My response to Safecount

Thank you to all the people who emailed me their thoughts, and those who left comments on my previous blog post regarding Safecount's request that their cookie not be included in TACO.

After thinking things through, I sent Tom Kelly, the company's COO this response:

Hi Tom,

The feedback I received on my blog was not particularly supportive of your request.

I have thought things through, and decided to do the following:

1. I have added a note to the TACO home page, which states:

"Safecount argues that they are not a behavioral advertising company. However, they are a member of the Network Advertising Initiative, and do collect detailed data on the browsing and ad-viewing habits of Internet users. Furthermore, this data is often collected with no notice provided to the user on the web page where Safecount's tracking code has been embedded. "

2. If you or your engineers would like to spend a day or two creating the code necessary to enhance TACO, which will provide users with a list of the companies whose opt-out cookies are available and or active, and a way for users to disable individual opt-outs, I would be happy to look over such a patch, and if it is decent, consider applying it to the mainline TACO codebase.

Such a feature would be nice, but frankly, it isn't important enough for me to spend my own time developing it. However, just to be clear, even if such an ability to disable individual opt-out cookies existed within TACO, I would have them all turned _on_ by default. That is, users would need to go into a preferences window, scroll down through 60 or so company names (since Safecount is not at the beginning of the alphabet), and then choose to disable your opt-out cookie.

As you know very well (and in fact, your business model depends upon it), few consumers ever take the time to dig through preference windows or look into privacy policies in order to learn about particular company's activities. Thus, were such a feature to exist, I highly doubt if more than a handful of consumers would ever make use of it.

In any case - I would be happy to consider such a patch, but I suspect that it probably isn't worth your engineers' time to work on it.

Cheers

Chris

Thoughts on the DMCA exemption process

On Friday, we sent off our 11 page reply letter to the Copyright Office, in response to the questions they sent us regarding our Digital Millennium Copyright Act exemption requests for DRM abandon-ware.

There is a semi-decent chance that I will be either employed or engaged in consulting work half-time starting in September, which could make it difficult for me to blog (particularly given the style and tone that I tend to use). Thus, I want to take this opportunity now, while I still have the freedom to fully express my thoughts, to reflect on this process, and thank the many who assisted me.

First, I originally had the idea for the exemption request in May or so of last year. In the process of writing a law paper on the hacking of subsidized electronic goods by consumers, I spent a lot of time studying the cell-phone unlocking exemption that Jennifer Granick had won back in 2006. I think it would be fair to say I was inspired by her actions.

The DMCA process is one of the few ways through which an individual can actually make a difference to impact federal cyber law and copyright policy. It doesn't matter how many former Senate staffers you have working for your cause, nor are donations to PACs a necessary requirement for access. As someone with both a desire to make a difference, and a lack of money/access, the appeal was clear.

Writing up the request

My exemption submission simply wouldn't have been possible without the assistance of a skilled legal team, lead by Phil Malone at the Harvard cyberlaw clinic. While lay-persons do submit requests every year, they are never taken seriously (and when you read some of them, you understand why). The process is fairly straight-forward, but still requires some knowledge of the specifics of the DMCA.

I had the idea for both the consumer and researcher exemptions, and probably provided around 50-60% of the text in the original exemption request comment and in our reply letter. After reading Slashdot every day for the past 14 years, it was easy for me to dig up citations to all the past instances of failed media stores, a task which would have taken a clinical intern significanly more time.

I gather that most clinical clients do not participate as much, nor directly contribute as much to the final work product. However, since I know the DMCA fairly well, and knew the specifics of situation which we were examining, I think my participation helped quite a bit. Plus, it is (for a copyright policy geek) quite a fun activity.

However -- my participation alone was not enough. Phil Malone and Arjun Mehra turned my rantings of repeated industry abuse and a plea for relief into a compelling legal document. To be clear -- while I strongly encourage technologists and copyright activists to get involved with the DMCA exemption process, you really are wasting your time without the assistance of tech-savvy lawyers.

Arguing for the exemptions in DC

Before going to DC in May to argue in-person for my exemption requests, I went to a Federal Trade Commission town-hall focused on DRM. This event was something of a trial run, with many of the same characters who would later show up in DC.

The industry folks who argued on behalf of DRM at that event, were frankly, clueless shills masquerading as experts, and as such, they seemed to do a good enough job revealing their ignorance that I didn't need to do much to help.



As one copyright expert tried to warn me ahead of time, most of the people at the FTC town hall were on the "B-team", while the industry would make sure to send the "A-team" to the DMCA exemption hearing.

Unfortunately, I didn't really listen to him, and so when I did go to Washington to argue for my exemptions before the Copyright Office, I was a tad bit over-confident.

An important note for future copyright geeks: If you are considering asking for a DMCA exemption, and end up arguing for it in person, do not under-estimate Steve Metalitz, the industry's main attack dog on DMCA related issues. He is very good, and very quick on his feet. Unless you are a seasoned lawyer, do not allow him to drag you into the weeds in a discussion of the specifics of copyright law -- stick to issues of consumer harm and industry abuse.

The hearing itself was thrilling, exciting, and sort of like a court room -- with a panel of judges (well, copyright office lawyers) on a podium at the front of the room, and with the "good guys" (me) and the "bad guys" (Metalitz and someone from Time Warner) at two tables, seperated by an aisle.

My only real regret from the hearing was not having a hot-shot lawyer sit next to me, who I could defer to on legal related questions. It wasn't until the hearing was over that I looked back, and saw that both Wendy Seltzer and Fred von Lohmann had snuck into the hearing after it started, and had thus been watching it from the back row.

While I handled things pretty well, on questions relating to the specifics of section 1201, I wasn't as strong. Luckily, the Copyright Office attorneys didn't really hammer me with legal questions, and focused the questions on topics that I could actually provide expert testimony.

A word on timing and legal clinics

A DMCA exemption is a perfect, small, self-contained project for Law School legal clinics. Exemption requests are due in the fall, optional reply comments are due in the spring, the hearings are in the late spring, and then question reply comments are due over the summer. The entire process, from start to finish, is over in less than 9 months. Furthermore, it is something that can be done by a single (supervised) clinical intern.

As a result, it is not terribly surprising that university law clinics are now playing an increasingly prominent role in the DMCA exemption process.

In 2009, 3 different groups of exemptions were sought by individuals represented by the Harvard cyberlaw clinic, the Samuelson-­Glushko Technology Law & Policy Clinic at the University of Colorado School of Law, and the Glushko-Samuelson Intellectual Property Law Clinic at the Washington College of Law, American University. Clinics have played a similarly strong role in previous years.

Unfortunately, it does not appear that the copyright office realizes the role that these clinics play (and the students who provide the manpower). As a result, the DMCA exemption hearings were scheduled for May 1 at Stanford, and May 6,7, 8 in Washington DC. For those of you not (or no longer) in academia -- this is right before, or during the middle of final exams for many law students.

Had the copyright office scheduled the hearings two or three weeks earlier, they would have made the lives of the clinical students much easier. I know from my own experience that it was very difficult to get much in the way of time as I tried to prepare for the hearings from Arjun Mehra (my clinical student) and Phil Malone (who teaches classes in addition to his role running the clinic, and thus had class projects and term papers to grade).

Likewise, sending out questions during the middle of the summer, when the clinical students are off working internships is not particularly helpful. Luckily, Berkman has a few fantastic students who are interning at our cyberlaw clinic for the summer. As a result, I was able to get the help of another fantastic clinical student, Rachel Gozhansky, who helped in drafting our reply to the Copyright Office's questions.

I am not sure if the two other clinics were able to gather the student summer labor necessary in order to work on the responses to the copyright office's questions.

Given the increasingly important role that law school clinics are playing in the DMCA process, I hope that the Copyright Office will consider the realities of the academic calendar for future DMCA exemption rulemakings.

Safecount: Please opt us out of TACO

This afternoon, I received an interesting set of emails from Tom Kelly, the Chief Operating Officer at Safecount.

Hi Christopher -

A colleague forwarded us a link to your Taco download page where we were surprised to see Safecount listed with the likes of many ad networks.

While we, and I, find your development efforts to be interesting, and nicely in line with the entrepreneurial spirit of the web, some of the classifications on your page are quite mis-leading to consumers.

Safecount is a research company and we occasionally invite certain website visitors randomly to volunteer their opinions. We don't sell any products, we don't target anyone with advertising based on behavior or attitude, and we only work with publishers who give us permission to perform research on their sites.

That's the danger of generic 4th party cookie blocking, it ends up blocking web efforts OTHER than ad revenue, behavioral targeting profiteers. Maybe you'll consider removing Safecount from your list.

Respectfully,

- tom

After asking him if I could post his email to my blog, he followed up with this:

Sure thing, Chris. My point is that, while Safecount does place cookies on user's browsers based on certain ads they've seen:

A) we don't use that info to target any marketing or advertising to them - we're not a behavioral targeting group
B) we're 100% transparent in the cookies we do place

As a matter of fact, one can go to www.safcount.net and view ALL of the info we have for their computer (not personal info). There they can also delete that data and tell us how often they'd agree to be invited to take a quick survey, including "never". We're as much about control and transparency as I think you are.

Thanks, Chris.

- tom

It has been nearly four months since the first version of TACO was first released. The latest version supports 84 different behavioral advertising firms, has been downloaded nearly 250,000 times, and is in daily use by nearly 80,000 users. That means that my tool is responsible for 6.7 million opt-out cookies (actually, it's more, due to the fact that some networks require multiple cookies for different advertising domains). Holy cow!

In those four months, this is the first time that an advertising industry executive has asked me to remove his company's opt-out cookie from TACO, and so I am honestly not quite sure how to react.

My initial reaction is to say no, for the following reasons:

1. I have created TACO for fun, as a side project. I don't charge for TACO, and I have a day job (well, actually, several). I really don't have time to evaluate each advertising company one by one to figure out if the company engages in a good or bad activity. If consumers want that level of analysis, they are free to use the "complete" or "selective" opt-out tools provided by PrivacyChoice -- which is run by a former Yahoo! advertising executive who has Seen the Light, Loves Privacy And Who You Should Totally Trust (TM).

2. Picking individual advertising industry companies who should or should not be included in TACO is a slippery slope, which will open me up to criticism, and accusations of abuse of power. TACO currently includes every generic, non-identifiable opt-out http cookie of all the online advertising industry companies that I know about. This is an easy standard to adhere to, and should protect me from accusations of bias.

3. Safecount, WPP (the mega advertising firm which owns it), the Network Advertising Initiative and others are free to make their own competitors to TACO which provide users with more choice, which provide users with less choice, which make it more or less difficult to opt out, or which make you dinner and do your laundry. TACO is open source, so they are even free to fork my code, and save themselves the weekend of coding it will take to create it from scratch.

4. Safecount is an advertising industry firm, which uses long term cookies to track the browsing and other activities of end-users. The company might not be in the behavioral advertising business, but it is certainly in the collection of consumer data business, which is still creepy.

5. Safecount has provided consumers with the ability to opt-out of its data collection/use, but then objects when tools like TACO actually make it easy for consumers to opt-out. 99% of consumers have never heard of the company, and so wouldn't even know to visit their opt-out page in the first place.

6. If the company is really "as much about control and transparency" as I am, they could switch from an opt out model to an opt in model. Let consumers who value the survey taking experience choose to have data on their browsing across multiple websites collected and analyzed. If the company switched to this model, the opt-out mechanism provided by TACO would be moot.

7. Likewise, while consumers can "go to www.safcount.net and view ALL of the info we have for their computer (not personal info)," this simply isn't good enough. It is totally unrealistic to expect consumers to visit the websites of 90-100 different advertising firms to "view the data collected on them", evaluate it, consider each company's 20+ page privacy policy, and then evaluate the kind of business and data relationship that they'd like to have with that firm.

Consumers don't opt-out of telemarketing from individual advertising firms after evaluating each firm's policy on calling during dinner hours -- No. They sign up for a single do-not call list, and are then free of the annoyance. We need the same for the online advertising industry. A single opt out for all data collection and usage.

After writing this all down, I think I am even more convinced that leaving Safecount in the list of opt-outs provided by TACO is a good idea.

However, I suppose a reasonable case can be made that the company is not a behavioral advertising firm -- and so I am open to at least changing the language on the TACO page to note that Safecount is merely an advertising firm that collects detailed information on the browsing and web viewing activity of Internet users.

Blog readers -- do you have any thoughts on this? Please leave a comment.

Copyright geeks: please provide feedback

Dear Copyright Experts of the Internets,

Tomorrow (Friday) at 5PM EST, we must submit our reply to the Copyright Office's questions regarding our request for two exemptions to the Digital Millennium Copyright Act.

Over the past week, we have worked feverishly to prepare the following draft, which I now feel is in pretty good shape.

However, we would love comments and suggestions.

Soghoian Response to DMCA Questions (draft)

Guess the party: Why privacy is different

By and large, the US political parties have fairly predictable positions on most issues. The GOP is pro life, pro torture, and pro gun. The Democrats are pro choice, mostly anti-torture, and usually anti-gun.

However, privacy is one of those rare issues for which the parties don't seem to have official positions. As a result, you get extremely interesting statements from various members of Congress.

Case in point, consider the following three short video clips from the June 18th hearing on behavioral advertising in the House Energy And Commerce Committee. Watch the clips, and see if you can guess the parties of the the three House members. I suspect that many of you will be quite surprised.



Click here for a video of Rep. Stearns' full opening remarks.


Click here for a video of Rep. Boucher's full opening remarks.


Click here for a video of Rep. Barton's full opening remarks.

(Thanks to Dan Jones from the Berkman Center for helping me to turn the House video feed into something YouTube friendly.)