On Thursday, March 1, 2012, Google updated its privacy policies in a combined effort to allay criticism from several communities, and to consolidate its seventy-something policies into a single-source to better target their online advertising. The move was prompted by law suits from several consumer groups, and Google has also taken some heat from some thirty-six states‘ attorney generals who said their online policies were too invasive and filed complaints to the online giant.

In a recent interview, I asked copyright, trademark, and web domain legal expert, David Weslow, Attorney At Law, with Wiley Rein, LLP, to comment on the state of Google’s privacy policies:

Weslow: The March 1 privacy policy changes also come a few weeks after publication of a research study suggesting that Google was circumventing browser settings designed to prevent setting of third-party cookies. This revelation led to the ‘Consumer Watchdog’ group filing a request with the Federal Trade Commission to investigate whether Google’s actions violate a prior settlement agreement between the FTC and Google concerning the now retired Google Buzz.

The publicity and scrutiny associated with Google’s recent website privacy practices and policy changes are evidence of increased focus on website privacy practices and policies by governments, the media, and Internet users. For example, the Obama Administration recently released a report titled, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” which calls for the U.S. Congress to pass a Consumer Privacy Bill of Rights for Internet users. While it may be some time before Congress passes a federal consumer privacy law, there are various state- and industry-specific federal laws that presently apply to use of online consumer data. Therefore, developers and website publishers should be mindful of how sites are collecting visitor data, using the data, and advising visitors of the collection and use of this information.

Weslow

More questions

So, how does all this online tracking work, and what is the impact to the typical online user? Also, on the flip side, do your users know when and where they are being tracked by your websites and online applications? Retargeting of online advertising is more prevalent that you might suspect. Every time you log into an online application or website, it is quite possible that your profile, search history, and the location where you accessed the search and information may be tracked and stored for future targeted advertising. Cookies and the newer web bugs are the little bits of code that make targeted advertising possible. For example, a recent search for air flights to Europe resulted in a flurry of advertising for vacation rentals, flights, and vacation packages on several social networking sites. However, how often do you see advertising for products and services that match your web search interests? Or was it just a coincidence?!

When a web site has an online form that is filled out, once you submit the information, that web site has a legitimate reason to add a tracking cooking. However, there are situations when websites will track your information without your knowledge, and this is where ethics and online privacy issues arise. In particular, with Google, the issue was brought to light with their ability to circumvent privacy settings and gain access to Apple’s Safari browser. Now known as “Safarigate”, essentially Google had bypassed privacy settings on the browser for iPhones and IPads, and this was originally reported by the Wall Street Journal Online.

Submitting invisible forms and planting cookies without user knowledge or permission is a known abuse case involving four companies, including Google’s Safari snafu. The sites implicated are ones that suppress an invisible form that obtains information without user knowledge and submits the form without any user interaction using embedded scripts. Google’s response was that it was looking for a way to use social networking to share user information, but that the application’s engineers got it wrong when it came to Apple’s Safari browser settings.

“Tricking” the privacy protections

There appears to be a lengthy record of companies “tricking” users’ and Internet browsers’ built-in privacy protections. Lorrie Faith Cranor, the Computer Science professor who specializes in usable privacy and security issues at Carnegie Mellon University stated recently on NPR’s Morning Edition, “There are a large number of companies that have been circumventing Internet Explorer’s privacy protections for a long time.” A 2010 analysis that Cranor conducted found that from an evaluation of the compact policies (CPs) of 33,139 websites that over 11,000 company websites had been found that manipulated privacy settings on Internet browsers through the misuse of P3P CP tokens.

While it is clear that users need to understand their own responsibility with respect to privacy policies of the websites they visit, it is essentially the companies that should be held accountable for clearly stating their privacy policies and making them transparent to the user. Today we have cookies and tokens; yet, newer technologies such as web bugs including beacons, pixel tags, tracking pixels, and clear gif are making online tracking more advanced and lasting.

Jonathan Mayer is working toward creating a “Do Not Track” list of companies that would be blocked from tracking your browsing. In essence, all an online user would have to do is make one click to tell websites that they do not want to be tracked, and then the Internet browser would handle the settings. The Digital Advertising Alliance, of which Google is a member, also supports and has agreed to adopt Mayer’s “Do Not Track” technology, and has even launched a consumer education campaign to promote their “AdChoices” effort. However, the exact detail of how this deal pans out for Internet users has not been sifted out just yet, especially since networking giants such as Facebook and Twitter are not getting on the “Do Not Track” bandwagon.

Will the digital “Posted” sign actually mean anything to Internet users? Will companies respect the user’s actual privacy, or will there continue to be an illusion of privacy? And who are the “victims” supposed to call or report to when companies infringe on their privacy settings? Will users even know when a company has encroached upon their privacy settings?

As a web developer does your company or organization utilize tracking technologies? If you answered yes, what information and data about user interaction is important to your company? And how does this tracking information influence your website design?