Commentary: Privacy Online: The Ftc Must Act Now

Think the deluge of mail-order catalogs and dinnertime phone solicitations invades your privacy? Well, compared with what's possible on the Net, you ain't seen nothin' yet. On the Web, marketers can collect more information and in greater detail than ever before--without you even knowing it.

Luckily, the spotlight is turning toward the key players in this online snooping, called advertising networks, which track consumer behavior by, in effect, following people around as they surf the Web. With privacy advocates screaming about the threat, the Federal Trade Commission in early November held a workshop with ad services and privacy advocates to gain a better understanding of what's involved.

"COOKIES." Unlike TV, radio, and print, the Net can record what individuals--not demographic groups or neighborhoods--are actually reading, listening to, and shopping for, and then build detailed profiles of that behavior. Techniques pioneered by DoubleClick Inc. and now used by other online ad services allow an advertiser to monitor consumer behavior across thousands of sites. An auto company can find out what kinds of models a person is looking at online, where he or she lives, and how often the person visits competitors' sites. The services typically do this by placing "cookies," or tiny software tags, on surfers' browsers, which automatically record where they go online, how often, and for how long. Consumers can choose not to have data collected, but they rarely do. DoubleClick gets only 12 opt-out requests daily; it has 80 million customer profiles.

Why the fuss? After all, Web sites such as Yahoo! and Amazon collect consumer information, too, and stress the convenience it provides when you come back. The difference is that whenever consumers register at such sites, they must click on a box that says they agree to terms of use--which includes gathering information about their online behavior. But the ad-server companies are virtually invisible. Consumers don't buy anything from them or get marketing messages directly from them. These services work in the background, throwing up ads at a sports site, for instance, when someone visits. As part of their deal with the sites, they collect a vast amount of information about where consumers go online, what they buy, and the types of ads and information they seek. DoubleClick and Engage alone have amassed tens of millions of consumer profiles. While these profiles are anonymous, they're often tied to a particular browser, so the potential to connect the browser with the actual consumer exists. Even now, the services can link info about consumers' online visitations to their offline behavior. DoubleClick plans to combine online profiles with catalog-purchase records, including name and address data, from Abacus, a data warehouse it is acquiring.

Even when profiles are stripped of any info about an individual's name or e-mail address, there's cause for concern. If law-enforcement officials want to find out about an individual's behavior, what's to stop them from subpoenaing the individual's unique I.D. from an ad service? "This is a little different than the privacy issues we've examined in the past," says FTC Chairman Robert Pitofsky. "I am not comfortable saying that because the information is not personally identifiable, that nothing needs to be done."

INVISIBLE. At the November FTC workshop, 10 of the biggest ad servers, representing 85% of the industry, proposed an opt-out arrangement that would let consumers choose not to have their data gathered. It's not enough. For starters, an opt-out provision works only if consumers are fully aware of what these invisible info-trackers are up to. Pitofsky admits that even he doesn't understand the technology.

There's one obvious solution. Instead of opt-out, why not opt-in? Web sites could be required to seek the consumer's O.K. instead of assuming that their silence means consent. At the very least, the FTC must make sure that any opt-out awareness campaign is heavily publicized.

Individuals should be able to control their private information and choose whom they give it to in cyberspace. The debate cannot be put off too long: Companies such as DoubleClick and CMGI Inc., which have pioneered ways of collecting information online, are gobbling up smaller ad services and building ever larger databases. The FTC meeting should begin a wider debate on this critical issue.

Before it's here, it's on the Bloomberg Terminal.