Industry and federal officials are applauding this past summer's voluntary agreement between the Federal Trade Commission and Doubleclick, Engage, and other leading online advertising services to give consumers more choice about when such companies can snoop on their Web-surfing habits. But much more is needed to protect privacy. The latest case in point? A Boston technology company is surreptitiously tracking computer users across the Net on behalf of pharmaceutical companies, a practice that demonstrates the limits of that recent FTC agreement.
Pharmatrak Inc. is not an advertiser, so it's not bound by the pact hammered out in June. In fact, advertisers make up just a small percentage of the many companies that want to build their businesses by using the Net to track consumer behavior.
Pharmatrak, by invisibly placing identification codes on computers that visit its clients' Web sites, can record consumers' activity when they alight on thousands of pages of health-care information maintained by 11 pharmaceutical companies. Pharmatrak can track when people download information about HIV, cancer, hemorrhoids, genetic disorders, and other maladies. It's all invisible to consumers unless their browsers are specifically set up to alert them when such "bugs" are being used.
Pharmatrak executives say the information they collect helps drug companies compare and improve their Web sites. It also helps them determine who in general is seeking what types of online health information, but Pharmatrak says it does not collect actual consumer names and doesn't intend to, at least for the time being. Its own Web site, however, suggests it has plans to identify people to let businesses target advertising to individual consumers. "In the future, we may develop products and services which collect data that, when used in conjunction with the tracking database, could enable a direct identification of certain individual visitors," the site states. The company adds that it would never take advantage of such information--but that's just a promise. There is no one, and no law, to prevent them from doing so. Indeed, why collect the data for business purposes if you don't intend to take advantage of it?
Without privacy regulation, it's all quite legal. Still, is it right? Why should companies be able to monitor consumers without notifying them, and then refuse to explain how the data it collects will be used? "This is analogous to having hidden cameras...tracking people's movements on the Web," says Janlori Goldman, director of the Health Privacy Project at Georgetown University. Goldman worries that fear of snooping might dissuade people from using the Web to search out health information.
It's not just privacy advocates that are concerned about such health-data monitoring. It has spurred action by state officials, as well. Michigan Attorney General Jennifer Granholm has warned G.D. Searle & Co., one of the companies using Pharmatrak, to notify consumers, or face a lawsuit. "They're taking stealth to a new low," says Granholm in a statement. "It is a classic example of corporate surveillance, and there's no way your average computer user has any idea this is going on."
"SIMPLY SHARING." Pharmatrak executives assert that privacy advocates are overreacting. Spokeswoman Claudia Kovitz says the drug companies using the service treat information about visitors with care and get no identifiable personal information, such as the browser's name and address, from Pharmatrak. She acknowledges, however, that the drug companies using Pharmatrak did not post privacy policies until late July and still don't mention Pharmatrak nor specify how the information collected will be used by the drug companies and third parties that may do business with them. Michael Sonnenreich, Pharmatrak's founder and chief executive, says that the company is "simply sharing information" in aggregate monthly reports with clients such as Pfizer, SmithKline Beecham, Glaxo Wellcome, and others.
Kovitz adds that as technology advances, Pharmatrak and member drug companies will "develop increasingly comprehensive privacy policies based on best practices."
Trouble is, there are no best practices yet. And without meaningful laws to protect privacy, the freedom to choose with whom we share our problems and preferences will be lost, as will our ability to control the snooping.