Needed: A Seatbelt Law for the Net
By Jane Black
Among the scores of layoffs by technology companies these past few months, the furloughs at Zero Knowledge stand out. On Mar. 15, the Toronto-based privacy software company laid off about 25% of its staff -- almost 70 people -- as part of a restructuring effort. But Zero Knowledge wasn't going broke. On that same day, it announced a $22 million investment from Reuters. According to Austin Hill, Zero Knowledge's co-founder and chief strategist, the company was searching for "new skill sets for changing times."
Why is Zero Knowledge looking to change its game plan? Maybe privacy isn't quite the burning issue it was thought to be. Sure, Congress is excited about protecting privacy on the Web -- it's an issue that members from both sides of the aisle seem to love to talk about. But in a 2000 Harris Interactive survey of 1,000 adults nationwide, privacy didn't even make it into the top 15 issues the public believes the government should address.
"When you ask people on an open-ended basis, privacy doesn't come anywhere near the top of their concerns," says David Krane, vice-president of public policy research at pollster Harris. "It's only when you present it as an option that they say, 'Yes, I'm concerned.'"
Does this mean online privacy hoopla is much ado about nothing? Not really. The issue is akin to car safety. Consumers don't want to have to install antilock brakes and seatbelts on their own -- they just want those features included on cars they buy. But right now, the only way consumers can get online privacy is do-it-yourself style. So, government and industry may need to get involved in the same way as they did in making sure auto safety was improved. No one wants the Internet to be heavily regulated, but some safeguards need to be put in place.
Yes, the Internet is a do-it-yourself kind of universe. But according to another Harris survey commissioned by the Privacy Leadership Initiative (a coalition of businesses researching privacy issues) and released in March, only a minority of consumers takes advantage of free software available to protect privacy. Only 15% had installed privacy programs on their computers -- 10% had used software that allowed them to surf anonymously without leaving an electronic trail, and only 5% had used software that allows for anonymous purchases.
Many surfers are put off by the prospect of downloading software and adjusting settings that will alter their Internet browsing. Privacy software's usability has improved, but it's still too intimidating for the average user. "The difference between our new version and our first release is night and day," says Zero Knowledge's Hill. "But I still don't know how comfortable my grandmother would be using it -- though to be fair, she still has trouble with Internet Explorer." Protecting privacy needs to become simpler before it enters the mainstream.
HOW BIG A RISK?
Before you can figure out how to protect yourself, you need to know what the risks are. Consumers might happily divulge personal information to an online bookseller such as Amazon.com if they believe the information will be used to offer them a discount on another purchase or help the company monitor inventory. But many probably wouldn't disclose personal info if they knew a company was compiling a dossier of their buying habits and selling it to other marketers.
It's a sliding scale -- when do such intrusions stop becoming annoyances and start becoming risks? Indeed, 75% of people think it's important for companies to display privacy policies, but only 35% always read them, compared to 22% who rarely or never read privacy policies, according to BusinessWeek research conducted in March, 2000.
Frank Prince, a senior analyst at Forrester Research, says most online privacy invasion is more of a nuisance than a genuine threat to someone's safety or wallet. Take the most recent Federal Trade Commission numbers on ID theft, the most pernicious example of privacy invasion. In 2000, 25,845 Americans reported they had been the victims of some sort of identity theft. That's less than 0.001% of the population. When you realize that online ID thefts make up just a fraction of that statistic, it's clear why people aren't spending the time or the money to install and use privacy software.
That doesn't mean increased data collection and manipulation aren't an issue. Last March, the Federal Trade Commission quashed efforts by DoubleClick after the online advertising service attempted to merge data it had collected about online surfing habits with offline consumer data acquired from database company Abacus. Privacy experts feared combining data in this way could ultimately result in discrimination against consumers with health risks or past credit trouble. The challenge such issues present is how to come up with standards that protect consumers when they don't even know what they want themselves?
The best way is to embed privacy protection into software consumers are already using. Microsoft is taking this tack by embedding P3P privacy software into its next version of Internet Explorer. But P3P is flawed because if a user has high standards for privacy protection, it simply blocks access to many sites. A better solution would be to require Internet service providers to provide privacy software that allows consumers to opt for encrypted e-mail, anonymous browsing, and anonymous purchasing. Just as carmakers were required to put a seatbelt in every car, ISPs need to provide consumers with the tools to protect their privacy.
Second, Congress should push for "opt in" privacy standards, which would require users to agree to disclose any information, rather than "opt out," which assume users are willing to do so unless they specifically choose not to. The online industry prefers opt-out policies. They say being able to use only the information that a consumer voluntarily surrenders would undermine many sites' financial stability. But opt-out systems add a layer of complexity that would confuse consumers, especially those who are still on the Internet learning curve.
Online privacy will clearly be a charged battle for Congress, which has made a concerted effort not to overregulate the Internet. Lawmakers should remember that self-enforcement didn't work for the car industry. There's no reason to expect it will on the Internet, either.
Black covers privacy issues for BusinessWeek Online in New York
Edited by Alex Salkever