Commentary: Privacy requires standards

So-called Web bugs are not new, and while their use should be limited, neither they nor Internet cookies have in practice created the extreme security problems that security companies sometimes predict.


So-called Web bugs are not new, and while their use should be limited, neither they nor Internet cookies have in practice created the extreme security problems that security companies--which want to sell their "antibug" software to a wider audience--sometimes predict.

The key issues center more on personal privacy than computer security. We advocate the creation of clear standards for privacy on the Web, and while we would prefer that industry groups create these standards, we also believe that Congress and federal regulators should be investigating these issues and helping to set the standards.

Web users need to remember that nothing is truly "free." Companies provide Web services to consumers in return for something--usually information about interests or preferences--or, increasingly, direct compensation. Almost all content providers track individual site use on some level, and if that is blocked, businesses will either cut back on their investment in the Web or find other ways to capture that information. On the other hand, content suppliers should not expect to capture information not volunteered by the individual (either by filling out a form or through normal use of that content supplier's Web site).

Privacy is a complex issue, and different individuals have different privacy expectations. Certainly individuals should not be expected to give up privacy without their knowledge--spying on individuals as they use the Web or copying information from their hard drives without their knowledge or consent is clearly a violation of any reasonable privacy standard. Businesses should be required to post a clear privacy statement spelling out what information they gather about the use of their Web site--something that very few companies do today.

Regulatory oversight
Financial industries and the health care industry are already limited by privacy regulation--the Gramm-Leach-Bliley Act and HIPAA, respectively. Any company with European customers or employees already falls within the regulatory structure of the U.S. Commerce Department's Safe Harbor program. There are currently seven separate bills before Congress that extend privacy regulation to other industries, and the broad base of bipartisan sponsorship for those bills indicates that something will pass. Any company that believes it can continue to collect information surreptitiously as part of its business plan will provide its investors with major disappointments over the next two years.

On the other hand, consumers need to realize that businesses invest in developing Web sites partly to gain valuable marketing information. They should expect businesses to track site use either for focused marketing activities or to support personalization initiatives. Consumers should expect that businesses may refuse access to Web services to those who fail to provide that information, either by not filling out a form or by using technology that blocks the tracking of their use of a Web site.

However, consumers also have a clear right to protect themselves from the possibility of pernicious spying or worse actions by unscrupulous individuals on the Web. The extreme positions on both sides of the privacy issue are clearly unreasonable. The problems in creating a standard will always be in the middle, where there is some reasonable business justification and some reasonable privacy concern.

Businesses, which cannot control what Web sites their employees may visit, should consider tracking contacts with Web bugs, just as they track exposure to Web-based computer viruses. This would require an enterprise edition of the software that senses these tiny executables and reports activity to a central server. So far, few (if any) of these bug-sensing software programs offer this key feature, but it would be easy to add.

Companies should consider implementing enterprise edition bug-tracking software if it works, can be centrally managed, costs no more than 15 percent to 20 percent of a normal security package and can easily be bundled into their security package.

Meta Group analysts Peter Burris, Mike Gotta, Dale Kutnick, Jack Gold, Val Sribar, Chris Byrnes and William Zachmann contributed to this article.

Visit Metagroup.com for more analysis of key IT and e-business issues.

Entire contents, Copyright © 2001 Meta Group, Inc. All rights reserved.