Announcement | CalPSAB -- WPF executive director Pam Dixon has been appointed by California Secretary of Health and Human Services Kim Belshe to the California Security and Privacy Advisory Board. Dixon will serve as interim co-chair of the board, which is tasked with addressing health information exchange (HIE) privacy and security efforts in California. The board's meetings will be open to the public.
This report is an in-depth analysis of the history and current operations of the National Advertising Initiative (NAI) self-regulatory agreement.
Roadmap: The National Advertising Initiative – Failing at Consumer Protection and at Self-Regulation: Difficulties with the NAI When people sit at their computers and browse for new car information or to learn about the latest treatment for diabetes, when people walk down the street reading stock quotes on their mobile phones, and when people text a response for more information based on a television commercial they saw, their actions speak louder than words. A new realm of consumer tracking has grown up to translate these activities into advertisements. This kind of advertising is behaviorally targeted advertising. Behaviorally targeted advertising is as controversial as it is lucrative.
In 1999, when online advertising was still a fresh segment of the advertising sector, widespread concerns arose about the ways that consumers could be tracked and targeted online for advertising purposes. The Federal Trade Commission held a workshop on online profiling in November 1999. [6] The concerns of the day were distilled in a FTC report to Congress in June 2000, Online Profiling: A Report to Congress. In that report, the FTC found that online profiling presented privacy problems for consumers. The FTC found that online profiling was primarily accomplished through banner ads, cookies, and web bugs, also called web beacons. [7] The Commission also concluded that online profiling was largely invisible to consumers:
The essential activity of the NAI is to define terms, discuss a handful of abbreviated consumer rights, which the NAI calls its “principles,” and to set up a structure of “opt-out cookies.”
Although it is possible to identify many aspects of the NAI that are broken, this report focuses on four areas in particular: 1) the effectiveness of the NAI opt-out cookie as the primary tool for stopping tracking; 2) the applicability of the NAI to types of tracking that extend beyond the traditional cookie and to business models not expressly covered by the NAI; 3) the constantly shifting membership of the NAI; and 4) auditing and enforcement of the NAI.
Report | Internet privacy | NAI -- The World Privacy Forum published a new report today, The Network Advertising Initiative: Failing at Consumer Protection and at Self-Regulation. The report is an in-depth analysis of the history and current operations of the National Advertising Initiative (NAI) self-regulatory agreement. The NAI was created to protect consumers' online privacy in the behavioral advertising arena. The report finds that the NAI has failed. The report discusses the failure of the NAI opt-out cookie, the uses of persistent consumer tracking technologies that go beyond cookies, such as Flash cookies, browser cache cookies, XML super cookies, and other issues. The report also discusses the practice of re-setting cookies after cookie deletion. The report gathers the details of the difficult membership history of the NAI, as well as the enforcement history of TRUSTe regarding NAI.
A traditional cookie as defined by the NAI is not the only persistent identifier and tracker available to network advertisers and marketers anymore. New technologies and techniques have become routine business practice since the original NAI was written, particularly in the area of persistent identifiers and tracking technologies. A rich array of browser cache cookies, Flash cookies, and other non-NAI-covered tracking techniques not only exist, but are in use today.
For a formal self-regulatory group, the NAI membership includes only a fraction of the industry engaging in behavioral ad targeting. The low numbers have plagued the NAI for its entire existence. One aspect of the problem has been the establishment of a non-full compliance membership category.
One of the issues raised in the FTC reports to Congress about online behavioral profiling was notice. The FTC and the NAI promised “robust” enforcement of notice. Unfortunately, because the foundational understandings of the NAI are out of date, the NAI ideas of notice that flow from those understandings are also out of date.
TRUSTe began reporting on NAI complaints in March 2002. It used its Watchdog Reports to do this. In the intervening years, TRUSTe public reports regarding the NAI reveal a troubling, systematic reduction of transparency regarding the NAI. (See Appendix B for a complete listing of all TRUSTe NAI complaints.)
Oversight of the NAI has been neglected. As a result, there are many things the public simply does not know about the program, in particular, its effectiveness. To date, the public does not know how many consumers participate in the program. The public does not have numbers comparing consumers who have visited opt-out pages with consumers who have successfully opted out. How many consumers actually have opt-out cookies, and for how long? Where are the reports on whether or not it is effective for those who do opt-out? Are NAI members actually complying with the obligations?
The NAI has failed. The agreement is foundationally flawed in its approach to what online means and in its choice of the opt-out cookie as a core feature. The NAI opt-out does not work consistently and fails to work at all far too often. Further, the opt-out is counter-intuitive, difficult to accomplish, easily deleted by consumers, and easily circumvented. The NAI opt-out was never a great idea, and time has shown both that consumers have not embraced it and that companies can easily evade its purpose.
To compile this list, the World Privacy Forum relied on saved pages of NAI available on Archive.org. NAI membership from 1999- 2007
Roadmap: The National Advertising Initiative – Failing at Consumer Protection and at Self-Regulation: Appendix B - Listing of TRUSTe Complaints Regarding NAI From 2000 – 2007 Note: The World Privacy Forum relied on the TRUSTe WatchDog reports to compile this table. For the reports, see: <http://www.truste.org/consumers/watchdog_reports.php>.
The online tracking and targeting of consumers –– both in its current form and as it may develop in the future –– needs to be limited so that consumers can exercise meaningful, granular preferences based on timely and contextual disclosures that are understandable on whichever devices consumers choose to use. Consumers must be free to act in their own self-interest. Companies engaged in monitoring and tracking must respect consumer privacy by implementing Fair Information Practices,2 and there must be a structure that allows for enforcement of these rights. A right that is selectively enforced, or that is without effective enforcement, is not a meaningful right.
Consensus document | Consumer rights and protections -- Nine privacy and consumer groups, including the World Privacy Forum, unveiled a consensus document outlining key consumer rights and protections in the behavioral advertising sector. The document is directed toward the Federal Trade Commission, and urges the FTC to take proactive steps to adequately protect consumers as online and other forms of behavioral tracking and targeting become more ubiquitous. The consensus document was filed with the Secretary of the FTC and its commissioners. Behavioral advertising is the focus of the FTC's eHavioral Advertising Town Hall meeting taking place November 1-2 in Washington, D.C. The network advertising sector has a self-regulatory plan, the Network Advertising Initiative, in place, and has had this plan in place since 2000. The consensus document addresses the many areas where the NAI plan has failedto protect consumers.
Ten privacy and consumer groups, including the World Privacy Forum, unveiled a consensus document outlining key consumer rights and protections in the behavioral advertising sector. The document is directed toward the Federal Trade Commission, and urges the FTC to take proactive steps to adequately protect consumers as online and other forms of behavioral tracking and targeting become more ubiquitous. The consensus document was filed with the Secretary of the FTC and its commissioners. Behavioral advertising is the focus of the FTC's eHavioral Advertising Town Hall meeting taking place November 1-2 in Washington, D.C. The network advertising sector has a self-regulatory plan, the Network Advertising Initiative, in place, and has had this plan in place since 2000. The consensus document addresses the many areas where the NAI plan has failed to protect consumers.
Version 1: October 16, 2007 The World Privacy Forum, as part of its ongoing in-depth research into medical identity theft issues and responses, has outlined 8 best-practice responses to the crime by the health care sector. These best practices are based on interviews with victims, providers, and other stakeholders. These ...
Medical identity theft | AHIMA -- Executive director Pam Dixon spoke to thousands of AHIMA delegates in Philadelphia sharing the latest information on medical identity theft and outlining 8 best practice responses to the crime for the health care sector. Dixon specifically asked for the creation of national guidelines for helping medical identity theft victims, the ability for victims to set red flag alerts in their health care files, that providers train and have dedicated personnel to help medical identity theft victims, "john and jane doe" file extractions, a focus on addressing insider access to patient information, risk assessments specifically for medical identity theft, and educational efforts. The information in the speech was based on the latest World Privacy Forum research in the area of medical identity theft.
Medical identity theft | Best practice responses -- The World Privacy Forum has outlined 8 best practice responses to medical identity theft for the health care sector. The best practice responses are based on research the Forum is conducting for its second report on medical identity theft, and is a work in progress. The 8 best practice responses were presented to AHIMA delegates October 9; the Forum is soliciting and accepting feedback on the 8 best practices.
Medicare - CMS -- The World Privacy Forum filed extensive pubic comments on the substantive changes to the Medicare database release policy that the Centers for Medicare and Medicaid Services (CMS) has proposed in a System of Records Notice. As it currently stands, CMS is planning to release the individually identifiable protected health information of patients in the Medicare database to third parties in some circumstances. CMS has not established strong enough checks and controls on its release policy, and it has not explained how it is able to do this under HIPAA. The comments state that CMS has an obligation to explain how each routine use in its new policy is consistent with the authority in the HIPAA privacy rule. If a routine use allows disclosures that are broader than those permitted by HIPAA, then the routine use must be narrowed so that it is consistent with HIPAA. The comments also note that nothing in the CMS notice discusses substance abuse rules and other legal restrictions of the protected health data. The World Privacy Forum asked CMS to specify that the qualifications of any data aggregators who may potentially receive the data exclude any entity that sells other consumer data for any general business, credit, identification, or marketing purpose.
Medical identity theft is a crime that harms people and it is a crime that hides itself. This combination makes medical identity theft an insidious crime. It can cause extraordinary damages and harms to its individual and institutional victims. And once begun, the harmful effects of this crime can linger in the lives of its victims for years or even decades.
The World Privacy Forum filed extensive pubic comments on the substantive changes to the Medicare database release policy that the Centers for Medicare and Medicaid Services (CMS) has proposed in a System of Records Notice. As it currently stands, CMS is planning to release the individually identifiable protected health information of patients in the Medicare database to third parties in some circumstances. CMS has not established strong enough checks and controls on its release policy, and it has not explained how it is able to do this under HIPAA. The comments state that CMS has an obligation to explain how each routine use in its new policy is consistent with the authority in the HIPAA privacy rule. If a routine use allows disclosures that are broader than those permitted by HIPAA, then the routine use must be narrowed so that it is consistent with HIPAA. The comments also note that nothing in the CMS notice discusses substance abuse rules and other legal restrictions of the protected health data. The World Privacy Forum asked CMS to specify that the qualifications of any data aggregators who may potentially receive the data exclude any entity that sells other consumer data for any general business, credit, identification, or marketing purpose.
NHIN update -- The National Health Information Network, or NHIN, is part of a major undertaking to digitize and network the health care sector. From electronic health records to multi-state health information hubs, the U.S. government's goal is to modernize and move health care information from paper to digital. The Department of Health and Human Services is the primary mover behind this initiative, which is complex and multi-faceted. The World Privacy Forum keeps a chronology of NHIN events as a public service. The NHIN timeline has been updated to reflect changes in AHIC, a group that is charged in part with ensuring privacy and confidentiality in the NHIN and other aspects of health care modernization. AHIC is set to transition to a "public-private partnership," a move that will need to be watched closely to ensure robust consumer involvement.