Reassessing Digital Privacy Standards in Light of Facebook’s Atlas

Chapell Headshot 2_260In late September of 2014, Facebook announced the launch of an extensive new advertising network after having rebuilt the Atlas ad server. By all accounts, Facebook’s new advertising network has an incredibly rich pool of data to draw upon – a pool that apparently includes information collected on Facebook and off Facebook, and by the millions of Facebook like buttons.

In early October, the Electronic Frontier Foundation crafted a blog post that was critical of Facebook’s expansive ad network. No surprise there – privacy advocates critiquing business practices is nothing new. However, I was a bit surprised that the EFF conceded that many of their criticisms were simply “industry-wide privacy issues.” And that made me think – is Facebook’s ad network really just like any other ad network?

Does size matter?

Facebook certainly has more data than any advertising network – the social network has a larger pool of data and more sensitive data than just about any organization this side of the NSA. Now that’s probably a good thing from the perspective of delivering value to advertisers. But having so much data may also raise privacy issues. And that got me thinking about the nature and scale of Facebook’s data collection practices – and whether the scale and sensitivity of data should be taken into consideration when establishing privacy standards for online behavioral advertising.

Privacy controls should be in proportion to the scale and nature of the data collected

In 2012, the FTC issued a report that specifically called out Internet Service Providers, operating systems and browsers for being in position to track all, or virtually all consumer online activity – and concluded that such comprehensive tracking might raise serious privacy concerns. Today, it is generally agreed upon that ISP’s engaging in deep packet inspection as well as browsers and other software that collect web-wide browsing data must obtain the affirmative consent of the User prior to engaging in online behavioral advertising (OBA).

So here’s my threshold question: if collecting ALL of a User’s web-wide data for OBA necessitates an affirmative consent standard, then what is the appropriate standard for collecting MOST of a User’s digital data? Is collecting data across 60% of web pages sufficient to warrant an affirmative consent standard? What about 75%? Do I hear 95%?

Interestingly, the FTC touched on this issue in their 2012 report. The FTC noted that the Facebook Like button appeared on almost 11% of top websites’ front pages in 2011. This percentage has increased significantly since the FTC report – one industry colleague suggested that Facebook like buttons were on nearly 100% of the top 10,000 websites as of 2014. And the reach of Facebook’s like buttons doesn’t take into account the breadth of potentially sensitive data collected on Facebook – including the social graph, photos and personally identifiable information, as well as the granularity of inferences that may be derived from Facebook’s data. And all of this information collected across all of these sites is linked directly to a person’s identity – the very thing that our industry standards were initially designed to guard against.

It will be interesting to see if the FTC revisits some of the analysis pertaining to scale from the 2012 FTC report. But from my perspective, trying to compare the scale and nature of Facebook’s data to that of just about any other ad network is like comparing the size of a single hydrogen atom to the size of the Sun.

Our industry self-regulatory programs were initially conceived to address the collection of non-personally identifiable profiling information collected across a relatively limited number of sites. They just weren’t designed to incorporate the size and nature of the data collected by Facebook. As such, holding Facebook to the exact same online behavioral advertising standard as some tiny retargeting company just doesn’t make good privacy sense.

Alan Chapell is an attorney, industry analyst and certified information privacy professional focusing on digital advertising and privacy. Follow Alan (@chapell68) on Twitter.