The hope that the Internet could police itself on privacy is quickly fading, as new invasive technology generates an ominous flood of intrusions. The California HealthCare Foundation recently reported that 16 out of 19 health-care Web sites violated their own privacy policies and allowed confidential medical data to be passed on to advertisers. Then DoubleClick Inc., the biggest Internet ad placement company, unleashed a storm of controversy by profiling thousands of Web surfers by name--without their explicit consent. The Federal Trade Commission is launching a probe into its data collection practices.
Public anger is driving privacy legislation in state capitals and Washington. Senator Robert G. Torricelli (D-N.J.) would ban "cookies," the digital ID tags that track a consumer's activity on the Web. He would also mandate that Web companies get permission before they collect personal data.
New technology makes it all too easy to capture intimate data from the Web. Banner ads can now grab any personal data placed on the page on which they appear. A person looking up "colon cancer" on a medical Web site, for example, may unwittingly have that fact transferred via a company's banner ad. It's downright creepy. And it makes promises of privacy by a Web site completely specious. E-Loan Inc., one of the largest online mortgage companies, vows to keep financial data from consumers secure. It runs a cookie-free site. But E-Loan's partners do have cookies that zoom into people's computers and track them the instant people click onto their sites.
DoubleClick is trying to mute a chorus of criticism from the Electronic Privacy Information Center and the Center for Democracy & Technology for creating digital files that identify people by name. DoubleClick executives are also defendants in class-action suits alleging unlawful compiling of files on individuals. In response, DoubleClick will now allow people to opt out of this profiling, but they must first request it by going to DoubleClick's own site. And no one will be able to see what is in their files. DoubleClick also is hiring a chief privacy officer. A good first step, perhaps. Drkoop.com, a medical Web site, goes one further by insisting that advertisers on its site agree not to attach any cookies to their ads at all.
The push for privacy protection is coming from abroad as well. On Mar. 31 the European Union will apply its Data Protection Directive to U.S. companies. The directive imposes strict limits on the collection and use of personal data in the 15 EU countries. It bars transmission of this personal data to countries that don't have parallel privacy safeguards.
Consent should be the key everywhere. If Internet companies think they can violate basic individual rights as part of their business models, they are living in a fantasy land. Unless they guarantee privacy soon, the government will step in.