June 22, 2010

Privacy Seals - How Useful Are They?

Recently, I've been considering whether to get a privacy seal for my start-up.  A privacy seal (which is a species of a trust seal) is a certification offered by a private company that essentially confirms that a website's privacy policies and other documents/features after testing your privacy policies comply with US law, EU safe harbor, COPPA, etc.

Of course, the first thing to consider (putting on my business hat) is how much does it cost and what is the return?

For a young start-up, the cost of a basic seal (certifying just the privacy policy) is around $1000.  Then, if you start adding services (dispute resolution with customers), certification of Safe Harbor compliance or certification on other features (emails, applications), the cost goes up and can quickly reach $5,000.

In fact, the pricing model of most of the (very few) companies offering privacy seals is based on the amount of revenue generated by the website - the higher the revenues, the higher the cost.  So, if a company has revenues of, let's say, $5 million - the cost of the certification will be about $10,000.  So, relatively speaking, it is not so expensive.

Legal Value.
The seal is just a nice stamp on the website and does not have any specific legal value.  It may represent a good marketing tool, but before starting to pay money for the certification I would consider many different things to assess the potential return.  Moreover, it is important to consider the quality of the company making the certification.

Recently, certification company ControlScan was the subject of charges brought by the FTC for misleading consumers regarding the significance of a ControlScan certification seal.  Theoretically, the companies who used ControlScan certifications could also be subject to suits over this issue.  Obviously, no one is interested in buying a litigation risk.  So, before shelling out the money for a certification, it is advisable to double-check the company doing the certification.

Best Practices.
A good reason to consider having a privacy seal is that many of the major Internet companies have it.  It may be especially helpful to have such a seal in the area of privacy law (where the interpretation is not always straightforward and enforcement is uncertain).  It is always a good idea to be in line with the best practices in the industry.  Theoretically, this could provide a defense against some kinds of litigation.

Of course, improving the website reputation and bolstering users' trust is a revenue driver... yet, before getting too excited, I think it is necessary to consider the specific nature of the services offered by the site and the dynamic of the user base.  For instance, I believe the seal may be more important for an e-commerce site and less important for an search engine or a general portal.

Also, it is very important to understand the meaning/reputation that the privacy seal may have in the specific users' community.  For instance, I believe that certain seals may be more reputable than others in certain jurisdictions while, in some communities, the seals (and privacy issues in general) may not have sufficient relevance to justify the expense.

Additionally, some services may use other tools to enhance users' trust and consumer reliance.  For instance, in B2B services, the reputation of the company and the existence of a close relationship very likely supersede the value of a third party seal.

My call.
For my start-up, I think it is not worth the money. The nature of the service provided, the business model, and the close relationship with users weigh against getting a privacy seal.

On the other hand, moving forward as revenues increase, the cost of the seal may become marginal and it might not hurt to get it.

May 23, 2010

Facebook About to Change Privacy Policy. Again...

It took me a bit to understand and figure out all the privacy options on Facebook... And now it may be time to start all over again.
I concede that some changes were REALLY necessary.  However, updating the policies and modifying the control interface so frequently is also affecting users' ability to understand what is going on.
Perhaps FB will send a notice to inform of the changes and proactively explain...

May 14, 2010

Google: Agreement With Italian Antitrust Authority

Following an investigation by the Italian Antitrust authority, Google agreed to change its terms of use regarding AdSense and to allow more transparency in the rev-sharing with publishers and content providers.  Also, considering the alleged abuse of dominant position with respect to Google News, Google agreed to maintain separation between News and Search indexing.  Accordingly, Google will keep deploying separate set of crawls to feed into its News aggregator.  As a result, publishers and content providers will be able to pull-out of Google News while keeping their visibility intact on Google Search.
Here is the document with the details (in Italian...). 
In fact, I believe that this agreement underscores the powerful connection between Google's two products AdSense and Google News.  Another way to look at the issue could be considering the ongoing negotiation between Google and content providers as to achieve a fair rev-sharing deal with respect to Google News ads revenues.
Probably, AdSense was not considered a viable solution anymore, given the little transparency allowed by Google's trade secrets.  However, it seems that Google and the newspaper industry are moving forward and coordinating their business models since Google is now willing to disclose information about the revenues generated out of the publishers' content.
I have the feeling that more open policies in AdSense may also cast some light on the existence of price discriminations amongst different kinds of content and content providers (i.e. AdSense affiliates).  If this is the case, the ads market will surely benefit from it and even the "little guys" may be able to cut better deals for their content. 

May 13, 2010

Art. 29 Working Party: unacceptable that Facebook changed default settings to the user's detriment

Yesterday Art. 29 Working Party issued a press release where it declared it unacceptable that Facebook radically altered its privacy policies to the detriment of users.
The issue concerns the default settings. The WP recommended:
a default setting in which access to the profile information and information about the connections of a user is limited to self-selected contacts. Any further access, such as by search engines, should be an explicit choice of the user.
However, Facebook users know that it is necessary to navigate the privacy settings and go through a series of opt-outs.
Furthermore, the WP points out to Facebook and other social networks the lesson learned by Google in Italy: when a user uploads some contents involving a third party's personal data it is necessary to "to obtain free and unambiguous consent."
On the latter point there are still some fundamental technical problems. In fact, I am not sure how it would be possible to protect the interests of third parties by assigning such tasks to the social network platform, unless the WP requires that Facebook or other social networking sites add another check-box on their terms ... something like this:
"You represent that the uploaded or shared content (" Content ") does not violate the privacy and / or other personal rights of third parties and that in any case you have previously obtained free and unambiguous consent to the publication of the Content from the owner of any personal data or personal rights relating to the Content."
It would be easy for users to mark this check-box (among the many). Who knows if this will be more effective than similar disclaimers about copyrighted content.

600px-Blue_check.svg.png (600 × 600)

May 8, 2010

Brief History of Online Feedback / Rating... Some Thoughts

Stage 1. Men were created with the ability to have opinions of their own.  Opinions can be complex, simple, logical, contradictory, expressed verbally, non-verbally, etc.

Stage 2. Then men became Internet users and were allowed to give feedback on a 5-star basis.  Internet users still have opinions and share them in form of "Comments".

Stage 3. Following, users had the possibility to give a thumb up OR a thumb down.  Users can reply to comments or even re-post them in their own opinion-stream.

Stage 4. More recently, users can "Like" stuff.  No complexity whatsoever is necessary nor allowed.  Similarly, any negative feedback is unpractical (or curtailed) since it would be bad form with respect to "business partners" of the site in use.   Yes, it is possible to write something if you really, really care (which happens when you are upset about a service you paid for). However, other than in such case, who bothers about typing if they can just click.

But wait, there is more.  The evolution of feedback and rating systems is not limited to the progressive simplification of the tools and the user interface.  It rather (and more importantly) concerns what data are collected and associated with the users' ratings.

The person who is rating content or items (the "rater") has become the center of the action.  This is somehow counterintuitive, yet the most valuable information for the website has nothing to do with the items rated thereby.  In fact, the most valuable information is that one concerning the "rater":  its tastes, preferences, behavior, etc.

Therefore, it is key that such information is made as standard and accessible as possible.  For this reason rating on one dimension ("Like" button) may work better and eliminates certain "noise" in users' behavior analysis.  Hence, simplification is functional to enhance user-profiling and, eventually,  to better target those users with relevant ads.

On the other hand, all kinds of feedback regarding content/items have become a very effective "bait" to incentivize interaction and attract traffic. This happens despite being common knowledge that on-line feedback and ratings are easily manipulated and often unreliable.

I believe we can start looking at feedback and ratings from a different perspective.  In fact, I have the impression that their social significance has changed as they do not represent anymore a vehicle to convey opinions but rather a form of basic interaction to show an acknowledgment that something does exist.  To the contrary, if there is no "Like" button underneath it, such thing cannot be part of the user's profile for advertising purposes.  And, that somehow makes that piece of content invisible on the Internet.

May 6, 2010

Privacy Bill Introduced. More Notices and Consent.

The House of Representatives recently introduced a bill (pdf here)  that, if passed, would significantly change the game of privacy regulation.  The bill requires notice to and, in some cases, consent of an individual prior to the collection and disclosure of certain personal information related to that individual.
This bill will raise the bar for all businesses, whether on-line or off-line.  It also promises to harmonize the US regulation with the higher EU standard.
However, one of the limits of this proposed bill is that it stresses the importance of privacy policies and privacy notices, while both the Internet industry and consumer groups seem to agree that privacy policies are ineffective since very few people read them and even fewer can understand their content.

March 26, 2010

Facebook and Site Open Governance (Again)

Facebook is very aware that every move it makes is recorded and meticulously analyzed by observers from all countries.

Then, Facebook came up with the brilliant idea to turn this attention to his advantage by inviting its user base and said observers to join the debate about the governance of the site.

In other words, Facebook is now going to change its TOS and Privacy Policy and is asking users' feedback.

HERE's blog where the proposed changes are discussed.

I will add my comments  soon (unless in the next few hours they decide to make no changes at all).

March 18, 2010

Facebook Settles Beacon Privacy Class Action

Past December 2009, Facebook contacted its user to inform them of the existence of this class action.
If you were wondering what happened, a $9.5 million settlement has been approved.
Here you find more details.

Definition of Controller and Processor in Data Treatment

On Feb. 16, the Art. 29 Data Protection Working Party released its Opinion 1/2010 on the concepts of "controller" and "processor".  I find it an extremely useful attempt to re-embrace the definition of such concepts, especially after the Google Italia case.

Among the many examples, the opinion also contains some interesting insights about Behavioral Advertising.  

March 4, 2010

Italian Republic v. Google Video. Why Was Google Convicted?

Three of Google's executives were recently convicted by the Court of Milan for violating Italian privacy laws.  Google's executives were held liable because Google Video, hosted, allowed comments and did not promptly (or promptly enough upon notice) take down a video portraying a disabled kid getting abused by his schoolmates.  The schoolmates who actually uploaded the video were convicted and sentenced to 10 months of community service.  You may find a more complete description of the facts here.

The ruling is subject to appeal and Google has said it will challenge the ruling.  Many people have commented on the case reflecting upon its deep implications over freedom of speech, privacy law and the Internet business model.  I personally share the concern that prior control over UGC might dangerously compress freedom of speech, yet the solution certainly is not to neglect users' and third parties’ privacy protection.  The bottom line is that such a ruling may shake the foundations of the Internet industry and that nobody I know has a clear idea about a good trade-off among the many conflicting interests.

In this post, however, I will more simply focus on explaining the probable reasons for the Google conviction.  I say  "probable" because the full opinion has not yet been published.  Still, I have an impression of the probable reasons for the conviction based upon reading the statements released by Google's attorney and the Prosecutor in charge of the case.

Reason #1.  There is no safe harbor for privacy violations.  This may be surprising for most Internet companies but, as a matter of law, EU privacy regulation in general, and the Italian one in particular, do NOT apply the safe harbor exemption to matters concerning the right to privacy.  It may appear like a loophole in the system, but probably, when drafting the E-Commerce directive, the EU legislator did not have in mind a service totally based on UGC, such as a video sharing platform.  Directive 2000/31/CE shields mere conduit, cashing and hosting services against commercial liabilities, but not against the rights "of individuals with regard to the processing of personal data...".

Article 1, §5, lett. b of the E-Commerce directive says:  "This Directive shall not apply to: ...
(b) questions relating to information society services covered by Directives 95/46/EC and 97/66/EC."

Guess what subject matter is regulated by Directive 95/46/EC?

Pretty straight forward, isn't it?  If there is no safe harbor for a privacy violation --> liability of the service provider for contributing to the criminal conduct.

The same regulation applies in Italy by virtue of the Legislative Decree n. 70, 2003  art. 1, comma 2 lett. b which precludes the application of the safe harbor regime (art. 14 and ff.) for matters involving privacy rights.

Reason #2.  Google violated the Italian Personal Data Protection Code.  Google's counsel released a statement indicating the rules allegedly violated by Google, as specified in the indictment: art. 23, 26 and 17 of the Data Protection Code.  art. 23 and art. 26 (here an official version in English) provide that before processing any personal data it is necessary to seek consent of the owner of the data.  This is necessary moreover (written consent is required) if the processing concerns sensitive data, such as the existence of a heath condition.  It is probable that the Court considered that depicting the likeness of a person affected by Down Syndrome is sufficient to constitute "processing of sensitive data", considering the apparent and recognizable existence of a heath condition in the person portrayed.

Art. 17 provides a general obligation to consult with the Data Protection Authority before initiating any potentially dangerous processing of personal data.  The violation of such article may be construed as creating liability for other independent violations. We'll see when the opinion is published...

Reason #3.  Google did not take down the video promptly.  Proof of a prompt take down is crucial to  prove or disprove damages.  In fact, damages are necessary for the application of the criminal sanction set forth in art. 167 of the Data Protection Code.

Google took the video down after the police made such request.  The victim's representative argued that the video was actually accessible for about 2 months and, even after the video was flagged by some users and a take down notice filed by the victim's representative, Google did not respond with the requested promptness.

Thus, the Prosecutor accused Google of being inefficient and untimely in taking down the video since, as Google's deputy general counsel for Europe also admits, Google took the video down only when the police asked to do so, many days after the first flagging.  However, there is no clear information about the timeline of mentioned facts.  We'll see...

Furthermore, the Court probably concluded that the accessibility of the video for about 2 months, coupled with the significant amount of views and comments, gave Google notice (or should have given Google notice) of the existence of the video.  This is my speculation. We'll see...

Unfortunately, there is no black letter law applicable to take down notices for privacy violations.  In fact, nothing like the DMCA exists in the EU even with respect to IP rights. I bet Google misses the clear cut provisions of the DMCA when dealing with the EU.

In fact, the Prosecutor remarked about Google's vague and evasive attitude towards certain requests for discovery.  It turns out that Google was unable to restore the original page with the comments or to produce the first flagging of the video.  Google’s defense is, according to the Prosecutor, that producing this evidence was too costly and complicated for Google's engineers.  Well, the Court might have thought it wasn't...  

February 19, 2010

P2P Sharing and Reasonable Expectation of Privacy

Having a reasonable expectation of privacy is the basis for the application of the 4th amendment of the US Constitution which provides protection against illegal searches and seizures.  If you have a reasonable expectation of privacy in the items to be searched the police must get a warrant before any search.  Of course, there are some exceptions to this rule (exigent circumstances, search incident to arrest, etc.)... but let's talk about a computer.

Do we have a reasonable expectation of privacy in the contents of our hard drives?  It depends on what software you are running.  The law says that if you run a peer to peer, you impliedly accept that people can access the contents of your files.  Therefore, you do not have a reasonable expectation of privacy.  As a consequence, if the police find evidence of illegality, such evidence can be used to prosecute you.

This is what case law says about file-sharing and this  principle was recently reaffirmed in a child-pornography case.

The defense attorneys in this case tried to distinguish the facts arguing the complexity of the tools used by the police to access the computer of the suspect and his subjective mental state.  Of course, the subjective mental state is irrelevant and the argument of "system penetration" (AKA hacking) was trumped by the circumstance that the data was otherwise accessible through a "widespread" exposition to the public.  In fact, there was not any system penetration and the government only used a hash-mark analysis as a sorting mechanism to prevent the government from having to sift, one by one, through suspect's already publicly exposed files.

However, this case is important in clarifying at least one principle.
What if you are using a sharing software that you think is not publicly accessible?  If the functioning of the software implies exchange of communication, you are advised of your reduced expectation of privacy.  

Here is the decision.

February 18, 2010

Europarliament Says No to SWIFT

Last week (on Feb 12) the European Parliament did not renew its commitment to the SWIFT agreement.  Such agreement was adopted after 9.11 as an anti-terror measure that allowed US authorities to monitor EU financial transactions.

The news went under the radar, but it is a very significant change in the EU attitude towards data protection and civil liberties.  Also, this is a result of Treaty of Lisbon, which gave lawmakers the power to review and approve measures that effect internal security.

The political rationale of such position may be summarized as follow: "We need to apply EU standards to EU data", "to give people a right of redress" in the event of misuse of personal data, and to allow access to data "on a case by case basis".

Here the press release of the Civil Liberty Committee.  Here the comment of the WSJ.

February 17, 2010

La SIAE e i Monopoli di Stato contro i Video Poker illegali (in ITALIAN)

La SIAE ha siglato un accordo con i Monopoli di Stato per contribuire alle ispezioni relative all' "utilizzo illegale degli apparecchi da divertimento e intrattenimento" (forse i video-poker manomessi? ).

Premesso che non ho letto l'accordo e non so quale sia la legal-basis per questa collaborazione -- solo alcune riflessioni da profano.

1) Sicuramente e' un importante contributo alle attivita' di enforcement e una interessante soluzione per sfruttare la capillare presenza della SIAE sul territorio. La SIAE indubbiamente svolge un serivizio utilissimo;

2) E' anche un modo creativo di esplorare nuovi "stream of revenues" che poterbbero aiutare la ristrutturazione dell'ente e re-interpretarne (in parte) la funzione sociale (anche a seguito delle polemiche degli ultimi giorni);

3) Ma cosa c'entra il diritto d'autore?  E gli eventuali compensi riscossi (immagino una percentuale delle sanzioni o una flat-fee versata da parte dei monopoli) andrebbero distribuiti agli associati?

In altre parole, e scusate la banalizzazione, a che titolo Adriano Celentano potrebbe ricevere una frazione della multa pagata dal bar di quartiere di Centocelle per avere manomesso il flipper... e in quel bar, peraltro, il mangiacassette e' rotto da anni e non si verifica alcuna diffusione di opere protette...  :)

February 14, 2010

International Patent Filings and Economic Downturn are Correlated

WIPO observed that the number of patent filings under the Patent Cooperation Treaty (PCT) in 2009 was significantly lower that the preceding year.
Here is what WIPO observed in details.
This is probably because the economic downturn that has affected both the inventive activity (less resources for R&D) and the IP protection strategy adopted by firms.
It is arguable than many firms and small inventors preferred a local approach to patent filings, perhaps envisioning that global protection might make sense only at a later stage.

January 28, 2010

Data Protection Day, EC says Privacy will be big challenge in next decade

EU Commissioner Viviane Reding acknowledged the importance of protection of Europeans' rights.  What I liked about this statement is the clear identification of a handful of really hot and complicated issues:

  •  behavioural advertising;
  •  social networking sites;
  •  smart chips used to trace people movements;
  •  Lisbon Treaty and the Charter of Fundamental Rights enforcement with respect to privacy.

The principle, said EU commissioner, is that "EU rules should allow everyone to realise their right to know when their personal data can be lawfully processed... and to say no to it whenever they want."

I know I am silly, but "realise the right to know" is a bit different from actually knowing... :)

January 22, 2010

Floobs to File for Bankruptcy

Floobs, a Finnish livestreaming/video-sharing website, declared it is about to file for bankruptcy.
It is a shame that a well designed and original website is unable to move forward.
Some months ago many people were celebrating a new happy season for Internet start-ups.
Is it really so sunny outside?

January 20, 2010

Privacy Compliance is Optional

NYT today reports that Bing (Microsoft) declared that it would comply with privacy regulation.

Irrespective of any comments on MS's statement, I believe it is interesting how public opinion has become used to privacy NON-compliance.  Insomuch that the news is the statement of compliance.

NYT also notices: “Google and other engines are starting to realize that consumers around the world are placing an increasing value on privacy and that can have business consequences.”

It seems that privacy regulation is considered rather an inconvenient hassle to deal with just to improve corporate reputation before customers.  I wonder what happened to that old principle AKA Rule of Law...

Then I wonder,  is the current situation due to a very cumbersome and barely inapplicable regulation? Or it is rather due to insufficient enforcement mechanism?  Or both?

January 15, 2010

The Economics of Terrorism

I would like to feature this interesting TED talk by Loretta Napoleoni about the Economics of terroristic organizations.  This presentation is IMHO enlightening at least to add perspective to the way we look at terrorism.  For instance, I did not know that Patriot Act had consequences on the monetary system.  Did you know that the currency most used for money laundry is now the Euro?