Tue

Oct 30
2007

Marc Hedlund

Marc Hedlund

Infiltrating the privacy movement

I had a fantastic teacher in high school named Rick Takagaki, who once played a class of mine two speeches in a row: Martin Luther King Jr.'s "I Have a Dream," and Malcolm X's "Message to the Grassroots." The speeches, while both incredibly compelling, couldn't be more different (and certainly couldn't be more different from what passes for rhetoric today). "Grassroots" contains a famous passage in which Malcolm X derides the March on Washington (at which King gave his "Dream" speech) as a watered-down revolution, infiltrated and controlled by the white power structure:

It's just like when you've got some coffee that's too black, which means it's too strong. What you do? You integrate it with cream. You make it weak. If you pour too much cream in, you won't even know you ever had coffee. It used to be hot, it becomes cool. It used to be strong, it becomes weak. It used to wake you up; now, it'll put you to sleep.

While the topic is far less momentous, I always think of that quote when I read privacy stories like the one in today's New York Times: "Online Marketers Joining Internet Privacy Efforts." Marketers joining a privacy movement?

It's not like there's a privacy revolution in the United States; there never has been. But there are certainly a lot of "Chief Privacy Officers" whose Orwellian role seems to be spinning encroachments on privacy to look like a revolution of freedom. The closest the U.S. has gotten to a privacy uprising is the National Do Not Call Registry. According to a January, 2007 Times article, since its launch in 2003, "more than 137 million phone numbers have been placed on the list by people tired of interruptions during dinner or their favorite TV show." 137 million! The seeds of a movement are there, at least. While probably nothing else has risen to that level of response, news coverage of ChoicePoint, identity theft, and the like make privacy a popular topic of lip service -- but usually, unfortunately, little else.

The significant quote in today's Times piece comes in the fifth paragraph:

There is a silver lining for marketers, however: the AOL site will try to persuade people that they should choose to share some personal data in order to get pitches for products they might like. Most Web sites, including AOL, already collect data about users to send them specific ads — but AOL is choosing to become more open about the practice and will run advertisements about it in coming months.

I don't have a problem with AOL's effort -- it seems like a good development to me. Explicit labels are good. It's definitely interesting to see search engine providers competing on how comfortable they can make people with their practices. But this isn't a privacy effort. The goal here is to find tracking that consumers will accept.

Back to Malcolm, who warns that the only one who would resent his teachings would be "a wolf, who intends to make you his meal." Real privacy comes from removing tracking altogether, not adding small labels to it, festooning it with compliance badges, and providing an opt-out from it buried somewhere on a site. (I've put my money where my mouth is on this topic; see "Super Ninja Privacy Techniques for Web App Developers" in (IN)SECURE number 11 [PDF], pages 47-53, which I co-wrote with my colleague Brad Greenlee.) Marketers can't join a privacy movement without it being an infiltration; the headline of the Times piece is in itself an impossible contradiction. Having more options for types of marketing is fine, but don't mistake this wolf, or his intentions, for anything else. My old teacher, Takagaki, would never have let me get away with calling something what it isn't, and this isn't privacy. It's marketing.


tags: backstory  | comments: 5   | Sphere It
submit:

 
Previous  |  Next

0 TrackBacks

TrackBack URL for this entry: http://blogs.oreilly.com/cgi-bin/mt/mt-t.cgi/6003

Comments: 5

  David [10.31.07 09:40 AM]

This is basically Google's argument - that the benefits provided by highly targeted ads and/or promotions etc outweigh privacy concerns.

The analogy with the do not call list is not particulary instructive because the principal goal, at least as described by AOL and Google, is a move away from disruptive advertising (e.g. the 30 second spot, a telemarketer's call) towards ads that reflect a given user's preferences, whether stated or derived from behavioral data.

Of course, the question is whether people will follow along. FWIW Google had already been scaring the f--- out of me; their new social network API is even more disturbing.

  Karl Fogel [11.01.07 02:32 AM]

Interesting to call the Federal "Do Not Call" database a "privacy" initiative...

We really need separate words for

  • information you don't want others to know, and
  • not wanting to be disturbed or interrupted

Right now, we use "privacy" for both of these concepts, even though they're quite distinct.

The issue with the sales calls at home isn't that they know your number, after all, it's that they're using it, to disturb your peace. An unlisted number is a means to an end, not an end in itself (and the Do Not Call registry is another means to that end).

Yet what bothers people about the online service providers is not that potential for unexpected interruption. It's that the providers will know your medical history, or the graph of your friends, or whatever, and possibly misuse this data. Sure, some of those misuses might result in disturbances (they email or call you, trying to sell you something), but other misuses might be that (say) you don't get a job you wanted, because information leaked when it shouldn't have.

Like "health insurance" versus "health care", there are two very different things going on here. It's a pity that, by using the same word "privacy" for both, we mix them up

.

  Sachin [11.01.07 03:22 AM]

Well written post Marc, the reason I keep coming back to radar is that the quality of writing here is generally very good. But I digress.

I don't know how much weight there is in the argument that if the marketers collect a lot of data about me - as a clearly identified individual - they will be able to make highly targeted ads that I will be compelled to click. I have never clicked on a Google served advertisement on any website. Amazon sends me recommendations based on my book purchasing habits, never bought a book they've recommended. iTunes has been trying in vain over past several months through 'Just For You' music recommendations based on what music I already own.

These are the best marketers we have got, and they know a lot about me. More than they should. It doesn't benefit me.

On the other side of the argument: users own their data. Just the thing to do but there isn't much there for the marketers.

  Shaun Dakin [11.02.07 07:03 AM]

An update on the number of numbers on the Federal DNC registry:

Approx 150 million as of the latest FTC's numbers.

As an aside, a new non-partisan, non-profit org is fighting the loophole in the Federal reg that exempts politicians from calling you at home during dinner.

We are at http://www.stoppoliticalcalls.org

Regards,

Shaun Dakin
CEO and Founder
The National Political Do Not Contact Registry

  Marc Hedlund [11.02.07 09:14 AM]

David, I think you've characterized Google's public argument correctly, but my read on the internal discussion (to which my access is very limited) is that people should trust Google, and that if they behave in a trustworthy way then specific privacy controls are not necessary or useful. In fact they have done, in some cases at least, a much better job of protecting their users' privacy than other large web companies (see particularly their resistance to goverment subpoenas for web search data, contrasted with the actions of other search engines).

I'm not even sure what privacy controls for Google would look like any more. How many settings would that need to have? Given the experience on the other side of the wire, with people's use of their cookie controls, the most likely use case would be a one-button "delete all," which in, say, the GMail case probably wouldn't be what you'd want. I don't know how Google would be able to provide meaningful privacy control to its users while still providing the services it does (although I think that's a really interesting problem).

Back to your original point, I personally believe the "ad relevance" argument is very difficult for Googlers to judge. Their company is growing enormously due to those ads; your mind cannot help but give greater weight to arguments that support the justness of your own success. You certainly can't argue that the ads are useless (Sachin, I think there's a lot of data that you're atypical, at least in the Google case): Google keeps growing because the ads work.

Karl, I do think of the Do Not Call list as a privacy movement. I'm not sure I buy the distinction you draw. Does it matter for me to draw a distinction between nuclear power and radiation poisoning as distinct issues, if we want to talk about nuclear energy? If you believe one leads to the other inevitably, you're probably opposed to both. Isn't the objection to a database of information about me that it could lead to me being "disturbed" in one way or another -- a phone call from a marketer or a stalker on my doorstep or public embarrassment or all of the above? I care that the database exists because of what happens when it leaks.

People react to privacy issues in direct proportion to their experiences being disturbed. If your worst disturbance is a phone call at dinner (a very common experience before Do Not Call), then you'll be motivated to act against that disturbance. If you've had personal email read by an office sysadmin, you might have a different level of concern. If your experience is identity theft, again, you might want more protection (although good luck with that -- the risks are far more diffuse). If you've been stalked, especially if you couldn't do anything about it, your reactions to privacy issues are probably very extreme.

So should we call privacy two issues because one group of people has had more mild experiences, and another more extreme? I don't think that's right. It's a problem or it isn't, and I don't think you should wait for Chernobyl to decide.

(For the record, I am generally in favor of nuclear power -- the worst option except for all the others. I'm sure that others would make that argument about privacy, too, that the web would be useless if we created the tools that would be needed to meaningfully protect privacy. On that latter point, I can only point to my own company, Wesabe, and what we're trying to do to protect our users' privacy (see link in the original post, above). I think you can both make very useful and very private web services, and that the challenge of that is difficult but completely surmountable.)

Post A Comment:

 (please be patient, comments may take awhile to post)






Type the characters you see in the picture above.