Friday, March 25, 2011

Yale Law School, From Mad Men to Mad Bots: Advertising in the Digital Age

Welcome Remarks
Laura DeNardis, Yale Information Society Project

Technology, advertising, and social control. Info tech has a profound effect on advertising, and businesses are redesigning advertising and how it works. Targeted ads; new tech can test and measure reactions in response. Mobile devices/GPS allow other kinds of behavioral/contextual/locational tracking and realtime analysis.

Opening Interview With Ed Felten: The Evolution of Online Advertising
Interviewer: David Robinson, Yale ISP
Ed Felten, chief technologist, Federal Trade Commission

Q: What is behavioral advertising?

A: Ad shown depends on user’s behavior in the past. Contextual = you see an ad depending on what you’re doing right now—reading about golf, for example. Or the ad might be served based on demographics of publication’s readership. Behavioral goes beyond that: If you’ve been reading a bunch of articles on golf, you get golf ads. First-party: Amazon does that based on what you’ve been looking at on Amazon. Third-party: connecting the dots between different sites. Behavioral advertising thus drives a desire to track people over time.

Q: Should individuals be worried?

A: Sure. The collection of this kind of information leads to creation of files about what people have done. Following someone around and gathering info about what they do can be quite revealing about personal matters: family, health, personal relationships, work, etc. Even if you’re fine with seeing the ads, the tracking done to enable it poses potential dangers. Worst-case scenario: using this information for health insurance, employment, housing decisions. People self-censoring to avoid creating a misimpression. Internet has historically been a great place to explore, but now, it’s not just that on the internet people know you’re a dog, they know which dog you are.

Q: These are prospective harms. If they’ve happened, they’ve happened quietly. Where is our BP oil spill moment?

A: That could happen. Someone with access to a large/sensitive body of data could use it in a really dangerous way. Or there could be an intrusion that was exploited.

Q: People don’t know what to do about it—don’t know they’re being tracked. But there are opt-out extensions; few who are vaguely worried have worked that hard to avoid being tracked.

A: if you start to describe how these things work, you quickly start to get into complicated technical issues and complicated privacy policies. Clarity would benefit consumers; the challenge is how to make that possible. Today consumers can use various tools like cookie controls on browsers, extensions and plugins, browsers themselves; you might avoid certain kinds of sites; but none of these really provide comprehensive protection. If a consumer asked him “in 60 seconds, what should I do to be safe from tracking online,” he’d be hard pressed to give an answer because there are so many different ways to track. Simplification and broad protection is important.

Q: about a billion people use services using behavioral advertising/tracking. What if people say “I don’t mind the ads, I don’t even care about persistent tracking, but I worry about my health information”? Is there a middle ground for avoiding really bothersome possibilities, not opting all the way out?

A: not an easy way today to opt out of just non-advertising, secondary uses of data. Self-help mechanisms in existence focus on blocking collection of data in the first place. It’s hard to draw the line between personal and aggregated information because the databases are big; what people often mean when they say “anonymous” is “we haven’t connected it to a name yet.” Consumers don’t want to be engaged in careful case-based reasoning about which situations should be connected, so you get a general intuition that the less released, the better.

Q: what can we do then?

A: people are agreed on broad types. First-party uses are generally ok. Third-party tracking using invisible technologies that are difficult to turn off and that may be used for dubious purposes are not. Debate is in the middle. We can deal with consensus cases through government or the private sector. There are issues with the scope of the opt-out being proposed in the industry, but at least the debate is going on.

Q: do we need a law?

A: we can get to a result consumers will be more comfortable with even without a new law, if the industries get together. But we may also find ourselves in a situation where new laws are on the table. (Disclaimer: he is not a spokesperson for the FTC.) Attention from policymakers sometimes focuses the mind of industry on what should happen. Consensus among stakeholders, if it provides appropriate protection, is preferable—but that’s the very question: will that process give consumers the protection they need and expect?

Q: what would you tell outsiders?

A: he’s only been at FTC a little while. Characteristic mistakes in dealing with the government: assuming we know less than we do. The FTC functions well and is very competent in the area in which it works.

Q from Chris Hoofnagle: Microsoft has a paper saying how hard it is to detect behavioral ads. How would we detect compliance or noncompliance? Network Advertisers Initiative: 4 employees, only 1 dedicated to compliance; all 4 employees are shared with other companies—how can that person ensure compliance for 66 member companies.

A: First, there are nontechnical measures: if they are doing behavioral advertising, presumably they have clients they’re telling about it. The technical task depends in part on what the promises are—some may be easier to monitor than others. Also, the goal is to deter rather than prevent 100%--don’t hold ourselves to a standard that we don’t apply to other law enforcement goals. We look for deterrence to reduce the harm of the activity. (I wonder what DRM Ed Felten would have to say to FTC Ed Felten on that point. I’m guessing it would be something about the worthiness of the things suppressed by the rule as well as the magnitude of what got deterred v. what remained.) Technically, you can set up systems to see what behaviors predictably produce what results.

Q: what about opt-outs who “free ride” on advertisers’ willingness to subsidize content?

A: depends on size of opt-out cohort. We can also ask: what will the site publisher choose to do with an opt-out? Will they show ads that bring less revenue? Will they say, sorry, you can’t see our site unless you agree—FTC staff report in Dec. asks for comment about that. In that case the consumer’s not free riding. FTC hasn’t said that sites should be compelled to provide a service to opt-outs.

Q: what about access to this data for litigation purposes? A divorce, law enforcement?

A: that question can’t be answered in the abstract. Availability of accurate evidence is in the abstract a good thing but needs to be balanced against ways in which info can be extracted & used in ways other than helping courts discover truth.

Seeta Gangadharan, ISP: is the FTC speaking to other agencies about privacy? NTIA/Rural Utilities Service, trying to bridge the digital divide.

A: there is definite interaction.

Q: Watson—a computer that can analyze language and come up with answers—how does the deployment of tech like this change the issues?

A: computers are getting better at dealing with freeform text and can extract more from it.

Q: how do you distinguish between first and third parties if there’s a recognizable affiliation in an ad network?

A: present proposals take a reasonable consumer approach: would a reasonable consumer think these entities are affiliated? (Consider how here we are using “affiliated” in a way more narrow than trademark owners usually use it. If we used their definition, then nobody would be a third party.)

Q: consumers think do not track means that data won’t be collected, not that data won’t be used. How to deal with that gap in expectations?

A: A bunch of proposals out there defining tracking. Some just say that when you opt out, what you’re opting out of is seeing ads, not gathering/use of information. That’s not what consumers really want or expect. Others tend to say info won’t be collected except—now we add exceptions—click fraud, frequency capping ads; different lists tend to be anti-fraud and bookkeeping oriented.

Q: how to tell consumers that?

A: most consumers want the experts to figure this out. Do Not Call: Congress made the framework about what counted as a covered call and what didn’t. Actual definition is more nuanced than most consumers probably expected/expect now. Bottom line, though: fewer calls during dinner, and that’s satisfying.

No comments: