A privacy audit by a Big Five accounting firm is a nice marketing move by Expedia.com, and such audits may give users of dot-coms some reassurance. But they hardly answer all the questions about online privacy, and whether such an audit would carry any weight in a court of law if the audited site were sued is open to question.
The first of these questions is, what is the definition of privacy? Currently, no legal definition of privacy exists in the United States, and though some European countries have very strict privacy rules, they are not evenly enforced. For example, France forbids companies to remove personal information about customers from the country without specific authorization. This all but blocks companies from creating worldwide customer relationship management systems that include French citizens and organizations, which is a major constraint in the increasingly global economy.
Without a legal
Defining the legitimate needs for medical record privacy, for instance, has proven to be a complex task that has occupied experts at the U.S. Department of Health and Human Services (HHS), state agencies and legislatures, and a variety of private industry associations for years.
HHS is currently regulating medical record privacy under provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the federal government is regulating privacy in some other very specific areas, but so far it has taken no action on the privacy of personal records on the Internet in general.
Once legal privacy has been defined, enforcing it becomes a second complex issue. How extensive do privacy policies need to be? Are they solely focused on corporate Internet sites, or do they impact other corporate business practices as well? How secure must the records on a site be, to satisfy legal requirements, if hackers break in? What damages are reasonable when a person's legal privacy is violated? These and other questions still need to be decided, either through legislation or through court action.
We believe that the U.S. government inevitably will become involved in deciding many of the basic privacy issues, either directly through legislation and regulation or indirectly by naming an independent group as its proxy to create privacy regulations that are enforceable in civil court.
Tactically, we believe that several other classes of third parties will become involved in these privacy issues. As the PwC-Expedia announcement exemplifies, audit organizations will play a role in reviewing whether corporations have appropriate privacy policies and the processes to actually live by these policies. Organizations like the Better Business Bureau Online and other consumer advocates will play a role as lightning rods for consumer complaints, cataloging actual instances of privacy abuses. Security and other information technology vendors will enable these policies through new features and capabilities, particularly through support for digital signatures. However, the onus will come back to corporations that must make these policies part of their cultures.
The larger issue is just what level of privacy individuals and organizations can reasonably expect in a world in which hackers and accidents can reveal any information online to a worldwide public at any moment. The entire area of privacy is eroding rapidly for everyone. Today anyone can easily get a great deal of information on virtually any individual or organization that would have been very hard to acquire a decade ago, and any action that anyone takes online is potentially a matter of public record. People have already been fired from their jobs because of things they put into emails they thought were private.
Privacy is a larger issue now partly because of the collapse of many dot-coms. Often, the only thing left of value in these failed firms is their customer list. Companies are interested in buying those lists, but if the only thing they can do with them is continue the original dot-com's services, their interest will evaporate.
"Ultimately, the only safe rule is, if you don't want everyone worldwide to know you said something, don't say it," observes META Group analyst William Zachmann. "If you don't want everyone to know you did something, don't do it, at least online. We may be witnessing the start of a major evolution in personal ethics, driven by the all-seeing Web."
META Group analysts Dale Kutnick, David Cearley, Val Sribar, Peter Burris, Mike Gotta and William Zachmann contributed to this article.
Entire contents, Copyright © 2000 Meta Group, Inc. All rights reserved.