
Commentary: Complex privacy issues demand enforcement

A privacy audit by a Big Five accounting firm is a nice marketing move by Expedia.com, but questions still remain regarding online privacy.

A privacy audit by a Big Five accounting firm is a nice marketing move by Expedia.com, and such audits may give users of dot-coms some reassurance. But they hardly answer all the questions about online privacy, and their legitimacy in a court of law in the event an audited site is sued is questionable.

The first of these questions is, what is the definition of privacy? Currently, no legal definition of privacy exists in the United States, and though some European countries have very strict privacy rules, they are not evenly enforced. For example, France forbids companies to remove personal information about customers from the country without specific authorization. This all but blocks companies from creating worldwide customer relationship management systems that include French citizens and organizations, which is a major constraint in the increasingly global economy.

Without a legal standard against which to judge a dot-com's privacy policies and enforcement, a privacy audit is of dubious legal value. However, the problem with defining privacy is that different people have different expectations of what that definition should be.

See news story: Accounting companies tackle online privacy concerns

Defining the legitimate needs for medical record privacy, for instance, has proven to be a complex task that has occupied experts at the U.S. Department of Health and Human Services (HHS), state agencies and legislatures, and a variety of private industry associations for years.

HHS is currently regulating medical record privacy under provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the federal government is regulating privacy in some other very specific areas, but so far it has taken no action on the privacy of personal records on the Internet in general.

Once legal privacy has been defined, enforcing it becomes a second complex issue. How extensive do privacy policies need to be? Are they solely focused on corporate Internet sites, or do they impact other corporate business practices as well? How secure must the records on a site be against hackers breaking in, in order to satisfy legal requirements? What damages are reasonable when a person's legal privacy is violated? These and other questions still need to be decided, either through legislation or court action.

Once these questions are answered, an outside audit could become part of an overall effective corporate privacy policy. After all, standard accounting methods were developed when it became clear that investors were getting cheated by companies that played with their books. Corporate annual reports now contain standard statements from independent auditors attesting to the figures presented in those reports. We expect something similar to develop in the privacy area over the next two years, so that two years from now the auditing statements in corporate annual reports will cover privacy as well as accounting.

We believe that the U.S. government inevitably will become involved in deciding many of the basic privacy issues, either directly through legislation and regulation or indirectly by naming an independent group as its proxy to create privacy regulations that are enforceable in civil court.

Tactically, we believe that several other classes of third parties will become involved in these privacy issues. As the PwC-Expedia announcement exemplifies, audit organizations will play a role in reviewing whether corporations have appropriate privacy policies and the processes to actually live by these policies. Organizations like the Better Business Bureau Online and other consumer advocates will play a role as lightning rods for consumer complaints, cataloging actual instances of privacy abuses. Security and other information technology vendors will enable these policies through new features and capabilities, particularly through support for digital signatures. However, the onus will come back to corporations that must make these policies part of their cultures.

The larger issue is just what level of privacy individuals and organizations can reasonably expect in a world in which hackers and accidents can reveal any information online to a worldwide public at any moment. The entire area of privacy is eroding rapidly for everyone. Today anyone can easily get a great deal of information on virtually any individual or organization that would have been very hard to acquire a decade ago, and any action that anyone makes online is potentially a matter of public record. People have already been fired from their jobs because of things they put into emails they thought private.

Privacy is a larger issue now partly because of the collapse of many dot-coms. Often, the only thing left of value in these failed firms is their customer list. Companies are interested in buying those lists, but if the only thing they can do with them is continue the original dot-com's services, their interest will evaporate.

"Ultimately, the only safe rule is, if you don't want everyone worldwide to know you said something, don't say it," observes META Group analyst William Zachmann. "If you don't want everyone to know you did something, don't do it, at least online. We may be witnessing the start of a major evolution in personal ethics, driven by the all-seeing Web."

Companies need to go beyond a simple certification of privacy from a Big Five firm and make a strong privacy policy part of their normal business methodology. To do this, we recommend that Global 2000 companies appoint corporatewide chief security/privacy officers with the power to make and enforce strong privacy policy throughout the organization. Privacy needs to be part of all corporate activities, not just pasted onto the corporate Web site as an afterthought.

META Group analysts Dale Kutnick, David Cearley, Val Sribar, Peter Burris, Mike Gotta and William Zachmann contributed to this article.

Entire contents, Copyright © 2000 Meta Group, Inc. All rights reserved.