The debate over online-data collection gathered new energy last week, when the Federal Trade Commission came out in support of federal legislation to protect consumers. After conducting its third Web-site survey in as many years, the agency reversed a long-held policy backing self-regulation. In a report released to Congress on Monday and in testimony before the Senate Commerce Committee on Thursday, a majority of the FTC commissioners recommended that Congress pass a law to establish “basic standards of practice for the collection of information online.”
The Online Privacy Alliance, an ad-hoc group of 100 companies that includes America Online, Intel and Yahoo!, was quick to fight back, arguing that recent laws, such as the Children’s Online Privacy Protection Act, and changing industry practices make additional legislation unnecessary. The proof, according to the group, is that the number of Web sites posting privacy policies jumped from 14 percent two years ago to 90 percent today.
An online-privacy expert who conducted the FTC’s 1999 study says the Alliance’s numbers don’t tell the whole story because the types of sites surveyed in 1998 and 2000 were different. Georgetown University business professor Mary Culnan says that only two thirds of all companies on the Web disclose a privacy policy. “The question,” she says, “is, How are you going to get that number up?”
The FTC wants more than posted privacy notices that merely inform consumers of a company’s data-use policy, which critics say are often vague, confusing or too legalistic to be understood. The Feds also want commercial Web sites to give Internet users a choice as to how their information (about purchases or parts of a site they explore) is used, the ability to check collected information for accuracy and security to protect personal data. Only 20 percent of commercial Web sites from a random sample now meet those standards, according to the FTC, compared with fewer than half of the most popular sites.
The FTC’s concerns are shared by many users. Two thirds of consumers are worried about protecting their personal information online, according to Christopher Kelley, an associate analyst for Forrester Research in Cambridge, Mass. There’s no question that the amount of data companies can collect is mind-bogglingly vast. “Businesses are taking large volumes of personal data,” says Dave Steer of Truste, a San Jose, Calif., group that promotes posted privacy policies, “and creating a profile of a consumer that includes who they are, what they like, what they dislike, when they were born and credit-card information, which they are getting straightfrom the person from online forms.”
Many companies argue that the information they collect makes for a better customer experience, not abuse. And sometimes collected data simply sits there, unused. “A lot of these companies may not be doing anything with the data, because they don’t know what to do with it,” says Kelley. “However, they might know what to do with it six months from now or a year from now.”
It appears unlikely that new online-privacy legislation will be passed during this session, but Sen. John McCain, who chairs the Commerce Committee, has tentatively scheduled a hearing on online profiling and privacy for June 13.
In the meantime consumers can check out services that let them search the Internet without revealing their identity, like Anonymizer.com of La Mesa, Calif. There are also a number of software programs that enable one to create secret digital identities, like Freedom from Zero-Knowledge Systems of Montreal. Another promising approach comes from a company called PrivaSeek in Broomfield, Colo. Its program, Persona, lets users determine what kinds of information they are willing to share on a site-by-site basis. Users might skip sites, for example, that share data with third parties. But Web sites must be enabled to use this technology; so far, few are.
Another trick is to use “anonymous remailers” that strip out a user’s real name and e-mail address and replace them with dummy information that makes the sender impossible to track. The Washington, D.C., nonprofit Electronic Privacy Information Center maintains a list of remailers and other privacy tools on its Web site (epic.org).
A combination of these approaches can stop unscrupulous retailers from linking your shopping habits on amazon.com, for example, with your cancer survivor’s online discussion group. But the larger issue–how much online snooping is too much–is likely to bring out passionate proponents on both sides over the next few months. “It’s not about legislation or no legislation,” says Christine Varney, a former FTC commissioner who is now advising the Online Privacy Alliance. “It’s about how do you best protect the privacy of sensitive data like financial, medical and kids’ data, and how do you empower consumers to protect nonsensitive data.” So next time you’re online, remember: someone is watching.
What You Can DoLook for a posted privacy policy:Read the fine print:Cover your tracks:
