Using the PrivacyChoice dataset, Ensighten launched the first privacy-driven tag management solution back in 2011. Now Ensighten has folded Do-Not-Track compliance into their powerful framework, and is offering it for free. Adding one line of JavaScript to your site instantly gives effect to user tracking preferences. The Ensighten DNT tag takes control of the other tags, and allows or blocks them from firing in line with the user’s choice.

From the release, here are the key highlights of the service:

Simple installation – just one line of JavaScript per Web page

Covers all tags on site – no need to modify any tags or move into a TMS

Recognizes and lists all tags on website

Privacy categorization of tags based on data from consumer e-privacy leader PrivacyChoice

Simple to configure and maintain – intuitive dashboard for modifying DNT tag blocking

Automated new tag detection, auto-classification and email alerts

Detection of consumers’ DNT preferences and corresponding blocking or allowance of tag firing

Ongoing updates to web service to stay up to date with emerging DNT standard

Here’s my hope: by removing the technical barriers to DNT compliance, we can let publishers focus on what they do best — creating great content — and also open up a more meaningful conversation with their users about how they use and share data.

The process for creating the badge is dead simple and takes only a few seconds.

Here’s what you should keep in mind:

• Each possible badge combination is available on Amazon S3 with a unique link for embedding. Or feel free to take the image and embed it directly.
• This is not a substitute for a privacy policy or parental consent (when required under COPPA). We suggest that wherever you present the badge, it should be linked to your full privacy policy, and we provide you with the code you need to do so. If don’t already have a privacy policy or want to upgrade your policy, just continue through the process after setting up your badge.
• We suggest that you place the badge on the website where you promote your app, so parents can see it before they decide whether to download the app. Hopefully the time will come when the app stores also will make room for this kind of visual element in the app store.
• This is version 1.0. Please share your comments and suggestions.
• For the history of the badge effort, check out this post at Moms With Apps.

1. People don’t understand the different privacy zones of Facebook.

When it comes to privacy, the Facebook app universe is a very different place from the areas Facebook completely controls (like the timeline and newsfeed). Facebook-controlled areas have relatively little third-party tracking, and are subject to relatively strict limitations on commercial sharing by Facebook (which is not to say that Facebook’s user controls for their own sharing don’t need improvement, or that they don’t make it too easy for the government to grab user data). In dozens of conversations with users, it’s clear that Facebook users don’t understand that the Facebook “privacy zone” for apps is very different, not only because your personal data becomes subject to the app’s own privacy policy, but because many apps bring in third-party ad companies who compile user data. This is why the Privacyscore add-on is truly eye opening for so many users, since it brings those differences into stark relief with numbers.

2. You’re in Facebook’s world now.

In creating the Privacyscore app, we often found ourselves confronting the difference between what we wanted to do and what we could do within Facebook’s framework. Facebook’s timeline view is not necessarily the way I would present Privacyscore and our company. But when you’re in the Facebook universe, you quickly get used to doing things their way, and understanding the it won’t necessarily be easy. Facebook’s systems can seem idiosyncratic at times — like the different URL patterns used for permission pages, and the different permission formats in use. Getting things to work like we wanted, like customizing the sharing experience to show specific Privacyscores in the newsfeed, took more time than we expected.

On the other hand, I do love how little overall developer time we needed to spend on the Privacyscore timeline (that was left to me), and it’s a relief to know that Facebook’s worrying about how things look across browsers and devices. I’m also really glad we went through the app development and launch with our privacy antennae up; to see, for example, that Facebook embeds a privacy policy requirement into their app publishing platform (something we haven’t yet seen from other platforms, like Android Market or the App Store).

3. It’s awesome to build inside of a giant focus group.

For this launch more than any before, we’ve tapped into the collective consciousness (and passion) of Santa Cruz Nextspace. This time around we not only took advantage of the technical and professional resources of the community, we also got a ton of live input from living, breathing people. One pivotal decision, to hold launch until we had interstitial warnings for app permissions pages, came directly from one of our cafe demo sessions. A last minute obviously-what-we-should-have-done-in-the-first-place upgrade to searches came from a reality check with the folks next door. We’re really grateful to this group, and we hope this is just the start of involving them more and more in the PrivacyChoice adventure.

Privacyscore brings transparency to Facebook apps
Browser tool warns users of privacy risks when apps ask for data

April 23, 2012 – Santa Cruz, CA - PrivacyChoice today announced the launch of Privacyscore for Facebook, the first and only privacy guide to the Facebook app universe. With Privacyscore, Facebook users can now see and instantly understand which apps protect their privacy and which don’t, and can know if they’ll be tracked and by whom. Like a privacy warning system, the Privacyscore add-on shows users an instant privacy rating (0-100) for the apps they use, before they give the app permission to use their Facebook profile.

“Hundreds of millions of people use Facebook apps every day, sharing personal profile information widely across thousands of app providers,” said Jim Brock, PrivacyChoice Founder and CEO. “Each app provider has its own privacy policies, which in many cases lack even minimal assurances. Our research also revealed that those apps bring in scores of third-party tracking companies, which in many cases also lack basic protections, choices and oversight.”

“Facebook doesn’t control or enforce app privacy practices, so it’s up to users to know the privacy risk of sharing personal data with apps. Now users can easily check the Privacyscore for an app before allowing access to their own personal data and their friends’ profiles.”

A privacy benchmark for app publishers

PrivacyChoice today also published research comparing the Privacyscores of the top app publishers based on scans of their most popular apps, giving Playdom the most favorable rating of 93 out of 100 Privacyscore points. Electronic Arts (91) was the only other top app publisher with an A-level rating. Other popular app publishers fell below that standard, with Zynga at 82 and K-Factor Media at 72. The average Privacyscore for all Facebook apps reviewed was 78 of 100.  “Facebook users deserve better than a C-plus when it comes to their privacy,” said Brock.

A privacy barometer for the social network

As a service to the Facebook community, PrivacyChoice also unveiled the Facebook Tracking Heatmap, a stunning visualization of privacy risk across hundreds of top Facebook apps. Orange and red zones on the heatmap, which indicate companies with heightened privacy risk, represent a significant portion of all tracking activity on Facebook apps. Built on the Privacyscore Analytics platform, the Heatmap links to detailed evaluations of over 640 tracking companies in the exhaustive PrivacyChoice trackerlist index.

“A glance at the Heatmap shows that there’s a lot of work to do to bring popular apps into line with best privacy practices, “ Brock said. “By publishing this information in real-time, we’ve created the first privacy barometer for the Facebook app universe. We now have an objective way to measure progress toward better app privacy practices all across publishers and ad companies collecting user data through Facebook.”

An essential element for better online privacy

Today’s launch comes at a critical time for online privacy. In a major privacy report last month, the Federal Trade Commission called for greater transparency in the communication of privacy practices to users. The Commission specifically cited Privacyscore as a new tool with promise to enable consumers to better compare website privacy practices.

“The industry is moving toward a Do Not Track standard premised on a high degree of trust in compliance by tracking companies,” Brock said. “Tools like Privacyscore help web users, websites and advertisers understand which companies have stepped up to compliance and which have not. The success of industry-wide privacy efforts depends on the kind of transparency that Privacyscore provides.”

Links

Privacyscore for Facebook Apps: http://apps.facebook.com/privacyscoreapps
Facebook Privacy Heatmap: http://www.privacyscore.com/heatmaps/facebook-apps
Privacyscore FAQ:  http://www.privacyscore.com/faq
PrivacyChoice Blog:  http://blog.privacychoice.org

About PrivacyChoice

The PrivacyChoice mission is to make online privacy easier. Founded in 2009, PrivacyChoice offers a suite of privacy tools and data for tracking awareness, tracking control, privacy analytics, and automated website and app privacy disclosure. PrivacyChoice also powers privacy applications by companies like Reputation.com and Keynote Systems, and have been featured multiple times in the Wall Street Journal’s online privacy coverage and Federal Trade Commission reports.

Contact:

Jim Brock
PrivacyChoice
101 Cooper Street
Santa Cruz CA 95060
jim@privacychoice.org
408-641-9290
@privacychoice

Graphics

Average Privacyscores for top app publishers

“It’s a little bit like Big Brother watching Big Brother.”

RockYou’s privacy policy had a typical statement about data security, including the standard disclaimer of liability:

RockYou! uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information. We cannot, however, ensure or warrant the security of any information you transmit to RockYou! and you do so at your own risk. Once we receive your information, RockYou! makes commercially reasonable efforts to ensure the security of our systems. However, please note that this is not a guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.

The FTC found that RockYou breached this promise through the following shortcomings (emphasis added):

a. unnecessarily collecting personal information from consumers in the form of email address passwords;

b. storing user’s RockYou passwords, with associated email addresses, in clear text;

c. failing to segment its servers; once a hacker entered Defendant’s network he or she was able to access all information on the network, including consumers’ email addresses and RockYou passwords;

d. not protecting its website from such commonly known or reasonably foreseeable attacks from third parties attempting to gain access to customer information stored in Defendant’s databases. Defendant failed, for example, to address vulnerabilities in its system to web-based application attacks such as “Structured Query Language” (SQL) injection attacks and “Cross-Site Scripting” (XSS) attacks. During the relevant period, SQL injection and XSS attacks were well-known and well-publicized forms of hacking attacks, and solutions to prevent such attacks were readily-available and inexpensive.

Here are the lessons:

1. Don’t count on privacy policy disclaimers to keep you out of trouble if you don’t implement appropriate safeguards.
2. Don’t collect more personal information than you need.
3. Don’t store passwords in clear text.
4. Segment servers to minimize the impact of hacking attacks.
5. Stay aware of and use readily-available means to prevent known hacking exploits.

Check out our other privacy resources for developers >>

Here are the takeaways that I found most significant (particularly #13!):

1. Companies can establish a “safe harbor” by taking reasonable measures to de-identify data, publicly commit to keep it that way, and contractually prohibit recipients from re-identifying it. (20-21) “De-identifies” means ensuring that data cannot be reasonably linked to a particular user, computer or device.
2. The Google and Facebook consent decrees provide the roadmap for an internal privacy compliance program. (31)
3. Choice is not required for “internal operations” such as website analytics, when consistent with the context of the user’s interactions with the service. (39) “Context” matters, not whether practices are “commonly accepted.”
4. Do Not Track should apply when a website shares data with a third party, but need not apply to “security and frequency capping.” (71)
5. Retargeting is “tracking” that requires notice and choice like other online behavioral advertising. (41)
6. Affiliated companies are “tracking” when they share data across sites unless the affiliate relationship is explicit. (41-42) Choice is required unless common branding is used.
7. Data enhancement through appending does not require prior consent, but does require disclosure, limitations on collection and retention and a facility to contact the source of enhanced data. (42-43) These requirements apply, for example, when a website buys profile data to match with its email database.
8. Use of medical and other sensitive data for marketing requires consent, even for first-parties, unless it is incidental. (47-48) Amazon recommending a health-related book based on past purchases is “incidental.”
9. Facebook’s and Google’s social plug-ins aren’t pervasive enough to warrant special consent requirements. (56) They don’t raise the same concerns as “deep packet” inspection by ISPs.
10. Consumers need not be provided with access to their data when kept solely for marketing purposes, but should have access when kept for purposes of employment, credit, insurance or other sensitive areas. (65)
11. Data brokers raise special privacy concerns that justify legislation and a centralized disclosure framework. (69-70) Consumers could visit one site to see what data is being brokered and exercise their choices.
12. Privacy policies should be shorter, more iconic and standardized, and also be suitable for mobile devices. (61) We’re on it.
13. “New tools like privacyscore.com may help consumers more readily compare websites’ data practices.” (62) Wow, we’re grateful to the FTC for the mention and charged up to make privacyscore even better for users and publishers!

Why does it matter?

Pinterest involves widespread copying and sharing of copyrighted information (something I’ve studied a bit in founding my last company). Individual users may have liability in copyright law for their own actions in Pinterest, meaning that it’s easy to see user data drawn into copyright actions, as it was in the epic battle between Viacom and YouTube. This risk is compounded by the legislative push to strengthen copyright enforcement, which is far from over.

When the government or litigants come calling for your data on Pinterest, you should expect more than this:

Pinterest cooperates with government and law enforcement officials and private parties to enforce and comply with the law. We can disclose any information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims and legal process including, but not limited to, subpoenas, to protect the property and rights of Pinterest or a third party, to protect the safety of the public or any person, or to prevent or stop activity we may consider to be, or to pose a risk of being, illegal, unethical or legally actionable activity.

What you should expect is some assurance that, when the government comes calling, at the very least you’ll receive notice that it’s happening.

If you’re a developer, please don’t follow this advice, because it could get you into trouble if you misrepresent your privacy policy in your P3P code.

I want to add another definition of boundaries to the mix: Facebook’s ad guidelines, which say:

Ad text may not assert or imply, directly or indirectly, within the ad content or by targeting, a user’s personal characteristics within the following categories:

- race or ethnic origin;
- religion or philosophical belief;
- age;
- sexual orientation or sexual life;
- gender identity;
- disability or medical condition (including physical or mental health);
- financial status or information;
- membership in a trade union; and
- criminal record.

These categories are familiar, and the list is commendably comprehensive (far more so than the  standards from industry groups like the Network Advertising Initiative). What matters most is that the targeting itself can’t “assert or imply” these characteristics, “directly or indirectly.” It reminds me of how Google defines boundaries when they say, for ad networks certified for Google’s exchange, that neither ”inferred or actual” medical conditions may be used for targeting.

Now, it’s an entirely separate question of how Facebook or Google actually enforce these standards on other advertising companies that they allow to reach users in their ecosystems. More on that soon.