Your Guide to Online Privacy

From time to time, I’ll give an overview of one broad MediaShift topic, annotated with online resources and plenty of tips. The idea is to help you understand the topic, learn the jargon, and take action. I’ve already covered blogging, citizen journalism, social networking and other topics. This week I’l look at online privacy.

Background

With the advent of the Internet and a growing number of security breaches, people worry that their personal information can be seen and exploited around the world in an instant. If you have incriminating photos online, a potential employer or love interest might find them and make snap judgments. If you shop online with a credit card, a merchant might steal your information and run up charges on your card. If you surf online around major media sites, publishers might use your “data trail” to target advertising to you.

In the U.S., the “right to privacy” is not enshrined in the Bill of Rights, but it has long been a critical issue for many Americans. In 1890, Louis Brandeis and Samuel Warren wrote a treatise defending “the more general right of the individual to be let alone.” American courts and legislation have had a mixed record in protecting privacy, curbing data-sharing in medical records and other areas, and regulating data collection from children online. But there has never been comprehensive national legislation in the U.S. to protect people’s personal and financial information online, or standards for the way businesses collect, save and share data.

As we share more information online via myriad site registrations, online social networking profiles, e-commerce sites and search engines, the desire by companies and governments to mine that information is increasingly at odds with the desire of users to protect it. While online businesses can create their own privacy policies, average folks often can’t comprehend them — or opt out from data collection without leaving the site entirely. And government agencies and law enforcement increasingly are watching what people do online to fight crime and terrorism.

Luckily for frustrated web users, there are many ways to protect your privacy online, from deleting your computer’s cookies (identifying information about your computer and surfing trail) to using alternative web browsers, to opting out of a website’s ability to share your data. (For more, see “What You Can Do” below.)

Plus, there are various privacy groups such as the Electronic Privacy Information Center, the Electronic Frontier Foundation and Privacy International that have helped fight court cases and defend the rights of people to keep their data private thanks to some regulations that have passed. These groups often take the side of individuals online who are trying to keep law enforcement or businesses from accessing their personal data without just cause.

Search Engines Under Scrutiny

When it comes to protecting personal data, users have worried most about identity theft and credit card fraud, and with good reason: The Privacy Rights Clearinghouse found that more than 218 million personal records have been exposed because of security breaches in the U.S. since the beginning of 2005. What is less apparent to many is that search engines we use every day are saving the data on what we search for and where we click after searching.

That came to the fore on August 6, 2006, when AOL released the anonymous search data from 650,000 users, taken from a three-month period. The intent was to let academics use the material to help improve search queries, but soon people were able to guess the identities of various people because of their string of searches. AOL apologized, calling it a “screw up” and taking down the information, but sites were quick to mirror and save the material. The lesson was that any action you take online could be recorded, saved and broadcast by that company at a later date.

The most widely used search engine of them all, Google, known for its “Do No Evil” mantra, also began to feel pressure over its open-ended privacy policy, in which it saved your search strings indefinitely. After a News.com article cited personal information on CEO Eric Schmidt — found using Google searches — Google called for a ban on any interviews with News.com for a year. The search kingpin later relented in the face of criticism on the ban, and eventually changed its data retention policy to saving search strings for 18 months before deleting them, responding to European regulators.

“We believe that we can still address our legitimate interests in security, innovation and anti-fraud efforts with this shorter period,” wrote Peter Fleischer, Google’s global privacy counsel, on the company’s Public Policy blog.

Google also came under scrutiny when it announced plans to buy out Internet display ad server DoubleClick for $3.1 billion, because privacy groups were worried that the combined company would be able to aggregate so much information on our web trails and actions. The Federal Trade Commission and U.S. Congress held hearings on the matter, and the FTC eventually allowed the merger to go forward. But the FTC also called for guidelines on online behavioral advertising, including the following:

> Every website where data is collected for behavioral advertising should provide a clear, consumer-friendly, and prominent statement that data is being collected to provide ads targeted to the consumer and give consumers the ability to choose whether or not to have their information collected for such purpose.

> Any company that collects or stores consumer data for behavioral advertising should provide reasonable security for that data and should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.

> Companies should obtain affirmative express consent from affected consumers before using data in a manner materially different from promises the company made when it collected the data.

Of course, these guidelines are only voluntary, but might well end up as a framework for legislation if consumer outcries continue over online privacy. Meanwhile, Google rival Ask.com announced a new privacy function called AskErase that lets you do web searches that are only saved “for hours” except in rare circumstances. Google does allow people to erase their web search history, but by default, the company does keep records on what you search and click on for 18 months.

Google should be given credit for producing a video series explaining online privacy on its various services — from Gmail to Google Docs — found on a YouTube channel.

Facebook and Data Portability

Social networking sites have been stuck in a conundrum: How do they serve up ads targeted to users based on their personal profile information without angering them over invasion of privacy? While all large social networks have been teetering with this balancing act, Facebook has had the biggest spotlight on its privacy troubles. First, Facebook took considerable criticism for its “News Feeds” feature that updated a person’s friends on every move they made on the service, from updating a photo to having a new “relationship status.” After the hubbub died down, the service then drew the wrath of MoveOn.org and privacy groups for its Beacon feature that alerted “friends” about your purchases on other sites — without asking permission first.

After this more prominent round of criticism, Facebook relented and made Beacon an opt-in system instead of opt-out, meaing you had to give Facebook permission for this type of sharing before it went into effect. Facebook CEO Mark Zuckerberg later had to apologize for his company’s mishandling of the Beacon launch:

Facebook has succeeded so far in part because it gives people control over what and how they share information. This is what makes Facebook a good utility, and in order to be a good feature, Beacon also needs to do the same. People need to be able to explicitly choose what they share, and they need to be able to turn Beacon off completely if they don’t want to use it.

But Facebook’s troubles were far from over. It was hit by a series of body blows over privacy in the past few months, including:

> The service’s new Social Ads might place your photo in ads for products without your express permission.

> Facebook applications by outside developers were used to install adware on people’s computers.

> Facebook gave outside developers more personal data than they needed, opening up possible security breaches of personal data.

> If you decide to leave Facebook and delete your profile, the service retains your data forever — just in case you decide to return.

> Popular blogger Robert Scoble was temporarily banned from Facebook for using a programming script to remove his 5,000 contacts from the service.

Facebook garnered a much more positive response when it joined the DataPortability Working Group. The idea of the group is to help set standards so people can move their personal profiles, data, photos, financial info and more from site to site without technical headaches — and without fear of security breaches. The list of companies supporting the DataPortability Working Group is impressive: Google, Digg, LinkedIn, Microsoft, Yahoo, Dow Jones, and BBC, to name a few. It’s too early to judge the output of the group as they are mainly working behind the scenes, but frustrated web users everywhere will be happy if they can accomplish even a fraction of their goals for data portability.

What You Can Do

If you are worried about your privacy online, here are some practical tips for protecting yourself:

> Read privacy policies on sites you visit. If you read through their policies, you can better understand what they will do with your personal data, how long they will store it and how they might share it with outside businesses.

> Clear your cookies. Your web browser allows you to accept or reject cookies from sites, clear them after each session online, or keep them until they expire. You might want to choose which cookies to accept as you surf the web, or simply clear them at various times. Keep in mind that you might have to remember all your log-ins and passwords if you delete the cookies.

> Use the National Advertising Initiative site to opt-out of targeted ad networks. Most people don’t know about this useful site but it checks your system and then allows you to opt out of getting cookies from ad networks such as DoubleClick and 24/7 Real Media.

> Be careful of every click you make online. As you use web email, instant messaging, social networks, photo-sharing sites and more, keep in mind that every one of those sites is likely storing that information indefinitely. That means your personal information will live on in a database long after you delete your MySpace profile or IM client.

> Limit personal information online. If you don’t want to be easily tracked down, use pseudonyms when registering for websites or making blog or forum comments. However, keep in mind that people will still be able to unmask your identity — it might just take a few extra steps.

Resources

To learn more about online privacy, check out these blog posts, news articles and privacy manifestos.

News Articles & Blog Posts

Are Google’s Moves Creeping You Out? at News.com

Call for global privacy standards at Google’s Public Policy blog

Facebook Lets Me Back In… at Scobleizer

Facebook privacy chief: Data portability dangers overlooked at InfoWorld

Google’s Paltry Privacy Proposal

Google, Facebook add support for social content portability at PC World

Group says Ask’s privacy feature is flawed at News.com blog

How to Safeguard Your Privacy Online at GigaOm

Questions to Consider in the Coming Privacy Wars

Study: Online Privacy Concerns Increase from the AP

Who Owns Your Data? at the LinkedIn blog

Privacy Sites

APEC Privacy Framework — supported by Google

CDT’s Guide to Online Privacy

“CDT’s Top 10 Ways to Protect Your Privacy Online:http://www.cdt.org/privacy/guide/basic/topten.html

EFF’s Top 12 Ways to Protect Your Online Privacy

EFF’s Privacy Page

EPIC Online Guide to Practical Privacy Tools

Explanatory Video of Data Portability at Cubic Garden

Privacy Rights Clearinghouse’s FAQ About Online Privacy

Network Advertising Initiative’s Opt-Out Page

Privacy International’s Overview of Privacy]=x-347-559062

Privacy.org News, Information and Action

A Race to the Bottom — Privacy Ranking of Internet Services Companies

Privacy Manifestos

A Bill of Rights for Users of the Social Web at Open Social Web

A Privacy Manifesto for the Web 2.0 Era at GigaOm

The Web Privacy Manifesto on MediaShift

What do you think about online privacy? Are you worried about sharing personal information online? How do you protect your privacy? Share your tips, thoughts and horror stories in the comments below.

— Additional reporting for this story by Jennifer Woodard Maderazo

Photo of man shying away from spotlight by Erin via Flickr.

[UPDATE: Strangely enough, I found out later that the man in this photo is actually Kevin Bankston, an attorney for the EFF]

Photo of Mark Zuckerberg by Scott Beale via Flickr.