Our Four-Point Plan
E-privacy and e-commerce can coexist. Here's how to safeguard both

Privacy policies seem like very simple things. Companies put up a notice online about how they gather and use information, and it's win-win from there. Consumers get the lay of the land, and Net companies pass on to consumers the responsibility for their online privacy.

If only it were that simple. These little postings have actually been the focus of rancorous debates for years. The tricky thing is that once policies are up there for all to see, companies are legally obligated to uphold them. That's one reason sites have dragged their feet in putting them up. Or should we say down? The statements are usually buried at the bottom of the page, and seem to be drafted by life-forms on a distant planet.

It's time that policies be written for mere mortals. Not many sites do a great job of explaining how information is tracked, used, and disclosed to partners. Consider the privacy policy of search engine Ask Jeeves (ASKJ). The company first says it always asks permission before providing information to partners. Yet on a registration form, the choice given to consumers is that information is shared unless you say otherwise. To confuse matters further, the policy later states that: ''Ask Jeeves sometimes co-sponsors [sweepstakes and contests] with other companies, in which case the user's individual contact and demographic information is likely to be shared with participating sponsors. [The] information will not be released...without the user's consent.'' So which is it: Is your information automatically shared unless you go the extra step to object? Or is it kept private unless you pipe up and give the green light? When asked directly, Ask Jeeves says it depends. Depends on what? It's fine for companies to have different options, but overly vague possibilities baffle consumers, rendering privacy notices useless.

One solution might be simple icons that help to navigate the policies. Like the ''Information'' sign that is recognized around the world, these symbols could be standardized: a large ''p'' signifying ''privacy policy'' could be placed on the top right-hand side of the page, on a registration form, in an electronic shopping cart, or anywhere that information is collected on a site. Often it's not clear, upon registration, whether you need to locate an ''opt-out'' button and click on it to stop the site from sharing your information with others, or whether the site intends to ask your permission each time it wants to pass information to another site. Icons could help clarify this (page 88).

SECOND OPINION. Simple road signs on the Info Highway may seem trivial, but understanding the full measure of privacy policies is no joke. They resemble contracts. Indeed, they are generally the only privacy-related feature on sites that can actually trip a lawsuit. In January, New York District Attorney Spitzer used privacy policy violations by Chase Manhattan Bank (CMB) and Sony Music Entertainment Inc.'s InfoBeat to curtail their sharing of data. ''We have an obligation to define reasonable boundaries,'' he says. ''We have to articulate what privacy rules should be and then how to enforce them.''

It isn't enough to have just any old policy, though. The statements need to follow the Fair Information Practices, clearly laying out how each site addresses choice, access, and security. Policies should outline how a person's information is shared and how to limit its use. Contact numbers or e-mail addresses should be available. And the date when the policy was last changed should be clearly stated. Web execs make a good argument when they say that it's hard to know how they will use data in the future. But they should alert consumers when the policy changes. Amazon (AMZN), for example, says it doesn't sell or trade information now, but adds: ''We may choose to do so in the future.'' The only notice the company says it will give is a change in its policy online.

The sharing of information is a white-hot button in the privacy debates. And for good reason. A Georgetown University survey of the privacy policies on health-care sites showed how common this is. Of 21 sites sampled, six offered assessments on health conditions that were actually run by other companies. Some companies shared names, ages, and e-mail addresses, which makes it hard for users to know who has their personal data or which privacy policy to rely on.

In the best of all worlds, companies should bind partners with whom they share data to their privacy policies. At the very least, they should inform consumers that they plan to transfer personal information to a partner. That way, consumers can check out the partner's privacy policy and make an informed decision about whether they want to participate.

DEFINING TERMS. It's all too vague on Yahoo's Web site. That's partly because the No. 1 site on the Net has what's known as a ''universal registration,'' where people sign up once and are entitled to a host of different services--from e-mail to auctions to private personal calendars. But the universal registration information also ties in with other services offered through partners, such as the reservation service Travelocity provides. While details about data-sharing practices are explained on Yahoo (YHOO), they are buried many clicks deep in so-called terms of service agreements, which aren't marked as privacy policies.

Some companies, such as PeoplePC and eBay, have very clear policies that describe how information could be passed to partners and name some partners as examples. They also try to provide some level of surety. For instance, eBay Inc. says that before it provides personal information to partners, it lets users see the data it has collected. That's a step forward, but still limiting. To prevent eBay from sharing your data, you must choose not to use the service. And for those who give the O.K.? Once the information is transferred in these co-branded services, eBay says it has no control over how partners use the data.

It's crucial that these partnerships, data-gathering techniques, and customer options are spelled out, especially for Net newbies. Companies must be clear about how they define ''personally identifiable information,'' because that description can change from site to site. Just as vital, they need to spell out the technology used to track and profile consumers. RealNetworks, which overhauled its privacy policies this fall after being accused of compiling information about the musical tastes of users, has a straightforward approach. It breaks out every tracking technique it uses and explains them simply and effectively. In contrast, CBS SportsLine explains that it uses IP addresses to identify users and their shopping carts but doesn't bother to explain what an IP address is. For the record: This is a trackable number assigned to your PC every time you connect to the Web.

Clearly, privacy policies are backbreakers to write. But it seems the hardest part about them for any company is coming up with a privacy philosophy that they will stick to. Once this hurdle is crossed, however, the positive impact might resonate into the brick-and-mortar world as well. Privacy policies governing credit reports, drug prescriptions, and more could follow the new model for the Internet.

Right now, there's only one way you can be sure that the sensitive details of your life won't spill out over the Internet: Don't log on in the first place.

Short of doing that, consumers who surf the Web do so at their own peril. There are practically no laws to stop sites from ferreting out as much personal information about you as they can get their hands on--and then turning around and selling it to the highest bidder. If an AIDS patient visits a health site to investigate the side effects of the drug AZT, that site is free to market the information to drug companies, insurers, or anyone else.

Things don't have to be this open. What is needed is a way to give consumers more control over what is collected about them and more say over how it can be used. Proposed new federal and state laws would require Web sites to allow consumers to ''opt out'' of a company's data-collecting and resale operations. How? The new laws would force sites to display a box, which, for example, could be checked off by AIDS patients if they didn't want health-care sites to track the screens they read, store their credit card numbers, or resell any of that information.

OPTING OPTIONS. Of course, many Web sites already let visitors opt out. But most of those opt-out boxes are buried. Some of the proposed new privacy laws, such as a Senate bill being sponsored by Ron Wyden (D-Ore.) and Conrad Burns (R-Mont.), would require every Web site to offer a clearly written, prominently displayed opt-out box. Under such bills, consumers who arrive at the home page of Yahoo, Amazon, or eToys (ETYS) would be able to find the opt-out box right under their nose, perhaps on the upper right-hand corner of their screen.

But even such prominently placed boxes might not be protection enough. Studies indicate that people who may otherwise be worried about online privacy are not going to stop their surfing long enough to read a few sentences of dense boilerplate, and then click on a box. That's why some politicians and privacy advocates are pushing even tougher protections. Rather than put the burden on consumers to opt out, they want to put the burden on companies to get Web surfers to opt in. Before a site could start collecting and selling most data, it would have to get people to check a box giving it permission to do so. A controversial Senate bill to do this has been proposed by Robert Torricelli (D-N.J.).

Industry reaction to giving consumers more choice ranges from genuine enthusiasm to hyperventilating hostility. Among critics, opt-out legislation is generally regarded as the lesser evil. But because information technology is evolving rapidly and the Internet soon will be widely available on tiny cell phones and other devices, some online executives worry that a bulky, federally required opt-out notice might not fit. ''Having laws get down to pixel counts and screen layouts won't work,'' says Max Metral, chief technology officer for PeoplePC.

Nonetheless, most Web executives can live with opt-out. But they are terrified of opt-in. Execs worry that many people simply won't be willing to make the extra effort that opting in requires. As proof, some cite the Children's Online Privacy Protection Act, a 1998 law that limits the collection of information about kids under 13. Among other things, COPPA requires parents to opt in, by written letter or fax to the site, before their children can use online chat rooms and message boards. Just ask Julie Richer, president of San Francisco-based, a site that targets 7- to 12-year-olds. Richer says COPPA has caused message board and chat room traffic to plummet by more than 40%.

But the objections to the opt-in rule go beyond the issue of reduced traffic. Advertising revenues might also suffer under Torricelli's opt-in proposal. There would be less free information available, making it harder for companies to put together the kinds of demographic profiles that allow them to target customers more precisely. Says DoubleClick (DCLK) President Kevin Ryan: ''The Torricelli legislation would have a very negative impact on the Internet.''

There's no doubt that opt-in would hike the cost of doing business online. But it's not as bad as its detractors claim. For one thing, companies would be able to lure people to opt-in by offering Web surfers cash and other incentives. It also would earn the goodwill of privacy-conscious Web surfers. One convert is Gregory Miller, chief Internet strategist for MedicaLogic, a Hillsboro (Ore.) site offering online health information, and a member of the Federal Trade Commission's new advisory committee for online access and security. His company supports opt-in on the theory that customers will be attracted to a site that takes privacy concerns seriously. ''If you ask someone for permission to market to them, you build a loyal customer,'' says Miller. ''It's our job to convince the consumer that it's a good idea to opt in by being truthful and showing what the benefit is.'' One way MedicaLogic would do this: It could persuade diabetes sufferers to surrender their personal information by offering timely updates on advances in treatment. ''There are so many users out there, and the Net is growing so rapidly, that you can still get a reasonable return on your investment. People can be persuaded to opt in,'' says Miller.

Ideally, the best way to protect privacy on the Net is to combine the best elements of both opt-out and opt-in--as the European Union does. Opt-in methods are relatively extreme, so they should be used only for the most sensitive information--your chronic heart problems, for example, or the details of your financial holdings and your sexual preferences. And rules should be strict. No pre-checking of the opt-in box allowed. Instead, companies should be forced to describe what type of information they will be collecting and what they will be doing with it. Finally, opt-in also should be required before a company can resell any information about a Web surfer to a third party or share it with an ad network, since this offers few benefits to the surfer.

Apart from these extreme situations, the rule should be opt-out. Yes, it will be a pain in the neck to offer consumers this much control over how their information is used. But the bigger hurt could come from doing nothing and watching Web surfers opt out of the Internet.

Americans gained a precious thing from the Fair Credit Reporting Act of 1970: the right to inspect their credit records and find out why the bank turned them down on a car loan or a mortgage. No such privileges exist when it comes to online profiles, and it won't be easy to invent them. But some experts say the same kinds of tools Web sites use to track visitors could be used to provide at least a partial window into the data banks that store online profiles.

First, the downsides of doing that: The information a Web site collects is often strewn among multiple databases. Companies may not have the resources to query each one every time a surfer gets curious. What's more, the profile of your browsing habits may be based on cookie files--the bits of identifying code that Web sites deposit on your hard drive so they can monitor your comings and goings. If that's the case, those profiles may be linked only to the computer you browse from, not to your identity in the outside world. Do you really want to request access to that profile? The site would have to authenticate you. And in the process, it would acquire even more information about you than it started with. ''It's clear that many systems on the Web were designed without much thought to privacy,'' says David M. Kristol, a member of the technical staff at Lucent Technologies Inc.'s Bell Labs. ''These systems may be quite difficult to retrofit.''

Hard, but not impossible. Some of these challenges seem tailor-made for smart software solutions. ''If there's data in a database, it's there so that you can access it,'' says Lorrie Cranor, an AT&T Labs researcher who chairs a privacy working group at the World Wide Web Consortium.

Second point: If your profile--warts and all--is pegged to a string of numbers in cookie files, then, in theory, a Web site could manage your request for access by matching it to that same string. Authentication would be far from perfect, but perfection is rare in cyberspace. ''We need a button we can push that says 'show me the profile you have on me,''' says personal privacy detective Richard Smith in Boston. ''That should be relatively straightforward, because they already have an account mechanism, the sign-in.'' And if companies refuse? People could take it to the Federal Trade Commission.

The FTC, by the way, is on the case. It established an advisory committee on online access and security that began meeting on Feb. 4. It's made up of 40 people, including lawyers, professors, industry representatives and privacy advocates. And it plans to provide recommendations to the FTC on a range of options by May 15.

Not all the modes of online behavior that come before this committee will be so terribly controversial. Few argue against letting consumers see--and correct if necessary--sensitive data such as financial records and medical data. But many execs say providing access to routine info would be a costly nuisance of dubious benefit to consumers. ''Do you really need to see that Banana Republic says you bought five shirts when you bought four, and do you really need to correct that?'' says a lobbyist for one Web company.

But even where it's a nuisance to business, consumers should see more of what goes on behind the curtain. If you're being hounded by a direct marketer who is convinced you are interested in sex toys, you should be able to see whose data generated this profile. The marketer will probably argue that the data are culled from too many places. But there's an easy answer to that, too: Make the marketers keep a source list. Computers excel at keeping track of such things. If they were bad at it, this privacy morass never would have happened.

Better warnings. More choice. Access to your personal records. These things will go a long way toward protecting your privacy. But they won't be enough. After passing the broad laws that we are proposing, Congress will have to take extra steps to ensure that companies honor them.

The reason: Privacy laws are unusually hard to enforce. Say, for example, that you plug information about your stock portfolio into a financial Web site but deny permission for this information to be shared. Say that the site ignores your request and sells the data to a charity anyway. Most likely, you'll never find out about the privacy breach. And even if you do, the infraction didn't cause you any economic harm. That means you wouldn't have much financial incentive to sue the offender--and you'd no doubt have a hard time getting a lawyer to take your case. ''Only people with a real privacy vendetta are going to sue,'' says Jonathan Zittrain, executive director of Harvard University's Berkman Center for the Internet & Society.

Because enforcement is chancy, unethical Web sites will be tempted to cheat on the rules. So, to ensure that crime does not pay, Congress will have to shell out a lot of money for privacy cops. Which agency should handle the job? Some experts have suggested creating a brand-new federal privacy commission--but that would be a political nightmare. Others have suggested a government-authorized, industry-run group such as the Internet Corporation for Assigned Names & Numbers (ICANN). This type of quasigovernmental organization would probably move faster than a typical agency, but it also would be vulnerable to becoming the pawn of the very people it is supposed to regulate.

We favor giving the job to the Federal Trade Commission, which has begun moving aggressively on the issue of Internet privacy and which already enforces the Children's Online Privacy Protection Act, the Truth in Lending Act, and the Fair Credit Reporting Act. The agency should be empowered to impose stiff penalties for violations.

PRIVATE PROTECTION. Of course, any privacy laws will need to evolve. As the Internet makes its way onto cell phones, watches, and other devices, some of the privacy rules that make sense in a world of deskbound PCs may become irrelevant. And the long-term prospect of biometric authentication--where fingerprints and retinal scans may be used as New Age passwords to Web sites--will certainly raise serious new privacy issues. Such a scheme would require nothing less than a national database of identifying biological data, raising the spectre of abuse by both outlaw hackers and Big Brother prosecutors.

Meanwhile, new technologies will certainly emerge to help consumers safeguard their own privacy. This summer may see the launch of the long-awaited P3P software standard, which will provide the means for consumers to set privacy preferences in their browsers and allow them to be automatically alerted when the Web sites they click on have privacy policies that differ from their choices. But this technology won't be a panacea. Privacy isn't just about fancy software. It's also about making sure that information is being used in the ways companies had promised. Technology won't protect people from privacy invasions. Only people can do that.

By Heather Green, Mike France, and Marcia Stepanek in New York, and Amy Borrus in Washington, D.C.


Copyright 2000-2009, Bloomberg L.P.