Your Guide to Online Privacy

    by Mark Glaser
    February 13, 2008

    i-b7450e560bdc7c8f771a55957072b2a7-personal privacy.jpg

    From time to time, I’ll give an overview of one broad MediaShift topic, annotated with online resources and plenty of tips. The idea is to help you understand the topic, learn the jargon, and take action. I’ve already covered blogging, citizen journalism, social networking and other topics. This week I’l look at online privacy.


    With the advent of the Internet and a growing number of security breaches, people worry that their personal information can be seen and exploited around the world in an instant. If you have incriminating photos online, a potential employer or love interest might find them and make snap judgments. If you shop online with a credit card, a merchant might steal your information and run up charges on your card. If you surf online around major media sites, publishers might use your “data trail” to target advertising to you.


    In the U.S., the “right to privacy” is not enshrined in the Bill of Rights, but it has long been a critical issue for many Americans. In 1890, Louis Brandeis and Samuel Warren wrote a treatise defending “the more general right of the individual to be let alone.” American courts and legislation have had a mixed record in protecting privacy, curbing data-sharing in medical records and other areas, and regulating data collection from children online. But there has never been comprehensive national legislation in the U.S. to protect people’s personal and financial information online, or standards for the way businesses collect, save and share data.

    As we share more information online via myriad site registrations, online social networking profiles, e-commerce sites and search engines, the desire by companies and governments to mine that information is increasingly at odds with the desire of users to protect it. While online businesses can create their own privacy policies, average folks often can’t comprehend them — or opt out from data collection without leaving the site entirely. And government agencies and law enforcement increasingly are watching what people do online to fight crime and terrorism.

    Luckily for frustrated web users, there are many ways to protect your privacy online, from deleting your computer’s cookies (identifying information about your computer and surfing trail) to using alternative web browsers, to opting out of a website’s ability to share your data. (For more, see “What You Can Do” below.)


    i-3c3627a1fdeb693ca039b90b8a361cbd-EPIC iwantyou.jpg

    Plus, there are various privacy groups such as the Electronic Privacy Information Center, the Electronic Frontier Foundation and Privacy International that have helped fight court cases and defend the rights of people to keep their data private thanks to some regulations that have passed. These groups often take the side of individuals online who are trying to keep law enforcement or businesses from accessing their personal data without just cause.

    Search Engines Under Scrutiny

    When it comes to protecting personal data, users have worried most about identity theft and credit card fraud, and with good reason: The Privacy Rights Clearinghouse found that more than 218 million personal records have been exposed because of security breaches in the U.S. since the beginning of 2005. What is less apparent to many is that search engines we use every day are saving the data on what we search for and where we click after searching.

    That came to the fore on August 6, 2006, when AOL released the anonymous search data from 650,000 users, taken from a three-month period. The intent was to let academics use the material to help improve search queries, but soon people were able to guess the identities of various people because of their string of searches. AOL apologized, calling it a “screw up” and taking down the information, but sites were quick to mirror and save the material. The lesson was that any action you take online could be recorded, saved and broadcast by that company at a later date.

    The most widely used search engine of them all, Google, known for its “Do No Evil” mantra, also began to feel pressure over its open-ended privacy policy, in which it saved your search strings indefinitely. After a News.com article cited personal information on CEO Eric Schmidt — found using Google searches — Google called for a ban on any interviews with News.com for a year. The search kingpin later relented in the face of criticism on the ban, and eventually changed its data retention policy to saving search strings for 18 months before deleting them, responding to European regulators.

    “We believe that we can still address our legitimate interests in security, innovation and anti-fraud efforts with this shorter period,” wrote Peter Fleischer, Google’s global privacy counsel, on the company’s Public Policy blog.

    Google also came under scrutiny when it announced plans to buy out Internet display ad server DoubleClick for $3.1 billion, because privacy groups were worried that the combined company would be able to aggregate so much information on our web trails and actions. The Federal Trade Commission and U.S. Congress held hearings on the matter, and the FTC eventually allowed the merger to go forward. But the FTC also called for guidelines on online behavioral advertising, including the following:

    > Every website where data is collected for behavioral advertising should provide a clear, consumer-friendly, and prominent statement that data is being collected to provide ads targeted to the consumer and give consumers the ability to choose whether or not to have their information collected for such purpose.

    > Any company that collects or stores consumer data for behavioral advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.

    > Companies should obtain affirmative express consent from affected consumers before using data in a manner materially different from promises the company made when it collected the data.


    Of course, these guidelines are only voluntary, but might well end up as a framework for legislation if consumer outcries continue over online privacy. Meanwhile, Google rival Ask.com announced a new privacy function called AskErase that lets you do web searches that are only saved “for hours” except in rare circumstances. Google does allow people to erase their web search history, but by default, the company does keep records on what you search and click on for 18 months.

    Google should be given credit for producing a video series explaining online privacy on its various services — from Gmail to Google Docs — found on a YouTube channel.

    Facebook and Data Portability

    Social networking sites have been stuck in a conundrum: How do they serve up ads targeted to users based on their personal profile information without angering them over invasion of privacy? While all large social networks have been teetering with this balancing act, Facebook has had the biggest spotlight on its privacy troubles. First, Facebook took considerable criticism for its “News Feeds” feature that updated a person’s friends on every move they made on the service, from updating a photo to having a new “relationship status.” After the hubbub died down, the service then drew the wrath of MoveOn.org and privacy groups for its Beacon feature that alerted “friends” about your purchases on other sites — without asking permission first.

    i-673c3289caa2d435d1f2f30fac686846-Mark Zuckerberg.jpg
    Mark Zuckerberg

    After this more prominent round of criticism, Facebook relented and made Beacon an opt-in system instead of opt-out, meaing you had to give Facebook permission for this type of sharing before it went into effect. Facebook CEO Mark Zuckerberg later had to apologize for his company’s mishandling of the Beacon launch:

    Facebook has succeeded so far in part because it gives people control over what and how they share information. This is what makes Facebook a good utility, and in order to be a good feature, Beacon also needs to do the same. People need to be able to explicitly choose what they share, and they need to be able to turn Beacon off completely if they don’t want to use it.

    But Facebook’s troubles were far from over. It was hit by a series of body blows over privacy in the past few months, including:

    > The service’s new Social Ads might place your photo in ads for products without your express permission.

    > Facebook applications by outside developers were used to install adware on people’s computers.

    > Facebook gave outside developers more personal data than they needed, opening up possible security breaches of personal data.

    > If you decide to leave Facebook and delete your profile, the service retains your data forever — just in case you decide to return.

    > Popular blogger Robert Scoble was temporarily banned from Facebook for using a programming script to remove his 5,000 contacts from the service.

    Facebook garnered a much more positive response when it joined the DataPortability Working Group. The idea of the group is to help set standards so people can move their personal profiles, data, photos, financial info and more from site to site without technical headaches — and without fear of security breaches. The list of companies supporting the DataPortability Working Group is impressive: Google, Digg, LinkedIn, Microsoft, Yahoo, Dow Jones, and BBC, to name a few. It’s too early to judge the output of the group as they are mainly working behind the scenes, but frustrated web users everywhere will be happy if they can accomplish even a fraction of their goals for data portability.

    What You Can Do

    If you are worried about your privacy online, here are some practical tips for protecting yourself:

    > Read privacy policies on sites you visit. If you read through their policies, you can better understand what they will do with your personal data, how long they will store it and how they might share it with outside businesses.

    > Clear your cookies. Your web browser allows you to accept or reject cookies from sites, clear them after each session online, or keep them until they expire. You might want to choose which cookies to accept as you surf the web, or simply clear them at various times. Keep in mind that you might have to remember all your log-ins and passwords if you delete the cookies.

    i-18cc77bfa97529c23ed04488a364332f-NAI logo.jpg

    > Use the National Advertising Initiative site to opt-out of targeted ad networks. Most people don’t know about this useful site but it checks your system and then allows you to opt out of getting cookies from ad networks such as DoubleClick and 24/7 Real Media.

    > Be careful of every click you make online. As you use web email, instant messaging, social networks, photo-sharing sites and more, keep in mind that every one of those sites is likely storing that information indefinitely. That means your personal information will live on in a database long after you delete your MySpace profile or IM client.

    > Limit personal information online. If you don’t want to be easily tracked down, use pseudonyms when registering for websites or making blog or forum comments. However, keep in mind that people will still be able to unmask your identity — it might just take a few extra steps.


    To learn more about online privacy, check out these blog posts, news articles and privacy manifestos.

    News Articles & Blog Posts

    Are Google’s Moves Creeping You Out? at News.com

    Call for global privacy standards at Google’s Public Policy blog

    Facebook Lets Me Back In… at Scobleizer

    Facebook privacy chief: Data portability dangers overlooked at InfoWorld

    Google’s Paltry Privacy Proposal

    Google, Facebook add support for social content portability at PC World

    Group says Ask’s privacy feature is flawed at News.com blog

    How to Safeguard Your Privacy Online at GigaOm

    Questions to Consider in the Coming Privacy Wars

    Study: Online Privacy Concerns Increase from the AP

    Who Owns Your Data? at the LinkedIn blog

    Privacy Sites

    APEC Privacy Framework — supported by Google

    CDT’s Guide to Online Privacy

    CDT’s Top 10 Ways to Protect Your Privacy Online:http://www.cdt.org/privacy/guide/basic/topten.html

    EFF’s Top 12 Ways to Protect Your Online Privacy

    EFF’s Privacy Page

    EPIC Online Guide to Practical Privacy Tools

    Explanatory Video of Data Portability at Cubic Garden

    Privacy Rights Clearinghouse’s FAQ About Online Privacy

    Network Advertising Initiative’s Opt-Out Page

    Privacy International’s Overview of Privacy]=x-347-559062

    Privacy.org News, Information and Action

    A Race to the Bottom — Privacy Ranking of Internet Services Companies

    Privacy Manifestos

    A Bill of Rights for Users of the Social Web at Open Social Web

    A Privacy Manifesto for the Web 2.0 Era at GigaOm

    The Web Privacy Manifesto on MediaShift

    What do you think about online privacy? Are you worried about sharing personal information online? How do you protect your privacy? Share your tips, thoughts and horror stories in the comments below.

    — Additional reporting for this story by Jennifer Woodard Maderazo

    Photo of man shying away from spotlight by Erin via Flickr.

    [UPDATE: Strangely enough, I found out later that the man in this photo is actually Kevin Bankston, an attorney for the EFF]

    Photo of Mark Zuckerberg by Scott Beale via Flickr.

    Tagged: data trail online privacy targeted advertising
    • joe

      Thanks for raising awareness on this issue, Mark.



    • igmuska

      excellent privacy article, Mark

      but on the other hand, this does mean that the privacy of the Internet trolls and other simliar vermin are protected.

      Moral of my comment:
      The Internet is inherently insecure, and don’t hang out your dirty laundry where your neighbors can see!

    • That’s a complete article with lot of good resources proposed, but they are some errors :

      “The search kingpin later relented in the face of criticism on the ban, and eventually changed its data retention policy to saving search strings for 18 months before deleting them”
      Google do not delete your logs, they are just obfuscating them : they remove the last byte of your IP address, that’s all. So your request are mixed with the request of (at most) 253 other neighbors. For companies (which have more than 253 computers) this is a problem. I don’t actually understand why they do that…

      “Google does allow people to erase their web search history, but by default, the company does keep records on what you search and click on for 18 months.”
      The web search history and the search logs are two different things. Even if you clear your history, they still have the logs with you IP address (which is a personal information in EU).

      “Google should be given credit for producing a video series explaining online privacy on its various services”
      I have seen the videos about web search privacy, and they are quite confusing about the difference between web search privacy and logs. Furthermore they say that logs keep no personal information (which is not trust since IP is one). They do not explain why they keep obfuscate logs after 18 months …

    • Online provacy has really become an issue that is bieng discussed everywhere in the world. This id due to the increased number of security breaches and stealing of data.

    • Online provacy has really become an issue that is bieng discussed everywhere in the world. This id due to the increased number of security breaches and stealing of data.

    • Online provacy has really become an issue that is bieng discussed everywhere in the world. This id due to the increased number of security breaches and stealing of data.

  • Who We Are

    MediaShift is the premier destination for insight and analysis at the intersection of media and technology. The MediaShift network includes MediaShift, EducationShift, MetricShift and Idea Lab, as well as workshops and weekend hackathons, email newsletters, a weekly podcast and a series of DigitalEd online trainings.

    About MediaShift »
    Contact us »
    Sponsor MediaShift »

    Follow us on Social Media