
Chapell Blog: The Chapell view on privacy issues of the day.


Friday, July 1, 2005

Cable's Big Bet On Hyper-Targeting  BusinessWeek - June 29, 2005

Time Warner will test new software that sends different ads to different viewers. Imagine the scene. You're relaxing at home, engrossed in the flickering images on your big-screen TV. Ahhh, nothing like really great programming. Except in this case, it's not a show that's got your attention; it's a 30-second commercial.

 

The Chapell View                              

You really know that behavioral targeting has hit the mainstream when the cable and television people start to use it. I’m a big fan of any technology that promises to increase the relevance of advertising IF it does so in a privacy neutral way. Of course, that’s a big IF. In the context of the Internet, behavioral targeting is generally conducted in a way that is privacy safe. The online folks have learned from the sins of the past, and (thanks to my friend Trevor Hughes and the NAI) have developed a set of principles and best practice standards for online profiling.

 

As I think about using behavioral targeting in the context of cable and network television, a few questions come to mind. For example, how will the cable companies notify their subscribers about this type of program? Will TV viewers have the ability to opt-out from this type of profiling? How is this information stored? Will viewing habits be combined in some way with other offline demographic information – for example, the billing address of the cable subscriber? If a cable subscriber also subscribes to the cable company’s ISP and phone service, will any of that information be used to augment the targeting database? Ad relevance is wonderful, but if these questions are not adequately addressed on the front end, the burgeoning set-top behavioral industry will be set back several years via consumer backlash, advocacy and perhaps new legislation. This type of targeting was not really envisioned by the drafters of the Cable Television Consumer Protection and Competition Act of 1992.

 

In many respects, set-top box behavioral targeting is similar to online behavioral targeting, and will need to address many of the same issues. I’d like to see the NAI Principles expanded to incorporate this and other new vehicles for behavioral targeting.

 

Thursday, June 30, 2005

Grokster: Get Over It  Mediapost - June 30, 2005

BY NOW, EVERYONE IN THE industry knows that the United States Supreme Court ruled earlier this week that file-sharing services could be held liable for copyright infringement by consumers using their services. This is big. It means that companies can no longer operate such services without assuming some liability for how they are used. Many in our industry are disappointed by the decision, concerned that holding the creators of technology liable for any one of a myriad of uses will discourage innovation.

 

The Chapell View                              

I have a tremendous amount of respect for Dave Morgan and Tacoda – sharp guy, great company. Dave revealed a number of his personal and professional biases – except for one. I dunno, maybe he thought it was too obvious to bother mentioning.

 

Tacoda is in direct competition with many of the Adware companies that bundle their software alongside file sharing programs. In other words, the Tacoda network is in many instances vying for the same ad dollars as the Adware companies. And this competition is only going to intensify if/when other Adware players move towards Behaviorlink (behavioral network) type networks. To the extent that Adware company distribution efforts are hurt by the Grokster decision, Tacoda may enjoy a relatively better position in the marketplace.

 

I’m not here to take Dave to task for this – just to make a larger point. One of the most interesting and exciting aspects about the whole Adware / online profiling / behavioral targeting debate is that each group is morally convinced that they are in the right. And it just so happens, that their definition of what’s right seems to line up in near-perfect symmetry with the business goals of their respective companies.

 

Perhaps this is why our friends at Microsoft can simultaneously (and with a straight face, I might add) offer THAT operating system, develop an anti-spyware software program AND contemplate the purchase of Claria. (As an aside, I can remember an episode of the old Batman TV series where the Penguin poisoned the water supply and then tried to charge people for the antidote. Talk about reality imitating art – of course, that assumes you define the Batman series as “art.”)

                                

Thomas Jefferson believed that factions were a good thing for society because they diffused the power of the elite. I wonder if this is what he had in mind?  (:

 

And just for the record - I have and continue to work with some of Tacoda’s competitors, including some in the Adware space.

 

Tuesday, June 28, 2005

Equifax CEO says no easy answers for identity theft  MercuryNews - June 28, 2005

The public's fear of identity theft has led to big profits for Atlanta-based credit-reporting agency Equifax Inc., but the company's outgoing CEO said Monday that he worries whether concerns over data security could eventually stifle consumer spending. "It's an epidemic that worries me to death," said Thomas Chapman, chairman and CEO of Equifax, one of the nation's top three credit-reporting companies, following a speech to about 50 people in attendance at the Commonwealth Club of California, a public affairs forum.

 

The Chapell View                              

Daddy, where does ID theft come from? I’ve read many articles that outline the connection between ID theft and Spyware, keystroke logging, and other nefarious creatures of the online universe. I’ve also read about the 100 million consumer records that have been breached over the past nine months, and their connection to ID theft. I ALSO looked at the study conducted earlier this year by BBBOnline, which indicated that most ID theft was perpetrated by people who know the victim.

 

My question – does anyone know what the leading cause of ID theft is? Seems to me, that if we want to know how to stop it (or at least do a better job of protecting ourselves from it) we should have a more complete answer to that question.

 

Friday, June 24, 2005

Only YOU Can Prevent … Privacy Concerns?  iMediaConnection - June 23, 2005 (A Chapell Article)

At OMMA-West in San Francisco on June 6th, I heard Bob Garfield opine on the future of advertising. For those of you who didn’t attend Garfield's discussion, he looked 20 years into the future towards a world which, in many ways, resembles that of George Jetson's. In the era of the Jetsons, advertisers will be able to know what consumers want and when they want it. In the era of the Jetsons, advertising won’t be intrusive to consumers, and all consumer privacy issues will be adequately addressed. It will be a wonderful, Utopian society.

 

The only trouble is -- we’re not there yet.

 

Thursday, June 23, 2005

Pentagon Creating Student Database  Washington Post - June 23, 2005

The Defense Department began working yesterday with a private marketing firm to create a database of high school students ages 16 to 18 and all college students to help the military identify potential recruits in a time of dwindling enlistment in some branches. The program is provoking a furor among privacy advocates. The new database will include personal information including birth dates, Social Security numbers, e-mail addresses, grade-point averages, ethnicity and what subjects the students are studying.

 

The Chapell View                              

As the U.S. Government increasingly turns to the private sector as a means to circumvent the spirit of the Privacy Act, it’s difficult to avoid feeling somewhat helpless. While I recognize that the cultural and political pendulum swings to the far right these days, I’d like to think that much of the progress made during the 1960’s & early 70’s isn’t going to vanish in the proverbial haze of post 9-11 America. But little by little, our nation is heading towards a type of surveillance society that was unimaginable even ten years ago.

 

Tuesday, June 21, 2005

Gov't Collected Data on Airline Passengers  NY Times - June 22, 2005

Air travelers who have been concerned about the government collecting their personal information from airlines now have a second source to worry about: commercial data aggregators. The federal agency in charge of aviation security revealed that it bought and is storing commercial data about some passengers -- even though officials said they wouldn't do it and Congress told them not to. The Transportation Security Administration is testing a terrorist screening program called Secure Flight that uses information about U.S. citizens who flew on commercial airlines in June 2004. ''This is like a secret file that's been compiled,'' said Tim Sparapani, a privacy lawyer with the American Civil Liberties Union. The TSA hopes that successful testing of Secure Flight will allow it to take over from the airlines the responsibility for checking passenger names against terrorist watch lists. But Secure Flight and its predecessor, CAPPS II, have been criticized for secretly obtaining personal information about airline passengers, not doing enough to protect it and then misleading the public about its role in acquiring the data.

 

The Chapell View                              

Congress needs to completely deconstruct the TSA – and I mean completely. Take apart the TSA office buildings a la the Abu Ghraib prison. Salt the earth like the Ancient Greeks used to do. Let’s just take a mulligan on this one – and start over.

 

Adding to their list of questionable decisions, the TSA has engaged data aggregators to help…

 

Ahh yes, the data aggregators. The same group that disenfranchised voters in Florida a few years ago. The same groups which have come under fire recently for their role in many of the data breaches.

 

Anyway - I have a brand spankin new data aggregator story for you.  Bear with me – I’m going somewhere with this.

 

A friend of mine works at a large Ivy League Medical Research lab. Her office engaged one of the data aggregators to compile updated information on study subjects. (Ensuring HIPAA compliance, of course.)

 

As you probably know, some of the large data aggregators have recently undergone some significant changes to their methods and procedures in light of the ChoicePoint scandal. About a year ago, ChoicePoint was bamboozled by a group of Nigerian credit card scammers. The scoundrels (the Nigerians, not ChoicePoint) had posed as legitimate businesses in order to obtain access to ChoicePoint’s data products.

 

In order to ensure that their company doesn’t succumb to a similar fate, the data aggregator put the Ivy League Research Lab through three months of hoops – requesting copies of the university’s charter, photos of the building, etc. – in order to ascertain that the university is, in fact, a legitimate entity. Seems like a bit much for me given that the University is pretty much a household name, but whatever – rules are rules. And ensuring privacy is a priority, right?

 

Once satisfied, the data aggregator accepts the University’s data file, and begins work.  After a few weeks, the data aggregator returns a file that “they’re pretty sure was encrypted.” Again – great idea – ensuring privacy is a priority, right? Unfortunately, the data company must have done too good a job encrypting the data, as it was completely unreadable to the University staff.

 

When the University complained, the data company sent over another file to the University. The good news is that the file was completely readable. The bad news is that it was the wrong file. The new file included some other company’s data – including names, addresses, phone #, and private health information.

 

By now you’re probably wondering – is there a point to this story? I have two:

 

1.      All the planning and due diligence in the world can sometimes be undone by one careless mistake.

2.      Data is becoming more burdensome to obtain. And it will only get more bureaucratic as additional privacy legislation is ushered in.

 

Friday, June 17, 2005

Marketers Seek To Make Cookies More Palatable WSJ – June 17, 2005

Online marketers are scrambling to protect one of the key tools of their trade: the cookie. Faced with reports showing that more and more computer users regularly delete the tracking files automatically downloaded by Web browsers, marketers and Web site publishers are launching a "cookies can be good for you" campaign. They argue that cookies -- small files that Web sites use to identify users and to serve up targeted ads -- don't deserve their bad reputation and shouldn't be lumped together with such Web scourges as spyware and viruses.

"There is a culture of fear in the marketplace" when it comes to consumer attitudes toward cookies, says Nick Nyhan, president of New York-based Dynamic Logic Inc., which uses cookies to measure the impact of online ads for companies such as General Motors Corp., PepsiCo Inc. and Yahoo Inc. "The industry needs to respond to that fear."

 

The Chapell View                              

I’m a big fan of SafeCount, and absolutely support their mission.

 

On a side note, I am extremely concerned about the use of Flash technology to “replicate” the tracking functionality. Using Flash to track consumer movements is a bad idea:

1.      Consumers are already concerned about having their online movements tracked.

2.      Cookies can be removed, while it’s unclear how to disable the Flash functionality. In fact, I’m not even sure that Macromedia places the Flash program in the add/remove.

3.      The average Internet user would have no idea that Flash was being used to track their movements.

4.      This would seem contrary to the mission of SafeCount, which seeks to reach out and educate consumers.

5.      We’re playing into the hands of the anti-spyware companies, who will eventually be able to detect the presence of the Flash technology (if they can’t already) and remove it from consumer desktops.

 

I’ve heard members of the advocacy community refer to cookies as Spyware. I don’t agree with that characterization. Having said that, if your organization begins to use Flash (or any other downloadable program) to track consumers, and you don’t tell them about it, and there’s no reliable way of removing the program from the desktop --- don’t know about you, but that’s starting to sound a lot like Spyware to me.

 

 

What Will Erode Confidence in Online Next? Try Click Fraud MediaPost.com – June 17, 2005

Let's see now...consumers are so dismayed and frustrated with how online marketers track them around the internet, they download programs to sweep their hard drives of any programs they're unfamiliar with, including the harmless cookies that we use to quantify our campaigns, and their results. That's bad enough - but the real darling of interactive for the past two years has been Search, of course. And Search is quantified on clicks - not cookies. Search - or SEM, more precisely - has been responsible for the lion's share of the increase in online ad spending during the past two years, no matter how you slice it.

 

The Chapell View

Mark Naples is a smart guy and a good friend. I would take his argument a few steps further, though. Our industry is just beginning to address Adware/Spyware and click fraud, and it’s time to admit that these are merely the tip of the iceberg. Yes, we need to devise a process for advertisers to monitor Adware companies, and Adware companies to their distribution partners. We also need a process for the Leviathan otherwise known as affiliate marketing. Moreover, eBay is suffering from a loss of consumer confidence as a result of the company’s inability (some might say unwillingness) to effectively police its user base and protect consumers against the nefarious scam artists who are perceived to be running amok these days.

 

Pure, Darwinian market forces are achieving less than stellar results. We as an industry need to do a better job of self-regulating the markets that we’ve created. More on this in the very near future.

 

 

Wednesday, June 15, 2005

Senate Takes up Data Security Law  InternetNews.com – June 15, 2005

With growing evidence that Americans want new data privacy laws, the U.S. Senate opens a series of hearings today on legislative solutions to data breaches and identity theft. Thursday's full Senate Commerce Committee hearing will not specifically address any of the several bills introduced in the 109th Congress, which combat identity theft and force data brokers to disclose breaches of personal information to consumers.

 

The Chapell View                              

Not much new information here. Consumers are drawing a connection between ID theft and Internet usage – and in some cases are curtailing their use of the Internet as a result. While Spyware and online scams certainly have played a part in ID theft, most of the ID theft cases of any significance over the past six months are a result of offline data breaches. The ChoicePoint scandal had nothing to do with the Internet – neither did the recent MasterCard data breach.

 

Monday, June 13, 2005

Cash-Strapped Airlines Try In-Flight Advertising MSNBC – June 7, 2005

On a recent Alaska Airlines flight, passengers were told to remain buckled and seated for the last 30 minutes before landing at Reagan National Airport. It was a standard security measure for flights heading into restricted airspace over Washington. It also turned a planeful of passengers into captive customers who were then pitched a Bank of America Visa card -- with little chance of tuning it out. Over the intercom, a flight attendant encouraged passengers to sign up for the Bank of America credit card. Then other flight attendants went down the aisle handing out applications.

 

The Chapell View

Sooner or later, I’m going to be on one of these airplanes. I’ll be heading out to make some big presentation – which, by the way, I won’t have even begun writing until I get onto the plane. I’ll feel particularly lucky as the infant in the seat behind me has fallen back to sleep. And then just as the plane reaches the 20,000 feet mark and the captain has OK’d the use of my laptop, I’ll hear some voice come over the PA – telling me about the wonderful new “mile-high” card from Visa. And I won’t be able to silence the voice. That DAMN voice. Hitting the “stewardess service” button above won’t make it stop…. AAAARRGGGGG!

 

When are advertisers going to stop focusing on intrusion, and start focusing on relevance?

 

Thursday, June 9, 2005

Symantec Sues Hotbar.com in Adware Case MSNBC – June 7, 2005

Symantec Corp., which makes Internet security software, on Tuesday said it filed a lawsuit against an Internet company Hotbar.com to seek the right to label some of its program files as adware. The company said it is not seeking monetary damages as part of the lawsuit filed in U.S. District Court in San Jose, Calif. Instead, Symantec said it wants to be able to help its customers remove adware programs from their computers that are linked to Hotbar.com's products. A spokesman for Hotbar.com could not be immediately reached for comment. The New York-based company develops a variety of products aimed at Internet users, including e-mail tools and desktop toolbars.

 

The Chapell View

Is this a case of man bites dog – or dog bites man?

 

The Scarlet “A” --- “Adware” is now so politically charged that companies are actually taking legal measures to avoid having the term applied to their company. Any way you look at it, the term “adware” is not meaningfully different than “spyware” – and certainly not in the mind of the consumer.

 

Tuesday, June 7, 2005

Citi notifies 3.9 million customers of lost data MSNBC – June 7, 2005

CitiFinancial, the consumer finance division of Citigroup Inc., said Monday it has begun notifying some 3.9 million U.S. customers that computer tapes containing their personal data had been lost. New York-based Citigroup said the tapes were in a box shipped in May via UPS Inc. from a Citigroup facility in Weehawken, N.J. to an Experian credit bureau facility in Allen, Texas. Data on the tapes included account information, payment histories and Social Security numbers.

 

The Chapell View

I shudder every time another data breach is announced. It seems like we hear about another one almost every week. And it occurs to me that the NUMBER of breaches has not changed, just the DUTY to disclose. I wonder how many of these breaches have occurred over the past five years? And how many people’s lives have been ruined by ID theft as a result of a breach?

 

Ironically, up until now, Citicorp has done a pretty good job using privacy as a marketing tool. Will claims that Citicorp is a privacy safe organization continue to resonate with consumers after this incident? We’ll see.

 

Btw, offering three months of credit protection is an insult to customer intelligence.

 

Monday, June 6, 2005

Phishers get smarter ZDNET UK – June 6, 2005

Phishing attacks are getting harder to spot as cybercriminals become increasingly skilled at disguising their fraudulent Web sites. Phishers are becoming increasingly sophisticated in their attempts to grab user names, passwords and other personal data from users of commercial websites, according to latest industry research. April's report from the Anti-Phishing Working Group, published on Monday, indicates an 11 percent drop in the number of reported attacks using simple IP address domains. The overall number of reports continued their upward trend to reach 14,441 for the month, said the APWG, which compiles its report with the help of WebSense.

 

The Chapell View

Given that the number of phishing emails has reached epic proportions, I am amazed when I receive (or hear of) traditional, legit brands who still send their customers email messages asking them to update their address and/or account information. C’mon folks, consumers are already confused enough. Let’s not muddy the waters further by imitating the bad guys!

Tuesday, May 31, 2005

I.B.M. Software Aims to Provide Security Without Sacrificing Privacy NYTimes – May 24, 2005

International Business Machines is introducing software today that is intended to let companies share and compare information with other companies or government agencies without identifying the people connected to it. Security specialists familiar with the technology say that, if truly effective, it could help tackle many security and privacy problems in handling personal information in fields like health care, financial services and national security. "There is real promise here," said Fred H. Cate, director of the Center for Applied Cybersecurity Research at Indiana University. "But we'll have to see how well it works in all kinds of settings."

The technology for anonymous data-matching has been under development by S.R.D. (Systems Research and Development), a start-up company that I.B.M. acquired this year.

 

The Chapell View

Hurrah for Big Blue!!! While I recognize that this technology is still in development, I like what I see so far. Any time you can enhance an organization’s (in this case Government) use of data while simultaneously decreasing the risk to privacy rights, you’ve got a win/win.

 

Monday, May 30, 2005

After theft, Bank of America tightens online security  InfoWorld – May 26, 2005

Just days after confirming that information on about 60,000 of its customers had been stolen by an identity-theft ring, Bank of America on Thursday announced plans to tighten security for its online banking customers. Beginning next month, the Charlotte, North Carolina, bank will begin offering a new service called SiteKey that will make it harder for thieves to access Bank of America accounts. SiteKey will recognize when a Bank of America account is being accessed via an unknown computer and will generate a predetermined "challenge" question, adding another level of security to the process of logging in. The software also lets users choose a specific image -- a photograph of a dog, for example -- that can then be re-shown to users in order to reassure them that they are actually visiting the Bank of America Web site, and not some other site masquerading as www.bofa.com.

 

The Chapell View

I like the SiteKey program – a lot!!! To date, Citicorp is one of the few banks to actively use privacy and security as differentiators. I hope that Bank of America will use this program as a way to set their company apart from the competition.

 

I do see one problem with SiteKey, however. And this is a similar problem faced by almost all security and authentication programs. Users tend to have trouble remembering their passwords. There’s an inherent difficulty when setting up a password or challenge response answer. You want to make it complex enough so that the bad guys don’t get a hold of it, but not so complex that you can’t remember it. And it would be bad enough if you only had to remember one or two passwords, but many of us have dozens of different passwords to remember. I, for example, have a separate password for:

·         My Computer

·         My Hotmail Account

·         My Yahoo Account

·         My Gmail Account

·         The ChapellAssociates.com Server.

·         My Business Online Banking Account

·         My Personal Online Banking Account

·         My ATM Pin

·         The UID and Password to access my Blackberry.

·         Half of the web sites that I visit regularly…

 

And that’s just off the top of my head.

 

My point being, that in order for me to be smart about my security, I would need to remember a dozen different passwords. Given that I can just about remember my own bank account number, that’s a difficult task.

 

Someone in the technology world needs to come up with a better method of authentication.

 

Friday, May 27, 2005

Assigning a Value to E-Mail Addresses Washington Post – May 25, 2005

E-mail addresses have a shelf life. Nearly a third of them go bad every year. Some e-mail addresses are gold, others are duds, and some only behave the way you want them to at particular times of year. What's a marketer to do? First, you must understand the customers and prospects these addresses represent. Analyze customer spending, behavior, and the acquisition source. Though most marketers associate an e-mail address to an individual, far fewer associate a value with that e-mail address. A Jupiter Research report I wrote last year finds 71 percent of e-mail marketers surveyed didn't associate a value to their e-mail addresses.

 

The Chapell View

A nice piece by Dave Daniels of Jupiter. It’s too bad that so many companies aren’t willing to put the extra work into their email campaigns.

 

Here’s what I don’t get about email marketing. And for the purposes of this rant, I’m talking primarily about companies that use email to move merchandise (as opposed to companies that use it for branding, to drive traffic, etc.) Nearly two years ago, just about everyone using email as a marketing tool was in a near panic as the specter of California’s email law hovered over the industry. If you remember, it was not a certainty that the Federal Can-Spam law would be promulgated in time to supersede the CA law. In the rush to compliance with the impending Legislation, it really seemed as if the majority of marketers were beginning to recognize that email was an exhaustible resource, and many were moving away from an email blast (spray and pray) philosophy towards a customer data driven philosophy.

 

But that was then…

 

And once marketers became comfortable with the relatively toothless Can-Spam Law, many seem to have reverted back to their old ways. Do you need some additional revenue to meet your quarterly number? Blast out another email. Is your company seeing declining response rates? No worries, simply sharpen your pencil and offer deeper discounts. It’s a shame, really.

 

Thursday, May 26, 2005

A Matter Of Public Record Washington Post – May 25, 2005

Betty (but call her BJ) Ostergren, a feisty 56-year-old from just north of Richmond, is driven to make important people angry. She puts their Social Security numbers on her Web site, or links to where they can be found. It's not that she wants CIA Director Porter J. Goss, former secretary of state Colin L. Powell, or Florida Gov. Jeb Bush to be victims of identity theft, as were millions of Americans in the past year. Ostergren is on a crusade to scare and shame public officials into doing something about how easy it is to get sensitive personal data.

 

The Chapell View

A good article by Jonathan Krim. Ms. Ostergren is part of a legion of independent stalwart privacy advocates. More and more regular folks are increasingly frustrated by the amount of private, personal data that is publicly available. And they are “taking it” to our elected officials any way that they can.

 

Part of the problem is that we as a society still don’t fully understand the ramifications of placing large amounts of data into databases.

 

The other part of the problem is that proposing the painstaking task of having each municipality scrub their records and remove sensitive information isn’t going to propel any politician up the next rung of the political ladder. It’s much sexier to address consumer nuisance issues such as spyware and spam. I find it unlikely that the victims of identity theft care much about the specific source – be it spyware or a title search they conducted twenty years ago.

 

Tuesday, May 24, 2005

Friendster is no friend of privacy Q Daily News – May 20, 2005

Wow, Friendster just violated their own Privacy Policy and gave my email address out to a third party for use in administering a survey. How do I know it was them? Here’s the story. At 4PM today, I received an email asking me to participate in an online survey about online social networks. Since it was about a topic other than penis pills, breast enlargement, poker, and child porn, the email immediately seemed different than the normal spam that slips through my filters, so I opened it to see what it was all about. It was sent to the unique email address I used ages ago to sign up for Friendster, so by that measure, it was clear that this wasn’t just a blanket spam that happened to land in the inbox of someone who actually has used a social network site. Interested in how the third party (Q&A Research) had obtained the email address, I went to the survey website to see if I could find a way to call and ask; not finding any such contact information, I checked the company’s WHOIS record, and called the listed number.

 

The Chapell View

I usually don’t post other blog postings unless I know and trust the poster. In this case, I don’t know Jason from Q Daily News, so I can’t make any representations about the accuracy of his posting. Having said that, I thought it was an interesting read nonetheless.

 

User generated Content (UGC) continues to proliferate. Some of it is insightful – some of it is crap. Business will increasingly need to deal with UGC, although many companies are choosing to ignore UGC for the most part. I think that’s a mistake, because there is a good deal of information that can be mined from UGC. The key is figuring out a way to sort through all the clutter in order to find information that is useful. And that can be like finding the proverbial needle in a haystack. Case in point – I spend a certain amount of time each day sorting through various anti-spyware blogs. Some of them are right on the money, while others are confused, convoluted rants from people who could barely operate a cash register let alone run a business. But if I want to get to the good stuff, I need to wade through the bad. I wonder if someone couldn’t figure out a way to automate this process?

 

 

This posting also gets me to revisit a previous rant regarding the privacy policy of an online travel website. Back when I first blogged on this subject, I was reluctant to mention the website’s name. I figured that with a little bit of patience, I’d be able to convince the company to do the right thing. Well, it’s been well over a month, and I haven’t gotten anywhere with these people. In case you were wondering, the site is www.Hotels.com, a wholly-owned subsidiary of IAC/InterActiveCorp.

 

Anyway, here’s the story…

 

As a result of a purchase I made on Hotels.com, I was somehow enrolled in a “Travel Rewards” program from one of their affiliates. Now I have ZERO recollection of signing up for this program, and but for the $10 charges to my credit card, I would not have even known that I was enrolled. When I confirmed that I’d been enrolled as a result of a purchase I’d made on Hotels.com, I decided to end my relationship with Hotels.com. Here’s where the fun started…

 

 I sent an email to Hotels.com’s Customer Service group – asking them to remove all my personal information from their records. One would figure that this isn’t a very big deal as their web site privacy policy states:

 

 “If a visitor’s personally identifiable information (for example, their zip code, phone, email or postal address) changes or if a user no longer desires our service, we provide a way to correct, update or delete/deactivate visitor’s personally identifiable information.” (I paraphrased this to protect the company)

 

 

Well, I’m on my TENTH email requesting that they remove all my info, and here are the responses I’ve been getting from their CS group.

 

 

·         “Thank you for your reply. We can remove your e-mail address from our system so that you will not receive anymore offers. However, we are unable to remove your account from our site. Once you have registered with our services the account always remain active.”

 

·         “Please be advised your email address has been deleted from our newsletter.”

 

·         “Due to security reasons, we do not hold your personal & confidential information.”

 

·         “Please be advised if you have made a reservation or submitted information to us, this information will remain. This is not to be deleted, nor is your confidential information given out.”

 

I’ve also called a number of times, and was assured that they would have my information removed.

 

Finally, I asked them repeatedly to have their general counsel contact me. The CS person finally agreed, indicating that someone from their legal team would contact me. That was at least two weeks ago.

 

If you are a reporter and are looking for a good story, here it is. I am happy to provide any information you’d like. And needless to say, I will NEVER patronize Hotels.com again!

 

Thursday, May 19, 2005

Personal Data for the Taking NYTimes.com – May 18, 2005

Senator Ted Stevens wanted to know just how much the Internet had turned private lives into open books. So the senator, a Republican from Alaska and the chairman of the Senate Commerce Committee, instructed his staff to steal his identity. "I regret to say they were successful," the senator reported at a hearing he held last week on data theft. His staff, Mr. Stevens reported, had come back not just with digital breadcrumbs on the senator, but also with insights on his daughter's rental property and some of the comings and goings of his son, a student in California. "For $65 they were told they could get my Social Security number," he said. That would not surprise 41 graduate students in a computer security course at Johns Hopkins University. With less money than that, they became mini-data-brokers themselves over the last semester. They proved what privacy advocates have been saying for years and what Senator Stevens recently learned: all it takes to obtain reams of personal data is Internet access, a few dollars and some spare time.

 

The Chapell View

A few years ago, while working for email marketer Yesmail/ClickAction, I was given the tour of parent company infoUSA’s data facilities. They walked us through the process of aggregating all the data. Most of the basic data they have is obtained and updated via public sources.

 

First, I’ve got to award a gold star to whoever at infoUSA devised the M&P’s for obtaining the data. Mussolini could not have been so well organized, or thorough, in his approach. It’s like watching a scene from Willy Wonka. Hundreds of employees doing painstaking work which in and of itself seems irrelevant to the task at hand. But once all the work has been done, and all the data has been accounted for, the end product is like magic.

 

The trouble with magic (as I well remember from many a childhood storybook) is that it can be used for good or for evil. Similarly, large databases of information are by definition agnostic. They can be used to help to enrich lives – and if used irresponsibly, can literally ruin lives.

 

Wednesday, May 18, 2005

Store's Floor Model Computer Loaded With Woman's Personal Info  TheDenverChannel.com – May 7, 2005

Imagine receiving a phone call from a stranger who knew your most private thoughts, knew what you looked like, knew your Social Security number, and even knew how much you make and where you work. That happened to a Colorado woman after she took her computer to a major electronics store. Her situation may be surprising given all the warnings about identity theft. But it's not surprising if you think for a moment about what's on your personal computer. There may be files about your income, business records, taxes, personal e-mails, dirty jokes, pictures and more. It's all personal information unless you took your computer to a local retailer. Susan, who asked us to conceal her true identity, did just that.

 

The Chapell View

Companies are just plain weird when it comes to data. Perhaps it’s because data is not a tangible thing like a book, or a car, or a cheeseburger. But common sense seems to go out the window when it comes to data.

 

Case in point - I could certainly see how a teenaged Circuit City employee might copy this woman’s info onto a floor model computer. (Maybe it was a prank, maybe the employee simply forgot to remove the information from the floor model.) However, why in the world would Circuit City take the position that they are not responsible for protecting this woman’s information? Information is property, and once the retailer takes this woman’s property into their possession, they have to accept some responsibility for ensuring its care. If a Circuit City employee took possession of her computer, and then accidentally dropped it on the floor, the store would be responsible for fixing or replacing it, no?

 

I realize that we don’t have all the facts yet, but nonetheless… OIY!

 

This seems like a situation that could have been completely resolved with a sincere apology and a gift certificate. Now it’s going to cost a lot more…

 

Tuesday, May 17, 2005

Protect passwords? Not if latte is free MercuryNews.com – May 6, 2005

Would you give up your computer passwords for a Starbucks latte? “imasexyguy” did. So did “raiderfan.” The football fanatic even gave it to a radio reporter -- to put on the air. And then he told the interviewer he still wasn't going to change it. In a marketing stunt designed to shine a light on sloppy personal cybersecurity, VeriSign on Thursday offered passersby in downtown San Francisco $3 coffee coupons if they would reveal their passwords to survey-takers. Two-thirds of the 272 respondents turned over their passwords without flinching. The rain and then a BART bomb scare seemed more problematic. A few who said they simply would give a made-up password were dropped from the results, though they did get free coffee. And with a little coaxing, 70 percent of those who said “no way” gave up significant hints, like wife's name, anniversary date and the ever popular pet's name.

 

The Chapell View

OK. Before I even get to the article, I’ve gotta comment on the MercuryNews’ registration process. Holy smoke, people. Two full pages of offers to cull through and then I get a series of pop-overs. It’s their web site, and they can do whatever they want, but I’m unlikely to visit that site again soon… When making the exchange between free content and advertising, it’s very difficult sometimes to find the right balance. Mercury’s gone over the line, at least according to this cowboy.

 

 

Anyway, this is all a bit ironic given the topic of the article. One of the challenges that privacy professionals consistently come up against is that consumers generally don’t take responsibility for ensuring the safety of their own personal information. Consumers will give up whatever they have to in order to get WHAT they want WHEN they want it. How do you help someone who won’t help themselves? How seriously can you take the concerns of someone who doesn’t want pop-up ads, but doesn’t bother reading the EULA before downloading the P2P software?

 

Trouble is… privacy professionals (and marketers and publishers for that matter) don’t have the luxury of not taking consumer concerns seriously. So what do we do? Should we gradually continue to push the envelope on privacy and hope that consumers (and lawmakers) will simply continue to grumble and not take real action? Or do we push forward trying to broker deals on industry best practices for privacy? I genuinely believe that the latter is the best course. But I have to admit – when I hear of stories such as “coffee for your password,” it makes me wonder…

 

One other comment – What is the nexus of most ID theft crimes - unguarded computer passwords or data aggregators with insufficient privacy and security procedures?

 

Wednesday, May 11, 2005

Police keep an eye on city NY Times – May 5, 2005

Allison Davis, who lives in the suburbs and works downtown, was strolling past Lexington Market on her lunch break yesterday when she first noticed the small glass orb mounted on the side of a building. "I don't think it is such a bad thing in this area," Mrs. Davis, 27, said of the police surveillance camera, one of 43 that Baltimore police turned on yesterday to watch and digitally record, around the clock, everything that happens on the block. Residents in neighborhoods struggling with street-crime problems likely will welcome the cameras, Mrs. Davis said. But if the system expands to "places without a lot of crime," she said, "it would freak me out."

 

The Chapell View

I find it interesting that the cameras were purchased with “homeland security” funds. If God forbid a terrorist unleashes a dirty bomb on the West side of Baltimore, I’m sure it will be some small consolation that we were able to capture on film the exact moment that he met the Almighty…

 

Monday, May 9, 2005

Cookie Saga: Consumer Education Needed iMediaConnection.com – May 9, 2005 – A Chapell Article

Mark Twain once quipped, “Rumors of my death have been greatly exaggerated.” I can only wonder what he’d have to say about our industry’s recent dialog around cookies. My former colleagues at Jupiter are no doubt pretty happy to have their numbers vindicated, after a good deal of skepticism was leveled against their report from many -- including me. Of course, which research methodology was right is ultimately far less important than the action items that each of us can take away from the research as a whole. And I think there are still a few things we can draw from the recent body of research on cookies.

 

Friday, May 6, 2005

Warnings That Madison Avenue Needs to Be Nimble About Changing NY Times – May 5, 2005

MADISON AVENUE was warned yesterday that it risked being marginalized by profound changes in technology and demographics that are fundamentally changing the ways products are sold to consumers. The warning came from speakers at the opening session here of the 2005 management conference of the American Association of Advertising Agencies.  "In a world where the only constant is change, the only way to stay in business is to recognize when the lessons you have learned no longer apply," said Ron Berger, the 2004-6 chairman of the Four A's, as the association is known.  "Throwing out a business model that has worked in the past takes just as much guts, just as much courage, perhaps even more so, than starting a business from scratch," said Mr. Berger, who is also chief executive and chief creative officer of the New York and San Francisco offices of Euro RSCG Worldwide, part of Havas. Tough decisions have to be made by agency senior executives, he added, because "we, as leaders of the industry, have a responsibility - and part of that responsibility is to lead, not to follow."

 

The Chapell View

It’s very encouraging that senior advertising professionals are addressing issues of ad clutter and consumer burn-out. Many of us in the privacy space have been thinking about these issues for some time. In fact, this is an area where the privacy folks could really be an asset to advertisers. I’m working on a White Paper with the Ponemon RIM council which should address some of these issues.

 

Think about how much trouble the Entertainment industry is in right now – in part because they stopped listening to their customers, and their customers eventually cast them aside. Look for an article from my colleague Isaac Scarborough. The article will compare various ways that consumers have veered away from “legitimate” (read traditional) media consumption – from P2P file sharing to ad-blocking technologies.

 

Thursday, May 5, 2005

Intermix is just the start - Commentary: Ramifications of adware suit are broad Marketwatch – May 3, 2005

As I stepped ashore on the island of Cozumel last year after a pleasant few days aboard a cruise ship, I was accosted by solicitors offering scuba-diving tours before I could get 50 feet away from the ship. One after the other, they invaded my space. I thought: "Ugh! Live pop-ups!" That happened once. But on a computer, the digital equivalents of pesky sporting tours or timeshare touts haunt us every minute of each day. The way they get on our computer is through adware, which is on an estimated nine out of 10 computers. The definition is fluid, but, broadly speaking, adware is software that's mysteriously installed on computers without user consent. It can track user activity and serve up advertisements related to that activity. It's typically bundled with applications, like screensavers, or music file-sharing applications or when people mistype URLs.

 

The Chapell View

Overall, this is one of the best written articles on the relationship between advertisers and some of the more nefarious elements in the online universe. A few items of note:

 

·         Size of the Adware Market - I wouldn’t take Webroot’s #’s too seriously. The anti-spyware software company recently released a report indicating that revenues for adware companies were $2 billion per year, which is over 20% of the total online advertising market. If you were to add up the adware revenues of six of the largest adware firms - Claria, WhenU, Direct-Revenue, 180 Solutions, Ask Jeeves and eXact Advertising – I don’t know that you’d reach $500 million. Moreover, I participated in the CNET Spyware event yesterday, and David Moll of Webroot wasn’t able to effectively back up his $2 billion number – and NONE of the other software firms on his panel were willing to estimate the adware market to be higher than $800 million…. I wonder if it might be in their interest to create a perception that the adware problem is larger than it actually is?

 

·         Eyes wide shut – no more! – The real takeaway with this study is that it is imperative for any online advertiser to have a firm understanding and control of their data, distribution and/or advertising partners. This includes vetting your partners, establishing contractual accountabilities, and requiring audit rights. I’ve already penned some steps that advertisers should take when selecting an adware partner. Bottom line - it’s crucial for advertisers to have a firm grasp of the data governance issues.

 

·         Eyes wide open – I’ve spoken with several companies in the online space over the past week. There’s a level of concern that I haven’t seen since late 2003 when it looked like that CA Spam bill was going to pass without Federal Pre-emption.

 

Wednesday, May 4, 2005

Patients Not Notified That Their Health Records Were Stolen CNET - April 26, 2005

Detailed health records of more than 1,600 Colorado families -- containing their most personal information -- are missing, and most of the families don't even know it. Mickey Ritter feels that the state health department should inform all families whose health information has been stolen.  The records are part of an anonymous autism study and were entered into a laptop computer -- a computer that was stolen from a state health department employee last October when she carelessly left it in her car. But it wasn't until January of this year that some parents -- who had no idea the data was being collected -- began to find out their family's most private information could be for sale on the open market. "We received a letter from Boulder Community Hospital notifying us that they had sent our son's records to the state health department, and the records were then stolen in October," said parent Mickey Ritter. Ritter was stunned because she and more than 1,600 other Colorado families had never been informed that their medical records were even being studied. Notification is not required by state law.

 

The Chapell View

When there is a data breach that potentially puts at risk hundreds of people's information, I think it's incredibly irresponsible for those entrusted with the information to sit on their hands. People's lives are being absolutely ruined by ID theft.

 

I think there’s a larger “trust” issue at stake here. I am shocked that anyone would be enrolled in a public health study without their consent – regardless of the altruistic nature of the research. But since I don’t know much about the medical research world, I figured I’d ask an expert. Fortunately, my brother Rich has a PhD in Pharmacology (I don’t know what the heck that means either) and works as an analyst at a medical research firm. And he’s smart as a whip. Here’s what Rich had to say…

 

“I'm amazed that they were able to collect and share this information without the knowledge or consent of the participants. The article mentioned that there is no state law against it, but it violates the declaration of Helsinki, which is a result of the codification of medical ethics originally put together by the World Medical Organization in response to the Nuremberg trials. It's not a law, but it's a set of ethical principles that all medical researchers are familiar with. Some Helsinki quotes:

 

·         ‘It is the duty of the physician in medical research to protect the life, health, privacy and dignity of the human subject.’

 

·         ‘The subjects must be volunteers and informed participants in the research project.’

 

·         ‘Every precaution must be taken to respect the privacy of the subject, the confidentiality of the patient's information, and to minimize the impact of the study on the subject's physical and mental integrity and on the personality of the subject.’

 

According to the Helsinki Principles, not only should the patients, or their parents, have been informed of the study and given the option to refuse to participate, but they should also have been informed that the data was stolen. That's part of that pesky "privacy and dignity" thing.”

 

Thanks Rich!

 

I believe there may also be some Federal Privacy Issues at play here. I’m certainly no expert in HIPAA, but I believe that medical institutions are required to provide notice and obtain consent from patients prior to using their information for medical research. However, there may be an exemption for the CDC. And according to the news story, both federal and state laws allow CDC to survey health records without notice to patients.

 

So let’s assume that there’s no legal requirement to obtain consent here. 

 

Regardless of the legal and ethical requirements, it is just plain stupid to fail to notify the victims of a data breach. Why?

 

·         Because word of the data breach inevitably gets out into the public domain.

 

·         Because people will be less likely to hand over their data once they’ve been screwed.

 

·         Because law and policy makers tend to look at these types of scenarios when weighing the need for an additional regulatory framework.

 

·         Because eventually, it becomes more difficult to conduct important medical research as a result.

 

Talk about soiling your own food dish…

 

Monday, May 2, 2005

Pick your battles with Internet privacy CNET - April 26, 2005

The recent flurry of hype over ZabaSearch got me thinking about privacy. For those who didn't have the pleasure of receiving a frantic e-mail from a friend about it, ZabaSearch is a search engine for personal information. Folks across the Internet were shocked to find that not only their current addresses and phone numbers but even information from the past several years came up in ZabaSearch. Even unlisted numbers appeared. I received several e-mail messages with the Internet equivalents of gasps and expressions of horror attached. The truth is that ZabaSearch is no evil Big Brother. It's a search aggregator, and a rather efficient one at that. All the information in its database can be found elsewhere on the Web. Its crime, if any, was making personal information supereasy to find.

 

The Chapell View

Interesting article by Tom Merritt over at CNET. I don’t want to come down on ZabaSearch. They certainly aren’t the only company out there that’s taking publicly available data and aggregating it into a useful tool. In fact, I agree with Tom and give the company kudos for capitalizing on the ‘newsworthiness’ of privacy issues to land some free press coverage.

 

There’s one point that seems lost on Tom, as well as many others who cover privacy. We as a society have not come to terms with the impact of large scale data aggregation. So while I’ll concede that ZabaSearch isn’t doing anything illegal or inherently evil by aggregating publicly available data, it’s important to note that the sum of that data is inherently much more powerful than the individual parts. In other words, large scale data aggregation is in and of itself a potentially dangerous thing. I’m not saying that it should be illegal to aggregate data, but I do think that more thought needs to go into the implications of collecting, storing and using large databases.

 

I’ve often drawn an analogy from the world of science. A few atoms of hydrogen are completely harmless. However, if you put enough of them together, you’ve got something that is extremely powerful – and a potential weapon of mass destruction. If you don’t subscribe to my analogy, I offer the following question. How many people’s credit (and potentially their lives) was ruined by the data breaches of the past six months alone?

 

With large databases goes large responsibility.

 

Thursday, April 28, 2005

Whoa, Canada: SSN Request Doesn't Add Up Washington Post - April 26, 2005

Gaithersburg