CNET también está disponible en español.

Ir a español

Don't show this again

Internet

Up for sale: Privacy on the Net

As legislators, highly vocal privacy groups and the business community jump into the fray, the privacy debate heats up.

    If you are reading this article about privacy, you most likely use the Internet to gather information about topics that interest you. You may also go online to e-mail your friends, look for a new job, check out your investment portfolio and/or shop for such items as books, clothes, plane tickets and pharmaceutical products.

    If so, without knowing it you are providing large amounts of personal data to businesses that are free to sell this information, share it, or use it to make decisions that can affect your well-being. Furthermore, you are not being told that this information is being gathered, by whom or for what purpose. You are, in effect, being pick pocketed by unknown sources for unknown reasons.

    This isn't news. Privacy, or lack of it, has been a concern ever since a significant number of consumers started making credit card purchases online in the late 1990s.

    What's different about the issue these days is the amount of attention privacy is receiving from (a) the U.S. Congress, which is currently considering a variety of privacy-related bills; (b) the business community, which is promoting self-regulation as an alternative to legislation; (c) highly vocal privacy groups, which are intent on reining in what they see as the worst abuses of online profiling; and (d) a flurry of new online companies, which are aimed at helping consumers protect their privacy.

    Wharton legal studies professor Dan Hunter positions the debate over privacy this way:

    "Both the e-commerce industry and consumer groups have legitimate concerns that are at loggerheads with each other. For example, online advertisers, e-commerce retailers and other Web businesses have a genuine business interest in personalization because it allows users to receive ads targeted to their interests rather than information that is irrelevant. Moreover, the current e-commerce system offers consumers free access to services that would otherwise cost money, such as browsers and access to e-mail, in return for the 'cost' of allowing companies to track their interests and general demographics.

    "That, to me, is the e-commerce industry's strongest argument for being allowed access to data generated by Web usage.

    "I also think it should be permissible for e-commerce providers to track internal demographic information from my browser, as long as they guarantee they won't give it to anyone else. Unfortunately, there are many instances of that information being sold to retailers, for example, or to private data collection agencies without the consumer's knowledge or permission."

    Put another way, most consumers probably don't object to Amazon.com's practice of suggesting book titles to them based on their previous purchases. What they probably would object to, if they knew it was happening, is the way in which Internet businesses track Web users across multiple Web sites to collect information about such things as spending habits, income, illnesses and occupation.

    "People don't understand how closely they are being monitored on the net," says Wharton management professor Stephen J. Kobrin. "They don't understand the implications of technology, how easy it is to data mine, how much information is theoretically available to anyone at any place, and how information that is collected can be saved forever. The reality is that as a result of digital technology, private space will shrink and public space will increase."

    What worries privacy advocates the most are the increasingly sophisticated methods--such as electronic tracking tags known as cookies and information-transmitting devices known as Web bugs--used by Internet companies to secretly track down information about customers. Indeed, many Internet business models are based on the ability to collect huge amounts of information for a variety of profit-generating purposes.

    "Americans accept that on one level it's all right to sell private information," adds Hunter. "The concern now is that we have gone too far in terms of the amount of processing going on, and the correlation of that information back to one's physical identity. Even more disturbing is that consumers don't know how the information is being used and so have no way of tracking it. One doesn't have to be a consumer-protection zealot to think there should be some controls on this."

    The role of legislators
    Enter the U.S. Congress. So far more than a dozen bills on privacy have been introduced in Congress, and earlier this month a subcommittee of the House Committee on Energy and Commerce met to educate members about "Privacy in the Commercial World." On that same day a separate and bipartisan group called the Congressional Privacy Caucus met to discuss online surveillance technology, including such devices as Web bugs and e-mail wiretapping.

    Last year a similar number of privacy bills came before Congress, all of which failed. What's the prognosis for this year's bills?

    It obviously depends on whom you talk to. "The big question," says Andy Cervantes, representative for a Denver-based nonprofit privacy group called the Privacy Foundation, "is whether you approach this issue with a hands-off solution, which is probably what the Bush administration would prefer, or with a hands-on, regulatory solution," which many privacy advocacy groups prefer. "Whereas the Clinton administration didn't seem to mind stepping into such areas as the environment and health care, Bush will probably tend to let the market handle privacy concerns. That doesn't make consumer advocates particularly happy because any privacy policy without laws or legislation to back it up would be pretty toothless." Already Bush's new Secretary of Health and Human Services, Tommy Thompson, announced on Feb. 26 that he would delay rules issued by Clinton last December to protect the privacy of people's medical records.

    David Moulton, chief of staff for Democratic congressman Edward Markey--a staunch supporter of a privacy bill of rights--isn't optimistic that a privacy bill will be passed by this Congress. "The leadership of the House and Senate will attempt to show they care about privacy without actually changing current business practices. This can be done in a number of ways, but the most effective dodge is the creation of a privacy commission to study the issue." (Such a commission nearly passed the House last fall and has been reintroduced this year.) A tactic like this, Moulton says, allows the congressional leadership to delay action on any legislation for at least a year.

    "Votes for privacy legislation are there," Moulton adds, "but the congressional leadership, supported by the business community, uses procedural roadblocks available to them as the majority party to prevent an up or down vote."

    He does offer a prediction. "As the horrendous violations of privacy that occur on a daily basis become more and more obvious, we will be able to make some progress in protecting people's privacy. That will happen, but it will take more pressure than this Congress is feeling right now."

    An article last week by Robert MacMillan of Newbytes echoes the point. "Your average (Congress members), as Internet-savvy as their staff may be, know where their fish is fried, and in this case it's with business. They don't say they are against strong privacy protections...but they are."

    Among the bills that have been introduced this year are ones with such titles as the Social Security Online Privacy Protection Act of 2001, the Financial Information Privacy Protection Act of 2001, the Identity Theft Protection Act of 2001, the Consumer Online Privacy and Disclosure Act and the Unsolicited Commercial Electronic Mail Act of 2001.

    One issue up for debate in several bills is whether Web sites should have to get "opt in" permission from consumers before using any data--an approach favored by many consumer groups--or whether consumers should be required to take steps to "opt out" of any data-collection process, an approach generally favored by the e-commerce industry.

    Self-regulation
    While Congress debates legislation on Capitol Hill, the business community is actively promoting other options. Chief among these is self-regulation.

    Earlier this month, for example, the Privacy Leadership Initiative (PLI)--a group of executives from such companies as AT&T, Dell Computer, Ford, IBM and Procter & Gamble--announced a $30 to $40 million campaign aimed at showing consumers how they can use technology to better protect their privacy online.

    Last September, a group of executives belonging to the Global Business Dialogue on E-Commerce (GBDE) came out in favor of voluntary guidelines for international Web standards designed to protect consumers from privacy abuses. The group--which includes such companies as AOL Time Warner and Toshiba Corp.--advocated, for example, visible seals of approval on business sites that would identify the company as one that offers stringent privacy protections.

    And during the past year, several companies--including Microsoft, IBM, 24/7 Media, EarthLink, Excite@Home and DoubleClick--have appointed chief privacy officers, apparently to articulate and enforce privacy policies.

    Such moves by industry are intended to not only head off legislative or regulatory action but also to increase consumer confidence in the Web as a place to do business. Recent studies have shown that the e-commerce industry does, in fact, have a strong business incentive to improve their act, if not their image. According to a recent news report citing Forrester Research, 35 million Americans last year spent about $45 billion shopping online. But consumers would have spent an additional $12.4 billion if they hadn't been concerned about the consequences of giving out personal data on the Web.

    Walter O'Brien, executive director of PLI, summed up the approach of his organization during remarks made last January at the 20001 e-Business Conference and Trade Show in New York. "Modern technology, especially the Internet, has made the collection of personal information easier, faster and more thorough," he says. "And that makes many people profoundly uncomfortable. There's a 'trust deficit' of troubling proportions that keeps too many consumers on the sidelines. For any company, the stakes in missing so many 'wary but wired' consumers are enormous.

    "We have a chance to show...how information sharing based on informed consent and real protection works to benefit all parties over time," O'Brien adds. By doing that, business can "protect consumers and maximize the benefits of the information age for everyone."

    Many consumers, however, remain skeptical that self-regulation alone will protect privacy. A report last May from the U.S. Federal Trade Commission, for example, referred specifically to the online privacy seal program mentioned earlier and noted that "less than one-tenth, or about 8 percent, of sites (in a random sample) and 45 percent (of the 100 most popular U.S. commercial Web sites) display a privacy seal." The report did say that industry initiatives--including the seal program--should continue to "play an important role within any statutory structure."

    Mark Schwartz, a lecturer on ethics at Wharton, would like to see a combination of government regulation and industry self-regulation. "I think both are necessary. You can't completely rely on industry to take care of privacy concerns, although it is certainly the preferred choice. Government can establish incentives for industry to self regulate, but at the same time, it should set certain minimum standards to create a level playing field."

    Consumer advocacy
    Earlier this year, a group called the Privacy Coalition--whose members include the American Civil Liberties Union, the Consumers Union, and the Electronic Privacy Information Center, among others--set out to protect consumers from Internet businesses that collect information without the consumer's permission.

    The types of abuses they want to guard against are varied. "A woman gets a birthday card from Radio Shack a week before her birthday even though she has never been to a Radio Shack in her life," says Schwartz. "It's not a serious intrusion, but it might be considered offensive by some. Or take the case of a company that fired an employee who made disparaging comments about his boss in a chat room. People don't realize that companies monitor chat rooms and that what they say there is not protected information."

    Remedies do exist in the form of civil law suits against a number of companies for privacy violations. U.S. Bancorp Piper Jaffray failed to adhere to its posted privacy policy and had to pay $4 million in fines, says Schwartz. Other firms that have been sued by consumers or the U.S. Federal Trade Commission include Liberty Financial, RealNetworks, Yahoo, Chase Manhattan and Toysmart.com.

    Often public outrage over a potential privacy violation can force companies to change their policy. The online-advertising company DoubleClick had originally intended to combine the names and addresses of consumers with information gleaned from online profiling, but the uproar from outraged consumers caused them to put their plans on hold. Amazon last fall annoyed users by instituting a change to its privacy policy that would allow Amazon to sell consumer information in the event that the company was ever acquired. Other companies have been sued by class action lawyers for allegedly tracking customers without their permission.

    "Business groups say that if consumers object to privacy violations, they can simply not use those providers whose privacy policies they don't like," says Hunter. "For example, I don't have to get part of the New York Times off the Web for free. I can go and buy it. That's my choice. The e-commerce industry also says you can pay $50 a year and register with a service like zeroknowledge.com that will prevent tracking of your information. Internet companies would say that is an example of the market providing a solution to privacy concerns.

    "I disagree. These decisions presume a very high level of understanding on the part of consumers as to how the information they provide is being used or collected. But consumers don't have that understanding. They have no way of tracking what happens, so they don't know whether, for example, it's worth $50 a year to try and stop companies from doing whatever they are doing."

    Consumer groups are especially agitated over the fact that most Web sites do not disclose the use of Web bugs in their privacy policies, "even as it gets more and more difficult to block" the bugs, says Schwartz. And they fume over the fact that many companies don't comply with their privacy policies and/or regularly modify their policies without alerting customers to the change.

    "It comes down to whether an individual is given an enforceable right when his or her privacy is violated," says Moulton. "Industry has been unwilling to subject itself to appropriate penalties when they violate their own privacy rules."

    The Federal Trade Commission report cited earlier found that only 41 percent of randomly visited Web sites and 60 percent of the top 100 sites told consumers about their information practices and offered a choice about how that data is used. "Self-regulation alone has not adequately protected consumer online privacy, and as a result, legislation is now needed to supplement self-regulatory efforts and guarantee basic consumer protections," the report said.

    Web watchers are also following the current debate over the definition and possible disposal of assets, an issue that came up with Amazon's privacy policy change and also with the online retailer ToySmart.com. After announcing bankruptcy last year, ToySmart attempted to sell its customer database, even though its privacy policy had stated that it would never share that information. "All e-commerce providers consider their consumer databases to be one of their most important assets, to be used when necessary in the sale of the company," says Hunter. "In order to change that, you would need to change the bankruptcy laws to say that databases and information about people are not an asset. By doing that you would be preferring the interest of consumers over the interest of creditors. That could be a tough sell, one that may well be politically untenable."

    The entrepreneurial approach
    While strict privacy advocates square off with the more laissez-faire e-commerce industry, a host of new companies are cropping up to offer the obvious new new thing--protection against the growing variety of Web bugs that can collect information from consumers in ever more sophisticated ways.

    Companies with names like Anonymizer, Hushmail, IDcide, ZipLip and PrivacyX see the future "as an opportunity to seize lucrative leadership in the privacy space," notes an article in the March issue of the Atlantic Monthly. A report from CNET News.com mentions two other companies in the war against privacy violations. One, called Intelytics, will release a software program later this month called Personal Sentinel, which Web surfers "can use to spy on the spies." The program will describe the "risk level" of any Web site by exposing its Web bugs. The other company, Security Space, monitors more than 100,000 active sites for Web bugs and identifies those sites with the highest number of bugs in use.

    So technology, even as it provides opportunities to violate consumers' privacy, also provides opportunities to protect that privacy. As Intelytics' home page states: "Our comprehensive mix of software platforms and expert professional services can provide you with the protection you need to navigate safely through the increasingly unsafe channels of the connected world."

     
    To read more articles like this one, visit Knowledge@Wharton.

    All materials copyright © 2001 of the Wharton School of the University of Pennsylvania.