
Internet privacy: The danger of good intentions

With the machinery of legislation revving up, Sumir Meghani writes that policymakers, privacy advocates and technologists all risk missing the real point in the battle over Internet privacy.

The government's preferred method of dealing with the challenges posed by technology, simply passing new legislation, is now spilling over into the debate over Internet privacy.

Even though legislation on this issue is not likely to be passed this year, the outcome of the ongoing conversation will have a significant impact.

A lot of attention has focused on Senate Commerce chairman Fritz Hollings' "Online Privacy Protection Act." His bill legislates what a Web site's privacy policy should be, depending on two distinct types of information collected: "sensitive personally identifiable information" and "nonsensitive personally identifiable information."

With the former, an opt-in strategy is required; the latter would need only an opt-out approach. Personally identifiable information defined by the legislation consists of all identifiers, such that there is a "substantial likelihood that the identifier would permit the physical or online contacting of a specific individual."

Bills such as this entirely misunderstand why privacy protection is needed to protect individuals from the misuse of personal information. What's more, policymakers will achieve little by singling out the online world, because technological progress has made data sharing and amalgamation between online and offline entities virtually effortless.

Recall what happened after Internet advertising giant DoubleClick bought catalog marketer Abacus Direct in 1999. The company then announced plans to merge consumers' offline purchasing habits with information on what Web sites they visit. If Abacus' and DoubleClick's data were combined, the surfing behavior of many individuals could now be directly linked to personally identifiable data. Several class-action lawsuits were immediately filed, and DoubleClick subsequently agreed to modify its policy.

Because of the prolific combination of online and offline databases over the past few years, it may make more sense for legislators to focus on what information is collected and not necessarily on who collects it. For example, the Electronic Privacy Information Center notes that many businesses such as supermarkets use membership card technology to create detailed profiles of individuals' consumption habits, often without providing any notice to consumers.

It is unclear whether Web sites that use cookies or Web-based forms to accomplish the exact same tasks should be forced to abide by a special set of laws. Also, if an online company could simply get data from its offline counterpart--which did not have to adhere to the same rules--it is unclear how the new legislation would apply.

In recent testimony to the Senate, Amazon.com executive Paul Misener claimed that legislation such as the Online Privacy Protection Act would be "misleading" to American consumers, since online transactions are such a small portion of total sales activity. In addition, he said it would hinder the ability of online retailers to compete with their offline counterparts.

We need a more reasonable, common sense way of dealing with privacy issues. Privacy is not discrete, and different consumers prefer varying degrees of privacy. An isolated solution that specifically targets the online world will likely not provide the best fit for consumers.

New approaches such as P3P (Platform for Privacy Preferences), though complicated and imperfect, provide a reasonable first step in allowing consumers to choose the level of protection that they desire. Standards such as this have received growing acceptance in the Internet community.

Microsoft announced that Internet Explorer 6.0 would allow certain types of cookies only if the Web sites delivering them have a P3P policy that is acceptable to the user. Individuals can then set their browser settings to provide an appropriate level of protection.

Policymakers need to look carefully at their goals before haphazardly creating legislative or technological solutions. A carefully designed approach to addressing privacy concerns should follow practical concerns of information collection and not just online information collection.

Despite best intentions to address a real issue, policymakers might otherwise just end up creating a new batch of problems.