In A Race to the Bottom: Privacy Ranking of Internet Service Companies, Privacy International spray-paints the façades of landmark companies that line today's Main Street on the Web. The painted colors are assessments of each company's performance on privacy issues. Though the rankings are colorful, what they say isn't pretty.

Nobody in the "interim rankings" (.pdf) gets the top (green) mark for "Privacy-friendly and privacy enhancing". The bottom (black) mark, for "Comprehensive consumer surveillance & entrenched hostility to privacy", goes to just one company: Google.

Here's the color-band system by which each service is rated:



Privacy-friendly and privacy enhancing
Generally privacy-aware but in need of improvement
Generally aware of privacy rights, but demonstrate some notable lapses
Serious lapses in privacy practices
Substantial and comprehensive privacy threats
Comprehensive consumer surveillance & entrenched hostility to privacy





None of the ranked companies were spared rebuke. Here's a sort of the marks, with the summary justification for each:

Green: None

Blue:
BBC: "Rare in its openness about processing, what for, and how to access data and manage cookies."
eBay: "Good responsiveness. Web beacons and lack of information on retention detracts from score."
LastFM: "More openness on how to appeal would help case. Explicit use of anonymized data is promising, though more detail on how this is done technologically would increase confidence."
Wikipedia: "Lacking in some information, such as contact details. Good statement on retention policy, though unless there is a contact, this is unverifiable."

Yellow:
Bebo: "Prior problems have led to some innovation. Lack of information is problematic. User control increasing."
Amazon: "Amazon has improved much over the years but consumers should be informed on how their clicking, reading, and purchase habits are profiled and used."
Friendster: "Insufficient information to draw compelling conclusions. Lack main point of contact problematic."
LinkedIn: "Use of email addresses of non-users and beacons is questionable. Accessibility of personal profiles could be better managed. Can close account but only via email."
LiveJournal: "More clarity about privacy enhancing innovations is needed. Lax attitude towards addresses is problematic. Good have procedure on breaches."
MySpace: "A mixed bag, with some strong protections and lot of ambiguities. Problematic interpretation of IP addressing data. Invitation recipients can opt-out. Account deletion is unclear."
Skype: "Good promises on deleting invitation email addresses. Lack of contact details is problematic. Lack of openness about software capabilities is problematic. Deletion of traffic data is good statement though less ambiguity about role of laws would help."

Orange:
Microsoft: "More information on retention is required. Policy is too basic despite application to a number of services. Have embedded privacy into many product and service designs, but terrible track record, including recent WGA debacle."
Orkut: "No Orkut-specific privacy contact information. Limited privacy policy. Account deletion good sign. Checkered history in cooperating with governments. Requires registration to view information, but registration applies across Google services."
Xanga: "Invitation process could be better managed. Treatment of IP data is vague. Profiling is mentioned but more clarity is required. Information should not be shared by default. May limit information collected."
YouTube: "Considering the size of YouTube and its owners, the vague information about sharing of personal information with affiliated companies leaves much to be desired. Tracking email reading habits is problematic. Videos are not considered personal information. Explicit statement that 'consent' is presumed in transborder data flows is questionable."

Red:
AOL: "No privacy enhancing innovations apparent though points to privacy services from other companies."
Apple: "Vague privacy policy does not address the advanced level of services offered by Apple, "Could be quite promising if Apple was more open. Good that firm offers access to data subjects. Responsiveness has been poor to date."
FaceBook: "Problematic track history. Uses data from 'other sources', and has not maintained strong security mechanisms. Does not inform on measures being taken now to protect data."
Hi5: "Preposterous use of advertising technique (pop-up window) when clicking on privacy policy. Point of contact being a General Counsel leaves little confidence in responsiveness."
Reunion.com: "Promising for use of email relaying. Data sharing is dangerously vague. Tracking usage is problematic. Historical ethics problems."
Windows Live Spaces: "Problematic use of personal information, without clear statements about retention. Uses almost every means to identify users and track movements."
Yahoo: "Vague privacy policy prevents us from understanding the dynamics of data processing. Using information from other sources is highly problematic. Account closure possibility is good (and honest statement about retention is relatively positive). Lack of information on search and IP data is problematic. Poor track record."

Black:
Google: "Track history of ignoring privacy concerns. Every corporate announcement involves some new practice involving surveillance. Privacy officer tries to reach out but no indication that this has any effect on product and service design or delivery."

According to the report, "The analysis employs a methodology comprising around twenty core parameters. We rank the major Internet players but we also discuss examples of best and worst privacy practice among smaller companies." The "initial assessments" describe performance in ten areas:

Company administrative details
Corporate leadership
Data collection and processing
Data retention
Openness and transparency
Responsiveness
Ethical compass
Customer control
Fair gateways
Privacy enhancing or invading innovations

As for motivation, Privacy International says,

We are increasingly concerned about the recent dynamics in the marketplace. While a number of companies have demonstrated integrity in handling personal information (and we have been surprised by the number of 'social networking' sites which are taking some of these issues quite seriously), we are witnessing an increased 'race to the bottom' in corporate surveillance of customers. Some companies are leading the charge through abusive and invasive profiling of their customers' data. This trend is seen by even the most privacy friendly companies as creating competitive disadvantage to those who do not follow that trend, and in some cases to find new and more innovative ways to become even more surveillance-intensive. We felt that consumers want to know about these surveillance practices so that they can make a better-informed decision about how, whether and with whom they should share their personal information. We also believe that companies need to be more open about how they process information and why it is processed. Most importantly, we wanted to indicate to the marketplace that their surveillance and tracking activities are being scrutinised.

So the idea here isn't just to expose shortcomings, but to put pressure on these services.

But one wonders... Why would all these companies suck so badly at respecting privacy?

I believe there are two reasons: 1) growth in adoption of the advertising-based revenue model that Google pioneered, and now provides for millions of companies, and 2) absence of privacy (or any) control on the user's side other than refusal to cooperate.

As Privacy International puts it, privacy and advertising are strange bedfellows:

The current frenzy to "capture" ad space revenue through the exploitation of new technologies and tools will result in one of the greatest privacy challenges in recent decades. The Internet appears to be shifting as a whole toward this aim...

Although the Net itself isn't shifting anywhere (it's a quibble, but "the Internet" is not the same as the collection of websites and services that reside on it), there is a failure of imagination around business models other than retailing and advertising. Especially advertising. And there's a pile of money in advertising. Especially for Google, which is moving toward a de facto monopoly on the business, if it isn't there already.

In March ComScore published its latest numbers on share of online searches. Google was a hair under 50%, and going steadily up while everybody else was going down. In "searches per user" nobody else came close to Google.

But Google's business model isn't search. It gets because effects off search. Search is free. But because of search, Google makes money with advertising. That's its business model. Part of that business model is putting millions of individuals and companies into the same business. You don't need to sell a single ad to support your site or your blog with advertising. Google AdSense does all the work. It not only does that work for millions of businesses, but creates millions of businesses where before there were none.

The Internet Advertising Bureau and Price Waterhouse say online advertising was $4.9 billion in Q1 of 2007. Google advertising revenues in the same quarter were $3.627450 billion. Do the math. "Google Network Web Sites" revenues were $1.345329 billion. Those revenues were Google's side of the advertising take. The rest of the money went to the site owners.

To make advertising of this sort work best requires maximizing intelligence about users. Does this also require privacy violations? The last quoted paragraph above seems to suggest as much. So I have a question for both Google and Privacy International: Could Google and its partners do as good a job in the advertising business if they did everything it takes to get a green score?

While we're pondering that, let's look at the second problem. Online privacy as we know it today is almost entirely at the grace of the vendors we deal with. The terms are theirs. We accept them or we don't. Other than opting out, we don't have much control on our side. We can't, for example, make a global assertion of anonymity to the world, and then selectively reveal pieces of identity information to vendors, on a private and need-to-know basis that we determine. For the most part we have those privileges when we shop at stores in the physical world. But in the online world we are much more compromised by conditions that are beyond our control. We can be tagged and tracked like animals and never know it.

These conditions will stay out of our control as long as we continue to believe that markets are about supply chasing down and "capturing" demand. There has to be a better way: one that serves demand at least as well as it serves supply. Whatever that better way is, advertising is part of the problem, not the solution.

Even as Google and others put millions more of us into business, it's still the advertising business. And that business is driven entirely by its supply side. Follow the money. Advertisers pay Google and its partners for click-throughs. By making advertising accountable for performance, Google moved the whole category forward an enormous distance. But it's still advertising. And advertising is still woefully inefficient. For every click-through there are hundreds, thousands or millions of "impressions" or "exposures" that are actually neither. They are noise. Instead of wasting trees (as print media do) or time (as broadcasting does), they waste server cycles, packets and pixels. Those come cheap, but they're still waste, still noise, still clutter. They are distractions, and they get in the way.

We can't leave privacy solutions entirely up to large suppliers. That can't work. We can only solve privacy problems by equipping individuals with better ways to control and reveal private information while also finding what they want in the networked world. Until we do that, Privacy International will still be ranking sites with colors other than green.

By the way, next week in San Francisco, leading up to Supernova 2007, there will be an open space workshop at Wharton West. While the Supernova theme is "The New Network", the open space workshop can cover any topic we like. Vendor Relationship Management (which seeks to solve the "advertising problem", among other things) is on the list of proposed session topics (we'll choose those as a group at the start of the day). So are some other excellent topics, including whatever you want to add to the wiki or tell the group about when the day starts. The cost is $25. Includes lunch.

My own fantasy about this is that we get actual developers (folks who write code) to come and help the rest of us work this out. If that's you, please come. There are some pretty big itches to scratch here.