NEW YORK (CNNfn) - People are following you. They know your name, address, phone number, marital status, number of children, age and approximate income level. They know what publications you read, what catalogs you receive, what Web sites you visit, and what products you buy both online and off.
Are you paranoid? No, you're just a typical Web surfer living in what author and privacy expert Simson Garfinkel calls "a database nation."
Thanks to advances in technology, surfing the Internet is about as private an experience as getting undressed in the window of Macy's in midtown Manhattan. It's as if a camera shutter clicks every time a person's mouse clicks on a Web page or banner advertisement.
Privacy advocates fear the ability of marketers to track your surfing and buying patterns will inevitably lead to abuses.
"Before the Internet, direct marketers didn't have access to every article you were reading," said Tara Lemmey, president of the Electronic Frontier Foundation, an Internet public policy group. "There is a fine line between targeting and stalking, and the advertisers and direct marketers have crossed the line."
 Gathering information about consumers is certainly not new. After all, credit reporting agencies and direct marketing firms have kept detailed files about consumers' payment histories and buying patterns for decades. The credit reporting firm Equifax Inc., for example, was founded in 1899 and kept credit information about individual consumers on index cards before computers were invented.
Information gathering is faster and cheaper today
However, the advent of the Internet has made this type of information gathering much easier, faster, and cheaper. The plummeting costs of data entry, computer processing, storage, and communications are making it economical even for small companies to record every detail of their interactions with customers for later use and sale. In addition, the use of the Internet has raised more questions about who should have access to detailed personal information and whether consumers should be able to own or change information about themselves.
Click here for CNNfn.com and Moneyline's special report on Internet privacy.
"The Internet reduces the cost of gathering information about consumers to practically zero," said Jason Catlett, president of the privacy advocacy and consulting firm Junkbusters in Green Brook, NJ. "Sending a piece of direct mail to a household costs about one dollar, so no one is going to send you 10,000 pieces of mail, but the cost of contacting you in the online world is virtually zero."
"In some ways, gathering marketing information has reached an entirely new level on the Internet," said Andrew Shen, a policy analyst at the Electronic Privacy Information Center, a privacy advocacy organization in Washington, D.C. "Most online information gathering techniques are equivalent to a marketing analyst following you around for a day with a clipboard writing down everything that you do."
It's all about the cookie
The main method Web sites, including CNNfn.com, use to track surfers' online activities is the "cookie." A cookie is a unique identifier, usually a string of random-looking letters, that a Web server places on your computer's hard drive when you access a Web site. While cookies don't give a Web site any personal information, such as your name or address, they create a unique identity for your browser so that a site recognizes you if you visit again using the same computer terminal. In some ways, cookies benefit web surfers; without them, people would have to enter a user name and password over and over to see any personalized content on the Web. However, cookies also act like hidden cameras or microphones capturing computer users' movements.
While almost all commercial Web sites use cookies, the real masters of distributing cookies and deriving marketing data from them are the Internet advertising firms, such as DoubleClick Inc (DCLK: Research, Estimates).
DoubleClick, which places advertising banners on Web sites and keeps track of who views them, is facing inquiries by the Federal Trade Commission, as well as the attorneys general of New York and Michigan over a plan to merge the data it currently collects with people's names and addresses. Last week, the company said it will hold off on merging the data until the government and industry agree on privacy standards.
Click here for more on the DoubleClick controversy.
To be sure, much of this information gathering actually benefits consumers. Detailed marketing databases enable companies to better tailor their products and services to consumer demands.
By performing statistical analysis of database information on consumers, direct mailers have been able to cut from their lists consumers who are unlikely to buy the product being pitched. As an example, the marketing database firm Abacus Direct, now owned by DoubleClick, says that it saved companies from sending out 50 million catalogs last year by enabling them to create more focused and targeted mailing lists.
On the other hand, privacy advocates say that the sheer volume of personal information stored in online and offline databases creates a threat that this information could be used to "redline" some consumers, possibly causing them to be denied employment, insurance, or high quality customer service. Companies already are using Customer Relationship Management software to provide higher quality customer service to their most profitable customers than to their more marginal ones.
"It is an apparent contradiction that to get the marketers to send you fewer things you have to tell them more about you," said Database Nation author Garfinkel.
Lawmakers turn their attention to privacy
Public outcry about the lack of privacy on the Internet has caught the attention of both federal and state lawmakers. There are 131 Internet or electronic mail privacy bills pending in 31 states, and 55 to 60 state legislators have introduced privacy legislation over the past few months, according to Andrew Mathews, communications and research manager at the Internet Alliance, a Washington, D.C.-based trade group owned by the Direct Marketing Association.
The Federal Trade Commission announced in February that it is conducting a broad-based survey of the information collection practices of U.S. commercial Web sites, including all of the 100 most heavily trafficked sites. The FTC also has formed an advisory committee on online access and security. The members of this committee are a "who's who" among e-commerce experts, online businesses, security specialists, and consumer and privacy advocates.
Despite all of the controversy over both online and offline privacy, the U.S. still hasn't enacted any broad-based privacy laws that resemble what the European Union did with its 1995 directive on the protection of personal data. The EU directive lays down common rules to be observed by companies that collect or transmit personal information. It obligates companies to collect information only for "specified, explicit, and legitimate purposes" and to hold that data "only if it is relevant, accurate, and up-to-date."
The directive gives European consumers the right to access information about themselves, the right to know where the data originated, the right to have inaccurate information corrected, and a right of recourse against companies that use their data illegally.
By contrast, the U.S. has taken a more patchwork approach to privacy regulation. Some forms of personal information are shielded from being viewed or sold, while other forms aren't.
"This sectoral approach has several weaknesses," Marc Rotenberg, the director of the Electronic Privacy Information Center, said in testimony before a House committee. "We have federal privacy laws for video records but not for medical records. There are federal privacy laws for cable subscriber records but not for insurance records."
Currently, the FTC can take action against a Web site's information gathering practices only if the site violates its own publicly stated privacy statement. If a site makes no promises to protect the privacy of personal information, then it is pretty much free to do anything it wants with information it collects from surfers. According to an Internet privacy policy survey by Georgetown University, more than one-third of Websites surveyed had no privacy disclosures. Even when sites do have privacy statements, they tend to be written in difficult to understand legal language, and the burden is on the site visitor to read them.
"Many posted privacy statements are hard to locate, read, and understand," said FTC Chairman Robert Pitofsky in a recent speech in Washington, D.C. "Further, other aspects of what have come to be known as fair information practices, like the requirement that online participants have a reasonable opportunity to see what information has been collected about them and to correct errors that creep into a database, have barely been addressed."
Privacy has a dollar value for consumers
Many leading technology companies and Web sites have responded to consumers' concerns with their own voluntary privacy initiatives. They've done this because they realize that privacy has a dollar value for consumers, and the absence of privacy can cause lost revenue. A recent survey conducted by IBM and Harris Poll found that 61 percent of Internet users have refused to purchase a good or service from Web sites because they were unsure about how their personal information would be used. Microsoft Corp (MSFT: Research, Estimates), one of the largest online advertisers, has adopted a policy under which it will not place corporate advertising with sites that don't have privacy statement complying with what the industry and the federal government call "fair information practices."
Web-based companies have increasingly turned to outside organizations to provide independent certifications that their sites comply with their posted privacy policies. A non-profit organization in Cupertino, Calif. called TRUSTe provides its member sites with an online branded seal. TRUSTe awards its seal only to sites that adhere to its privacy principles of "disclosure, choice, access, and security." TRUSTe also provides ongoing oversight of its members' privacy policies and a mechanism for consumers to resolve complaints if a site violates its own privacy policy. To date, about 1,350 Websites have the TRUSTe seal, including half of the top 100 sites and 29 of the top 50.
"The TRUSTe seal is the most prominent symbol on the Internet, ahead of the symbols for Microsoft and America Online," said TRUSTe spokesman Dave Steer.
However, some privacy advocates say that TRUSTe lacks credibility because it has never revoked a member site's seal, even when a site has committed violations of its own privacy policies. TRUSTe's Steer responds that while the organization hasn't yet revoked a seal, it has forced several sites to change their information collection and handling procedures by threatening to terminate their membership.
"In virtually all of the eligible complaints from Web users, we were able to resolve the situation to the user's satisfaction," Steer said. "Our goal is not to punish anyone; our goal is to resolve disputes."
Click here to read CNNfn.com's privacy statement.
However, many large sites, including Amazon.com (AMZN: Research, Estimates), aren't members of TRUSTe. In addition, the private sector's approach of publishing privacy statements places the burden on consumers to read those statements each time they visit a new site and to actively "opt-out" of having information collected about them if they want a greater degree of privacy than the site offers. Amazon.com's privacy statement illustrates this:
"Amazon.com does not sell, trade, or rent your personal information to others. We may choose to do so in the future with trustworthy third parties, but you can tell us not to by sending a blank e-mail message to never@amazon.com," the statement says.
At the end of February, the Web portal AltaVista, which is owned by CMGI Inc. (CMGI: Research, Estimates), became the first major Web site to break from the "opt-out" system. Under its new policy, AltaVista will not share personal information about its registered users with advertisers unless users check a box giving AltaVista permission to do so.
"Our privacy policy has always been based on trust by seeking permission to use people's information," said AltaVista spokesman David Emanuel. "This change leaves no room for misunderstanding or confusion."
A call for government regulation
Privacy advocates say that the private sector's efforts to protect privacy have been inadequate and that Congress needs to pass privacy legislation based on a Code of Fair Information Practices that was developed by a government commission under the Nixon administration.
"We have reached critical mass with people getting concerned about their privacy," said the Electronic Frontier Foundation's Lemmey. "The government allowing the industry to regulate itself has been more of a grace period."
"Almost every privacy abuse comes from the failure of a company or government to uphold the principles of the Fair Information Practices," said author Garfinkel. "There should be no secret databases. You should have a right to see your record in a database and to correct it. Information collected for one purpose shouldn't be used for another purpose without your permission, and companies that collect personal information should treat it with respect, controlling who has access to it."
Consumers aren't waiting for Congress and the FTC to act; they're already starting to protect their privacy using software that filters out banner advertisements or makes their Web surfing activities anonymous. A Montreal-based software company called Zero-Knowledge has released a privacy technology that enables people to surf the Web, send e-mail, post to newsgroups, and chat via untraceable digital identities called "nyms."
An international industry group called the World Wide Web Consortium is working on a technology called Platform for Privacy Preferences, or P3P, that could save Web surfers from having to read the privacy policies of each site they visit. The goal of P3P is to develop a single platform for privacy preferences. If all Web sites had privacy statements created using the P3P standard, then Web browsers would be able to automatically compare surfers privacy preferences with the privacy policies of the sites they visit. If a site had a lower privacy standard than a visitor's privacy preferences, then the browser software would automatically warn the visitor.
"Microsoft is in the early stages of investigating the development of software that would automatically compare a Web site's privacy policy with the user's personal privacy preferences," said Richard Purcell, director of corporate privacy for Microsoft. "We feel we have the opportunity to deliver to the marketplace tools that enhance consumers' control over their personal information."
Abner Germanow, a senior research analyst at the technology research firm International Data Corp., is researching a report called "Internet Privacy: Business Opportunity or Lost Cause?". His conclusion is that there is a market opportunity for hardware and software firms that enable consumers to control their privacy.
The demand for privacy protection products will be driven by companies frequently being caught with their hands in the cookie jar.
"A lot of security and privacy tends to be reactive," Germanow said. "Companies will do something until someone finds out about it. Or employees will do something that upper management doesn't know about. As a result, there will be a constant flow of privacy violations." 
|
