Visit the Amazon.com site to buy a book online and your welcome page will include recommendations for other books you might enjoy, including the latest from your favorite authors, all based on your history of purchases. Most customers appreciate these suggestions, much the way they would recommendations by a local librarian.


But, what if you visited an investment site, only to find advertising messages suggesting therapies for your recently diagnosed heart condition? Chances are that you would experience what Fran Maier calls the “creepiness” factor, a sense that someone has been snooping into a part of your life that should remain private.


Maier is the Executive Director of TrustE, a nonprofit that sets guidelines for online privacy and awards a seal of approval to companies meeting those guidelines. She was a speaker at the recent Supernova conference, an annual technology event in San Francisco organized by Wharton legal studies and business ethics professor Kevin Werbach in collaboration with Wharton.


Creepiness Factor

The creepiness factor is a risk inherent in so-called behavioral targeting. This practice is based on marketers anonymously observing a user’s behavior on the Internet and compiling a personal profile based on interests and behavior — sites visited, searches conducted, articles read, even emails written and received. Based on their profiles, users receive advertising targeted specifically to them, regardless of where they travel on the web.


Consumer advocates worry that online data collection and tracking is going too far. Marketing executives counter that consumers benefit from seeing advertising relevant to their interests and contend that relinquishing some personal data is a reasonable trade-off for free access to Internet content, much of it supported by advertising.


Mining Data

Underlying these concerns about individual privacy is the speed with which Internet technology has moved into everyday life over the last decade or two. Fifteen years ago, the Internet was a novelty used by relatively few people; today it is used by millions to search for information, buy goods and services, and join in discussions. Rapidly evolving technology has given companies a tremendous and growing ability to collect, store and analyze vast amounts of data from these consumers.


“Everything we do online creates a transaction record and all that data has some value,” said Bruce Schneier, a well-known security expert and chief technology officer at BT Counterpane, a provider of enterprise security solutions. “As data storage and processing costs drop to virtually free, the data we would normally toss we save instead.”


Such data storage and data mining — the process of finding correlations or patterns among dozens of fields in large relational databases — enables more and more detailed forms of tracking and profiling, whether by government or companies, that can have serious implications for privacy. Some analysts claim Internet users generally don’t mind such collection and prefer to see ads that reflect their interests. Analysts also contend that privacy concerns are at least somewhat generational, with younger users more comfortable with data collection than older ones.


Yet Schneier, Maier and others argue that most people, whatever their age, don’t really understand just how much information is being collected and analyzed, nor have they thought much about the possible negative implications of such activities, such as the increased potential for cyber-stalking and identify theft.


According to recent research by TrustE, most online consumers have a general understanding that their browsing information may be collected for advertising purposes. But they don’t fully understand behavioral targeting and don’t like the idea that their browsing history is used to deliver specific advertising to them.


Paradoxically, however, nearly two-thirds would prefer to see ads only from advertisers they know and trust, which would, in fact, require online tracking. In a survey — conducted by global researcher TNS based on a poll of 1,015 Americans representative of the online adult population — a huge majority of participants (91%) say that, given the opportunity, they would use online tools to control online tracking of their information. Maier said the data gives “a solid indication that consumers want us to find a way to get them the advertising that is relevant to them. In order to do this, behavioral targeting is one of the most promising methods, but at the very least, it has to be made more transparent, provide choices and deliver real value.”


The Right Balance

Maier and her fellow panelists at Supernova acknowledged that both consumers and marketers have yet to figure out the right balance between data collection and user privacy, and the best ways for targeted advertising to serve the needs of advertisers as well as users.


Take, for example, the case of Facebook, the popular social networking site. Last year,  it introduced a system called Beacon that tracked members’ purchases on other sites and shared the information with each user’s social circle. Within a month, outraged users had forced Facebook to reconsider its unannounced initiative. The company apologized, then introduced new privacy options that require users to “opt in” to the Beacon program.


As in so many areas, technology’s ability to support web tracking is moving faster than society’s ability to manage it. Current public policies on privacy go back to 1973 when the U.S. Department of Health, Education and Welfare set seminal guidelines for the fair use of computerized personal information, such as notice to consumers before data collection, opportunities to opt out of such collection, access to data collected, and security of data from unauthorized use. “Do these make sense in 2008?” asked Maier, who suggested they are insufficient for today’s collect-everything, everywhere web environment.


In fact, said Maier, “Our thinking about privacy was built on who you are. But we now also need to look at privacy with regard to what you do. The debate and framework for privacy have changed forever.”


Does that mean a national privacy law? Social and political realities lead most analysts to believe such a law is a long way in the future — and that the U.S. is unlikely to follow the lead of European countries in the online privacy arena. In Europe, privacy is viewed as a fundamental right, an obligation of a state to its citizens. In the U.S., privacy is an individual right of a consumer that can be traded for a benefit — such as free use of the Internet.


Schneier doesn’t see the U.S. shifting to the European view of privacy, but he does see the country eventually developing its own approach. “Laws move slowly. We will eventually have a national data privacy law with teeth, because you can’t operate a national information economy without one. But it may take 20 years.”


Transparency vs. Sneakiness

In the meantime, there is no denying the insatiable appetite of companies for more and more information about web users because of the strong financial incentives. As Jonathan Swartz, Sun Microsystems chief executive officer, said, “You do want to collect everything about users you can, every micro item. But you want to make sure the user knows what you’re collecting. You need to be transparent — being even a little sneaky can be disastrous.”


According to Joe Kraus, Google’s director of product management, “better privacy starts with technology that is more granular, technology that allows a third-party site to get exactly what I want it to have. We need to give users more control over exactly what specific information is shared.” That’s especially important, added Kraus, as “the Internet merges with a huge number of mobile devices.”


Asked to choose the single most worrisome issue, Schneier pointed to the consolidation and cross-correlation of data by companies like Choicepoint and also by government agencies. “We have data that is illegal for the government to collect, so they buy it from industry, and vice versa. All the strands of information come together and can then be used in unexpected ways.” (Choicepoint is a giant in the commercial data brokerage industry; in 2005 it reported the theft of personal information on 145,000 consumers from its database.)


Maier also voiced concerns about “how we are tracked across the Internet, based on targeted information. And, how much of this information do governments have?” She also sees positive signs, however, including attempts to develop best practices among some Internet companies and a younger generation that is more adept at using the web to its advantage.


Like any powerful technology, online data collection, processing and tracking has both good and bad uses, said Gerard Lewis, vice president, general counsel and privacy officer for Comcast. “The challenge is to strike the right balance with the right enforcement. To do that, we need the entire community, the whole set of public and private actors — consumers, users, corporations, public policy experts, government — to be part of the discussion.”