Privacy heats up but doesn't boil over
People trolling the Internet who were worried about privacy got little more than a chorus of promises from online marketers and law enforcement.
Take Carnivore, the FBI's email-tapping tool, which monitors individuals under investigation. Documents released this summer about the program revealed that it was capable of targeting the innocent as well as the accused.
Congress worried that Carnivore trampled constitutional rights, and U.S. Attorney General Janet Reno quickly promised audits. But many institutions, such as the Massachusetts Institute of Technology, declined to take part in the auditing process because of restrictions placed on the scope of the review affecting their independence.
Then there was the uproar about the consumer data-gathering practices of online companies such as DoubleClick, Toysmart.com and Amazon.com. Worried about consumer backlash, companies scrambled to come up with solutions that would put the public at ease.
Some banded together in efforts to develop privacy standards that would keep lawmakers at bay and promote self-regulation. Many others introduced new executives to the boardroom: chief privacy officers. Almost all turned to the problem of articulating privacy policies.
Abandoning the practice of collecting consumer information, however, appeared out of the question.
On the legislative front, a slew of new privacy bills were introduced--including one calling for the abolition of electronic tracking tags known as cookies--but none passed. It wasn't until this week that the Clinton administration issued new rules to protect the privacy of medical records, but most of those protections involved offline practices.
"This year, more than any other year, privacy concerns gave people pause," said Richard Smith, chief technology officer of the Privacy Foundation. "One of the lessons learned is that the Internet makes it much easier to discover what government or a company is doing."
Backlash against consumer tracking
The Internet was supposed to be the one medium where advertisements could enjoy immediate response as consumers clicked on ad banners to buy products or replied favorably to email marketing efforts. The theory is that knowing a person's age, sex, hobbies and other interests leads to better product targeting.
Many companies and shops offline have long engaged in such data-gathering practices. The Safeway Club Card is often used as an example. The card connects an individual's name, address and telephone number with items purchased at the grocery store.
But on the Web, consumer advocates say detailed dossiers could lead to disastrous privacy invasions.
Even with the best of intentions, there are no guarantees that information, once collected, won't be exposed in a courtroom or some other damaging venue.
At the heart of the issue was the privacy policy. The policy, designed to alert Web site visitors about what information is being gathered and how it will be used, became a moving target.
Companies regularly changed their policies, raising the ire of privacy advocates and even drawing fire from class-action lawyers.
First under the spotlight was DoubleClick, a powerhouse online advertising network based in New York.
Just a few short weeks into 2000, privacy advocates raised a stink over the company's data-collection practices. DoubleClick had planned to combine the names and addresses of consumers with their Web surfing and shopping habits.
By using cookies, the company could track individuals through their journeys in cyberspace. Trouble was, few knew they were being watched.
"DoubleClick became the example of how bad things can get when there are no rules," said Andrew Shen, of the Electronic Privacy Information Center (EPIC).
Lawsuits began piling up, regulators initiated informal investigations, and major news organizations seized on the story.
In the end, public outrage forced the 3-year-old company to rethink its practices. Executives quickly tried to fix the public relations disaster by hiring a chief privacy officer, shelving its master data-collection plans, and inviting PricewaterhouseCoopers to audit its business practices.
"The company recognized it moved too quickly to roll out a product that needed guidelines in place," said Jules Polonetski, DoubleClick's chief privacy officer. As a result, there has been a "proliferation of industry groups to form standards. Just about every one of those groups recognizes that they need to assure consumers that they have control over their Web surfing experience."
Although DoubleClick's grand plans were put on hold, that decision is only temporary. An earnings revision earlier this month may have reminded the company that, as cash is king, it may be worth the risk of inflaming privacy advocates to capitalize on its potential data-mining tools.
Worth the price?
Not long after the DoubleClick debacle heated up came Toysmart's troubles.
In June, the online toy retailer filed for bankruptcy, claiming its extensive list of consumer information as an asset that could be sold. Again, privacy advocates and consumer groups came out in force and derided the failing company's decision to turn back on a promise that it would never sell information about its customers.
A month later, Toysmart pulled its confidential list of consumer information from the auction block, citing unacceptable offers.
Amazon, too, came under fire. Earlier this month, EPIC and Junkbusters, a privacy clearinghouse in New Jersey, filed a complaint with the Federal Trade Commission charging that Amazon's new privacy policy deceives customers and engages in unfair business practices.
The new policy, changed in September, states that consumer information could be sold in the "unlikely" event that Amazon is acquired, as one company representative explained.
To avoid such public relations disasters, companies began hiring chief privacy officers. Internet service provider EarthLink was one of the most recent to make such a hire. Other companies that have privacy officers include IBM, Microsoft and 24/7 Media.
"There has been an explosion in the amount of dollars companies are spending to ensure their organization is complying with new rules," said Larry Ponemon, senior partner at PricewaterhouseCoopers. "If they don't do it, it's not a matter of going to jail or paying fines. It's a matter of losing their customers."
The lawsuits kept coming, however.
Last month, class-action lawyers took two Web advertising companies to task with charges of online privacy violations. Seattle-based Avenue A and MatchLogic, an Excite@Home subsidiary, were hit with separate complaints for allegedly tracking customers without their permission.
The cases were brought by feared law firm Milberg Weiss Bershad Hynes & Lerach. The same firm has another case against an online pharmaceutical company called Pharmatrak.
"It's clear privacy is a strong new area of interest," said Milberg Weiss spokesman David Rosenstein.
The lawsuits are expected to mount as more laws are passed protecting consumer privacy online.
Congress, now convinced that self-regulation allows too many rogue Web sites to prey on unsuspecting visitors, has already vowed to iron out privacy legislation early next year.
Despite the fears and concerns, there were no publicized horror stories that resulted from a privacy invasion. Certainly nothing like the tragic shooting death last year of 20-year-old Amy Boyer. Police say her killer was able to track her down after buying her Social Security number off the Net.
"Thank God nothing like the Boyer case happened; we don't need any more horror stories," said EPIC's Shen. "We don't need to be woken up anymore. We know privacy is an issue. What we need now are laws."