Social sites told to clean up tracking act by FTC

Social networking sites which track users without their knowledge, or which make it so difficult to stop them doing it that most people don't bother, have been warned to clean up their acts by the US Federal Trade Commission.

In a report entitled Protecting Consumer Privacy in an Era of Rapid Change (2.3MB PDF) the FTC says that, although some companies manage their customer data responsibly, many others treat it in "an irresponsible or even reckless manner".

The FTC, a US consumer protection agency created in 1914 in order to prevent unfair methods of competition, is unlike many similar UK institutions in that it actually has some teeth and is able to create Federal laws.

The commission recognises that consumer information is an important tool for many modern businesses but says that many of them - both off-line and on-line - don't adequately address public concerns and interests.

"Although privacy often has been said to mean 'the right to be let alone,' the application of this concept in modern times is by no means straightforward," says the report. "Consumers live in a world where information about their purchasing behaviour, on-line browsing habits, and other on-line and off-line activity is collected, analysed, combined, used, and shared, often instantaneously and invisibly.

As Thinq pointed out in a recent article about the way social notworking giant Facebook tracks your every move - even if you aren't a registered user - the FTC warns, "If you browse for products and services online, advertisers might collect and share information about your activities, including your searches, the websites you visit, and the content you view.

"If you participate in a social networking site, third-party applications are likely to have access to the information you or your friends post on the site. If you use location-enabled smartphone applications, multiple entities might have access to your precise whereabouts.

"And if you use loyalty cards at a grocery store or send in a product warranty card, your name, address, and information about your purchase may be shared with data brokers and combined with other data."

Tech-savvy Thinq readers will, of course, be aware of all of these underhanded shenanigans, but the simple truth of the matter is that a large number of people are not.

There are, of course, lots of people who willingly trade their personal data in exchange for convenience, innovation and personalisation.

And there are others - some teens, the FTC suggests - who know they are being tracked but aren't aware of the implications or consequences.

"Some consumers may be unconcerned about the collection and sharing of discrete pieces of information about them because that information, by itself, may seem innocuous," warns the report. "However, they may find the compilation of vast quantities of data about them surprising and disturbing."

The FTC currently uses two models to protect consumer information which it calls 'Notice and Choice' and 'Harm Based'.

But both of these models have failed to keep up with the march of technology.

'Notice and Choice', which should allow users to make an informed decision at the time of signing up to a service, has been abused by many companies who create tedious and practically indecipherable privacy notices which the vast majority of people don't bother to read. We've all scrolled through dozens of pages of legal mumbo-jumbo which could just as easily sign away your first-born for scientific experimentation and impatiently clicked the 'I Agree' button.

It's a deliberate ploy on behalf of the companies who do just enough to stay on the right side of the law.

The 'Harm Based' model focuses on protecting consumers from specific harms - physical security, economic injury, and unwanted intrusions into their daily lives - but in its current form fails to recognise the kind of privacy-related concerns, including damage to reputation or the fear of being monitored, which come when you head into Internet territory.

"Industry efforts to address privacy through self-regulation have been too slow, and up to now have failed to provide adequate and meaningful protection," says the report, which is partly the result of round-table discussions with technologists, privacy experts, consumer advocates, representatives from industry, and regulators.

The Commission is now proposing a new framework which dictates that companies should adopt a 'privacy by design' approach, building privacy protection into everything they do.

"Such protections include providing reasonable security for consumer data, collecting only the data needed for a specific business purpose, retaining data only as long as necessary to fulfil that purpose, safely disposing of data no longer being used, and implementing reasonable procedures to promote data accuracy," reads the report.

Companies will also be required to institute sound privacy practices by appointing or training staff and conducting privacy reviews each time they develop a new product.

The Commission is also proposing that companies should provide choices in a simpler, more streamlined way, which should see an end to the aforementioned EULA chicanery.

"For data practices that are not 'commonly accepted', reads the report, "consumers should be able to make informed and meaningful choices. To be most effective, choices should be clearly and concisely described and offered when – and in a context in which – the consumer is making a decision about his or her data."

Apart from being more transparent about the way they collect and distribute personal data, companies will also be required to allow consumers 'reasonable access' to that data, particularly in the case of data brokers.

Finally, the Commission proposes that companies should make a broad effort to educate consumers about how and why their personal data is collected, how it might be used, and what choices they have to protect themselves.

The FTC will issue a final report in 2011 based on feedback on the draft proposal, and says it intends to continue its vigorous law enforcement in the privacy area.