Future of Privacy Forum to Host Expert Panel: “Do Not Track” Demystified

September 27, 2010 - 12:00pm - 1:30pm
The Information Technology and Innovation Foundation
1101 K Street NW

From blogs to Facebook profiles to Twitter messages, individuals are increasingly choosing to share information about themselves online. More personal information online brings both risks and rewards. How are companies using this digital information and how do consumers benefit from increased data sharing? Read more »

Future of Privacy Forum to Host Expert Panel: “Do Not Track” Demystified

September 27, 2010
Audio and video from the event "The Future of Privacy Online."

From blogs to Facebook profiles to Twitter messages, individuals are increasingly choosing to share information about themselves online. More personal information online brings both risks and rewards. How are companies using this digital information and how do consumers benefit from increased data sharing? Perhaps more importantly, do consumers have enough control over their personal information or is there a need for government regulators to step in? Read more »

See video

Stricter Privacy Regulations for Online Advertising Will Harm the Free Internet

September 8, 2010
| Reports

A study shows that overly strict privacy laws inhibit the effectiveness of the Internet ecosystem.


Privacy legislation under consideration could reduce the effectiveness of online advertising and thus reduce the available revenue to support free or low-cost content, applications and services. Before passing such legislation, policymakers should review the empirical data on the importance of online advertising, the effectiveness of targeted ads, and the impact of regulations on online advertising. They should be aware that data privacy regulations could sharply limit the principal funding mechanism for most of the free Internet enjoyed by consumers today and result in lost jobs, investment and Internet innovation.

It is surprising that policymakers would want to tamper with one of the most successful drivers of economic activity in the United States as the national economy struggles to rebound from a recession. Let’s be clear—the Internet is a critical component of the economy both globally and domestically. ITIF estimates that the annual global economic benefits of the commercial Internet equal $1.5 trillion, more than the global sales of medicine, investment in renewable energy, and government investment in R&D, combined.[1] Moreover, the Internet has a substantial impact on the U.S. economy. A 2009 study co-authored by the Hamilton Consultants and Harvard Business School professors John Deighton and John Quelch found that in the United States the Internet generates at least $300 billion of economic activity annually, or approximately 2 percent of the U.S. GDP.[2] And while the U.S. has lost leadership and jobs in an array of industries, it still leads the world—by a considerable margin—in the Internet industry.

The Internet is important to our economy and online advertising is the dynamo powering the Internet’s rapid growth. Many of the websites that millions of Americans depend on for work and play would not be around today without online advertising. In fact, the top five websites in the United States—Google, Facebook, Yahoo, YouTube and—all use online advertising to support their products and services.

As shown in Figure 1, Internet advertising has grown dramatically over the past decade. In the United States, non-search online advertising expenditures have grown from $6 billion in 2002 to $13 billion in 2007. Similarly paid search has grown from $1 billion in 2002 to $8 billion in 2007.[3] The Internet Advertising Bureau estimated cumulative Internet online advertising market to be $21.1 billion as of 2007. The Kelsey Group found that worldwide Internet advertising reached approximately $45 billion in 2007, out of a total $600 billion advertising market, and predicts online advertising will grow to over $147 billion by 2012.[4] IDC reports similar figures estimating that worldwide spending on Internet advertising reached $61 billion in 2009. In addition, IDC predicts that advertisers will increasingly use the Internet for advertising, with online ad spending growing from 10 percent of all ad spending in 2009 to almost 15 percent by 2013.[5]

U.S. Internet Ad Revenue Since 2001

Figure 1: U.S. Quarterly Internet Ad Revenue since 2001, Source: IAB/PWC[6]

Internet advertising supports the creation of new content, applications and services. A case in point is the newspaper industry. Policymakers concerned with the decline of print media should note that greater revenue from targeted online advertising will likely be necessary for journalism to survive in the Internet age.[7] We are already seeing some evidence of this. For example, the Los Angeles Times announced in 2009 that its online advertising revenue was sufficient to cover its entire editorial payroll.[8] And online advertising will be important for the so-called “long tail” of small websites and content producers supported by ad revenues. After Google introduced a revenue-sharing program in 2007 for YouTube, various Internet entrepreneurs began turning their videos into a lucrative business. For example, Josh Chomik, a teenager in New Jersey earns around $1,000 a month from ad revenue generated by his YouTube videos.[9]

If online advertising is important to the Internet ecosystem today then ensuring that online advertising revenues continue to grow will be central to the Internet’s growth and success tomorrow. One way websites gain more value from online advertising is by providing more relevant ads—a benefit both to consumers who get more utility from these ads and advertisers who are willing to pay more to reach their target audience. Targeted ads based on information about a user—such as the user’s browsing history or other user-specific data—help deliver higher-value ads. Yet even though the importance of online advertising to the greater Internet economy has been well-documented, policymakers seem intent on imposing data privacy regulations that would limit the ability of Internet publishers to tailor advertising to users based on their interests.

Part of this may be due to a misconception about how targeted advertising works. When Google offered ads to its Gmail users based on contextual information in emails, privacy advocates objected to Google “reading people’s email.”[10] Yet these claims do not distinguish between ads delivered to web users through automated computer technology and an individual snooping through personal emails. In the former, providing targeted computer-matched ads poses no more privacy threat to users than simply having their emails stored on remote servers. Similarly privacy concerns have been raised about Facebook with fictional claims of the company selling its user’s data because of misunderstanding about the mechanisms of targeted advertising. Targeted advertising works by matching ads to users based on the information in their profile. For example, a wedding photographer in Dallas can pay Facebook to serve an ad to everyone in Dallas who switches their relationship from “single” to “engaged.” This benefits everyone—the photographer gets more clients, the users get more relevant ads, and Facebook is better able to fund its free services. And at no time does the photographer learn who sees the ads, unless a user chooses to make contact.

These benefits from targeted advertising are clearly documented. Howard Beales, a professor in the School of Business at George Washington University and former Director of the Bureau of Consumer Protection at the Federal Trade Commission, has described how targeted advertising leads to higher value for Internet publishers and consumers. In 2009, Beales authored a report which found that advertising rates for online ads that used behavioral targeting were significantly higher than online advertising that did not use behavioral targeting (2.68 times as much).[11] Moreover, targeted ads are more relevant to consumers. This fact is supported by the data—click-through-ratios, or the percent of web users that click on an ad, for targeted ads are as much as 670 percent higher than non-targeted ads.[12] Beales looks at conversion rates—or the percent of online advertisements that turn into sales—and finds that the conversion rate for ads using behavioral targeting is twice that of ads not using it.

Now a new research paper by Avi Goldfarb at the University of Toronto and Catherine Tucker from MIT takes this research a step further and documents how privacy laws can negatively impact the efficacy of online advertising.[13] Specifically Goldfarb and Tucker analyzed the impact of the European Union’s Privacy and Electronic Communications Directive (2002/58/EC) which was implemented in various European countries and limits the ability of advertisers to collect and use information about consumers for targeted advertising. The authors find that after the new privacy laws went into effect they resulted in an average reduction in the effectiveness of the online ads by approximately 65 percent (where the effectiveness being measured is the frequency of changing consumers’ stated purchase intent). The authors write “the empirical findings of this paper suggest that even moderate privacy regulation does reduce the effectiveness of online advertising, that these costs are not borne equally by all websites, and that the costs should be weighed against the benefits to consumers.”

All of these analyses support the larger conclusion that targeted advertising is crucial for supporting the websites responsible for the majority of the free and low-cost content online. This is particularly true for general-interest sites (like news websites) that have little ability to determine what ads their users would be most interested in without the cues that better targeting enables (in contrast to some special-interest sites which can do so somewhat more easily). Not surprisingly, Goldfarb and Tucker found that the negative impact on ad effectiveness from the European privacy regulations was strongest among these sites. The negative impact was also stronger for non-obtrusive ads (e.g. smaller ads or ads not using multimedia) which suggests that small, text ads will be significantly less effective unless they can be tailored to a user’s interests. The authors also note that if advertisers reduced their spending on online advertising in line with the reduction in effectiveness resulting from stricter privacy regulations, “revenue for online display advertising could fall by more than half from $8 billion to $2.8 billion.”[14] And as Beales notes, a reduction in ad revenue directly hurts online publishers since more than half of ad network revenue goes to publishers who host the ads.

It is therefore not surprising that U.S. Internet companies lead the world and European companies do not. European companies are at a disadvantage compared to U.S. companies because the government is essentially limiting their revenue to less than half of what they could otherwise earn. As a result, Europe has struggled to be an effective player in the Internet economy compared to the United States where there are significantly fewer restrictions.

As ITIF has noted, proposed privacy legislation provisions in the United States would restrict targeted online advertising by limiting the collection of certain types of data, requiring opt-in consent for collecting data, or providing mechanisms to encourage users to opt-out of targeted ads.[15] Like the European privacy regulations, these types of restrictions would limit targeted advertising and harm the Internet-powered economy. The kinds of privacy legislation now being proposed in Congress will reduce revenue flowing into the U.S. Internet ecosystem, which means not only fewer web sites and less valuable content, but also less spending by Internet companies on servers and bandwidth. The net result will be fewer jobs. In addition, if the Internet is less valuable to consumers because there is less useful content, applications and services, users are less likely to subscribe to broadband. In addition, privacy regulations such as requiring opt-in to collect or use data for targeted advertising will likely increase costs. Goldfarb and Tucker report that anecdotal evidence suggests that obtaining opt-in consent costs organizations approximately 15 Euros per user.[16]

Does this mean that policymakers should avoid all privacy regulations? Of course not. But it does suggest that policymakers should tread lightly and focus more on preventing harms from privacy violations than on legislating expensive and revenue-reducing regulations.[17] The evidence clearly suggests that the tradeoffs of stronger privacy laws result in less free and low-cost content and more spam (i.e. unwanted ads) which is not in the interests of most consumers.

Proponents of stricter privacy laws often ignore the benefits that online advertising confers on consumers. For example, Google and Facebook, two of the companies most vilified by privacy fundamentalists, are at the forefront of offering low or no-cost content, applications and services to consumers unimaginable a decade ago. Yet when these companies use targeted online advertising to fund their operations, privacy fundamentalists object. Unfortunately, these objections reflect the prevailing message of privacy fundamentalists that privacy trumps all other values. However, policymakers should recognize that privacy, as with any other value, must be balanced against other competing interests and can, as it will here, comes at a real financial cost—fewer jobs, less investment and a less robust Internet.

The Internet is a vital part of economic and social life and federal data privacy legislation should ensure that beneficial uses of data are not curtailed by overly-restrictive data sharing policies. Congress should not implement across-the-board reforms to privacy regulations without seeking a better understanding of how these changes will affect the Internet economy, and by extension, the overall economy and society.


[1]   Robert Atkinson et al., “The Internet Economy 25 Years After .com,” (Washington, D.C.: Information Technology and Innovation Foundation, 2010)

[2]   John Deighton and John Quelch, “Economic Value of the Advertising-Supported Internet Ecosystem,” (Hamilton Consultants, 2009)

[3]   Ibid.

[4]   “Interactive Advertising Revenues to Reach US$147 Billion Globally by 2012, According to The Kelsey Group’s Annual Forecast,” press release, (Chantilly, VA: The Kelsey Group, 2008)

[5]   “Number of Mobile Devices Accessing the Internet Expected to Surpass One Billion by 2013, According to IDC,” IDC, press release, December 9, 2009,

[6]   “Internet Advertising Revenues Hit $5.9 Billion in Q1 ’10, Highest First-Quarter Revenue Level On Record,” IAB, May 13, 2010,

[7]   Robert D. Atkinson, “Federal Trade Commission Workshop on Journalism in the Digital Age,” (Washington, D.C.: Information Technology and Innovation Foundation, 2010)

[8]   Jeff Jarvis, “History in the making in LA as online ads hit target,” The Guardian [UK] 12 Jan. 2009,

[9]   “YouTube channel earns college money for N.J. teen,”, 7 April 2009,

[10]  Robert Atkinson, “Google E-mail, What's All the Fuss About?” (Washington, D.C.: Progressive Policy Institute, 2004)

[11]  Howard Beales, “The Value of Behavioral Targeting,” (2009)

[12]  Jun Yan, Gang Wang, En Zhang, Yun Jiang, & Zheng Chen, “How Much Can Behavioral Targeting Help Online Advertising?” (Madrid, Spain: WWW, 2009)

[13]  Avi Goldfarb and Catherine E. Tucker, “Privacy Regulation and Online Advertising,” (2010)

[14]  Ibid.

[15]  Daniel Castro, “ITIF Comments on Draft Privacy Legislation,” (Washington, D.C.: Information Technology and Innovation Foundation, 2010)

[16]  Avi Goldfarb and Catherine E. Tucker, “Privacy Regulation and Online Advertising,”

[17]  Daniel Castro, “Data Privacy Principles for Spurring Innovation,” (Washington, D.C.: Information Technology and Innovation Foundation, 2010)

ITIF Statement on Restrictions of Blackberry Smart Phone Use

Following reports that India, Saudi Arabia and the United Arab Emirates plan to restrict the use of BlackBerry smart phones, ITIF President Robert D. Atkinson made the following statement: Read more »

The US Senate Dives Into Privacy Issues

August 4, 2010
| Blogs & Op-eds

ITIF Senior Research Fellow Richard Bennett explains the changing nature of personal privacy in the Internet era and why Congress should take such changes when attempting to regulate the Internet.

Data Privacy Principles for Spurring Innovation

June 10, 2010
| Reports

As data on individuals or their actions increasingly is collected and stored electronically, it is important for policymakers to consider the effect this has on privacy. The Department of Commerce's notice of inquiry provides a welcome opportunity to explore the best ways of protecting individual privacy while avoiding constraints on business innovation and unintended negative impacts on consumers as a whole. Privacy is important, but it must be balanced against competing goals including usability, cost and future innovation. While many technologies can be misused, they should not be banned simply because they come with some risk. Privacy fundamentalists often overstate privacy concerns as a rationale for opposing certain innovations: we have seen this in everything from RFID to biometrics to electronic health records. Moreover, restrictive privacy regulations for the private sector would likely result in less innovation, fewer free services for the average user, and higher costs for consumers. Instead, policymakers should embrace principles that support consumer privacy, but not at the expense of productivity and innovation.

ITIF Statement on Facebook's New Privacy Controls

Statement by Daniel Castro, senior analyst for the Information Technology and Innovation Foundation on new Facebook Privacy features:

"These new features give consumers more choice and more control over their information--a win for both Facebook and its users. Facebook's latest changes show that companies are responding appropriately to their customers' concerns about privacy.

ITIF Comments on Draft Privacy Legislation

May 25, 2010
| Testimony and Filings

Comments submitted by ITIF Senior Analyst Daniel Castro to the House Energy and Commerce Subcommittee on Communications, Technology and the Internet Subcommittee Chairman Rick Boucher and Ranking Member Cliff Stearns on the discussion draft of privacy legislation.

Google’s WiFi Controversy Deserves a Slap on the Wrist, Not a Punch in the Nose

May 24, 2010
| Blogs & Op-eds

On May 14, 2010 Google announced that while developing its location-based services, it had been inadvertently collecting samples of payload data from wireless network traffic since 2007. This means that Google had captured data packets sent over unencrypted wireless networks—data packets that could include sensitive Internet traffic such as email and web browsing activity. The disclosure from Google followed an internal review prompted by the German data protection authority’s request for an audit of Google’s data collection for wireless networks. The company has apologized for its mistake and it has halted its wireless network data collection indefinitely.

Not surprisingly, this mistake has prompted outrage and criticism among privacy advocates and consumer protection agencies in the United States and Europe. While no company should be illegally collecting information about citizens without their permission, this situation is not as straightforward as some would like to make it seem. Certainly the legality of Google’s actions should be explored, as with any alleged crime, but this incident should not be used to impose punitive sanctions on Google unless it is found that the company caused consumer harm or did not act in good faith. To do so, would send a chilling warning to other companies that they face severe risks if they engage in fast-paced innovation of information-based services.

The initial facts show that Google has acted responsibly. For example, Google publicly disclosed the unintentional data collection and asked a third-party to review the incident and ensure data is properly destroyed. More importantly, no user harm has been identified. Of course the magnitude of the incident remains unclear. Some questions remain unanswered or unverified including how much information was collected, how the data was used during this time (Google says it was not used in any Google products), and whether any copies of this data were made. These facts should determine how government agencies proceed.

Unauthorized recording of electronic data should not be condoned or encouraged. However, while we may wish that companies never make mistakes, this is simply an unreasonable expectation given the complexity of many applications today. This does not mean that companies should be given a free pass to break laws or be absolved from negligent behavior, but it does mean that issues such as harm and intent should weigh heavily when mistakes are made. The goal of government should be to strike a balance that protects consumers while still encouraging socially-responsible and economically-beneficial innovation.

Unfortunately, as ITIF has argued previously, the current debate on electronic privacy has been driven largely by privacy fundamentalists who object to virtually all instances of for-profit companies providing unregulated services in the information economy. Yet, overall, consumers have benefited widely from the unbridled creativity of the private sector with innovative products and services. For example, Google collected this wireless network traffic as part of the development of its location-based services. Google’s location-based service allows users to pinpoint the location of their computer or mobile device on various Google products and services. Google also has created a Geolocation application programming interface (API) that developers can use to integrate Google’s location-based services in non-Google products. Consumers have benefited from this service with many useful location-aware applications from location-based social networking to online maps that show users their location and nearby points of interest to “location-based security” that locks or unlocks certain features on a mobile device based on where it is (e.g., unlocked at home).

To determine a device’s location, Google uses a variety of signals and data sets, including GPS, cell towers, and wireless access points. Different location indicators are used depending on the situation and the device, for example, some devices may not use GPS if they do not have a GPS receiver or cannot receive a signal. By “fingerprinting” wireless networks, Google is able to use this data to determine the geographic location of a mobile device. Other companies, such as Skyhook Wireless, have created similar products that map wireless networks to specific geographic locations.

Google collected the wireless data using the same vehicles it uses to collect imagery for its Street View service, although the two programs are otherwise unrelated. Specifically, Google used wireless receivers in its vehicles to record the beacon frames broadcast by wireless networks as its vehicles traveled through different areas. These data packets include the Service Set Identifier (SSID) which identifies the network name and the Media Access Control (MAC) address which is a unique identifier for each network device. Google also recorded data on signal strength, broadcast channel, and the wireless networking standard used (e.g., 802.11g, 802.11.n, etc.). Google does not share its data set about wireless networks with third parties but rather provides an API to interface with this data. This means that Google does not make public some potentially sensitive information, such as a list of all open wireless networks in a neighborhood.

Google’s accidental data collection also raises the question of whether users should have an expectation of privacy when transmitting unencrypted information wirelessly. Arguably if users transmit data without encryption they should not expect the information to remain private since the data packets can be visible to others. This should be especially true today now that encryption is standard and easy to use on consumer-grade wireless routers and web browsers. However, in general, the existing law protects both encrypted and unencrypted data transmissions equally. This differs from oral communications where legal protections only apply to “oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation.”

An analogy here provides a useful comparison: are wireless transmissions more like a mailbox or a window? If they are more like a mailbox, then wireless transmissions should be protected. A mailbox may not be locked, but that does not give others permission to look inside. However, if wireless transmissions are more like a window, then—unless individuals take action to cover the windows—we do not have a high expectation of privacy. (Of course, even with windows we have Peeping Tom laws, which vary by jurisdiction, that protect people from intrusive actions by others. However, in many cases, these laws require the victim to demonstrate harm.)

Objections have been raised about this for many years. For example, in 1986 when Congress updated the Electronic Communications Privacy Act (ECPA), a New York Times op-ed highlighted the legislation’s failure to distinguish between wired and wireless transmissions: “To disregard the medium is to ignore the essence of the privacy issue. Some media, such as wire, are inherently private. That is, they are hard to get at except by physical intrusion into a residence or from a telephone pole. Other media, notably radio signals, are inherently accessible to the public.”1 Given the ease with which electronic data transmissions can be encrypted, perhaps this incident should serve as a red flag that privacy laws should be clarified to give more legal protection to private data when it is encrypted (i.e., to prevent unauthorized decryption of encrypted data) and less when it is not encrypted. Such an update would align legal rights with technical realities.

Again, we are not excusing Google’s mistake or seeking to reduce the privacy of individuals. However, this incident should not be seen as just another opportunity to criticize Google for its use of information and demand more regulation of electronic data. Instead, it is an opportunity to highlight the need for the private sector to implement better internal controls, for consumers to protect their sensitive information, and for nations to ensure that their laws protect both consumers and the spirit of innovation.


1. Robert Jesse, “How not to protect communications,” New York Times (September 13, 1986), p. 27.