A VC

Musings of a VC in NYC

« Song of the Day - North Country Girl | Main | Monetizing YouTube »

Opt In or Out?

Comments (16) | Posted August 22, 2006 in Venture Capital and Technology

Comments

while i tend to agree -- caveat emptor is probably a better mantra than government regulation -- fred, i have to strongly differ on how you get there.

Google, Amazon, Rhapsody and the rest do NOT use profiling and database mining to make their services better for consumers. They do so to make their services better businesses, e.g. drive sales and revenues and profits.

As an example, Google's justifiably famed search results are arguably best in the biz not because of profiling (Google is just starting trippingly down that path) but because of what people are now calling "the wisdom of crowds" -- in Google's case, algorithms that look at collective anonymous behavior (e.g. links) and make decisions on search result hierarchies accordingly.

But Google's use of individuals' search queries to profile said individuals is purely a commercial endeavor, designed (they hope) to better place ads on web pages.

If the profit motive perfectly coincides with altruistic motives (that is, to provide better services to consumers) that is welcome. But if interests diverge or conflict -- and lets be honest they do, violently, all the time -- then so be it? Witness AOL's blatantly anti-consumer arguably illegal attempts to use in-bound telemarketing to coerce people who want to cancel into staying.

Likewise, I have had serious disputes with Google, where they allowed some paid search results (ads) but prohibited others, without any policy stated or otherwise -- and even Google's own attorneys couldnt explain to me why they do what they do, instead simply folding their arms and saying "we reserve the right to do what best serves the company's interests without explanation." (That is, "so sue me.")

So the idea of trusting corporate interests to protect consumers strikes me as, well, naive at best.

Of course the alternative is regulation and as I said above, that strikes me as equally naive, and in the end worse, as the market corrects itself a little more quickly than does government.

One last note: Fred, as you seem so comfortable allowing private enterprise to police itself against privacy crimes, do you also grant law enforcement similar latitude? If Google and Amazon and Tacoda can snoop on people without their explicit consent, can the NSA?

Posted by: steve | Aug 22, 2006 8:05:45 AM

Someone should start a company just called "OptOut"... and all you have to do is type in your name, address, phone number, and e-mails, and they just completely wipe you clean from every spam list, snailmailer, etc. You could get little labels to put on your snailmail that say "marked as spam" with a mailing address and postage to send to OptOut. Let them figure out how to get me off all these lists. I think I'd pay $50 for that...and after a while, they'd have corralling personal data down to a science.

Posted by: Charlie | Aug 22, 2006 8:56:19 AM

Fred:

I think that you've nailed this one. I wrote about your piece in my blog, individual relevance (www.individualrelevance.wordpress.com). It is certainly all about consumer empowerment and control.

Nannette Marcus over at iMedia Connections wrote a nice piece on this as it relates to the Behavioral Targeting world a few months back in her article entitled, "4 Ways to Make BT Better" (http://www.imediaconnection.com/content/9389.asp).

Fred, once again, you're dead on. Companies that employ "User Friendly Opt Out" (really employ it, not just give it lip service) will be those that gain consumer trust over the next 3+ years. Those that don't employ this approach will alienate themselves from their customers. It's really that simple.

Posted by: Matt Fleckenstein | Aug 22, 2006 9:27:59 AM

one issue is the the user's interest in privacy is not aligned with the companies interest in data. so it's hard to have the companies self-police when they have such a different interest.

at the beginning of development, one thing that is easier to do is to architect a system figure out how to take data, aggregate and anonymize it, and discard what is personal and unnecessary to retain. this is because often companies don't have much data at the beginning and because they aren't yet profitable based on that data, so they have less diverging interest from users. when a company becomes successful (or not, but data rich) personally identifying data is not there because it's architected to not be there.

the other problem in asking for government regulation is that the government's interest in data is not aligned with user's interest in privacy. there have been a number of suggestions recently by government interests that they need to force companies to retain this data. there have also been subpoenas saying this.

i believe it's actually better business practice to anonymize data, both because making users happy is better business practice and because companies don't really need the individual, personal data. but i think if we tried to legislate that, governments would stop it.

Posted by: mary hodder | Aug 22, 2006 9:43:40 AM

I'm with Fred on this. My personal data can be a powerful aid to companies delivering high(er) quality services. So long as their is is genuine opt out I can simply yank my data when I want to, or if I become worried it is being used nefariously.

Fred is also right to point out that the ability to selectively delete and manage different aspects of it are important. This is essentially about managing your identity online which I posted on yesterday - www.theequitykicker.com.

Posted by: Nic Brisbourne | Aug 22, 2006 10:52:10 AM

Fred,

First, I wholeheartedly agree with your assessment for a "user-friendly" opt-out mechanism. In fact, I believe that there should be a common standard for opt-out that all services that collect data would respect. That is, a common format for opt-out requests that would allow 3rd party services to reasonably manage a users preferences for them.

Let's be honest, users don't want to choose on a per site basis the details of their allowed data collection habits. Today, they have the option of blanket opt-out (or wholesale cookie deletion) or nothing. Nascent services like PrefPass may address this, but only if Google, Amazon, eBay and others agree to a common standard.

Second, there is a more fundamental issue indirectly raised by Steve of whether a users behavior online is like browsing in a shop in SoHo, like walking your dog in Central Park or like having a telephone conversation with your brother. In other words, to what degree is a users browsing behavior public? I would argue that it is most like browsing in that shop.

Government has a reasonable interest in monitoring public behavior to the degree that it also has a reasonable assumption that said behavior is relevant to protecting the rights of it's citizens. Private businesses have the counterweight of market forces to enforce proper behavior - remember the DoubleClick/Abacus fiasco of a few years ago? Government has no such counterweight and as such should be assumed to be even less trustworthy stewards of our data than a private business.

As a private business, however, I am perfectly within my rights to watch what products you look at in my shop (my website) and use that information to draw conclusions about interest (profiling ) and even recommend alternatives that might be of interest (targeted advertising or product recommendations). What Amazon, Google and others are doing is analogous to this, just on a larger scale that by necessity is automated.

Posted by: Joe Wilson | Aug 22, 2006 11:16:50 AM

I do not agree with this at all. Companies should have my permission if they want to store what I do.

Like everyone else, I am all over the web. It is way too burdonsome to have to repeatedly tell companies that I don't want them storing my data.

Why should the burden of protecting my privacy be on me? And what stops these companies from coming to my house and setting up survelliance equipment, to further understand my behavior? Should I have to call up 40 companies and tell them to get off my yard?

If the benefits of storing my data are so compelling to me, then it should be easy for these websites to sell me on the idea. I think the issue here is that the benefits to the website/company greatly exceed the benefits to me, which is why websites, and the VCs that back them, are so against the idea of opt-in.

Pete

Posted by: Pete | Aug 22, 2006 11:24:17 AM

Pete --

How often does the average person read software EULAs during the installation process?

It's one thing to say that companies should be able to convince you to let them store your data and it's another thing entirely to be accosted with a "store your data" sales pitch every time you visit a web site.

I'd rather give my trust freely and have a way of recitifying the situation if that trust is misplaced than deal with the repurcussions of forcing everyone to prove to me in 30 seconds why I should trust them.

Posted by: Eric Marcoullier | Aug 22, 2006 12:29:41 PM

Can we have a middle ground? Have Google (for eg) set up a payment mechanism that recognizes it is mining personal information and is willing to pay the reasonable value of what it obtains?

Start with a pilot project, where it recruits data providers at malls, cinema's etc. It collects a gob of data, shows it to advertisers and says what is it worth (by auction).

It then openly and transparently pays a reasoanble share of that (say 1/3) to
the ultimate data provider (directly or by contribution to schools, minee-selected charity, etc.).

Then minee does not feel like a putz for giving up private information for nothing.

If something disastrous happens with the minee's (identity theft causing money loss) Google quickly steps in and cleans up at Google's expense.

Google discloses and gets verification from Google user that these terms are fair, and accepted. Google updates amount paid as market value of the data changes over time.

Posted by: cfw | Aug 22, 2006 3:24:19 PM

cfw,

I believe that Google would say that they are already paying for the data with free search, free e-mail, free videos, etc.

And the reality is that most data collectors don't want private information (i.e. anything that might lead to identity theft or fraud). There is very little commercial value in most of the data and is far too great a risk.

AOL's recent search disclosure clearly showed that Google, AOL, etc have private information in their DBs (credit-card numbers, SSNs, etc), but I guarantee you that they don't use that data for tracking or profiling. No value and the risk is too high of the data being misappropriated.

Now why someone would be searching for their credit card number or SSN on AOL is completely beyond me. ;o)

Posted by: Joe Wilson | Aug 22, 2006 3:58:53 PM

joe: "no value" in profiling using ssn's and credit card accounts?

on the contrary, such data is arguably the motherlode of motherlodes:

1) using it unlocks all sorts of overlays and correlations and specific individual identifications from other commercially available databases

2) it allows profiling based on specific financial and spending profile elements, and as any direct marketer will tell you, such are the most valuable data elements of all.

Posted by: steve | Aug 22, 2006 4:11:34 PM

Joe:

"I believe that Google would say that they are already paying for the data with free search, free e-mail, free videos, etc."

This is true, but they are in a position to pay more to get more. If they will not, someone else probably will.

"And the reality is that most data collectors don't want private information (i.e. anything that might lead to identity theft or fraud). There is very little commercial value in most of the data and is far too great a risk."

How do you define "private information" - just credit card numbers and SSN? I think it is much broader. For example, if I am hiring a lawyer for $160,000 per year, if I could find out what sorts of web searches and VOIP phone calls he made in the last 12 months, that would be quite valuable (even if it was "anonymized" some). It tells me I can (or cannot) put much weight on his resume. No need for SSN or credit card number. Just tell me how many hours he spent on the phone versus on the internet in a typical work day, general nature of sites visited, etc.

"AOL's recent search disclosure clearly showed that Google, AOL, etc have private information in their DBs (credit-card numbers, SSNs, etc), but I guarantee you that they don't use that data for tracking or profiling."

They can and should, if it is something I have sold to them, for fair value received, without getting me in hot water. I am sick of ads that are a waste of time for me, and want to be considered for opportunities that are "up my alley."

"No value and the risk is too high of the data being misappropriated."

Insurance covers the risk - pretty cheaply these days. No value? Marketing and sales people (among others) would disagree.

Posted by: cfw | Aug 22, 2006 4:38:58 PM

cfw - Private information, to me, means personally identifiable. Address (not just zip), phone number, CC numbers, SSN, etc all fall into this category. Your example of the lawyer may hold true for an individual, but it is not cost effective for a marketer (or any 3rd party service for that matter) to try to provide such highly customized data analysis.

So, I stick to my statement that such data is not generally useful to marketers. And I was not speaking of the financial risk, but the PR risk. Bad press has killed many otherwise flourishing firms. You can't buy insurance against that.

As to the value of the data, there is a difference between not receiving value for the data provided and whether both parties agree that the price is fair. Google offers a wide variety of services. In exchange, they collect, analyze and use the data that you provide while using that service. If you are not satisfied with the price, don't use their service. But it is disingenuous to claim that they are not offering to compensate you for your data.

To be clear, I think the idea of having a marketplace for data is a good one, but I think that it would be a premium offering and would not transact in the anonymous behavioral data that is the bread and butter of online advertising. Eliminating irrelevant ads is precisely what Google, Yahoo, Advertising.com, Tacoda and others are trying to do with the (usually anonymous) behavioral data they collect and they don't need PII to do that.

Steve - this information is only useful if you have the purchase history to tie it to and I would argue that if you have that, you don't need the SSN or CC numbers. Amazon stores your CC numbers as a convenience for you (to make it easier to buy stuff), not because that data has any intrinsic value. Only if you were to use the SNN to access confidential financial records (credit reports, etc) would it have any value, and such activity is quite clearly illegal under existing law, so I don't really think it is worth considering.

Posted by: Joe Wilson | Aug 22, 2006 7:31:08 PM

I completely agree with Fred on this one and think that AttentionTrust principles provide a solid foundation for how user's data should be handled.

We have worked hard at adaptiveblue to implement these principles in our blueorganizer product. I think that all new companies playing in attention space should do the same.

And it also would be great if Amazon and Google got behind this organization and made their software and services compliant.

Finally, I think that from the technical perspective, one of the principles would not be impossible to address: ability to move the data between the attention stores. It works fine for simple things like URL clicks, but it can't work for tracking more complex user behaivior, like purchasing book on Amazon. To put it differently, Amazon can't really store user's data elsewhere. So if this principle is softened, I do not see why Amazon and Google should not be able to follow.

Alex

Posted by: Alex Iskold | Aug 22, 2006 10:01:12 PM

Fred,

The problem with a simple opt-out approach is that it will be abused. Providers such as the ad networks, desktop application providers, analytics vendors and e-mail vendors currently collect behavioral data that can be linked to PII, yet in most cases they have no easy way to allow people to opt out because their service is invisible. How would an ad network allow you to opt-out when they are invisible to you?

Similar problems exist in an opt in environment. E-Mail providers "opt-in" consumers on a very broad basis and then go on to sell those names many times over.

If the opt in is overly broad or the provider collecting the data is anonymous, there are holes large enough to drive privacy violating trucks through.

Of course, the double standard of privacy with offline data is the real story...

Matt

Posted by: Matt Moog | Aug 23, 2006 12:55:52 PM

Joe:

1. Regarding your skepticism about profitability of data mining: I would not bet against the data miners. I suggest our ability to track and learn from all facets of our history is what has made us so successful as a species. It makes sense intellectually (see the history and biography sections of the local library) as well as commercially. I recall seeing we spend $415 billion a year or so for advertising. Improving the efficiency of ads by 30% over 5-10 years could mean we sell as much as we did in 2005 with $125 billion less per year in ad expenses.

2. Objections to data mining based on bad PR are always going to arise, and should always be managed. Risk of uncompensated loss to the individual (or lack thereof) should be returned to as the touchstone.

3. It seems nanny-ish to say I cannot make and sell (or gift) a "mine" of data about my computer use, phone use, library use, etc., since bad people may steal my identity and I might suffer uncompensated loss. Actuaries for the insurance carriers can tell us the frequency of actual damage, and the severity of the damage from violation of privacy rights. They set the rates. The rates are not high. That tells me the PR issue may be more manageable than one might assume.

4. Google does great things but does not deal entirely transparently with consumers about data mining. That should change, or Google may become more beatable.

5. Legalities about trading in credit report type information are routinely overcome by consent forms (generally bought and paid for).

6. We are a society of exhibitionists and voyeurs with respect to private information, perhaps more than we think.

7. I would look for data miners making impact in the "big ticket" areas first (house, spouse, job, investments, college tuitions, autos), then in the more routine commerce.

Posted by: cfw | Aug 23, 2006 6:10:47 PM

Post a comment

This weblog only allows comments from registered users. To comment, please Sign In.

You are currently signed in as (nobody). Sign Out

Comments:

©Fred Wilson, AVC.com • • Design by UX Hero