it sounds very interesting...

 

Wednesday, February 2, 2005

Tesco 'spychips' anger consumers BBC News - January 26, 2005

A US consumer privacy group has called for a global boycott of Tesco stores over the company's trial of Radio Frequency Identification (RFID) chips. The technology allows products to be tracked via radio waves. Privacy groups have labelled them "spy chips" because they fear the tags attached to products can be used to track the behaviour of customers. But Tesco said the tags, being trialled on high value items in 10 stores, were only to help its distribution process.

 

The Chapell View

I was moderating a group discussion of privacy professionals at a luncheon this afternoon. One of the questions raised by the group was: What is the total impact of a privacy snafu? How do we measure brand devaluation? How can one quantify consumer resentment? All good questions indeed. Here's an example of a consumer group that is exercising a boycott in response to a company's privacy practices - or at least they are attempting to. Whether the effectiveness of this protest is closer to Berkeley in '68, or UConn in '98 remains to be seen. (btw, the UConn kids, of which I am one, tend to skew a bit apathetic.)

 

One other observation. Retailers who employ RFID need to stop telling us that the tags won't be read outside the store. First of all, nobody's buying it - a by-product of low consumer trust, perhaps. Second of all, even if the tags can't be read from a distance at the present time, surely, that will change. Within the foreseeable future, someone will figure out how to read these tags from 30 feet away. And if there isn't some kind of encryption embedded into these chips, then RFID is ripe for abuse.

 

Without some significant safeguards, RFID should remain a tool of the back office supply chain.

 

Monday, January 31, 2005

Fireman attempted to set fire to house, charges say Seattle Times - October 7, 2004

A 25-year veteran of the Tukwila Fire Department was charged yesterday with attempting to set fire to his home in Mountlake Terrace while his family was inside. Prosecutors claim that Lt. Philip Lyons, 48, on Aug. 10 set fire to a cardboard box beneath a bay window outside his home on 72nd Place West while his wife and three children were inside.

 

Information in this article, originally published October 6, was corrected October 7. A previous version of this story on Tukwila firefighter Lt. Philip Lyons being charged with first-degree attempted arson incorrectly stated that police reports indicated he had used his Safeway Club Card to purchase 16 fire-starters between June and August. Lyons had actually purchased only one fire-starter during that time, according to charging papers. The police report indicated that 16 fire-starters were purchased by all customers at the Safeway store where Lyons purchased his fire-starter between June and August.

 

The Chapell View

Thanks to Adam over at Emergent Chaos for posting the link to this story. How and why was Lt. Lyons' purchase information from Safeway disclosed?

 

Friday, January 28, 2005

Online Yellow Pages take you on virtual stroll USA Today - January 26, 2005

Internet retailer Amazon late Wednesday introduced a new way of finding local business information online with pictures. Like search engines Google and Yahoo, Amazon's A9 search engine gives users text and map results, but with a twist: A9 has added 20 million thumbnail pictures of storefronts to its new business directory. "You may not remember the exact name of the sushi restaurant you liked, but you remember what the storefront looked like," says A9 CEO Udi Manber.

 

The Chapell View

I'm sure there will be those who have privacy issues with A9's Yellow Page offering. Many of the pictures of the storefronts and streets were taken at busy times, and thus have dozens of people included in the pictures. And the faces of many of these people are clearly visible in the pictures.

 

Perhaps it's a sign of the times - that there really isn't an expectation of privacy when you're out in public. The television cameras will often zoom in on unsuspecting fans at sporting events. And every morning when I watch my local news show, I almost always see people walking by as the weatherman reads today's forecast.

 

If you'd like to know where I draw the line - it would be at the public security cameras in towns such as Manalapan, FL. These cameras take pictures of cars as they drive through town, and record your license plate number, time, date, and location. Much of this information winds up in law enforcement databases. I would hate to be the "out-of-towner" who happened to drive through Manalapan on a day that someone's house was robbed.

 

But what's happening here is nowhere near as intrusive. Also, Amazon is generally well regarded (and well trusted) for using data to enhance the customer experience, and this program is no exception. I like the ability to take a look at a restaurant or shop before I go there, and I think others will take comfort in that ability, to some extent. I'd like for A9 to add some additional functionality such as driving directions, and a texting option like the one offered by www.dodgeball.com.

 

Offline ID crimes still more severe CNET - January 26, 2005

Though identity theft using the Internet seems to get all the attention, most of the financial loss linked to fraud is still from offline crime, a new study shows. Losses related to an average case of Internet-initiated fraud were $551, compared to $4,543 lost from fraud tracked back to paper statements, according to the 2005 Identity Fraud Survey conducted by the Better Business Bureau and Javelin Strategy & Research. The survey, which follows an earlier study carried out by the Federal Trade Commission in 2003, indicated that Internet-related crimes are actually less severe, less costly and not as widespread as previously thought.

 

The Chapell View

I had lunch with Gary Laden over at BBBOnline last week, and Gary gave me some background on this study. There are some very interesting findings. For example:

 

· Online privacy and security issues - I was surprised to read that less than 12% of the identity theft cases had to do with computer crime. Perhaps the Internet isn't all that dangerous after all.

 

· Spyware - I was at the recent HR29 hearing in DC. A number of Representatives said (with authority) that there was a significant connection between Spyware, keystroke logging and ID theft. Of course, these were probably the same folks who insisted that there was a correlation between Saddam and weapons of mass destruction. Anyway, this study would seem to strongly contradict that - given that only 5.2% of the respondents had their identity stolen using Spyware.

 

Thursday, January 27, 2005

Spyware: IT's public enemy No. 1 ZDNet - January 20, 2005

What's the biggest threat to business networks in 2005? Front-line IT managers and security firms increasingly peg spyware as public enemy No. 1. "We now often scan for spyware before we check for viruses" -- Dave Higgins, Saturn Electronics & Engineering. At Saturn Electronics & Engineering, a Detroit-based provider of manufacturing outsourcing services, the problems began last summer. The company's 500 users noticed that Web browsing was sometimes slow. Very slow. IT Manager Dave Higgins suspected virus activity, but manual virus scans turned up nothing. He then scoured the machines with Lavasoft's Ad-Aware and found the culprit: spyware. Once removed, the systems returned to normal operation.

 

The Chapell View

Seems like most people (IT pros, consumers, legislators, etc.) have a hard time defining spyware. Most are either unable or unwilling to make a distinction between adware publishers (such as WhenU and Claria) and the much more nefarious purveyors of spyware. The adware players have a long way to go in terms of differentiating themselves from spyware.

 

Btw, I was at the HR 29 hearing yesterday. More on that later today or tomorrow.

 

Wednesday, January 26, 2005

US clothes firm comes clean on RFID plans Silicon.com - January 25, 2005

US clothing manufacturer Abercrombie & Fitch has finally admitted it is using RFID. Last year, clothing labels belonging to the preppy clothing favorite - with the shop name blacked out but the company's logo still visible - were found at an RFID trade show. At the time, representatives from the company displaying the tags, Checkpoint, said they were for display purposes only and Abercrombie & Fitch representatives said they could neither confirm nor deny the clothing company's involvement with the technology.

 

The Chapell View

Seems like the people at A&F are in way over their heads regarding positioning RFID to the public. When you make public statements such as, "We already gave our privacy away," and "We can't even get the stupid thing to work," you're going to have trouble getting consumer buy-in. Tell us why RFID will ultimately help consumers. Tell us why the privacy concerns are unfounded. And for goodness sake, provide analogous examples without telling consumers that they have no privacy anyway, and should just get over it.

 

Tuesday, January 25, 2005

Employees Don't Want 'Big Brother' Watching Them for the Wrong Reasons Yahoo Finance - January 18, 2005

Technology allows organizations to easily monitor employee activities at work but employees believe that management is watching over them for the wrong reasons, according to the 2005 Workplace Privacy Survey of 336 HR professionals and 520 employees released today by the Society for Human Resource Management (SHRM) and CareerJournal.com. The survey found that employees think the motivations behind monitoring at work are to check employee productivity levels and job performance, and because management does not trust employees. However, according to HR professionals, the reasons organizations monitor employee behavior is to prevent computer viruses, hackers and others from interfering with business operations, and to protect the organization's proprietary information.

 

The Chapell View

I'd be curious to take a deeper look at the survey. What kind of companies were surveyed? Were they primarily white collar? Primarily people who work desk jobs and use computers, IM, and other apps?

 

The reason I'm wondering is that there are plenty of firms using GPS to track drivers. And clearly, in these instances at least, the reason that workers are being tracked is to ensure that they are doing the right thing. I have some issues with that type of tracking because it would seem to stifle the workers' creative abilities to solve problems...

 

But more to the point - it's important to recognize that corporations are spending millions of dollars trying to keep viruses and other nefarious actors from harming their IT infrastructure. So it is certainly a significant problem for employers. Sometimes, there are ways to ensure that employees don't download viruses (by restricting internet access, for example) or misuse customer data or company IP (by establishing data governance programs) that don't necessitate the use of outright employee monitoring and tracking.

 

If an employer does need to monitor employee behavior (as is commonplace in the FS world, for example), then they need to be crystal clear with employees regarding what actions are being monitored, what the boundaries are for employee conduct, how long monitoring data will be kept, how it will be used, etc. Also, they should give a plausible reason for the monitoring: Is it a productivity issue? Is it to prevent viruses and hacker attacks? Does it prevent a business partner from reneging on a verbal agreement? The more clarity that the employer is able to provide the employees, the easier it will be for the employer to obtain a basic level of buy-in (not to mention trust) from the employee.

 

Thursday, January 20, 2005

Spammed man sued by alleged spammer wants cash Silicon.com - January 18, 2005

A man who claims he has been receiving unsolicited emails from a US company for two years is now being sued by them, for branding them spammers and reporting their actions to ISPs. Jay Stuler is now on the receiving end of a lawsuit from New Hampshire firm Atriks, which alleges Stuler caused financial harm to the firm and caused it to lose contracts. The suit also states that Stuler had been making defamatory statements, including calling CEO Brian Haberstroh a "criminal" and the company "a notorious spam gang", which the suit denies.

 

The Chapell View

I've taken a quick look at the Writ of Summons filed in this case. Atriks is suing Mr. Stuler for Defamation and Tortious Interference of Contract for allegedly complaining to Atriks' ISP and getting the ISP to turn off service to Atriks. On its face, it seems like Atriks is displaying a bit of moxie for filing this suit, but it's difficult to draw too many conclusions until the facts are out.

 

I'd be curious to find out how many people have sent a donation to his legal aid fund.

 

Wednesday, January 19, 2005

Value of Message is Key for Consumers iMediaConnection - January 19, 2005 (A Chapell Article)

New research from the Ponemon Institute reveals consumer attitudes towards permission and privacy.

 

Monday, January 17, 2005

Brave New Era for Privacy Fight  Wired - January 13, 2005

As the nation prepares for President Bush's inauguration next week, privacy activists on both sides of the political spectrum are bracing for a White House push to augment controversial domestic surveillance powers gained under the Patriot Act and other legislation passed since 9/11. "The administration has made it clear that they do intend to continue their move to dramatically reduce privacy and constitutional protection for our citizens," said former Republican congressman Bob Barr, who now works as a speaker and consultant to organizations like the American Civil Liberties Union.

 

The Chapell View

There are a lot of things that are cause for alarm in the privacy world. This article provides a good summary. A few thoughts:

 

· Large Databases - The article outlines the way that Government contracts with large data companies such as Acxiom and Experian on data mining projects. I think the problem goes well beyond what the Government is doing. Regardless of who's using them, large databases are potential weapons of mass destruction. The more data that is linked together, the more dangerous they become. I'll acknowledge that linked data can be very valuable if used appropriately. So I'm NOT saying that we need to outlaw these large-scale databases - but we DO need to place some limits on them. We need to start developing some industry-wide, platform agnostic principles for the use and collection of data in the U.S. We're still in the wild, Wild West in terms of data collection standards, while consumers are still in the dark ages in terms of their awareness. To beat this dead horse of a metaphor even more, I'd say that the technology is way ahead and moving at twice the speed.

 

· The DNA Fingerprint, Unsolved Crime and Innocence Protection Act - Brought to you by our good friends from California, this relatively new law has some severe implications - particularly if, as expected, it is copied by other states. The law allows for DNA samples to be taken from convicted felons. Now, I understand that convicted felons are stripped of certain citizenship rights. And despite the fact that I (somewhat naively) think back to the days when a felon could walk out of prison with a clean slate... err... if that time ever really existed outside of Andy Griffith and My Three Sons reruns.

 

Anyway, you can certainly make a case that convicted felons have a lowered expectation of privacy. However, I am extremely concerned when DNA samples are taken from the perpetrators of misdemeanors, or worse - from people who are simply arrested for committing a crime.

 

1984? Gattaca? Minority Report? We are there, my friends.

 

Friday, January 14, 2005

To Try to Net Killer, Police Ask a Small Town's Men for DNA NY Times - January 10, 2005

In an unusual last-ditch move to find clues to the three-year-old killing of a freelance fashion writer, police investigators are trying to get DNA samples from every man in this Cape Cod hamlet, all 790 or so, or as many as will agree. Raising concerns among civil libertarians and prompting both resistance and support from men in Truro, the state and local police began collecting the genetic samples last week, visiting delicatessens, the post office and even the town dump to politely ask men to cooperate. Legal experts said the sweeping approach had been used only in limited instances before in the United States - although it is more widely used in Europe - and in at least one of those cases it prompted a lawsuit. Sgt. David Perry of the Truro Police Department and other law enforcement authorities here say that the program is voluntary but that they will pay close attention to those who refuse to provide DNA. "We're trying to find that person who has something to hide," Sergeant Perry said.

 

The Chapell View

"Probable cause? We don't need no stinking probable cause!"

 

With all due respect to this poor woman, and her even more unfortunate daughter, we may need to accept the fact that not every crime is solvable. If we're not willing, as a society, to make that concession, then I guess it is entirely reasonable to hunt down almost 800 innocent men and harass them into providing a DNA sample. Perhaps it makes sense to place any man under suspicion simply because he refuses to provide his DNA. Even more troubling is the possibility that the person whose DNA was inside this woman may very well have had nothing to do with the crime. But rest assured, that won't matter to the hundreds of police, FBI, press, and other onlookers who will descend upon this town like the proverbial locusts. All those good people who just want to get a glimpse of the person who 'may' be the murderer.

 

You're right. I can't understand why ANYONE wouldn't want to provide his DNA.

 

Wednesday, January 12, 2005

Ponemon: Consumers Willing To Cede Privacy MediaDailyNews - January 11, 2005

The vast majority of online consumers--89 percent--say they approve of marketers they trust sharing personal customer information without advance permission, if it leads to improved quality of services or products, according to a report the Ponemon Institute plans to release today. But one in five Web users think marketers should get permission before sharing personal information about consumers, if the marketers' goal is tracking purchases in order to influence buying decisions, according to the study, sponsored by Boston, Mass.-based Internet marketing firm Dotomi.

 

The Chapell View

In the interest of full disclosure, I'm a big fan of Larry's work, and I consider him a friend. I'm a research fellow on the Ponemon RIM council, which helped put together the questions for this study, and I conducted a similar study of consumer perceptions last year with Larry and Revenue Science. There's some great information to be culled from this study, and not necessarily the stuff you'll read in the online media. For example:

 

· Consumers mean it when they opt-out of your marketing programs... sort of - According to the study, most consumers wouldn't mind being contacted by an online merchant - even after they've specifically opted out of the merchant's marketing programs. In fact, nearly all (92%) of the respondents indicated a willingness to receive post opt-out marketing messages "If the new product or promotion would be of great value to me based on my past purchasing habits." The net/net of that statement is that consumers are overwhelmingly accepting of marketing messages that are relevant to their interests, and are looking for marketers to use their data intelligently to increase relevance. Consumers don't mind getting marketing messages, but they don't want to be deluged by them.

 

·         Personalized messaging is not necessarily the same thing as relevant messaging - The Ponemon study notes that understanding customer interests is a far better way for a marketer to demonstrate that they value a customer's business than simply sending personalized messages. In fact, over twice as many respondents indicated that understanding interests (56%) is a key way for companies to demonstrate that they value a customer's business. Only 25% of respondents felt the same way about personalization. Permission marketers are wise to take this lesson to heart.

 

The email marketing space is rife with examples. Email marketers like to pull customer name and some basic preference data from their database, and use that to personalize a message to the email recipient. While I certainly don't think that's a bad thing, the real trick is to take personalization to a much higher level. Using data so you know to send me the red banner instead of the blue banner is nice. Using data to help you understand that I'd be interested in the new Flaming Lips album is better.

 

·         The Consumer really does want control of this relationship - 84% of respondents indicated that having direct control over the types and frequency of Internet ads sent by online merchants would be preferred. Over half (56%) indicated that the ability to exercise control is a way for web merchants to demonstrate that they value the consumer's business. I strongly believe that in the not-so-distant future, smart marketers will provide a preferences page for their customers similar in nature to many email preference pages that you see today. The new preference pages will offer consumers a much more granular level of choice regarding how often they receive marketing and other outreach messages. Moreover, consumers will be offered a choice regarding which channels they'd prefer that the marketer use. Perhaps the customer would rather be contacted via text message, or email, or RSS, or TiVo, or phone, or postal mail, or via something else that comes down the pike in the next year or two. Part of the problem today is that there are too many messages trying to get through too many pipelines. Companies that are able to offer a simple way for their customers to exercise control of the preference marketing process will be in a good position.

 

·         Consumers worry less about their privacy when they feel there's a value exchange - Let's face it, folks. Consumers tend to be a fickle lot. They want the power of the SUV, but they don't want to pay for the gas. They want the $250 million infielder, but they don't want to pay $9 for the stadium hot dog. And they want to receive ads that are relevant to them, but they are skittish about having their behaviors tracked across the web.

 

According to the Ponemon Study, only 20% of respondents (the lowest number) would let a marketer share information in order to track their buying behavior and project future buying decisions. Conversely, many more respondents (71%) would be willing to let that same marketer share information if that helps to better understand what they as customers want. And nearly all respondents (89%) would be willing to let that marketer share their data if it would improve the quality of the products or services that the consumer would receive.

 

Why are consumers unwilling to have their buying habits shared, but willing to allow marketers to share their preference data? My sense is that consumers are generally more willing to share their data if they believe that a marketer will use that data to directly benefit them. If they are certain that a marketer can be trusted to handle their data with care, AND to use that data to benefit them in some way, consumers will be much more willing to share that data. Having said that, I think this is an area that definitely merits some additional research.

 

Tuesday, January 11, 2005

We're From Washington, and We're Here to Help - Spyware Legislation Is Coming MediaDailyNews - January 11, 2005

If your organization cares about the future of eCommerce and/or interactive advertising, make sure you or someone on your team is watching what's going on here in your nation's capital. In case you missed it, Congressman Joe Barton of Texas introduced last week HR 29 which looks to be a strong signal of what Spyware legislation will look like. And while there is time to work through its ins and outs, most experts think some law will be passed this year.

 

The Chapell View

A very good piece laying out many of the issues pertaining to the re-introduction of the Spy-Act. I just can't imagine that the final bill is not going to exempt third-party cookies. If they are not, the economic impact would be devastating.

 

Monday, January 10, 2005

eBay takes on phishers with email service ZDNet UK - January 5, 2005

eBay has moved to squelch spoofed email bearing its name by introducing a private mail service. In recent weeks, the online auctioneer introduced My Messages, a free, personalised in-box for eBay customers that contains communications only sent from eBay. That way, members can be sure to avoid spam in disguise or phishing scams designed to lure people to a fake eBay Web site in order to capture credit card numbers or other personal information.

 

The Chapell View

While I recognize that spoofed emails are a significant problem for eBay, I'm not sure that this is the right approach. I suppose that fervent eBay users won't mind checking into their eBay My Messages account on a regular basis. But the more casual eBay users are not going to log into My Messages as frequently, so they are likely to miss out on many time-sensitive messages.

 

Also, what happens if/when retailers and financial institutions follow eBay's lead and set up their own email systems? How does that impact the consumer? I personally have relationships with my bank, a couple of credit card companies, and a whole bunch of online retailers. If they rely on me to log onto their systems in order to receive their marketing and other messages, it'll be months before I get around to looking at those messages.

 

For example, if I have to actually go in and log into my credit card company's email system in order to receive my statement and payment notification email alerts, it pretty much destroys the convenience of getting the alerts in the first place, doesn't it?

 

eBay has historically been a savvy company, and I know that they've been hard hit by spoofing, but I think this decision could cost them in the long run.

 

2005 Privacy & Marketing Predictions iMediaConnection - January 10, 2005    A Chapell Article

Regular contributor Alan Chapell weighs in with his take on what's coming in 2005 for adware, user-generated content, HR 2929, email marketing and more.

 

Thursday, January 06, 2005

Bosses keep sharp eye on mobile workers via GPS USA Today - January 3, 2005

Ciro Viento commands a platoon of 110 garbage trucks, so when a caller complained after seeing one of the blue and white trash tanks speeding down Route 22, Viento didn't know which driver to blame. Until he checked his computer.  With a few taps on the keyboard, Viento zeroed in on the driver of one particular front-loader which, the screen showed, had been on that very road at 7:22 a.m., doing 51 miles per hour in a zone restricted to 35. Gotcha. More employers are adopting technology like the system used by Viento's company. As they do, many workers who have long enjoyed the freedom of the road are rankling over the boss' newfound power to watch their every move via satellite.

 

The Chapell View

My first job out of college was working at a MailBoxes Etc. (Now called the UPS store.) We had a regular UPS guy, Joe, who came to the store just about every night to pick up the day's packages. Joe was a bit older, maybe in his 50's, and had been with the company for at least 25 years. I remember that he was a pretty cool guy. Almost every night, we'd chat about something or other. And I got the impression that he did the same with all of his customers. One day I asked him how he was able to spend/waste so much time with his customers each day. Joe mentioned that he really enjoyed chatting with people, and that he would usually give up all or part of his lunch hour on days where he spent too much time talking. If Joe's movements had been tracked with GPS, he would not have been able to take the time to mingle with his customers.

 

The problem with all of these tracking devices is that they dehumanize the work that people do. You gain certain efficiencies, and you are more likely to catch the employees who aren't doing the right thing, but you lose any willingness (or ability) for those employees to take ownership of their jobs. They stop thinking of new and better ways to do those jobs because there's no incentive (i.e., ten minutes extra at lunch) for them to do so. Moreover, there's the potential problem of abuse of these tracking powers.

 

Wednesday, January 05, 2005

Cell industry pushes toward directory AZCentral - December 25, 2005

At a time when millions of Americans have become more concerned about privacy, cellphone companies are pushing ahead with a plan to put customers' numbers in a wireless directory. The industry will begin laying the groundwork to integrate wireless numbers into the existing 411 directory assistance service in January. By spring, most wireless-phone companies will start asking customers if they want their number listed. Most customers are likely to say no, according to surveys.

 

The Chapell View

More info on the wireless directory. According to a TNS and TRUSTe survey, only 11% of consumers would volunteer to list their cell # in the directory. Why move forward with a project that your customers clearly don't want?

 

Monday, January 03, 2005

Real User Recognizes a New Take on Security Washington Post - January 3, 2005

Jim Melonas wants you to forget the dozen passwords you use to log in to your employer's computer systems and applications, your online banking account and your e-mail, and concentrate on remembering that attractive face in the top right corner. Melonas is executive vice president of Real User Corp., an Annapolis company that has created a "cognometric" user verification system called Passfaces that relies on the ability to recognize familiar faces. The system can be used with or instead of traditional password systems based on numbers and letters.

 

The Chapell View

One of my predictions for 2005 is that we're going to start moving away from passwords, and start moving towards other forms of user identification and verification.

 

I like Real User's basic premise. This could work. The way I see it, there are TWO problems with most approaches to user verification systems. The first problem is that it's been a challenge to develop a system that is easy for people to use, relatively inexpensive and secure.

 

Most of the other authentication systems seem pretty expensive, although costs for biometrics are certainly coming down. Passwords are fairly easy, and certainly inexpensive, but are not always secure. Passwords are problematic because people often insist on writing their password down on a sticky pad next to their computer, or else they name their password after their first-born child, or something else that's pretty easy to guess. Conversely, the Real User platform only requires that the user be able to remember a number of faces. I'm pretty good at recognizing faces, and I'll take their word that most people wouldn't have too many problems either.

 

The second problem with user verification is that one generally has to verify their identification with multiple entities. For example, I have a separate string of passwords for my bank, to access my email program, and for the websites I patronize. And I'm supposed to have a separate password for each in order to maintain my security. So somebody needs to invent a universal identifier so that I only need to verify and authenticate my identity once per session. I glanced through one of Real User's white papers, which suggests that their platform could work across multiple sites and/or platforms.

 

Will Real User be the company to break through? I think it's a bit too early to tell. But so far, I like what I see.

 

 

 

 

© 2004 by Alan Chapell & Associates LLC