A Little Net Privacy, Please

Netizens want immediate action from industry and government as consumer-data gathering exceeds the comfort zone

This month, investigators from the Federal Trade Commission will be revving up their Web browsers in a random check of 1,200 sites. Their mission: to see if site operators are posting privacy notices that explain how personal information--such as E-mail addresses, shopping habits, and consumer financial data--is being used, and whether it's protected from prying eyes. If the FTC doesn't find a boatload of these policies, the government is threatening to step in and take action.

Normally, such threats would raise hackles in the free-spirited realm of the Net. But maybe not this time. In a new BUSINESS WEEK/Harris poll, a majority of the 999 respondents fingered privacy as the main reason they're staying off the Net--above cost, ease of use, and the morass of unwanted marketing messages. Hardcore Netizens are just as wary: 78% say they would use the Web more if privacy were guaranteed. Perhaps even more striking, 50% of the computer users polled say that government should pass laws "now" on whether personal data can be collected and used on the Internet.

Such jitters could have a profound impact on the hyper growth of the Internet. Fears that snoops can peek into your private life and track your every movement on the Net could slow the number of people flocking to the info highway, curbing electronic commerce and advertising revenue. Some 57% of poll respondents who use the Net, for example, say Web site policies that guarantee the security of their personal data affect their decision to make online purchases. "It's clearly a signal to business that they have to be more aggressive in forming privacy controls," says Alan F. Westin of Columbia University, who helped conduct the poll and who publishes the Privacy and American Business newsletter.

So far, the industry's track record has been found lacking. Many of the most popular spots on the Net still don't post policies: A BUSINESS WEEK check of the top 100 Web sites found that 43% displayed privacy policies. Of the notices posted, some were difficult to find and inconsistent in explaining how data are tracked and used. Moreover, TRUSTe, a nonprofit organization that provides a "trustmark" to put on Web sites signifying disclosure of privacy policies and outside auditing practices, has only 75 sites signed up since launching last June--a fraction of its March goal of 750. And an FTC sweep in October of 126 children's commercial sites found that 86% collected data about children, including E-mail addresses and phone numbers, most without seeking parental consent.

Such a lackadaisical approach has riled the government. The FTC made it clear after a workshop last June that it expected Web sites to allay consumer fears or the government might take on the job. The agency plans to make a definitive report on its findings in June. And there also are 32 bills in Congress related to Web privacy, ranging from laws to regulate spamming, or unsolicited E-mail, to legislation restricting disclosure of subscriber info by online services. "This is the last year for industry to demonstrate effective self-regulation," says David Medine, the FTC's associate director for credit practices.

That may seem harsh given the Web's infancy, but over the past year there have been a number of hair-raising incidents. Just a year ago, the Social Security Administration suspended a service that let people look up personal earnings, disability information, and benefits estimates, amid public concern that the info could be widely accessed. In July, America Online Inc. provoked an outcry after it proposed giving member information to partners that could then telemarket to AOL's 11 million subscribers. AOL backed down. And then came the whopper last August. Experian, a credit bureau site, pulled the plug on a service that let consumers check their credit history after a nasty chain-letter-like experience in which one person after another was mistakenly given someone else's report.

Patience is running out among some privacy advocates. "For self-regulation to make it, it has to exist--I don't think we're seeing it," says former FTC member Christine A. Varney, an early backer of self-regulation who's having second thoughts. But the Clinton Administration may not have the answer. Administration officials fear regulation won't keep pace with technology, and they say the Web is difficult to police when tens of thousands of new sites pop up every week. "When you have legislation or regulations you can't enforce, it gives false assurances to people," says Ira C. Magaziner, senior policy adviser to the President.

How do Web sites collect and use the data? Sites amass info with and without consumers' knowledge. The most common way is through "clickstream" data--information about where people go within a site and the ads and content they see. Clickstream data are most commonly collected by so-called cookies, or small data files placed on cybernauts' hard drives when they first visit a site. Whenever a Netizen goes back to that Web site, the site's computer server can read the usage data from the cookies. That info is then stored in a database and can be used to target ads or content, based on the preferences tracked. No. 1 search engine Yahoo! Inc., for example, uses cookies to track how many new visitors come to its site.

Personal information--such as E-mail address, name, street address, age, or sex--is gathered through registration at such sites as Time Warner Inc.'s Pathfinder or Amazon.com. The same sort of data can also be culled from so-called "swebstakes," promotional giveaway programs run by companies such as Excite Inc.'s MatchLogic, a subsidiary that posts ads and marketing campaigns for 65 clients across a host of Web sites.

The wave of the future, though, may be companies such as IMGIS Inc. and Intelligent Interactions Corp. These services, which help advertisers and sites post and target ads, are considering or already offer services that combine a smattering of data. That can include registration info, advertiser and Internet service provider data, traffic, and material from direct marketing companies. This is closely watched by privacy advocates. "Is it a big horrible Orwellian plot? No, but marketing people will try to figure out all they can," says Dr. Gary McGraw, senior research scientist at E-commerce security consultant Reliable Software Technologies Corp.

UNIQUE TRAITS. Just so, say Web site operators. Marketers say the ability to gather data and target consumers is what makes the Net unique and is key to attracting advertisers and spurring E-commerce. Many say they are taking steps to keep out peepers. "We definitely believe in protecting our consumers," says Chris Neimeth, vice-president of sales and marketing for the online version of The New York Times. "At the same time, though, you can use information to deliver services and ads they would be interested in, rather than seeing something really random." The online Times, for instance, has used clickstream info on its 3.2 million subscribers to send E-mail alerting those who often read the Books section online about improvements to the area.

What will calm the privacy willies? Some say the Web needs clear, consistent site postings about data collection as well as technology that gives users more say-so. Under the threat of regulation, interest in addressing privacy concerns is picking up. Indeed, IMGIS and another company that creates user profiles, Engage Technologies Inc., joined TRUSTe this month.

Is the Internet being held to a higher standard than direct marketing and telemarketing on terra firma? In a word, yes. After all, consumers who find unsolicited junk mail in their mailboxes every day have let loose personal data that's now being used to sell them everything from soap to sailboats. The concern is that the Net makes it easier to combine, slice, and dice info from thousands of databases connected to the Web. "People are expecting more," says the FTC's Medine. Now we'll have to see whether they get it from Web site operators or government regulators.

    Before it's here, it's on the Bloomberg Terminal.