by William Lee and Grant Nelson
The FTC held PrivacyCon 2017 on Thursday, January 12th. Eighteen researchers were selected from about 70 submissions to present their findings to attendees and participate in short audience Q&A. The presentations were delivered through 5 sessions: "Internet of Things and Big Data," "Mobile Privacy," "Consumer Privacy Expectations," "Online Behavioral Advertising," and "Information Security." Please see the agenda with links to the presented research is here.
Here are the highlights for NAI members:
- Overall, PrivacyCon 2017 was less critical of the online advertising industry than PrivacyCon 2016.
- Researchers continued to focus on the prevalence of trackers across the mobile and online ecosystems, particularly in the context of cross-device.
- Research noted the rise in adblockers, but equivocated the growth with an increased consumer interest in privacy.
- Consumers recognize the value of targeted advertising when done in a privacy-respecting manner, some research shows.
- Machine learning and AI-enhanced research and analysis methods are increasingly common in privacy research papers.
Below we've outlined some of the research highlights relevant to NAI members.
Researchers continued to focus on the prevalence of trackers across the mobile and online ecosystems, particularly in the context of cross-device.
Several presentations focused on various methods of analyzing data collection using different trackers. For example, Princeton researchers are running a monthly scan of the top one million websites and tracking how many third party URLs are called, and comparing changes. They noted that fewer companies enjoy an increasing share of the total trackers deployed. Research on mobile devices is also picking up, with researchers developing an app that allows a non-rooted Android device to intercept and modify all network traffic in order to analyze third party connections. Increasingly, research shows that consumers are less concerned about their data being collected and more interested in knowing the specific information about them that is being collected and shared. For example, every respondent in one study (n=21) reported they cared more about the information collected than they cared about tracking in general. The researcher emphasized that companies collecting information should clearly explain what data they collect. For NAI members, these findings are in line with the Code requirements to provide clear notice of data collection practices for IBA.
Research noted the rise in adblockers, but equivocated the growth with an increased consumer interest in privacy.
One researcher presented an anti-anti-ad-blocker. The extension blocks websites' requests to users to disable their adblockers. During the presentation, the speaker claimed that the rise in adblocker installs could be primarily explained by users who are seeking to protect their privacy. The paper, however, also mentions consumer "annoyance" with ads as being a major issue facing the online advertising ecosystem, motivating adblocker use. Through the Code and other efforts, the NAI is constantly working to address consumer privacy concerns. Regarding consumer annoyance, the NAI is working on solutions with the Coalition for Better Ads. Beyond those issues, a number of audience questions for this presenter pushed back on the feasibility of requiring consumers to pay for content that they'd otherwise receive for free via the ad-supported model. One audience member even questioned the free speech implications of potential consolidation in media sources if consumers were required to buy subscriptions.
Consumers recognize the value of targeted advertising when done in a privacy-respecting manner, some research shows.
One study (n=35) analyzing the pros and cons of online tracking from a consumer perspective asked respondents to identify settings in which they found tracking to be either beneficial or not. 74% of respondents found online tracking "beneficial" when it delivered them targeted ads rather than generic ads. At the same time, only 31% of respondents cited website customization as a benefit of online tracking. Meanwhile, 60% of respondents said ads could be "not beneficial," largely when they found the ads objectionable. The concerns cited included seeing the same ad repeatedly, using sensitive information to target the ad, or seeing the ad out of context. Another study investigating consumer reactions to privacy choices found nearly identical results. Namely, that consumers dislike seeing the same ad repeatedly, do not want ads targeted based on sensitive information, and are more comfortable with ads that match the content of the page on which they are displayed. The NAI Codes address these concerns by permitting ad frequency capping to limit the number of times a consumer sees the same ad and prohibiting ad targeting on sensitive information unless the consumer opts in.
Machine learning and AI-enhanced research and analysis methods are increasingly common in privacy research papers.
A common theme among both the submissions and accepted papers was the increased use of automation and machine learning for research into and investigation of privacy practices. Researchers presented papers that utilized machine learning and automation to analyze thousands of privacy policies and compare the policies to apps' or websites' observed behavior. Other research attempted to interpret a user's past privacy choices using machine learning to automate future ones, only prompting the user when the system is unsure of the user's preference. Two presentations utilized automated analysis of network traffic between a device, including a non-rooted one, and the internet to identify what information is being shared, including PII leaks. The NAI has been using automated technical monitoring tools for several years and appreciates the efforts of the community to adopt such technology. Further, the NAI is investigating how to improve our automated tools by incorporating machine-learning techniques.