AOL revamps security policy

After several highly publicized security breaches, America Online has posted a new version of its membership policy that addresses some of the privacy concerns raised by users and critics.

AOL says the revision of its member policy, known to subscribers as the "terms of service," will go into effect July 15--almost a year after the online giant rescinded its original policy. That reversal followed public outcry over its decision to release member telephone numbers to its partners, including telemarketers, without making an effort to inform members. However, today's posting was featured prominently, as promised, on the proprietary service's main page, listed under the heading of "Important Info."

Today's announcement was made as the Federal Trade Commission prepared to release a scathing report that comes down hard on the online industry for failing to protect users' privacy--especially that of children. Trade groups representing more than 11,000 companies today appealed to President Clinton in a letter, asking for one last try at self-regulation.

AOL chairman Steve Case has been a vocal opponent of government regulation of the Internet and has been equally, if not more, vocal about touting the importance of industry self-governance, as witnessed during a speech Friday at Harvard University.

AOL's terms of service contain rules and legal jargon that outline everything from its definition of "acceptable online behavior" to its marketing practices, with which new users must agree before signing on to the service.

In contrast to last year's terms, the new version places considerable emphasis on its eight-point privacy policy, which AOL chairman Steve Case isolated at the end of his introductory letter.

As part of the privacy statement, AOL said it would take extra steps to protect children from online smut and solicitations, and gives further assurances to safeguard account and membership information.

"AOL will not give out your telephone number or screen names [email addresses], except where needed to deliver a product or service you ordered," the policy states.

AOL also said it redesigned its Marketing Preferences page, which gives members choices about receiving direct marketing offers, noting that members can "direct [AOL] to remove [the member's] name and address from mailing lists [AOL] provides to selected prescreened companies."

Despite the revision, however, privacy advocates such as David Sobel of the Electronic Privacy Information Center claim that the page's redesign was half-baked at best. Privacy pundits believe online services and high-profile Web sites could make a more concerted effort to prevent users from being targeted by direct-marketing campaigns.

"I still question AOL's commitment to really making it easy for people to exercise this choice," Sobel said. "The process [for unsubscribing from direct marketing options] is heavily slanted toward having subscribers remain opted in. We believe that the default should be privacy unless you opt in. The industry generally has always been resistant toward that. How easy are they making it to opt out? It's always been difficult and it remains difficult."

In the last year, the online giant has come under considerable criticism from members and company observers for privacy lapses, security breaches, and what some members considered misleading marketing practices. For example, in January, AOL admitted to violating its own privacy policy when an employee disclosed a member's private information to a Navy investigator.

In addition, AOL last week reached an agreement with 44 states to provide clear information to its subscribers when it plans to raise its prices or change its services. At the same time, it was revealed that AOL's own staff members on occasion were resetting passwords for people who claimed to be members, a practice that compromised the security of user accounts.

"If AOL makes material changes or revisions to the Member Agreement, we will provide notice to you 30 days in advance," Case wrote in his letter, a link to which was put on the service's front door. "If you don't agree to the changes proposed by AOL, or to any of the terms in this Member Agreement, your only remedy is to cancel your AOL membership."

Reaction to this year's TOS so far has been relatively mild compared to the controversy that surfaced after last year's revision, which was quietly posted without informing members.

"Last year they were going to do anything they wanted with the [member] information and sell it to third parties," said Sobel. "This year's policy reflects a lot more sensitivity than what they proposed last year, and I give them a lot more credit for it."

Included in the new privacy policy is a list of ten online security tips for members, which includes advice on how to protect passwords and personal information.

Nonetheless, other privacy advocates believe that a tip sheet is not enough. With AOL's size and stature, the firm needs to be more responsible and accountable for violations of member privacy, some say.

"We think when your privacy is invaded, you have to get a remedy," said Evan Hendricks, editor of Privacy Times. "It's AOL's responsibility."