Up for Sale: How Best to Protect Privacy on the InternetPublished: March 19, 2001 in Knowledge@Wharton
If you are reading this article about privacy, you most likely use the Internet to gather information about topics that interest you. You may also go online to email your friends, look for a new job, check out your investment portfolio and/or shop for such items as books, clothes, plane tickets and pharmaceutical products.
If so, without knowing it, you are providing large amounts of personal data to businesses that are free to sell this information, share it, or use it to make decisions that can affect your well-being. Furthermore, you are not being told that this information is being gathered, by whom or for what purpose. You are, in effect, being pick-pocketed by unknown sources for unknown reasons.
This isn’t news. Privacy, or lack of it, has been a concern ever since a significant number of consumers started making credit card purchases online in the late 1990s.
What’s different about the issue these days is the amount of attention privacy is receiving from A) the U.S. Congress, which is currently considering a variety of privacy-related bills B) the business community which is promoting self-regulation as an alternative to legislation C) highly vocal privacy groups intent on reining in what they see as the worst abuses of online profiling and D) a flurry of new online companies aimed at helping consumers protect their privacy.
Wharton legal studies professor Dan Hunter positions the debate over privacy this way:
"Both the e-commerce industry and consumer groups have legitimate concerns that are at loggerheads with each other. For example, online advertisers, e-commerce retailers and other web businesses have a genuine business interest in personalization because it allows users to receive ads targeted to their interests rather than information that is irrelevant. Moreover, the current e-commerce system offers consumers free access to services that would otherwise cost money, such as browsers and access to email, in return for the ‘cost’ of allowing companies to track their interests and general demographics.
"That, to me, is the e-commerce industry’s strongest argument for being allowed access to data generated by web usage.
"I also think it should be permissible for e-commerce providers to track internal demographic information from my browser, as long as they guarantee they won’t give it to anyone else. Unfortunately, there are many instances of that information being sold to retailers, for example, or to private data collection agencies without the consumer’s knowledge or permission."
Put another way, most consumers probably don’t object to Amazon’s practice of suggesting book titles to them based on their previous purchases. What they probably would object to, if they knew it was happening, is the way in which Internet businesses track web users across multiple web sites to collect information about such things as spending habits, income, illnesses and occupation.
"People don’t understand how closely they are being monitored on the net," says Wharton management professor Stephen J. Kobrin. "They don’t understand the implications of technology, how easy it is to data mine, how much information is theoretically available to anyone at any place, and how information that is collected can be saved forever. The reality is that as a result of digital technology, private space will shrink and public space will increase."
What worries privacy advocates the most are the increasingly sophisticated methods – such as electronic tracking tags known as ‘cookies’ and information transmitting devices known as ‘web bugs’ - used by Internet companies to secretly track down information about customers. Indeed, many Internet business models are based on the ability to collect huge amounts of information for a variety of profit-generating purposes.
"Americans accept that on one level it’s all right to sell private information," adds Hunter. "The concern now is that we have gone too far in terms of the amount of processing going on, and the correlation of that information back to one’s physical identity. Even more disturbing is that consumers don’t know how the information is being used and so have no way of tracking it. One doesn’t have to be a consumer protection zealot to think there should be some controls on this."
The Legislative Route
Enter the U.S. Congress. So far more than a dozen bills on privacy have been introduced in Congress and earlier this month a subcommittee of the House Committee on Energy and Commerce met to educate members about "Privacy in the Commercial World." On that same day a separate and bipartisan group called the Congressional Privacy Caucus met to discuss online surveillance technology, including such devices as web bugs and e-mail wiretapping.
Last year a similar number of privacy bills came before Congress, all of which failed. What’s the prognosis for this year’s bills?
David Moulton, chief of staff for Democratic congressman Edward Markey - a staunch supporter of a privacy bill of rights - isn’t optimistic that a privacy bill will be passed by this Congress. "The leadership of the House and Senate will attempt to show they care about privacy without actually changing current business practices. This can be done in a number of ways, but the most effective dodge is the creation of a privacy commission to study the issue." (Such a commission nearly passed the House last fall and has been reintroduced this year.) A tactic like this, Moulton says, allows the congressional leadership to delay action on any legislation for at least a year.
"Votes for privacy legislation are there," Moulton adds, "but the congressional leadership, supported by the business community, uses procedural roadblocks available to them as the majority party to prevent an up or down vote."
He does offer a prediction. "As the horrendous violations of privacy that occur on a daily basis become more and more obvious, we will be able to make some progress in protecting people’s privacy. That will happen, but it will take more pressure than this Congress is feeling right now."
An article last week by Robert MacMillan of Newbytes echoes the point. "Your average [congressmen], as Internet-savvy as their staff may be, know where their fish is fried and in this case it’s with business. They don’t say they are against strong privacy protections … but they are."
Among the bills that have been introduced this year are ones with such titles as the Social Security Online Privacy Protection Act of 2001, the Financial Information Privacy Protection Act of 2001, the Identity Theft Protection Act of 2001, the Consumer Online Privacy and Disclosure Act and the Unsolicited Commercial Electronic Mail Act of 2001.
One issue up for debate in several bills is whether web sites should have to get "opt in" permission from consumers before using any data – an approach favored by many consumer groups - or whether consumers should be required to take steps to "opt out" of any data collection process, an approach generally favored by the e-commerce industry.
The Self-Regulating Route
While Congress debates legislation on Capitol Hill, the business community is actively promoting other options. Chief among these is self-regulation.
Earlier this month, for example, the Privacy Leadership Initiative (PLI) - a group of executives from such companies as AT&T, Dell Computer, Ford, IBM and Procter & Gamble – announced a $30-$40 million campaign aimed at showing consumers how they can use technology to better protect their privacy online.
Last September, a group of executives belonging to the Global Business Dialogue on E-Commerce (GBDE) came out in favor of voluntary guidelines for international web standards designed to protect consumers from privacy abuses. The group - which includes such companies as AOL Time Warner and Toshiba Corp. – advocated, for example, visible seals of approval on business sites that would identify the company as one which offers stringent privacy protections.
And over the past year, several companies – including Microsoft, IBM, 24/7 Media, EarthLink, Excite@Home and DoubleClick - have appointed Chief Privacy Officers, apparently to articulate and enforce privacy policies.
Such moves by industry are intended to not only head off legislative or regulatory action but also to increase consumer confidence in the web as a place to do business. Recent studies have shown that the e-commerce industry does, in fact, have a strong business incentive to improve their act, if not their image. According to a recent news report citing Forrester Research, Inc., 35 million Americans last year spent about $45 billion shopping online. But consumers would have spent an additional $12.4 billion if they hadn’t been concerned about the consequences of giving out personal data on the web.
Walter O’Brien, executive director of PLI, summed up the approach of his organization during remarks made last January at the 20001 e-Business Conference and Trade Show in New York. "Modern technology, especially the Internet, has made the collection of personal information easier, faster and more thorough," he says. "And that makes many people profoundly uncomfortable. There’s a ‘trust deficit’ of troubling proportions that keeps too many consumers on the sidelines. For any company, the stakes in missing so many ‘wary but wired’ consumers are enormous.
"We have a chance to show … how information sharing based on informed consent and real protection works to benefit all parties over time," O’Brien adds. By doing that, business can "protect consumers and maximize the benefits of the information age for everyone."
Many consumers, however, remain skeptical that self-regulation alone will protect privacy. A report last May from the U.S. Federal Trade Commission, for example, referred specifically to the on-line privacy seal program mentioned earlier, and noted that "less than one-tenth, or about 8%, of sites [in a random sample] and 45% [of the 100 most popular U.S. commercial web sites] display a privacy seal." The report did say that industry initiatives – including the seal program - should continue to "play an important role within any statutory structure."
Mark Schwartz, a lecturer on ethics at Wharton, would like to see a combination of government regulation and industry self-regulation. "I think both are necessary. You can’t completely rely on industry to take care of privacy concerns, although it is certainly the preferred choice. Government can establish incentives for industry to self regulate, but at the same time, it should set certain minimum standards to create a level playing field."
The Consumer Advocacy Route
Earlier this year, a group called the Privacy Coalition – whose members include the American Civil Liberties Union, Consumers Union, and the Electronic Privacy Information Center, among others - set out to protect consumers from Internet businesses that collect information without the consumer’s permission.
The types of abuses they want to guard against are varied. "A woman gets a birthday card from Radio Shack a week before her birthday even though she has never been to a Radio Shack in her life," says Schwartz. "It’s not a serious intrusion, but it might be considered offensive by some. Or take the case of a company that fired an employee who made disparaging comments about his boss in a chat room. People don’t realize that companies monitor chat rooms and that what they say there is not protected information."
"Business groups say that if consumers object to privacy violations, they can simply not use those providers whose privacy policies they don’t like," says Hunter. "For example, I don’t have to get part of the New York Times off the web for free. I can go and buy it. That’s my choice. The e-commerce industry also says you can pay $50 a year and register with a service like zeroknowledge.com that will prevent tracking of your information. Internet companies would say that is an example of the market providing a solution to privacy concerns.
"I disagree. These decisions presume a very high level of understanding on the part of consumers as to how the information they provide is being used or collected. But consumers don’t have that understanding. They have no way of tracking what happens, so they don’t know whether, for example, it’s worth $50 a year to try and stop companies from doing whatever they are doing."
Consumer groups are especially agitated over the fact that most web sites do not disclose the use of web bugs in their privacy policies, "even as it gets more and more difficult to block" the bugs, says Schwartz. And they fume over the fact that many companies don’t comply with their privacy policies and/or regularly modify their policies without alerting customers to the change.
"It comes down to whether an individual is given an enforceable right when his or her privacy is violated," says Moulton. "Industry has been unwilling to subject itself to appropriate penalties when they violate their own privacy rules."
The Federal Trade Commission report cited earlier found that only 41% of randomly visited web sites and 60% of the top 100 sites told consumers about their information practices and offered a choice about how that data is used. "Self-regulation alone has not adequately protected consumer online privacy, and as a result, legislation is now needed to supplement self-regulatory efforts and guarantee basic consumer protections," the report said.
The Entrepreneurial Route
While strict privacy advocates square off with the more laissez-faire e-commerce industry, a host of new companies are cropping up to offer the obvious new new thing – protection against the growing variety of web bugs that can collect information from consumers in ever more sophisticated ways.
Companies with names like Anonymizer, Hushmail, IDcide, ZipLip and PrivacyX see the future "as an opportunity to seize lucrative leadership in the privacy space," notes an article in the March issue of Atlantic Monthly. A report from CNET news.com mentions two other companies in the war against privacy violations. One, called Intelytics, will release a software program later this month called Personal Sentinel which web surfers "can use to spy on the spies." The program will describe the "risk level" of any web site by exposing its web bugs. The other company, Security Space, monitors more than 100,000 active sites for web bugs and identifies those sites with the highest number of bugs in use.
So technology, even as it provides opportunities to violate consumers’ privacy, also provides opportunities to protect that privacy. As Intelytics’ home page states: "Our comprehensive mix of software platforms and expert professional services can provide you with the protection you need to navigate safely through the increasingly unsafe channels of the connected world."