Newer posts are loading.
You are at the newest post.
Click here to check if anything new just came in.

April 01 2012

What is smart disclosure?

Citizens generate an enormous amount of economically valuable data through interactions with with companies and government. Earlier this year, a report from the World Economic Forum and McKinsey Consulting described the emergence of personal data as of a new asset class." The value created from such data does not , however, always go to the benefit of consumers, particularly when third parties collect it, separating people from their personal data.

The emergence of new technologies and government policies has provided an opportunity to both empower consumers and create new markets from "smarter disclosure" of this personal data. Smart disclosure is when a private company or government agency provides a person with periodic access to his or her own data in open formats that enable them to easily put the data to use. Specifically, smart disclosure refers to the timely release of data in standardized, machine readable formats in ways that enable consumers to make better decisions about finance, healthcare, energy or other contexts.

Smart disclosure is "a new tool that helps provide consumers with greater access to the information they need to make informed choices," wrote Cass Sunstein, the U.S. administrator of the White House Office of Information and Regulatory Affairs (OIRA), in a post on smart disclosure on the White House blog. Sunstein delivered a keynote address at the White House Summit on smart disclosure at the U.S. National Archives on Friday. He authored a memorandum providing  guidance on smart disclosure guidance from OIRA in September 2011.

Smart disclosure is part of the final United States National Action Plan for its participation in the Open Government Partnership." Speaking at the launch of the Open Government Partnership in New York City last September, the president specifically referred to the role of smart disclosure in the United States:

"We’ve developed new tools -- called 'smart disclosures' -- so that the data we make public can help people make health care choices, help small businesses innovate, and help scientists achieve new breakthroughs," said President Obama. "We’ve been promoting greater disclosure of government information, empowering citizens with new ways to participate in their democracy," said President Obama. "We are releasing more data in usable forms on health and safety and the environment, because information is power, and helping people make informed decisions and entrepreneurs turn data into new products, they create new jobs."

In the months since the announcement, the U.S. National Science and Technology Council established a smart disclosure task force dedicated to promoting better policies and implementation across government.

"In many contexts, the federal government uses disclosure as a way to ensure that consumers know what they are purchasing and are able to compare alternatives," wrote Sunstein at the White House blog. "Consider nutrition facts labels, the newly designed automobile fuel economy labels, and ChooseMyPlate.gov.  Modern technologies are giving rise to a series of new possibilities for promoting informed decisions."

Smart disclosure is a "case of the Administration asking agencies to focus on making available high value data (as distinct from traditional transparency and accountability data) for purposes other than decreasing corruption in government," wrote New York Law School professor Beth Noveck, the former U.S. deputy chief technology officer for open government, in an email. "It starts from the premise that consumers, when given access to information and useful decision tools built by third parties using that information, can self-regulate and stand on a more level playing field with companies who otherwise seek to obfuscate." The choice of Todd Park as United States CTO also sends a message about the importance of smart disclosure to the administration, she said.

The United Kingdom's “midata” smart disclosure initiative is an important smart disclosure case study outside of the United States. Progress there has come in large part because the UK has a privacy law that gives citizens the right to access their personal data held by private companies, unlike the United States. In the UK, however, companies have been complying with the law in a way that did not realize the real potential value of that right to data, which is to say that a citizen could request personal data and it would arrive the mail weeks later at a cost of a few dozen pounds. The UK government has launched a voluntary public-private partnership to enable companies to comply with the law by making the data available online in open formats. The recent introduction of the Consumer Privacy Bill of Rights from the White House and Privacy Report from the FTC suggests that such rights to personal data ownership might be negotiated, in principle, much as a right to credit reports have been in the past.

Four categories of smart disclosure

One of the most powerful versions of smart disclosure is when data on products or services (including pricing algorithms, quality, and features) is combined with personal data (like customer usage history, credit score, health, energy and education data) into "choice engines" (like search engines, interactive maps or mobile applications) that enable consumers to make better decisions in context, at the point of a buying or contractual decision. There are four broad categories where smart disclosure applies:

  1. When government releases data about products or services. For instance, when the Department of Health and Human Services releases hospital quality ratings, the Security and Exchange Commission releases public company financial filings in machine-readable formats at XBLR.SEC.gov, or the Department of Education puts data about more than 7,000 institutions online in a College Navigator for prospective students.
  2. When government releases personal data about a citizen. For instance, when the Department of Veterans Affairs gives veterans access to health records using at the "Blue Button" or the IRS provides citizens with online access to their electronic tax transcript. The work of BrightScope liberating financial advisor data and 401(k) data has been an early signal of how data drives the innovation economy.
  3. When a private company releases information about products or services in machine readable formats. Entrepreneurs can then use that data to empower consumers. For instance, both Billshrink.com and Hello Wallet may enhance consumer finance decisions.
  4. When a private company releases personal data about usage to a citizen. For instance, when a power utility company provides a household access to its energy usage data through the Green Button or when banks allowing customers to download their transaction histories in a machine readable format to use at Mint.com or similar services. As with the Blue Button for healthcare data and consumer finance, the White House asserts that providing energy consumers with secure access to information about energy usage will increase innovation in the sector and empower citizens with more information.

An expanding colorwheel of buttons

Should smart disclosure initiatives continue to gather steam, citizens could see “Blue Button”-like and "Green Button"-like solutions for every kind of data government or industry collects about citizens.  For example, the Department of Defense has military training and experience records. Social Security and the Internal Revenue Service have the historical financial history of citizens, such as earnings and income. The Department of Veterans Affairs and Centers for Medicare and Medicaid Services have personal health records.

More "Green Button"-like mechanisms could enable secure, private access to private industry collects about citizen services. The latter could includes mobile phone bills, credit card fees, mortgage disclosures, mutual fund fee and more, except where there are legal restrictions, as for national security reasons.

Earlier this year, influential venture capitalist Fred Wilson encouraged entrepreneurs and VCs to get behind open data. Writing on his widely read blog, Wilson urged developers to adopt the Green Button.

"This is the kind of innovation that gets me excited," Wilson wrote. "The Green Button is like OAuth for energy data. It is a simple standard that the utilities can implement on one side and web/mobile developers can implement on the other side. And the result is a ton of information sharing about energy consumption and in all likelihood energy savings that result from more informed consumers.

When citizens gain access to data and put it to work, they can tap it to make better choices about everything from finance to healthcare to real estate, much in the same way that Web applications like Hipmunk and Zillow let consumers make more informed decisions.

"I'm a big fan of simplicity and open standards to unleash a lot of innovation," wrote Wilson. "APIs and open data aren't always simple concepts for end users. Green Buttons and Blue Buttons are pretty simple concepts that most consumers will understand. I'm hoping we soon see Yellow Buttons, Red Buttons, Purple Buttons, and Orange Buttons too. Let's get behind these open data initiatives. Let's build them into our apps. And let's pressure our hospitals, utilities, and other institutions to support them."

The next generation of open data is personal data, wrote open government analyst David Eaves this month:

I would love to see the blue button and green button initiative spread to companies and jurisdictions outside the United States. There is no reason why for example there cannot be Blue Buttons on the Provincial Health Care website in Canada, or the UK. Nor is there any reason why provincial energy corporations like BC Hydro or Bullfrog Energy (there's a progressive company that would get this) couldn't implement the Green Button. Doing so would enable Canadian software developers to create applications that could use this data and help citizens and tap into the US market. Conversely, Canadian citizens could tap into applications created in the US.

The opportunity here is huge. Not only could this revolutionize citizens access to their own health and energy consumption data, it would reduce the costs of sharing health care records, which in turn could potentially create savings for the industry at large.

Data drives consumer finance innovation

Despite recent headlines about the Green Button and the household energy data market, the biggest US smart disclosure story of this type is currently consumer finance, where there is already significant private sector activity going on today.

For instance, if a consumer visits Billshrink.com, you can get personalized recommendations for a cheaper cell phone plan based on your calling history. Mint.com will make specific recommendations on how to save (and alternative products to use) based on an analysis of the accounts it is pulling data from. Hello Wallet is enabled by smart disclosure by banks and government data. The sector's success hints at the innovation that's possible when people get open, portable access to their personal data in a a consumer market of sufficient size and value to attract entrepreneurial activity.

Such innovation is enabled in part because entrepreneurs and developers can go directly to data aggregation intermediaries like Yodlee or CashEdge and license the data, meaning that they do not have to strike deals directly with each of the private companies or build their own screen scraping technology, although some do go it alone.

"How do people actually make decisions?  How can data help improve those decisions in complex markets?  Research questions like these in behavioral economics are priorities for both the Russell Sage Foundation and the Alfred P. Sloan Foundation," said Daniel Goroff, a Sloan Program Director, in an interview yesterday.  "That's why we are launching a 'Smart Disclosure Research and Demonstration Design Competition.'  If you have ideas and want to win a prize,  please send Innocentive.com a short essay.  Even if you are not in a position to carry out the work, we are especially interested in finding and funding projects that can help measure the costs and benefits of existing or novel 'choice engines.'" 

What is the future of smart disclosure?

This kind of vibrant innovation could spread to many other sectors, like energy, health, education, telecommunication, food and nutrition, if relevant data were liberated. The Green Button is an early signal in this area, with the potential to spread to 27 million households around the United States. The Blue Button, with over 800,000 current users, is spreading to private health plans like Aetna and Walgreens, with the potential to spread to 21 million users.

Despite an increasingly number of powerful tools that enable data journalists and scientists to interrogate data, many of even the most literate consumers do not look at data themselves, particularly if it is in machine-readable, as opposed to human-readable formats. Instead, they digest it from ratings agencies, consumer reports and guides to the best services or products in a given area. Increasingly, entrepreneurs are combining data with applications, algorithms and improved user interfaces to provide consumers with "choice engines."

As Tim O'Reilly outlined in his keynote speech yesterday, the future of smart disclosure includes more than quarterly data disclosure from the SEC or banks. If you're really lining up with the future, you have to think about real-time data and real-time data systems, he said. Tim outlined 10 key lessons his presentation, an annotated version of which is embedded below.

The Future of Smart Disclosure (pdf)
View more presentations from Tim O'Reilly

When released through smart disclosure, data resembles a classic "public good" in a broader economic sense. Disclosures of such open data in a useful format are currently under-produced by the marketplace, suggesting a potential role for government in the facilitation of its release. Generally, consumers do not have access to it today.

Well over a century ago, President Lincoln said that "the legitimate object of government is to do for the people what needs to be done, but which they cannot by individual effort do at all, or do so well, for themselves." The thesis behind smart disclosure in the 21st century is that when consumers have access to that personal data and the market creates new tools to put to work, citizens will be empowered make economic, education and lifestyle choices that enable to them to live healthier, wealthier, and -- in the most aspirational sense -- happier lives.

"Moving the government into the 21st century should be applauded," wrote Richard Thaler, an economics professor at the University of Chicago, in the New York Times last year. In a time when so many citizens are struggling with economic woes, unemployment and the high costs of energy, education and healthcare, better tools that help them invest and benefit from personal data are sorely needed..

March 27 2012

FTC calls on Congress to enact baseline privacy legislation and more transparency of data brokers

Over a century ago, Supreme Court Justice Lewis Brandeis "could not have imagined phones that keep track of where we are going, search engines that predict what we're thinking, advertisers that monitor what we're reading, and data brokers who maintain dossiers of every who, what, where, when and how of our lives," said Federal Trade Commission Chairman Jon Leibowitz yesterday morning in Washington, announcing the release of the final version of its framework on consumer privacy.,

"But he knew that, when technology changes dramatically, consumers need privacy protections that update just as quickly. So we issue our report today to ensure that, online and off, the right to privacy, that 'right most valued by civilized men,' remains relevant and robust to Americans in the 21st century as it was nearly 100 years ago."

What, exactly, privacy means in this digital age is still being defined all around us, reflected in the increasing number of small screens, cameras and explosion of data. The FTC's final report, "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers," makes a strong recommendation to Congress to draft and pass a strong consumer privacy law that provides rules of the road for the various entities that have the responsibility for protecting sensitive data.

The final report clearly enumerates the same three basic principles that the draft of the FTC's privacy framework outlined for companies :

  1. Privacy by design, where privacy is "built in" at every stage that an application, service or product is developed
  2. Simplified choice, wherein consumers are empowered to make informed decisions by clear information about how their data will be used at a relevant "time and context," including a "Do Not Track" mechanism, and businesses are freed of the burden of providing unnecessary choices
  3. Greater transparency, where the collection and use of consumer data is made more clear to those who own it.

"We are demanding more and better protections for consumer privacy not because industry is ignoring the issue," said Leibowitz today. "In fact, the best companies already follow the privacy principles we lay out in the report. In the last year, online advertisers, major browser companies, and the W3C -- an Internet standard setting group -- have all made strides towards putting into place the foundation of a Do Not Track system, and we commit to continue working with them until all consumers can easily and effectively choose not to be tracked. I'm optimistic that we'll get the job done by the end of the year."

According to the FTC, the nation's top consumer watchdog received over 450 comments on the draft online privacy report that it released in December 2010. In response to "technological advances" and comments, the FTC revised the privacy framework in several areas. (For a broad overview of the final FTC privacy framework, read Dan Rowinski's overview at ReadWriteWeb and the Information Law Group's summary of the commission report on consumer privacy).

First, it will not apply to "companies that collect and do not transfer only non-sensitive data from fewer than 5,000 consumers a year," which would have been a burden on small businesses. Second, the FTC has brought action against Google and Facebook since the draft report was issued. Those actions -- and the agreements reached -- provide a model and guidance for other companies.

Third, the FTC made specific recommendations to companies that offer mobile services that include improved privacy protections and disclosures that are short, clear and effective on small screens. Fourth, the report also outlined "heightened privacy concerns" about large platform providers, such as ISPs, "operating systems, browsers and social media companies," seeking to "comprehensively track consumers' online activities." When asked about "social plug-ins" from such a platform, chairman Leibowitz provided Facebook's "Like" button as an example. (Google's +1 button is presumably another such mechanism.)

Finally, the final report also included a specific recommendation with respect to "data brokers," which chairman Leibowitz described as "cyberazzi" on Monday, echoing remarks at the National Press Club in November 2011. Over at Forbes, Kashmir Hill reports that the FTC officially defined a data broker as those who “collect and traffic in the data we leave behind when we travel through virtual and brick-and-mortar spaces."

During the press conference, chairman Leibowitz said that American citizens should be able to learn see what information is held by them and "have the right to correct inaccurate data," much as they do with credit reports. Specifically, the FTC has called on data brokers to "make their operations more transparent by creating a centralized website to identify themselves, and to disclose how they collect and use consumer data. In addition, the website should detail the choices that data brokers provide consumers about their own information."

While the majority of the tech media's stories about the FTC today focused on "Do Not Track" prospects and mechanisms, or the privacy framework's impact on mobile, apps and social media, the reality of this historic moment is it's world's world's data brokers that currently hold immense amounts of information regarding just about everyone "on the grid," even if they never "Like" something on Facebook, turn on a smartphone or buy and use an app.

In other words, even though the FTC's recommendations for privacy by design led TechMeme yesterday, that's wasn't new news. CNET's Declan McCullagh, one of the closest observers of Washington tech policy in the media, picked up on the focus, writing that FTC stops short of calling for a new DNT law but "asks Congress to enact a new law that "would provide consumers with access to information about them held by a data broker" such as Lexis Nexis, US Search, or Reed Elsevier subsidiary Choicepoint -- many of which have been the subject of FTC enforcement actions in the last few years." As McCullagh reported, the American Civil Liberties Union "applauded" the FTC's focus on data brokers.

They should. As Ryan Singel pointed out at Wired, the FTC's report does "call for federal legislation that would force transparency on giant data collection companies like Choicepoint and Lexis Nexis. Few Americans know about those companies’ databases but they are used by law enforcement, employers and landlords."

Would we, as Hill wondered, be less freaked out if we could see what data brokers have on us? A good question, and one that, should the industry coalesce around providing consumers access to their personal data in that context, just as utilities are beginning to do with energy data.

Another year without privacy legislation?

Whether it's "baseline privacy protections" or more transparency for data brokers, the FTC is looking to Congress to act. Whether it will or not is another matter. While the Online privacy debate was just about as hot in Washington nearly two years ago as it is today, no significant laws were passed.The probability of significant consumer privacy legislation advancing in this session of Congress, however, currently appears quite low. While at least four major privacy bills have been introduced in the U.S. House and Senate, "none of that legislation is likely to make it into law in this Congressional session, however, given the heavy schedule of pending matters and re-election campaigns," wrote Tanzina Vegas and Edward Wyatt in the New York Times.

The push the FTC gave yesterday was welcomed in some quarters. "We look forward to working with the FTC toward legislation and further developing the issues presented in the report," said Leslie Harris, president of the Center for Democracy and Technology (CDT), in a prepared release. CDT also endorsed the FTC's guidance on "Do Not Track" and focus on large platform providers. Earlier this winter, a coalition of Internet giants, including Google, Yahoo, Microsoft, and AOL, have committed to adopt “Do Not Track technology” in most Web browsers by the end of 2012. These companies, which deliver almost 90 percent of online behavioral advertisements, have agreed not to track consumers if they choose to opt out of online tracking using the Do Not Track mechanism, which will likely manifest as a button or browser plug-in. All companies that have made this commitment will be subject to FTC enforcement.

By way of contrast, Jim Harper, the Cato Institute's director of information policy studies, called the framework a "groundhog report on privacy," describing it as "regulatory cheerleading of the same kind our government’s all-purpose trade regulator put out a dozen years ago." In May of 2000, wrote Harper, "the FTC issued a report finding “that legislation is necessary to ensure further implementation of fair information practices online” and recommending a framework for such legislation. Congress did not act on that, and things are humming along today without top-down regulation of information practices on the Internet."

Overall, the "industry here has a self-interest beyond avoiding legislation," said Leibowitz during today's press conference. Consumers have very serious concerns about privacy, he went on, alluding to polling data, surveys and conversations, and "better, clearer privacy policies" will lead to people having "more trust in doing business online."


This FTC privacy framework and the White House's consumer privacy bill of rights will, at minimum, inform the debates going forward. What happens next will depend upon Congress finding a way to protect privacy and industry innovation. It will be a difficult balance to strike, particularly given concerns about protecting children online and the continued march of data breaches around the country.

Making technology more accessible

I interviewed Princeton professor Ed Felten, the FTC's chief technologist and co-author of "Government Data and the Invisible Hand" (2009) after yesterday's FTC press conference at FTC headquarters in D.C. In December 2010, we spoke about the FTC's 'Do Not Track' proposal, after the release of the draft report.

Felten launched "Tech at the FTC" last Friday morning, a new blog that he hopes will play a number of different roles in the discussion of technology, government and society.

"It will combine Freedom to Tinker posts," he said, "some of which were op-ed, some more like teaching. The latter is what I'm looking for: explanations of sophisticated technical information that cross over to a non-technical audience."

Felten wants to start a conversation that's "interesting to general public" and "draws them into the discussion" about the intersection of regulation and technology. One aspect of that will be a connected Twitter account, @TechFTC, along with his established social identity, @EdFelten.

Possible future topics will include security issues around passwords and authentication of people in digital environments, both of which Felten finds interesting as they relate to policy. He said that he expects to write about technology stories that are in the news, with the intent of helping citizens to understand at an accessible level what the take away is for them.

Social media and the Internet are "useful to give people a window into the way people in government are thinking about these issues," said Felten. "They let people see that people in government are thinking about technology in a sophisticated way. It's easy to fall into the trap where people in government don't know about technology. That's part of the goal: speak to the technical community in their language.

"Part of my job is to be an ambassador to the technology community, through speaking to and with the public," said Felten. "The blog will help people know how to talk to the FTC and who to talk to, if they want to. People think that we don't want to talk to them. Just emailing us, just calling us, is usually the best way to get a conversation started. You usually don't need a formal process to do this -- and those conversations are really valuable."

In that context, he plans to write more posts like the one that went live Monday morning, on tech highlights of the FTC privacy report, in which he highlighted four sections of the framework that the computer science professor thought would be of interest to techies:

  1. De-identified data (pp. 18-22):   Data that is truly de-identified (or anonymous) can’t be used to infer anything about an individual person or device, so it doesn’t raise privacy concerns.  Of course, it’s not enough just to say that data is anonymous, or that it falls outside some narrow notion of PII.   But beyond that, figuring out whether your dataset is really de-identified can be challenging. If you’re going to claim that data is de-identified, you need to have a good reason-the report calls it a “reasonable level of justified confidence”-for claiming that the data does not allow inferences about individuals.  What “reasonable” means-how confident you have to be-depends on how much data there is, and what the consequences of a breach would be.  But here’s a good rule of thumb: if you plan to use a dataset to personalize or target content to individual consumers, it’s probably not de-identified.
  2. Sensitive data (pp. 47-48):  Certain types of information, such as health and financial information, information about children, and individual geolocation, are sensitive and ought to be treated with special care, for example by getting explicit consent from users before collecting it.   If your service is targeted toward sensitive data, perhaps because of its subject matter or target audience, then you should take extra care to provide transparency and choice and to limit collection and use of information.  If you run a general-purpose site that incidentally collects a little bit of sensitive information, your responsibilities will be more limited.

  • Mobile disclosures (pp. 33-34): The FTC is concerned that too few mobile apps disclose their privacy practices.  Companies often say that users accept their data practices in exchange for getting a service.  But how can users accept your practices if you don’t say what they are?  A better disclosure would tell users not only what data you’re collecting, but also how you are going to use it and with whom you’ll share it.   The challenging part is how to make all of this clear to users without subjecting them to a long privacy policy that they probably won’t have time to read.   FTC staff will be holding a workshop to discuss these issues.

  • Do Not Track (pp. 52-55): DNT gives users a choice about whether to be tracked by third parties as they move across the web.  In this section of the report, the FTC reiterates its five criteria for a successful DNT system, reviews the status of major efforts including the ad industry’s self-regulatory program and the W3C’s work toward a standard for DNT, and talks about what steps remain to get to a system that is practical for consumers and companies alike.


  • When asked about what the developers and founders of startups should be thinking about with respect to the FTC's privacy framework, Felten emphasized those three basic principles -- privacy by design, simplified choice, greater transparency -- and then offered some common sense:

    "Start with the basic question of 'what Section 5 means for you,' he suggested. "If you make a promise to consumers in your privacy policy, consumers are entitled to rely on that. The FTC has brought cases against companies that made them and didn't hold up their responsibility around privacy. You have a responsibility to protect consumer data. If not, you may find yourself on the wrong side of the FTC act if there's a breach and it harms consumers."

    Older posts are this way If this message doesn't go away, click anywhere on the page to continue loading posts.
    Could not load more posts
    Maybe Soup is currently being updated? I'll try again automatically in a few seconds...
    Just a second, loading more posts...
    You've reached the end.

    Don't be the product, buy the product!

    Schweinderl