This essay by Josh Chasin over at the MediaPost's Metrics Insider Blog is the best piece I've read on behavioral marketing & privacy in a long time. I like this analogy, in particular:

Let's say you are a tall, dashing, smartly dressed Chief Research Officer at a major Internet audience measurement company, and you walk into Nordstrom's. A sales clerk you recognize comes up to you and says, "Hey, your wife's birthday is coming up in a few weeks, and we just got in those sweaters she likes. Should I put a couple of them away for you in her size and color?" Now let me ask you. Does this hypothetical Chief Research Officer perceive this to be: (a) an egregious violation of his privacy, causing him to immediately rush home and write his state assemblyman; or (b) another example of Nordstrom's world-class customer service? If you answered (b), then you're tracking with me so far.

So how come if this exact same thing happens on the other side of the screen, it stops being outstanding customer service and turns into a violation of privacy?

Great question! And yet some over-zealous privacy advocates make this stuff out to be the coming endtimes and call for comprehensive regulation using scare tactics and twisted logic, as Chasin notes:

If Big Brother barges into your home at midnight and takes you away because someone doesn't like the books you've been reading, that's an invasion of your privacy (and way worse.) But if the ads you see on Yahoo are increasingly relevant to your life, that's not an invasion of privacy. That's just the digital version of that nice lady at Nordstrom's. Let's not confuse the two.

Exactly.

As I noted in previous installments of this series, our government seems to have an increasingly hard time keeping tabs on sensitive data. Unfortunately, there's been another incident on this front. The Washington Post reported this morning that:

"A government laptop computer containing sensitive medical information on 2,500 patients enrolled in a National Institutes of Health study was stolen in February, potentially exposing seven years' worth of clinical trial data, including names, medical diagnoses and details of the patients' heart scans. The information was not encrypted, in violation of the government's data-security policy. NIH officials made no public comment about the theft and did not send letters notifying the affected patients of the breach until last Thursday -- almost a month later. They said they hesitated because of concerns that they would provoke undue alarm."

Undue alarm? Geez, I can't imagine why! My friend Leslie Harris of CDT notes in story that, "The shocking part here is we now have personally identifiable information -- name and age -- linked to clinical data. If somebody does not want to share the fact that they're in a clinical trial or the fact they've got a heart disease, this is very, very serious. The risk of identity theft and of revealing highly personal information about your health are closely linked here."

But hey, we wouldn't want to provoke "undue alarm" by telling those folks about the data breach! Pathetic. As I've pointed out before, if this happened in the private sector, trial lawyers would be salivating and lawsuits would be flying. By contrast, when the government loses personal information—information that his usually more sensitive than that which private actors collect—about the most that ever comes out of it is another GAO report calling for “more accountability.”

I can't wait to see how well all our health care records are "secured" once we have socialized medicine in this country.

Hmmm.. This sounds like trouble waiting to happen for kids in the UK. According to News.com:

British students aged 14 to 19 will have their school records permanently placed on an electronic database accessible to prospective employers. The project, called Managing Information Across Partners (MIAP), will launch in September. The record will include personal details and exam results and will remain with the pupil for life.

The system will be based on a Unique Learner Number. "The Unique Learner Number, necessary to acquire a learner record for the diploma is a unique identifier that can be used by a learner for life," MIAP said on its Web site. "It is a national number that is validated and is therefore deemed to be unique." The aim is to expand the system to include other information and to allow details already available but scattered across many databases to be brought together, it said." The pupil would have control over the record and would be able to restrict the information shared.

Maybe. Or maybe not. As the story goes on to point out:

This morning in New York City, social networking website operator MySpace.com announced a major joint effort with 49 state Attorneys General aimed at better protecting children online. (Coverage at CNet, NYT and Forbes). At a joint press conference, MySpace and the AGs unveiled a “Joint Statement on Key Principles of Social Networking Safety” involving expanded online safety tools, improved education efforts, and law enforcement cooperation. They also agreed to create an industry-wide Internet Safety Technical Task Force to study online safety tools, including a review of online identity authentication technology.

Generally speaking, the agreement is step forward for online safety. Indeed, many of the principles in the agreement could form a potential model “code of conduct” that other social networking sites could adopt. In a report I authored for the Progress & Freedom Foundation in August 2006, I argued that it was vital for companies and trade associations to take steps such as this to avoid the specter of government regulation or censorship:

All companies doing business online… must show policymakers and the general public that they are serious about addressing [online safety] concerns. If companies and trade associations do not step up to the plate and meet this challenge soon—and in a collective fashion—calls will only grow louder for increased government regulation of online speech and activities. What is needed is a voluntary code of conduct for companies doing business online. This code of conduct, or set of industry “best practices,” would be based on a straight-forward set of principles and policies that could be universally adopted by [a] wide variety of operators...

In particular, this code of conduct proposal called for companies to make specific pledges regarding improved online safety tools, expanded education / media literacy efforts, and ongoing assistance to law enforcement regarding investigations of online crimes.

An interesting essay on the downstream effects of keeping government from collecting data about race, ethnicity, or religion in France from the National Journal.

The European vision of privacy has always puzzled me. On the one hand, given the power of their welfare state, it makes sense to take some prophylactic measures to prevent a second holocaust. But why grant the powers to begin with, if one believes the risk of their abuse is so high that the government cannot be trusted with information to administer them?

Previous installments (1, 2, 3, 4 & 5) in this series have documented how our government seems to have a difficult time keeping tabs on laptops and personal information. The latest on this front comes from the Energy Department which notified Congress yesterday that it has lost 1,415 laptop PCs over the past six years. However, according to this report in Government Computer News, the DOE stressed that none of the laptops contained classified information. I guess that qualifies as good news on this front.

In late March, I hosted a congressional seminar entitled "Age Verification for Social Networking Sites: Is It Possible? And Desirable?" I brought together 5 experts in the field to debate the issue, including:

* John Cardillo, President & CEO, Sentinel
* Jay Chaudhuri, Special Counsel to North Carolina Attorney General Roy Cooper
* Raye Croghan, Vice President, IDology, Inc.
* Tim Lordan, Executive Director, Internet Education Foundation
* Jeff Schmidt, CEO, Authis

It was an outstanding discussion and I'm happy to report that the transcript is now available online here. Also, you can listen to the audio from the event here. Also, you can find the big study of mine that we discussed that day here.

A debate is raging over at the Second Life blog about Linden Labs' (LL) annoucement that the company plans on imposing age verification requirements on its users starting in mid-May. LL says they are making this move "to insure that minors do not inadvertently access Second Life or have access to adult content in-world. In addition, age verification provides an additional layer of trust for in-world businesses and Residents."

Those are certainly worthy goals. But LL face two very challenging issues in attempting to implement this plan:

Jennifer Medina of the New York Times penned an article yesterday on the debate over social networking fears leading to calls for age verification mandates. She noted that measures are moving in several states that would require social networking sites to age-verify users before they are allowed to visit the sites or create profiles there. But Medina also noted that there are many difficult questions about how age verification would work and how "social networking" would even be defined. (I summarize these questions in my recent PFF report, "Social Networking and Age Verification: Many Hard Questions; No Easy Solutions.")

Ms. Medina was also kind enough to interview me for the story and she summarizes some of what I had to say in her piece. In a nutshell, I stressed that the most effective way to deal with this problem is to get serious about dealing with sex offenders instead of trying to regulate law-abiding citizens. We need to be locking up convicted sex offenders for a lot longer in this country to make sure they behind bars instead of behind keyboards seeking to prey on our children.

I also stressed the importance of online safety education as part of the strategy here. But my comments on that didn't make the cut in the story. But you can read my big recent paper on this issue for additional details.

Previous installments (1, 2, 3 & 4) in this series have documented how our government seems to have a difficult time keeping tabs on laptops and personal information. The latest on this front comes from the Transportation Security Administration (TSA). Last week, the TSA informed us that a computer hard drive containing the personal, payroll and bank information of 100,000 current and former TSA workers has apparently gone missing and is assumed stolen. The FBI and the Secret Service have apparently opened a criminal investigation into the matter.

I was about to launch into another rant on this front, but then I picked up this morning's Washington Post and their editorial on this issue really nails it: