From...

May 20, 1999
Web posted at: 10:36 a.m. EDT (1436 GMT)

by Deborah Radcliff

INTERACTIVE Are businesses doing enough to protect consumers' privacy online? Yes No View Results

(IDG) -- The issue of privacy both polarizes and unifies government, cyberactivists, businesses and consumers. "Privacy is something that Americans respond to very emotionally," says industry analyst Jim Balderson at Zona Research Inc. in Redwood City, Calif.

Businesses have been on a collision course with consumer privacy ever since businesspeople realized the Internet's enormous marketing potential. "You have zero privacy. Get over it," Sun Microsystems Inc. CEO Scott McNealy told a crowd at a product launch earlier this year. That statement set off a firestorm of negative publicity in publications like Wired and is frequently derided by cyberactivists.

Such blithe underestimation of consumers' privacy concerns could be costly.

For example, users revolted against America Online Inc. in July 1997 when it declared it would sell customers' names and telephone numbers to telemarketing partners. And the Federal Trade Commission fined the Web-site hosting service GeoCities for violating its own policy on how it would use its members' personal information.

"Privacy is a very strong consumer concern. Just for their own self-betterment, companies doing business on the Web should address that concern," says Lee Peeler, associate director at the FTC's division of advertising practices.

But businesses and consumer interests need not crash head-on over privacy. In fact, Tara Lemmey, executive director of the San Francisco-based Electronic Frontier Foundation (EFF), predicts businesses that protect their customers' privacy will likely grow a faithful following and blow away their competition.

Put it in writing

It starts with disclosure, Peeler says. Tell your customers how you're gathering information, what you will do with that information and how consumers can prevent misuse of their information.

More businesses appear to be providing some sort of disclosure. A survey released last week by Georgetown University Business Professor Mary Culnan found that nearly 66% of 364 Web sites posted information practice statements. That's a significant improvement from what the Federal Trade Commission reported last year. The FTC said only 14% of 674 Web sites provided any such statement, and only 2% posted a comprehensive privacy policy. Nonetheless, "There's a big gap between what the average consumer wants done with their information and what the average business wants to do with the information," says John Gilmore, a former mainframe administrator who co-founded the EFF 10 years ago.

One reason for that gap is time-to-market, says Thomas Tucker, president of Key Marketing Services, an Internet marketing and business hosting service in Batavia, N.Y. "The issues for my company ... revolve around what is the quickest, cheapest and safest way to order any product over the Internet," he says.

Recent FTC actions may prompt businesses to take more time to hone their privacy policies.

Peeler says the FTC is embroiled in a handful of Internet privacy cases that he wouldn't discuss. But last year, the FTC filed a deceptive practices complaint against New York-based Internet company GeoCities.

The conflict arose over how GeoCities handled its "optional" form field information (education, income, marital status, occupation and interests), which was not to be released without the member's permission. But the information was shipped to third-party marketers. In addition, the complaint said GeoCities gathered personal information about children without parental consent.

"In the GeoCities case, we were concerned about the collection of information from young children. The second part was that their privacy policy did not coincide with their actions," Peeler says.

In February, GeoCities received FTC approval of its privacy policies after GeoCities agreed to beef up its privacy practices and obtain parental consent before gathering information on children.

"This was a wake-up call in terms of how seriously we must treat privacy matters," says GeoCities spokesman Bruce Zanka, who stresses that no one was harmed in that instance. "We've taken stock of our privacy practices and have our house in very good order. Now we just want to get this whole matter behind us."

MORE COMPUTING INTELLIGENCE
	IDG.net home page
Computerworld's home page
Computerworld Year 2000 resource center
Computerworld's online subscription center
Reviews & in-depth info at IDG.net
IDG.net's personal news page
Year 2000 World
Questions about computers? Let IDG.net's editors help you
Subscribe to IDG.net's free daily newsletter for IT leaders
Search IDG.net in 12 languages
News Radio
	Computerworld Minute
	Fusion audio primers

Let the customer drive

In addition to posting a privacy policy, Internet businesses should also conform to an increasingly popular opt-in policy, contends Mike Starkenburg, CTO at Cyberian Outpost Inc. (www.outpost.com), a Web retailer of computer products in Kent, Conn. Opt-in means that consumers get marketing materials only if they request them.

"We've always had an opt-in policy — an option to say explicitly, 'I want mail,' " he says. "What drove us to being anal about this is that we do a lot of business in Europe and Japan. The European Union rules on privacy are much more stringent than here in the U.S."

In order for U.S.-based Internet businesses to work with the EU's strict data privacy laws, the U.S. Department of Commerce last month released its own set of privacy rules, according to a report in The Wall Street Journal. Those include telling EU citizens how their data will be used, allowing them to opt out of having their information sold, securing the data collected and giving EU customers access to their own data.

In addition to government intervention, two private-industry organizations have stepped in to help Web businesses with their privacy policies.

Those organizations, TrustE, which was founded in part by the EFF, and BBBOnline, a new offshoot of the Better Business Bureau, support the opt-in policy. In fact, both groups have turned privacy into profit by selling products and services designed to protect consumers and add credibility to Internet businesses. Those include:

• Templates to help electronic businesses design privacy statements.
• Certification and auditing services that periodically review the sites for compliance to privacy policies.
• TrustE and BBBOnline logo buttons that customers can click to read a Web site's privacy policy and check the business' status with TrustE and BBBOnline.

Though many hail these services as the best available solution, some online marketers, like Tucker at Key Marketing, feel they're gimmicks to make a site look more credible. "I think a lot of online privacy issues are really mountains being made from molehills. Some people grab them and focus on their own marketing niche," he says.

If a company opts not to use an outside service like BBBOnline or TrustE, it should at least provide a link to its own privacy statements on every Web page, contends Shelley Harms, executive director of public privacy at Bell Atlantic Corp. in New York. But she found it difficult to convince her organization's 40 webmasters to give up space to put a privacy button on every page. So she gave them better training on privacy guidelines.

"General employee awareness is also important," Harms says. "You don't just talk to the technologist, you also talk to those in the company who collect information — marketing folks, order takers, data-entry operators ...."

If all employees aren't on the same privacy page, your company could get stung the way America Online did last year in the Timothy McVeigh case. In spite of a corporatewide privacy policy to the contrary, an AOL customer service operator was duped by a U.S. Navy investigator into telling him that McVeigh owned the online screen name BoySearch. McVeigh, a master chief petty officer, was dismissed from the Navy on charges of homosexuality. Last June, he settled lawsuits against AOL and the Navy.

The biggest problem with privacy policies is their length: AOL's is eight pages, and Bell Atlantic's is three. What Web-surfing consumer would want to take the time to read them all?

Enter Platform for Privacy Preferences (P3P), developed by the World Wide Web Consortium. P3P, a privacy protocol which received wide industry support at last month's Computer Freedom and Privacy conference in Washington, translates English language privacy policies into Extensible Markup Language, machine-understandable policies. Joseph Reagle, project analyst at the consortium, anticipates that P3P will start showing up in Web servers and other Web technologies by year's end.

Consumer controls

Similar to subscribers of BBBOnline and TrustE, Web businesses using the P3P-based technologies will develop their privacy statements with the help of P3P-intelligent templates. Because those templates generate certain keywords and statements common to most privacy policies, they will be readable from consumers' browsers. Consumers will also be able to preconfigure their browsers to release or not release personal information to Web merchants based on whether they accept a site's privacy policy.

"The user's interaction is guided by their privacy preferences, but they don't have to necessarily read the sometimes-confusing privacy practices of every site they visit," Reagle says. "For instance, the pop-up window would say, 'This merchandiser subscribes to BBBOnline or TrustE.' Or it could say, 'This site has a questionable privacy practice. Do you want to proceed?' "

Privacy groups including EFF and technology giants like IBM, Microsoft Corp. and Novell Inc. have jumped on the P3P bandwagon. Outpost.com's Starkenburg says P3P is similar in concept to today's parental-control applications.

For more than 10 years, the EFF, which last year operated on $1.1 million in private donations, has waged an education campaign to bring together business, technologists, consumers and government to find common ground on privacy. And it's not alone. Other, newer cyberrights nonprofits such as the Global Internet Liberty Campaign and the Electronic Privacy Information Center are waging similar campaigns. All hope to stave off government privacy regulations. But it may be too late.

Last month, U.S. Sen. Orrin Hatch (R-Utah) warned businesses that some form of Internet privacy legislation "appears inevitable." Two bills have been introduced. One, the Online Privacy Protection Act, would require Web-site privacy policies.

The EFF's Lemmey says she hopes Washington doesn't have to jump in. Rather, she'd like to see industry self-regulation combined with government backup in the form of enforcement only when personal freedoms such as privacy are violated. "A good balance could be struck between good business practices and potential [government] backstops for bad actors," she says.