It's Time For Rules In Wonderland

Here's Business Week's four-point plan to solve the Internet privacy mess

If Lewis Carroll had written about Alice's adventures today, she would find herself passing through the looking glass and into cyberspace. She would meet up with dodos, duchesses, and eggheads, some of whom would spout the rough equivalent of "'Twas brillig, and the slithy toves...." The journey also would be full of rude surprises. As in Carroll's books, she would eventually discover who she really was. But many others she had never met would learn about her, too. Indeed, with every click of the mouse, a bit more of her privacy would vanish down the rabbit hole.

These days, a lot of people are stumbling on similar unpleasant surprises. Thanks to a string of privacy gaffes involving DoubleClick, RealNetworks,, and other major Web sites, consumers are learning that e-commerce companies have an intense interest in their private information. For about 9 cents, some medical data sites will sell you your neighbor's history of urinary tract infections. Your speeding tickets, bounced checks, and delayed child-support payments are an open book. In the background, advertising services are building profiles of where people browse, what they buy, how they think, and who they are. Hundreds of sites already are stockpiling this type of information--some to use in targeted advertising, others to sell or trade with other sites.

GOLD RUSH. It will get worse. The tricks being played today are child's play compared with what's coming. Web sites that want to know you better will soon be able to track your movements on Web phones, palm devices, and video games, and parse the data with more subtle software. Online services can be layered with mounds of data about each person. Interactive TVs, for instance, have the potential to correlate the Web sites you visit at work with the ads you see at home in the evening.

Web surfers don't need extra proof that this gold rush for personal data is alarming. In a new Business Week/Harris Poll, 92% of Net users expressed discomfort about Web sites sharing personal information with other sites. The public outcry has grown so loud that in February, search engine AltaVista Co. promised to ask explicit permission before sharing visitors' personal information with other companies. On Mar. 2, DoubleClick bowed to public pressure on a similar point: The company, which serves up ads on many Web sites, has created anonymous digital snapshots, or "profiles," of millions of cybersurfers, based on where they browse and what they do online. DoubleClick had planned to link profiles with much more specific information, including names and addresses culled from real-world databases that cover 90% of American households. The company dropped that controversial plan, and within days, smaller rival 24/7 Media Inc. abandoned a similar strategy.

Anonymous tracking and profiling by DoubleClick and 24/7 can be very subtle. But sometimes privacy violations hit you in the face. We have all heard the examples of sociopaths who stalk their victims online. We have seen the statistics on "identity theft," in which criminals suck enough personal data off the Net to impersonate other people. Perhaps these are extreme examples. Even without them, many cybersurfers are starting to feel that they have spent quite enough time at this particular Mad Tea Party. They are ready for privacy rules that set some plain and simple boundaries. In the March Business Week/Harris Poll, 57% of respondents said government should pass laws on how personal information is collected. "What's going on today is exponentially more threatening to those who want to protect privacy," says Eliot Spitzer, New York's state attorney general who has proposed privacy legislation. People can't make informed decisions on the Net because they lack the necessary information. "What we're confronting is a market failure," says Spitzer.

Responding to a growing chorus of privacy-related complaints, some states have drafted legislation ranging from curtailing the sale of personal information to the creation of a privacy ombudsman. But this piecemeal, state-by-state approach is a muddle. Scattershot laws will only create more confusion. Over time, they will choke budding e-business in complex litigation and red tape.

Business Week believes there is a better way. Instead of a conflicting patchwork of state rules, the federal government should adopt clear privacy standards in the spirit of the Fair Information Practices--a philosophical framework for privacy protection that has been adopted worldwide over the past 25 years. The broad principles are essential:

-- Companies conducting business online should be required by law to disclose clearly how they collect and use information.

-- Consumers must be given control of how their data are used.

-- Web surfers should also have the ability to inspect that data and to correct any errors they discover.

-- And when companies break the rules, the government must have the power to impose penalties. "All of these bits you are sending out are your digital DNA," says Tara Lemmey, president of the Electronic Frontier Foundation. "You should have control of that."

Regulation flies in the face of the approach industry has been championing. For the past four years, Net companies have insisted that they can police themselves on privacy. "Industry initiatives and market forces are already doing a good job," says Daniel J. Jaye, co-founder of Engage Technologies Inc., which dishes up ads on the Web.

In other words, the market will punish companies that fall afoul of consumers. Bringing in the government, execs say, will pile bureaucratic layers on top of the Net. This could undercut the very promise of efficiency that many online businesses are counting on. The Internet, they say, is supposed to draw companies closer to their customers, allowing them to anticipate their desires. With profile data, they can target their ads, slash wasteful and random marketing costs, design products faster, and build higher profit margins. Profiling provides the underpinnings of a new way of doing business upon which the Net Economy is built.

Laws that require businesses to seek users' permission before they collect or use data about Web-surfing habits could kill this goose, they say. And why do that, industry execs ask, when they are making such fine strides in protecting consumer privacy? As a positive sign, Net businesses trumpet a May, 1999, Federal Trade Commission survey in which 66% of companies queried had privacy policies.

SELF-REGULATORY SHAM. We are not persuaded by these arguments. Few Web sites give consumers real choices over the data that get collected online. There is no proof that if given a choice--especially bolstered with financial incentives proffered by Web merchants--consumers won't willingly hand over some personal data. As for privacy policies, the same FTC survey showed that while more than 90% of companies polled collected personal information, fewer than 10% actually followed all of the established Fair Information Practices.

In short, self-regulation is a sham. The policies that companies have posted under pressure from the government are as vague and confusing as anything Lewis Carroll could have dreamed up. One simple example: When people register at Yahoo! Inc. for one of its services, such as My Yahoo, they are asked to provide their birth date and e-mail address--ostensibly as a safeguard if they forget their user name and need prompting. But Yahoo also uses that information for a service called the Birthday Club, sending product offers from three to five merchants to users via e-mail on their birthday.

Don't look for transparency here. Most sites don't limit how they or their partners use consumer information. And Web sites can transfer information to partners without telling their own customers. Many sites also change their practices at will and without warning.

Because privacy breaches are so corrosive to consumer trust, some Web execs actually welcome broad national standards. IBM and Walt Disney Co. have decided not to advertise on Web sites that don't have privacy policies. Privacy codes must be clearer, says Chris Larsen, CEO and founder of E-Loan Inc., an online loan service that has its privacy policies audited. "I think the industry has squandered the opportunity to take care of this on its own." IBM Chairman Louis Gerstner doesn't go that far. But he has warned Net executives that they must get serious. "I am troubled, very troubled, by leaders who have failed to recognize our responsibility in the transformation of the new economy," he says.

We hope other Web execs are listening closely. The policies we propose are in the best interests of Web businesses. If more consumers can be assured that their personal information is safe, more of them will flock to the Net--and click, not exit. There are other explicit benefits for the industry. Privacy standards create a level playing field, so companies don't fall into an arms war, each trying to collect the most data--at any cost. "Business will benefit from the right level of government involvement," says Nick Grouf, founder of PeoplePC, which offers cheap PCs and Net connections. "Standards are good, but they need some teeth, and this is where government becomes a good partner."

FEDERAL STANDARD. In the long term, the privacy protection that Business Week espouses will make life simpler for businesses on the Net. More than 20 states already are moving to enact some kind of guarantees. A minimum federal standard of online privacy would decrease the cost and complexity for companies. It also would increase trust. If businesses really want to be close to their customers, trust is paramount. This approach also will shrink the gap that has arisen between the U.S. and Europe, where privacy already is recognized as a right. The Europeans have stood firm, putting American companies in the peculiar position of extending greater privacy protection in Germany or France than at home.

It's time to iron out the inconsistencies. Here are our prescriptions for protecting personal privacy without jeopardizing the promise of e-commerce...

Before it's here, it's on the Bloomberg Terminal.