Forrester Research analyst Fatemeh Khatibloo recently tried to understand which types of data people are most concerned about sharing, by conducting a large survey of North American Internet users.

The big distinctions aren’t that surprising — for instance, 71 percent of those surveyed were concerned about companies accessing their credit card numbers, while only 38 percent were concerned about companies accessing their social profile data.

But there’s less agreement about which other data users feel okay about handing out, Khatibloo found. About half of the 37,350 people surveyed said they are willing to share their Internet browsing history, mailing address and email address — while half said they are not.

Do people actually act on their privacy concerns? Forty-four percent of all those surveyed said they had not completed an online transaction because of something they read in the company’s terms of use or privacy policy. That’s up from 38 percent in 2008.

Age was a significant factor in just about everything Forrester looked at, though. For instance, the survey found that more than half of consumers aged 18 to 34 are willing to share their personal data with brands in exchange for discounts. That willingness “declines precipitously” with age, Khatibloo said — less than 25 percent of those over age 55 will trade data for discounts.

Government agencies and courts sent a total of 5,950 user data requests between January 1 and June 30, 2011, covering 11,057 separate users and accounts. Google said that it fully or partially complied with 93 percent of them.

Read the rest of this post on the original site »

Facebook is not necessarily targeting Google specifically, but it’s an obvious omission. The social networking giant said ad providers can join the list if they agree to certain restrictions on advertising, which include a commitment to never utilize Facebook user data.

Facebook and Google have warred over transmitting user data in the past, with a back-and-forth over exporting user email addresses turning nasty in public last fall.

Facebook will start enforcing the whitelist ad provider policy starting Feb. 28. At that point, app developers who run Google ads–which seems a natural thing to do, given so many publishers use Google ads on other platforms–will have to shut them off and find another provider.

A spokesperson for Facebook said, “We are continuing to work with various ad providers and will add them to the list as they sign the terms. Note that the policy doesn’t go into effect for a few more weeks.” Meanwhile, a spokesperson for Google declined to comment.

The CEO of an approved ad provider commented that Facebook’s efforts to “restore control and authority of how third-party companies work within its platform” make sense and are generally good for users. (And also good for him, with Google out of the hunt!)

Image via Flickr user bulliver.

Please see the disclosure about Facebook in my ethics statement.

“My office will lead a multistate investigation–expected to involve a significant number of states–into Google’s deeply disturbing invasion of personal privacy,” Blumenthal said in a statement. “Street View cannot mean Complete View–invading home and business computer networks and vacuuming up personal information and communications. Consumers have a right and a need to know what personal information–which could include emails, web browsing and passwords–Google may have collected, how and why. Google must come clean, explaining how and why it intercepted and saved private information broadcast over personal and business wireless networks.”

Blumenthal says some 30 states have expressed concern over the matter, and he expects a number of them to ultimately join the investigation, which will determine the legality of Google’s collection of data from personal wireless networks.

Google (GOOG), for its part, insists the practice wasn’t illegal–just stupid.

“It’s still too early to say what will happen as a result of this investigation,” the CNIL said. “However, we can already state that…Google did indeed record e-mail access passwords [and] extracts of the content of e-mail messages.”

Now, recording passwords and extracting them are two entirely different matters, and there’s no evidence of the latter. That said, this is still an unfortunate revelation for Google (GOOG), which has sought to downplay the implications of the breach by portraying it as a mistake and the data collected as inconsequential. Indeed, last month CEO Eric Schmidt excused the company for its misstep, saying, “There was no harm, no foul.”

No harm, perhaps, but there was certainly a foul–particularly since it now appears the data collected may have been protected by privacy laws.

Ironically, such data collection is a non-issue for all who actually heed the universal advice to secure their Wi-Fi networks–advice that comes in the documentation of every router and advice that Google itself gives the customers of Google WiFi. The FAQ for the service states: “In order to make our service easily accessible to a large number of WiFi-enabled devices, Google WiFi is an open-access wireless network, and our signal is not encrypted. However, users can achieve a secure connection by using GoogleWiFiSecure if their device supports WPA, WPA2 or 802.1x protocols (most laptops do)….As with any wireless network, users should take certain precautions to secure their online experience from security violations by third parties or unintentional security breaches.”

Plainly, Google feels its transgression falls into the latter category–not illegal, but an unintentional intrusion. As Google’s director of public policy, Pablo Chavez, wrote in a recent letter to the House Energy and Commerce Committee, “As an initial matter, collection of network information broadcast by WiFi routers (such as SSID and MAC address) is used to improve location-based services and is a lawful, established business practice….We believe it does not violate U.S. law to collect payload data from networks that are configured to be openly accessible (i.e., not secured by encryption and thus accessible by any user’s device). We emphasize that being lawful and being the right thing to do are two different things, and that collecting payload data was a mistake for which we are profoundly sorry.”

“We understand you may not want everyone in the world to have the information you share on Facebook; that is why we give you control of your information. Our default privacy settings limit the information displayed in your profile to your school, your specified local area, and other reasonable community limitations that we tell you about.”

–Facebook Privacy Policy, 2006

“When you connect with an application or website it will have access to General Information about you. The term General Information includes your and your friends’ names, profile pictures, gender, user IDs, connections, and any content shared using the Everyone privacy setting….The default privacy setting for certain types of information you post on Facebook is set to “everyone.”…Because it takes two to connect, your privacy settings only control who can see the connection on your profile page. If you are uncomfortable with the connection being publicly available, you should consider removing (or not making) the connection.”

– Facebook Privacy Policy, 2010

Perfect.

Facebook has enlisted a former senior Bush administration regulator to defend its privacy practices in Washington. Tim Muris, an attorney at law firm O’Melveny & Myers who served as chairman of the Federal Trade Commission from 2001 to 2004, is advising the company, whose privacy disclosures and fast and loose handling of user data are increasingly drawing scrutiny on Capitol Hill.

Indeed, on May 5, the Electronic Privacy Information Center filed a complaint with the FTC alleging that Facebook has engaged in unfair and deceptive trade practices in violation of consumer protection law.

“[The site] continues to manipulate the privacy settings of users and its own privacy policy so that it can take personal information provided by users and make it widely available for commercial purposes,” the Washington-based advocacy group said. “The company has done this repeatedly and users are becoming increasingly frustrated and angry.”

Clearly, the Facebook privacy backlash, which has been building for years now, has begun in earnest.

What better time, then, to seek the help of someone like Muris, who created the popular U.S. Do Not Call Registry and just last week received the Miles W. Kirkpatrick Award “for his significant and lasting contributions to the FTC, antitrust law, and the cause of consumer protection.”

Reached for comment, Facebook said Muris is not an official employee. “There have been some reports that Tim Muris has joined Facebook,” the company told me. “Muris has not joined Facebook.”

But he is serving as a consultant, something sources close to the company have told me, though Facebook declined to comment on.

The way Google (GOOG) handled the Buzz rollout was “irresponsible,” said Harbour. “Google constantly tells the public to ‘just trust us,’” she said. “But based on my observations, I do not believe consumer privacy played any significant role in the release of Buzz….When Gmail users created their accounts, they signed up for e-mail services. Their expectations did not include social networking.”

Indeed, they did not, as evidenced by the breadth and volume of the outcry over the service. And while Google, to its credit, quickly adjusted Buzz to address privacy complaints, the fact that it had to do so at all is cause for concern. Publicly exposing user data first and addressing questions about the exposure later is poor form and sets a lousy precedent.

Said Harbour: “Technology companies are learning harmful lessons from each other’s attempts to stretch the privacy envelop. Even the most respected and popular online companies, those who say they respect privacy, insist on launching products where the guiding privacy policy seems to be, ‘Throw it against the wall and see if it sticks.’”

Tough to argue with this given what we saw with Buzz, though I’m sure Google will try. I’ve asked the company for comment and will update here if I hear back.

UPDATE: Google spokesman Brian Richardson just called in with the following statement: “User choice and transparency are top of mind for us. When we realized that we had unintentionally made users unhappy, we worked quickly to make immediate changes.”

[Image credit: Asaf Hanuka, Tropical Toxic]

Introduced by U.S. Sen. John Cornyn, a Texas Republican, the “Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act,” or Internet Safety Act, states that “a provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.”

Sounds a bit broad, doesn’t? And indeed, privacy advocates say that it applies not just to the Wi-Fi access points of Internet service providers, but to those of libraries, schools, businesses and individuals as well.

To mine. And to yours.

An unsettling thought. Said Greg Nojeim, senior counsel at the Center for Democracy & Technology: “[This is] invasive, risky, unnecessary, and likely to be ineffective.”

Perhaps. But it’s for the children. “While the Internet has generated many positive changes in the way we communicate and do business, its limitless nature offers anonymity that has opened the door to criminals looking to harm innocent children,” Sen. Cornyn said Thursday. “Keeping our children safe requires cooperation on the local, state, federal, and family level.”

Introduced by U.S. Sen. John Cornyn, a Texas Republican, the “Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act,” or Internet Safety Act, states that “a provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.”

Sounds a bit broad, doesn’t? And indeed, privacy advocates say that it applies not just to the Wi-Fi access points of Internet service providers, but to those of libraries, schools, businesses and individuals as well.

To mine. And to yours.

An unsettling thought. Said Greg Nojeim, senior counsel at the Center for Democracy & Technology: “[This is] invasive, risky, unnecessary, and likely to be ineffective.”

Perhaps. But it’s for the children. “While the Internet has generated many positive changes in the way we communicate and do business, its limitless nature offers anonymity that has opened the door to criminals looking to harm innocent children,” Sen. Cornyn said Thursday. “Keeping our children safe requires cooperation on the local, state, federal, and family level.”