Justifiable Paranoia

Justifiable Paranoia
Growing databases of unregulated information should have you spooked

by Lawrence J. Magid
from Computer Currents

Most frequent Web surfers have probably submitted personal information online, whether it's to ask for tech support, gain access to more in-depth information, or register for a contest. If you're concerned about how that information might be used, you're not alone. And based on my investigations, you have a right to be worried.

I subscribe to The New York Times online (www.nytimes.com), and you can't get past its front door without divulging your name, e-mail address, gender, and age. To its credit, The New York Times Company has a posted privacy policy that states, "Personal information on individual subscribers will not be provided to any third party."

I subscribe to the online version because of its privacy policy and my belief that the New York Times is fundamentally an ethical company. I'm not so sanguine about other sites. According to a study by the Electronic Privacy Information Center (EPIC, www.epic.org), 49 of the 100 most frequently visited Web sites "collect personal information through online registrations, mailing lists, surveys, user profiles, and order fulfillment requirements." Only 17 of the top 100 Web sites have a privacy policy, and none "meet basic standards for privacy protection." (For more information on the study methods, see www.epic.org/Reports/surfer-beware.html.)

Privacy on the Web is not just an issue for individual consumers. It also has enormous economic implications. A 1997 study conducted by the Boston Consulting Group (BCG) for TrustE (www.truste.org) found that "70 percent [of the respondents] worried about online purchases," and "42 percent refuse to provide registration information on the Internet because of privacy concerns." In a blow to marketers and demographers, the study also reported that "27 percent sometimes falsify information because of privacy concerns." When users feel their privacy is being invaded, they're less likely to conduct online transactions or reveal information about themselves that could be used to tailor ads.

Take a Number

Some people say Internet privacy problems are overblown, and solutions to the valid concerns are already here. Engage Technologies (www.engagetech.com) is in the business of collecting and disseminating anonymous, detailed information about the Web sites you and I visit. The company doesn't collect names, e-mail addresses, or any other identifying information, according to spokeswoman Diane Elavsky. Instead, it "develops profiles that identify individuals uniquely by number."

It's a simple concept. Let's say you visit a clothing company's Web site and look at the winter clothing. The site permanently assigns you the number 1234, which identifies you as a unique individual but has no information about who you are. A travel site you use to buy tickets to Vail identifies you the same way. Both of these sites also keep tabs on your habits by recording the pages you viewed, how long you stayed on each page, and how many times you came back. That information is sent to Engage Technology's central database, where it is correlated with yet another number that tracks you across all your sites. Engage sells these viewing records to companies that use the information to tailor advertising to you. For example, you might surf a news site and see ads for ski equipment, even though you haven't filled out a form indicating such interests.

On the surface, it's a win-win situation. Companies can maximize their marketing efforts by presenting you with targeted information, and you're more likely to receive information that's of interest while remaining anonymous. Because Engage knows you as a number, not a name, Elavsky says the company couldn't possibly correlate its information with your actual identify even it was ordered by a court of law.

The Times May Be a Changin'

But remember The New York Times site's promise that your name and e-mail address won't be revealed to a third party? Look a little closer and you'll see that the company "reserves the right, at its discretion, to change, modify, add, or remove portions of this Subscriber Agreement at any time." Other Web sites have similar loopholes that could allow their creators to rewrite policies and correlate the personal information with the data they send to Engage or similar companies. Once that link is made, all guarantees of privacy fly out the window.

Engage says (and I believe it) that this won't happen on its watch. The company is on the forefront of the privacy issue and is a strong supporter of industry programs to guarantee consumer privacy protections. But as EPIC general counsel David Sobel points out, "a year from now it could change its policy." After all, Sobel says, policies, management, and even ownership of companies are in a constant state of change. What appears to be a safe and reasonable privacy policy today could be modified and abused in the future.

Technology is making it easier to warehouse information about individuals, and the only protection we have is the goodwill of companies that say that they won't abuse this information. Sobel says that is "why none of these self-regulatory approaches is sufficient. We need real legal protections."

Bring In the Feds

EPIC isn't endorsing legislation yet but is studying the Consumer Internet Privacy Protection Act of 1997 by Rep. Bruce Vento, D.-Minn. It would require that an "interactive computer service shall not disclose to a third party any personally identifiable information provided by a subscriber to such service without the subscriber's prior informed written consent." (For the full text of the bill, go to thomas.loc.gov and type the bill's title in the Search by Word/Phrase box on the left.) Like any law, this act could be abused or broken and probably isn't enforceable outside of the United States. Yet, it's far more binding and enforceable than the self-regulating policies of any company.

I think long and hard before endorsing any plan to call in the Feds to police the Internet. But when it comes to protecting individual privacy, it's clear that market forces aren't sufficient. While there is money to be made in information, companies will mine as much data as they can. The government shouldn't meddle with commerce, but it does have an obligation to protect the innocent. Vento's bill is on the right track.

Of course, if the government doesn't step in, we could always rely on technology initiatives created by private industry. Firefly Network (www.firefly.net) has developed the Passport program, which lets users create their own personal profiles on participating sites. Then at the user's discretion, it authorizes other Passport-equipped sites to access all or part of the data. Users decide what information to register with Passport and then judge how much to reveal to a particpating site. This set-up eliminates the possibility of information mining without a user's permission. As a bonus, users don't have to retype information at scads of sites. The concept has a lot going for it, but like so many other innovative companies, Firefly was just acquired by Microsoft. Need I say more?