comScore and Sears came in for a bit of criticism for this “community installation” of the comScore panel tool - by most reports it seems pretty deceptive. comScore has built an amazing business off of offering one thing (web accelerator software in the early days) and then of course using the data they collect to track users and provide research to companies. I wonder if these users know they have hundreds of gigabytes of data on each of them in exchange for the benefits they have received. Ah, they probably don’t care, consent aside Ben.

I think it’s a bit naive to be dismissive of the “silly apps” such as those that dominate the Facebook app world. After all, this is a very new medium, the Facebook ethos is mostly communications-oriented with a semi-serious college-style bent, and everyone is experimenting and trying new things out. Quite a few app creators have been able to establish rapid critical mass, such as you can when you add 1mm new users in a week, but we really haven’t seen very much fungible liquid monetary value created in the app world yet. That’s okay.

I don’t think OpenSocial brings that automatically, but the number of possible partners and bits of data expand,  and de facto standards reduce the risk of creating orphan applications, and increases the ability to port them to multiple platforms. I don’t really think that the kinds of “serious” apps that are going to get built change that much; I think it’s more a function of time until those things are built anyway. What I’m more interested in is the “emergent privacy dilution” (a theme that seems to be bubbling to the surface currently when you overlap the behavioral targeting attempts by online ad companies with the increasing aggregation and subtle but complex interactions of consumer data) we’re going to see from these things getting stitched together. Everyone is going to follow the money, and right now the conventional wisdom says more aggregation is better and means more CPM revenue.

I have my doubts, but for now, I’ll keep playing with the silly apps and eagerly hold my breath for the serious ones we’re sure to see roundhouse kicking us from just over the horizon.

The NY Times article from yesterday discussing a “Do Not Track List” being advocated by various consumer groups taps into what will become an increasingly sensitive issue. It already is, amongst privacy advocates, but not as certainly among the consumer population at large, yet. Today’s article mentions the FTC looking more closely at this issue. These groups are right to be scrutinizing some of the actions of firms looking to improve advertising targeting, because as I have sometimes mentioned on this blog there network-effect-style emergent dangers. With so much more information about us out there, these dangers are real: a single player can take somewhat-interesting partially-identifiable data about a person, and combine it (or if compromised, have someone else take that data and combine it) with other freely available data from online social networks, news stories and whatever - and who knows what they might discover.

I support efforts to create centralized “opt-out” mechanisms, and especially efforts to educate the consumer about these resources (supporting the stance that AOL wants to take here hopefully not in a preemptive tobacco-”you’re going to make me tell kids that the product I sell is bad for them”-soon so I should start doing it first because I own Advertising.com and Tacoda now-kind of way) but this debate is a different one from that around advertising annoyance.

The do-not-call list for telemarketers reduces the amount of telemarketing activities, it turns off ads that are annoying or intrusive. Contacting the DMA and paying your dollar to be taken off lists or working with other services to do so will also reduce the volume of attention-sapping junk, but the do-not-track list will not do that. It may actually make ads less relevant. But I cannot complain: because I still fear that unfortunately as it stands right now, with many players going after consumer data in a myriad of ways, the market will not accurately price the negative end of unbridled data aggregation until it is too late for us to do anything about it…

I came across VentureBeat’s coverage of AdInfuse, which apparently is taking phone call data directly from carriers in order to create profiles of consumers that can be used for ad targeting. The VentureBeat article says that AdInfuse believes that consumers “will be less sensitive about privacy issues on phones”. Really? Consumers are already fairly insensitive about privacy online, but I struggle to see them being as freewheeling when it comes to a device that is physically with them at least two thirds of their lives. Mashable asks if scraping phone number records with a box at the carrier level leads to too creepy of an ad targeting solution. My position is, that the consumer should be made aware of the potential use of their data and should be asked to opt into it (not opt out). If it can lead to lower mobile phone bills or the freedom to get out of signing 2-year contracts to get the latest handset, many consumers will play along… but it should be their choice, fullstop.

The annual privacy notices that have been required since GLB took effect several years ago are typically a joke, but once in a while there’s a good one… and none other than ING Direct whose different approach to banking has garnered them a lot of friends over the last few years:

Banks have assumed for too long that they can share information about you, and then ask if you mind; requiring you to tell them not to, or “Opt - Out” of their information sharing. ING DIRECT will not share your information unless you ask us to, or “Opt - In” to us sharing your information.

Good work guys.

I read the NY Times take on the Verizon privacy issue (them disclosing to customers that unless they opt out, Verizon can share their calling data with its affiliated companies and third parties): there has been some speculation about Verizon using its customers’ calling records for marketing.

The Verizon representative (in the article) says that they do not use this information for mobile advertising currently, though the opt-out language gives them the right to do so. I don’t think this is that big of a deal… yet. I have to wonder out loud though when the consumer is going to ask for more control over how their data is used or not used.  I have previously been disappointed at the lack-of-usefulness of these annual privacy notices (they could be much more useful, better administered etc.), but just think that without them we would have no idea about the impending over-use of our personal information.

We’re probably still confused about all the privacy language and think that our data is protected while they’re telling us it’s not. Here’s a post I made in 2003 - 57% of consumers believe that the existence of a privacy policy on a website meant that a site would not share their data with other companies! Uh no, it means they’re telling you how they’ll share your information (or “may” share your information at some unspecified point in the future). There is still a burden of consumer education here, no doubt.

With behavioral ad firm M&A happening at highish valuations, new behavioral advertising startups are able to raise a large amount of money. Like NebuAd, which has raised over $30 million in funding but inevitably faces privacy concerns since it operates at the ISP level and watches user packet traffic for signs of interesting behavior.

I feel like there are periodic privacy “episodes” that get privacy interest groups, the media and some consumers all worked up, but the reality is that the negative effects of these episodes is relatively small and short-lived. It’s often unfortunate, I feel, that there is such a short public attention span / memory.

I myself have not personally dug into NebuAd in any great detail (though it sounds like they’re at least trying to anonymize profiles… if that is entirely possible, probably not), but if past history is any guide, the consumer is probably not directly the one who will determine whether the privacy attention greatly affects their business plans…  in Silicon Valley where perception is such reality, small nasty incidents would more likely have larger impacts on their potential customer base. If the more sensitive consumers at potential advertiser, agency and publisher clients have problems with it, that’s more where the rubber will meet the road for their business.

A data leak that has been widely discussed online in affiliate fora already but I only found out about it this weekend, which I thought was surprising (was there any coverage of this out there in mainstream press?)… wow, this is a pretty nasty thing.

> From: “Patrick McCarthy” <********@rightmedia.com>
> Date: March 7, 2007 15:32:42 PST
> To: “Patrick McCarthy” <********@rightmedia.com>
> Subject: RMX Direct Data Breach
>
> Dear RMX Direct Customer:
>
> We regret to inform you that there has been an unauthorized access to
> the portion of our Right Media Exchange (yieldmanager.com) platform
> that RMX Direct networks use to manage their buys on RMX Direct
> publisher sites. The information accessed is that contained on the
> Linking Details page which could include, depending on which fields
> you have populated, your Contact Name, Email Address, Payee Name,
> Billing Address, EIN/ SSN, Payment Method, and Websites. We do not
> believe that any of your billing, ad serving data or revenue data was
> compromised.
>
> Upon discovering the unauthorized access, we worked as quickly as
> possible to investigate the incident and secure the access route. We
> have identified and taken action against the party behind the
> unauthorized access. To ensure the integrity of our systems, we are
> also conducting a system wide internal audit to identify any other
> potential access vulnerabilities.
>
> Based on the information we have gathered, we believe that the access
> violation was focused on obtaining your email contact information for
> the purpose of soliciting you to do business directly with the
> perpetrator. However, your Employee Identification Number (EIN) or
> Social Security Number (SSN) may have been obtained if you had
> populated that field during the setup process in RMX Direct. To the
> best of our current knowledge, your EIN or SSN has not been used
> inappropriately.
> However, you may wish to exercise caution and place a fraud alert with
> the three (3) major credit bureaus (Equifax, Experian and Trans
> Union).
> Each agency has an automated fraud alert system that will notify the
> other two agencies to also place a fraud alert on your accounts. You
> can also obtain a free copy of your credit report from the agencies.
>
> The contact information for the credit agencies is:
>
> Equifax - 1(888)-766-0008 - www.equifax.com
>
> Experian - 1(888) 397-3742 - www.experian.com
>
> Trans Union - 1(800) 680-7289 - www.transunion.com
>
> In addition, if you did populate the EIN/SSN field, we will make
> credit monitoring available to you, at our expense, for the next year.
> You will receive on email with instructions on how to take advantage
> of this service in the next few days.
>
> Again, we apologize for this incident. We appreciate your
> participation in RMX Direct and are committed to providing you with a
> reliable, safe and beneficial experience.
>
> If you have additional questions about this, please feel free to call
> me at (541) 255-2070 or email me at *******@rightmedia.com directly.
>
> Sincerely,
>
> Patrick McCarthy
> Director of Business Development
> Right Media Inc.

I sometimes wish I could easily rearrange the posting order of blog entries automatically (well I probably can and just don’t know how), but wanted to mention that James Van Dyke wrote some very worthwhile comments on the shredder market size issue. Check it out — part of our problem is the amount of printing we do, though I would also say that I’d love it if I could just turn all my paper records easily into electronic versions that would be safely, securely stored off-site and accessible via a secure Web connection (perhaps with accompanying USB key for extra safety)?

The Chronicle uncovered the dumping by the Indian Consulate of boxes of files and data from visa applications. Forget shredding, or secure document disposal — these ended up in a municipal dumping ground (and not the “drive up to miles away from anything else” type either…). Quite shocking and arrayed alongside my former colleague Jim Van Dyke’s survey results indicating that losses due to identity theft have dropped slightly in the last year partially due to increased consumer and business awareness of the issue.

The Chronicle article ends with a comment about an official being on their way to Best Buy to get a shredder. Thinking about the consumer side of this, the former market research analyst in me quickly did a few searches to see what kind of penetration numbers I could find online for in-home shredders — here are some quickies:
5/31/2006, Fellowes PR:

Americans spent more than $400 million on in-home shredders last year

5/2004, Information Management Journal:

According to a Staples spokesperson, the market potential for shredders is huge because the current household penetration is only 20 percent… Shredders are one of Staples’ hottest-selling items, with 1.3 million units sold in 2003 - a more than 50 percent increase from a year earlier.

But here is a very informative article from as far back as 9/1998 (Office World News):

Tony Storrie, vice president and general manager of the shredder division of Fellowes, Inc., estimated that the industry is doing $300 million in annual sales, but market statistics show that consumer awareness has not yet reached its highest level.

He continued, and here’s where there’s a really interesting leap for me:

Last year, 2.5 to 3 million personal shredders were sold in the U.S. while 22 million computers were sold. “That means that there are 22 million people who are potential customers for a shredder,” said Storrie. “A lot of people haven’t grasped the need yet,” he continued, “unless they’ve become a victim [of identity theft].”

So basically — the potential universe of in-home shredder owners = people who bought computers (??). Anyway, it looks according to Fellowes that this market grew from about $300 million in 1997 to $400 million in 2005, which looks a bit rough but turns out to be a CAGR of 17% which is nothing to sniff at but really less than I would have expected based on some of the brouhaha. I’d love to get more thoughts from Jim on the subject… perhaps he will comment for us?

Now that Rapleaf has their product (surprisingly, it doesn’t seem to say ‘beta’! bravo!) up and running, I created an account and started playing around with it. I haven’t had a chance to look yet at some of the integrations they discuss on their blog, but I have to think that this is clearly the key to their model because a rating system without some tight easy, no-effort integration into actual web transactions will just make it another stillborn system like Andrew Maltin’s really weird RepCheck.com (the website still works, 6 years later).

Side note: Maltin is behind another site now focussed on helping women navigate the online dating marketplace and find the supposed-30% of men on these sites who are in an existing relationship, MateCheck (funnily I found an article also talking about a private detective by the same business name who apparently hires fakesters to get in-relationship individuals to try to go on dates with them). MateCheck appears to be both a scraper as well as a Classmates-esque “build the database as you signup more people” play. I didn’t really have a good way of confirming the 1mm plus profile number ticking up on the site - but it combines these approaches with a basic database system that tries to get prospective women customers (it is free for now) to not only do the rating work for it but also have them enter the names and aliases of their male dates along with their own comments, their IM addresses, email addresses and phone numbers for cross referencing. According to their PR release MateCheck’s goal is to 1) be the “E-Bay [sic] rating system of dating” and 2) to seeming cut across the pseudonyms and multiple identities some of these people (men) may use: DateScore™ determines a man’s authenticity based on objective information provided by women with first-hand knowledge—the women who have already dated him! RepCheck took the approach of solving the issues of no-negative postings and of creating entries in the database by grabbing all the phone records from at least LA County (perhaps other LA counties too - Maltin started it in Los Angeles) and throwing them in there. I browsed and found some rather unflattering reviews of random individuals back in 2000 when I looked, though I mostly found nothing, and also found some people I knew who lived in LA at that time who had no knowledge there was now an open forum for comments on them. On the site you can post ‘graffiti’ anonymously but can only “rate” and officially comment on another person under your own name - but of course there is no verification of your name, not everyone is in the phonebook and thus you can create multiple accounts to talk trash about real people, essentially. I’m surprised the site is still up - the lack of adoption probably means there is no significant legal risk to the erstwhile principals.

Coming back to Rapleaf… There’s potentially great value in having a site-independent reputation system, ideally something that could take into account reputation or other information available on other sites already (like eBay, LinkedIn etc.) but that’s a much more thorny set of intellectual property issues. But this site-independence is the very thing that makes it much more difficult to achieve critical mass of course and create what appears to be Rapleaf’s aim of a large-scale reputation system that cuts across various different websites, pseudonyms and identities and gets down truly to the individual level, or down to the phone number or email address which often (inadvertently) may be the same thing. Rapleaf encourages people to search or rate by phone number and/or email address as the key.

While I love craigslist, I have definitely had issues where people have dropped out of a transaction having agreed to complete it. I felt in many of these cases this would never have happened on eBay were their eBay scores at stake. But eBay’s system isn’t perfect: the issue at the margin is that if new sellers can’t successfully sell something until they are rated and nobody would buy from an unrated seller, then there should never be any sales and thus no feedback (and of course this isn’t the way it works because (a) not everyone looks at feedback before deciding whether to buy or sell and (b) most people who use eBay are buyers and not sellers, and because you can build up a reputation ‘number’ based on buying that may not stand up to further scrutiny since the detail is there, but may still be enough to allow you to sell to many people).

Does Rapleaf wish to create for each person a universal transactional reputation?

I don’t think this is a realistic aim. I believe that people want to segregate different parts of their online experience and world whether as a seller/buyer or other transactor, and that a universal identity is potentially dangerous and scary to a lot of people. Although a lot of the cross-correlation and consolidation of identifiable information is ongoing and inevitable and may happen without us really knowing it, people (and not just the bad actors out there) will resist this convergence. Also in our online folksonomy-world the other piece that comes into play is how to properly collapse and combine multiple identities. Email is a weak form - of course you can have a million different email addresses but some like gmail have made it a bit more difficult through new sign-up procedures - but it’s still a mess. Phone number is much stronger and easily verifiable not to mention trackable often to a real person for less than 20c through an online real-time database call; not to mention a free lookup vs. the reverse phone-number database. Some may say that “big deal, he sold a set of golf clubs on craigslist” but it doesn’t take a genius (or an AOL snafu - which I still don’t think most people care that much about… ) to see that this could get pretty ugly pretty soon as technology allows us to start stringing some other things together like a shouldn’t-be-public calendar.

In sum I think Rapleaf will be an interesting, niche offering with the potential to provide some valuable exploratory use cases around online identity, reputation and trust. Rapleaf is perhaps one of the pieces of “Reputation 1.5″ and along with some of the existing online 1.0 players out there like eBay and existing social networks, as well as general online community feature developments that come along, will help ordinary people really start to understand the power, perils, potential and pitfalls of online reputation systems. Side note to Auren: you guys need to work on your privacy policy which needs some attention right now and is pretty confusing.

Zabasearch is another in a long line of personal/private information aggregators, starting with phone -book type data and then layering on other public records and trying to make money from selling premium services like background checks and so on. One “feature” it has which I assumed was kind of an interesting anonymous email/messaging service is something where you can “send a message” to a person. I put in a fake message to myself with no other details as I am somewhat of a skeptic, but I assume they would attempt to deliver the message to the person in question if they were able to match them with an email address, for example. How wrong I was. It’s like a public message board that is no doubt catching a lot of people unawares as evidenced by messages that INCLUDE personal info, email addresses and phone numbers. This may not be AOL but some of this information is far more personal, damaging (”you have a son that is 35 years old now”) and directly tied to people’s names and addresses for all the world to see.

This is crazy.

Referencing my colleague Greg’s comments about the AOL search data sharing ‘incident’ as it may come to be known, I had to ask the question if anyone will really care about this (I emphasize the word really). Again and again we see consumers say that they care about privacy but not really taking any actions that support that they actually do. Naturally AOL has apologized, and it has been pulled down but of course enough data voyeurs have no doubt had the chance and will still have the chance to somehow download this information. Perhaps a good rule of thumb might be that anything that is made available as a 450Mb+ zipped download is probably too much information to be putting out there in the public domain.

You could always take the Google Trends approach, make it kind of interesting but also methodologically opaque instead to keep everyone guessing about what’s really in there and not in there. Let’s see what kind of sh1tstorm they’re left to deal with if any. I’m guessing it won’t be that bad…

How do you validate that someone calling you actually works for a specific company? This occurred about a year ago when I worked at LinkedIn and a person called me representing that they were an attorney for a well-known software company. They were making a request to have a person’s profile removed from the site for some reason, and I had to validate that I was indeed speaking to the appropriate person at the company. They suggested I look up the main number for their company and ask for him by name etc. etc. So I went through that rigamarole and ended up back speaking to him and proceeded along with the business at hand.

As I think about when a company calls me up and asks for information - combine that with our experiences from the online space with phishing - online the veneer of authenticity is very achievable and offline as well there is a long history of ’social engineering’ to gather information from unwitting people. But what about the next level, with the costs of phone calls coming down and offshore call-centers increasingly being utilized, how are we going to keep the callers honest, the folks who call us and start asking for personal information (or already have some personal information and ask for more). It’s a serious set of questions that need a lot more discussion and thought. So I’m going to think and write about it… let me know your thoughts!

“there are no coincidences, only the illusion of coincidence”

- V, “V for Vendetta”

Fabulous movie, had to throw in the quote. Two articles I “happened” to come across in the same online session, one regarding getting paid [CNNMoney] for other people using your data to make money, and the other about a not-that-widely-known company called PayTrust whose customer base last year was sold to Intuit (having previously being sold to electronic billing company Metavante in 2002). When confronted with the choice of having to agree to new terms and conditions of service for something that you have come to rely on and that really saves you a lot of time (the PayTrust service, which I’ve always thought was cool if for a somewhat limited audience), that include the new company being able to share your data with any of their subsidiaries/affiliates, what do you do?

What do you do? I’m guessing, if you’re like most people, you accept the new terms and continue. But do you have the option to take your data back and go to a new service? There’s the rub…

According to this Walter Mossberg as quoted in this article, “we are living through a digital siege”.

Yikes, what next? Found article on MSN via AdRants:

Lisanti suggested brain fingerprinting will offer new insights by tracking which particular ad led a consumer to buy a product. Brain Fingerprinting aims to have its tests cost the same as focus group studies.

The United States lags behind Europe when it comes to protection and safeguards for consumer data, as discussed in The Economist this week (subscription required). The EU data protection directive (1995) requires companies to assess and and document their procedures for handling sensitive information. As the article points out, what it lacks is any requirements for making breaches public - the California laws requiring this are what have led to many of the disclosures of late - and thus it is hard to say how effective it has been.

I somewhat agree with the main finding of the piece that it would be preferable to convince companies to do more here, and that harsh direct regulation is probably not the right course of action. Given the pace of growth and expansion, governments will probably not be savvy enough to put in place regulations and requirements around data that offer true protection to consumers, take into account the rapid pace of change, and still allow valuable data-centric services to exist and thrive. Sunlight and the danger of adverse publicity for now is a good disinfectant, but if it happens in the US that there are myriad state-level regulations it could become quite messy and expensive for firms to comply with this not to mention potential “cry wolf” effects for the man in the street if there are too many minor incidents publicized.

As consumers, we need to start to take a more active stance and interest in how companies treat our information — I would be in favor of a kind of “nutritional ingredients” label approach — where it’s easy and clear to see what’s involved in simple terms, how they use your data and how they keep it safe. Then we can act as consumers and make decisions based on practices and safeguards we can agree with. Part of the problem that I’ve pointed out before is that it is difficult or impossible for consumers to know what constitutes good, safe practices (though like with nutrition, some people learn things - ie. partially hydrogenated=trans fat=bad; which then later becomes a formal part of the label). So this might require third party “seals” from reliable entities (and it’s not clear to me who would be a good candidate/s for providing these services).

Most firms don’t really “sell” their services on the basis of consumer privacy and security protections - but I predicted several years ago that we would see that happen at some point soon and that firms could take the initiative here. Some have done a bit of this around identity theft protection. But there’s much more related to the things that we can’t see (like who’s carrying those backup tapes, how they’re encrypted and where they are being stored). Those times may thus be near at last…

Amazon is looking to help suggest gifts to people by mining more of their behaviors on the site including reviews and previous gifts given. Privacy advocates are up in arms about this - but I’m not sure why. This doesn’t seem like it is anything more than what Amazon has been doing already - they profile you currently by what you buy and suggest things to you that you might find interesting. I’d say a lot of their suggestions are off the mark *because* I buy a gift for someone that takes me outside of my normal purchasing pattern — and even with this limitation, in the 10+ years I’ve been a customer I’ve had them provide numerous valuable suggestions that I’ve acted upon. Amazon is currently doing a fair number of things that are reasons enough to stop shopping there (its hard to see now when its a third party who is providing the product vs. Amazon itself, and the time wasted and sticker shock when I came to a $26 shipping fee on a $54 item made it a really bad customer experience for me), but helping you choose items via filtering is not one of them.

My response to the usual suspects (it’s always the same privacy people, haven’t you noticed: Hoofnagle, Catlett etc.) is: get over it; the kind of data that ChoicePoint, Lexis-Nexis and the IRS (!) have on us is much more worthy of your time to monitor! And it would be nice in one of these privacy stories to get some other people’s opinion as well…

Long article in News.com today about comScore’s Marketscore being discussed as spyware in some corners. I’ve worked for Jupiter Media Metrix and NetRatings, and am a big advocate for the business insights that online behavioral data can provide. I think comScore has done a great job of marketing their data to their business customers.

I do think that many of their panelists (and those of other research companies, to be fair) probably don’t know how their information is being used for commercial research purposes, and have no idea of the potential risks that there might be (the article details several related to proxy servers). I think that just as we allow market research companies to call us (overriding do-not-call) at home, we can allow it on our PCs as long as everyone knows where they stand and how to get out if they so choose. The industry should help establish some clear privacy and security guidelines for research and other client-applications, and these firms must spend some of those dollars to help educate the consumer. Should: we will see if it happens!