18 Dic Your Privacy Is Protected Only if You Are Really Sick
New York Times, By SAUL HANSELL, December 17, 2008
The advertising trade group that proposed that people with cancer deserve more privacy protections than those with heart disease has adopted a new version of its guidelines for how ad networks use data about Internet users. It is no longer trying to distinguish between different diseases. But it is drawing another line that may appear equally arbitrary: Whether people’s Internet surfing indicate they actually have a disease, rather than being simply curious about a medical topic. “General interest in a condition is not sensitive data,” said J. Trevor Hughes, executive director of the Network Advertising Initiative. Mr. Hughes said the new guidelines, which take effect later this month, impose tough protections on information gathered, for example “on a community page for prostate cancer sufferers” because anyone visiting such a page could be assumed to have the disease. But no such protections need be accorded to someone reading a Web page that simply describes the symptoms or treatment of prostate cancer. The reader of such a page might be researching the condition of a friend or relative. And thus it would not be intrusive if that person was shown a series of ads about the same disease, Mr. Hughes explained. The trade group, which represents two dozen companies including Google, Yahoo, Microsoft and AOL, wants to show that the Internet advertising industry can address privacy concerns through self regulation, to head off potential legislation on the topic. The incoming Obama administration and some in Congress have been interested in exploring new privacy rules. The group also wants to help its members preserve their advertising revenue. And drug ads aimed at people with diseases have become a quite lucrative business. Privacy advocates praised some aspects of the proposal, but said it did not go far enough. “They ended up with a low common denominator, not the lowest,” said Ari Schwartz, the deputy director of the Center for Democracy and Technology. He said that the group needs to add rules for other sorts of advertising and data use, like when it is a particular advertiser, rather than a network, doing the targeting. The proposals do create some new standards for how long advertising companies keep data about users and impose some new auditing procedures to make sure they comply with the rules. Moreover, the group restrict a few practices that companies might do in the future, like collecting data about people under the age of 13. In one rule that may well prove to be significant, the group said that ad networks must get permission before they use information about where an Internet user is from a GPS system built into a phone or mobile computer. (The now common practice of using information from the users’ Internet Protocol address, which can identify the city or neighborhood a computer is in, is permitted without authorization.) Mr. Hughes said that the association intended to continue to explain and modify the guidelines to deal with changing industry practices. The new rules are binding on the group’s members. Any violation could prompt sanctions from the Federal Trade Commission or state regulators on grounds of deceptive trade practices. Networks such as AOL’s Advertising.com and Yahoo’s Blue Lithium place ads on a range of sites and they identify the computers of the users who see each of those ads by placing a unique identifying number, called a cookie, in that computer’s browser. By following what sort of sites users visit, the networks develop profiles of their interests they use to show them ads for products they might buy. These networks are of particular concern to privacy advocates because they increasingly are collecting a great deal of data and they are largely hidden from view. Most Internet users have no way to know the networks exist and what they do. Any one Web site can accept ads, and thus feed data to, an ever-changing array of different networks.