E-CommerceALERT.com is part of the Bennett Gold LLP web site network.
LINK TO: Bennett Gold LLP, Chartered Professional Accountants, home page.
LINK TO: E-CommerceALERT.com Home Page.
CLICK to GO BACK to Main Page.

Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: PC World Magazine

Posted on May 8, 2000

NEXT: Part 2 of this article

      A year and a half ago we took a comprehensive look at privacy abuses on the Net. Today, with e-commerce booming, the situation is worse.

      In the real world, nobody knows what TV commercials you watch or which sitcoms you surf. When you go strolling through the mall, no one's making note of the stores you visit or the clothes you try on. But on the Internet, Web sites are doing all of this and more. And that makes some people mad as hell.

      Jeffrey Wilens is so outraged that he filed a class action suit against RealNetworks for allegedly violating his and other consumers' privacy. The attorney from Mission Viejo, California, claims in his suit that the company's RealJukebox software secretly recorded the titles of music CDs and MP3 tracks he played on his PC, then sent the data back to RealNetworks--creating a detailed profile of Wilens' musical tastes. The suit, filed last November, seeks damages of at least $500 for each RealJukebox user in California.

      "I don't accept the concept that there is no privacy on the Internet," Wilens says. "I think rogue companies need to learn to modify their behavior."

      RealNetworks flatly denies Wilens' charges. "Contrary to media reports, we have never monitored user behavior or listening habits," says Keela Robison, product manager for the Seattle-based company. However, she admits that RealJukebox did create a unique identification number for each user and stored the numbers in the same database that holds user names and e-mail addresses. Theoretically, these numbers could track where people go on the Web. The company quickly released a patch that disabled the software's ability to issue the IDs, but that wasn't enough to satisfy Wilens and others who had filed a total of a dozen suits against RealNetworks at press time.

      Meanwhile, six other lawsuits are pending against Internet advertising network DoubleClick for creating online profiles of consumers. And three similar suits have been filed against Alexa, an Amazon subsidiary. With few other avenues of recourse at their disposal, users have taken to the courts to fight for their right to privacy. But the battle has just begun.

A Not-So-Private Little War

      Welcome to privacy in the new millennium, where surfers are caught in a tug-of-war with Web sites over who owns their personal data and what can be done with it. In the year and a half since PC World published its special report "Privacy in the Internet Age," e-commerce has exploded, doubling in volume each year. And as the Net gradually becomes the medium most Americans use to get news, buy groceries, rent movies, obtain medical advice, and possibly vote for presidential candidates, what little personal privacy they once had may soon disappear.

      In some cases, we have only ourselves to blame. Millions of people voluntarily give out personal information to Web sites in exchange for free goods and services. These days, you can get e-mail accounts, Web hosting services, Internet access, even high-speed DSL connections without ever cracking open your wallet. But to take advantage of such offers you must surrender bits and pieces of your identity, from your name and e-mail address to your buying and reading habits. Businesses then market this information to advertisers, or in some cases, to anyone else who may want it.

      At the same time, it's increasingly difficult to trust any site to keep your personal information safe from intruders. Lax security at many Web vendors has made the Internet a hacker's paradise. In the past six months, dozens of major Web sites have suffered theft of credit card information and acts of vandalism such as last February's spate of denial-of-service attacks. As PC World has discovered, even the biggest e-commerce sites can fall prey to crackers--hackers who attack with criminal intent (see "E-Commerce's Dirty Little Secret").

      In addition, the Web has spawned a booming industry of companies peddling so-called investigative services and software. Loads of personal information--from your Social Security number to your driving records--can be purchased online for a pittance by anyone interested in tracking you down or assuming your identity. In most cases, the sale of this data is perfectly legal. But the results can sometimes be deadly (see "They Know Everything About You").

      Sure, you can try to protect yourself by giving out false information or using services that cloak your identity and IP address as you surf, post to newsgroups, and send e-mail (see "The Eyes of Richard Smith"). But as soon as you hand over your credit card to pay for a book or a vacation, your anonymity is gone.

      In fact, the biggest threat to your privacy today isn't crackers, stalkers, or data brokers. It's the legitimate online businesses--such as advertising networks, retailers, and others--that are creating detailed profiles of who you are and what you do when you are on the Web.

Profiles in Commerce

      Consumer profiling isn't new. For years, mail-order firms have been tracking the products you buy so that they can send you catalogs specific to your interests. Shopping club cards allow supermarket chains to keep detailed records of the groceries you purchase. And special-interest magazines regularly sell lists of subscribers to third-party marketers.

      While the practice of profiling is widespread in the offline world, its scope was limited until now because mail-order firms weren't able to easily pool their data--say, to combine records of your supermarket purchases with a list of your magazine subscriptions. But on the Net, it's fairly simple to create a record of every site you visit and every transaction you make. As a result, Web profiles can contain an unprecedented amount of information about your interests and activities.

      "Say you go to a book site," says Evan Hendricks, editor and publisher of the Privacy Times newsletter in Washington, D.C. "[Profilers] can see what you looked at and what you bought. Do those books reflect political opinions, sexual preference, [or] health conditions?"

      Critics paint a range of dark scenarios if Web profiles were ever to become available for sale on the open market. Corporations, for instance, could use profiles to screen out job applicants based on health advice they may have sought on the Web. Say an applicant filled out a health self-assessment form on a medical advice site and listed a family history of colon cancer. Conceivably, the site or its partners could market that information to employers. Or say the applicant bought medicine at a site like Drugstore.com or posted messages to an HIV chat group. All this information could be added to the user's profile, and employers could lower their insurance premiums by not hiring employees who could potentially have serious illnesses. "Those kinds of economic decisions can and will be made," says Fred Druseikis, chief architect for HealthMagic, a Winter Park, Florida, company that provides secure systems for sharing medical records over the Internet.

      "In terms of how information is collected and used on the Internet," says Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC) in Washington, D.C., "to allow detailed secret profiles to be created is disastrous."

      Theoretically, such profiles could also become subject to subpoena or be hijacked by an unscrupulous company or individual. "In a divorce or child custody case, your spouse could use your surfing habits against you," says Larry Sontag, a Seattle-based privacy consultant and author of It's None of Your Business (PMI Enterprises, 2000). "This information could be available to hackers, employees of a company who may be having a bad hair day, or any crook with access to the Internet," Sontag adds. "The lack of privacy means that [this data] is available to both honest and dishonest people."

Double Trouble

      The biggest profilers on the Internet are companies whose sites you may never have visited--networks like DoubleClick and Engage Technologies, which deliver banner ads to thousands of Web pages and may collect information about you without your knowledge.

      These firms use tracking cookies to determine which banner ads you see when you access a Web page. Here's how it works: The first time you view a page with a DoubleClick banner ad on it, the ad deposits a cookie on your hard disk. Then any time you view another page containing a DoubleClick ad, the cookie on your hard drive sends the URL of that page back to the ad agency's server; thus begins a detailed clickstream--a history of some of the places you've visited on the Net. Currently, this clickstream isn't matched to your individual identity. Instead, each cookie contains a globally unique identifier (GUID), which lets the ad server track your movements without identifying your actual name or e-mail address.

      In this way, DoubleClick has amassed information on the surfing habits of 100 million users, while Engage boasts a database of 52 million profiles. (Note: We use DoubleClick to serve ads. If you want to opt out of DoubleClick's cookies, visit DoubleClick's PrivacyChoices site.)

      Last fall, however, DoubleClick quietly revealed that it planned to link the names of surfers, their e-mail addresses, and other personal information about them to their clickstreams. The New York-based company said that it would combine these profiles with additional data about the purchasing histories and habits of some 88 million U.S. households. DoubleClick obtained this data when it bought the offline market research firm Abacus Direct last November.

      According to senior vice president Jonathon Shapiro, DoubleClick's intention was merely to target ads to specific users. "The whole goal here is to make advertising work by getting the right message to the right user at the right time," he says.

      But the reaction from consumers and privacy advocates was swift and vociferous. EPIC filed a complaint with the Federal Trade Commission, alleging that DoubleClick was "engaging in unfair and deceptive trade practices by tracking the online activities of Internet users." The FTC and attorneys general in New York and Michigan initiated inquiries into the company's practices, and as we went to press DoubleClick had been named in six civil suits for alleged privacy breaches.

      In response to the backlash, the company suspended its plans to merge profiles with personally identifiable information. In a statement appearing on DoubleClick's Web site last March, CEO Kevin O'Connor admitted that he had "made a mistake" in attempting to identify users. He also vowed that "until there is agreement between government and industry on privacy standards, we will not link personally identifiable information to anonymous user activity across Web sites."

      But privacy advocates warn that DoubleClick's change of plans is just a temporary reprieve. "I think you have to read the language of DoubleClick's reversal very carefully," says Robert Ellis Smith, publisher of Privacy Journal in Providence, Rhode Island. "They have simply agreed to defer their plans until the heat's gone. The company did not agree to cease combining online and offline information in the foreseeable future [or] say that it is an unfair marketing technique."

Are You Being Followed?

      DoubleClick and RealNetworks are not the only sites accused of tracking users' activities across the Web. Amazon.com is embroiled in a similar controversy involving Alexa Internet, a San Francisco-based software firm that the e-tailing giant purchased in June 1999. Amazon plans to use Alexa's software in its ZBubbles shopping service. The free software's menu bar sits on top of your browser as you surf, suggesting similar sites to visit and letting you share information with other shoppers. But it also captures the Web address of each page you view--and according to security expert Richard Smith (see "The Eyes of Richard Smith" ), these URLs can contain a wide variety of personally identifying information.

      For example, when you use a search engine like AltaVista, the URL for the results page contains a text string including the terms you searched for. Depending on how the Web site's search engine works, a URL could contain your name or e-mail address, too, as well as the titles of books you may have bought, flights you may have booked, and health conditions you may have researched--all of which, Smith says, get sent up the wire to Alexa. (Smith uncovered a similar problem having to do with DoubleClick cookies. A recent example involved Intuit, whose Quicken Web site was inadvertently forwarding users' financial information to DoubleClick. Intuit quickly plugged the leak, and DoubleClick says it didn't store this information; but DoubleClick did not provide details of what exactly is stored in its profiles.) At press time the FTC had opened a formal inquiry into Alexa's information gathering practices, and the company has been named in three consumer lawsuits.

      According to Dia Cheney, director of corporate communications for Alexa, the company stores its users' Web trails anonymously and keeps this data separate from personally identifiable information, such as e-mail addresses, that users may have provided when they registered the software. She would not comment on Smith's allegations, saying they were part of the FTC inquiry. "We are cooperating fully with the informal FTC investigation on a voluntary basis," she says. "Historically, Alexa has always been concerned with protecting consumer privacy."

Policies Are No Insurance

      So far, most of the attention has been focused on getting sites to post privacy policies that state what information they collect and what they do with it. But both RealNetworks and Alexa have been accused of violating their own policies about keeping user information anonymous. If such claims are true, the sites could be held liable for committing fraud, says Professor Gerald Ferrera, who teaches a course in cyberlaw at Bentley College in Waltham, Massachusetts.

      "Promises made in the privacy policy are as much a part of the transaction as what is delivered to the consumer," Ferrera says. If a company fails to observe its policy, it can be sued under the federal Consumer Fraud and Abuse Act, as well as various common laws and state and federal consumer protection statutes.

      But policy breaches may be more common than most people realize. A study of 21 health advice sites coauthored by Richard Smith and sponsored by the California Healthcare Foundation found that many sites share sensitive information, despite privacy policies against the practice. The study, published in January of this year, looked at health-specific entities such as AllHealth and WebMD, as well as high-traffic portals like AltaVista, Excite, and Yahoo. Its key finding:

      "On a number of sites personally identified information is collected through the use of cookies and banner advertisements by third parties without the host sites disclosing this practice. There are also instances where personally identified data is transferred to third parties in direct violation of stated privacy policies."

      For example, the report states that some sites provide health assessment tests. For six of these sites (OnHealth, AllHealth, CVS, Yahoo, HealthCentral, and InteliHealth), the tests are actually conducted by a third-party firm, a fact that is not made clear to visitors. Third-party firms that collect the data (including personally identifying information) are often not covered by the host site's privacy policy; so, theoretically, these third parties could sell your health information to marketers, insurers, or potential employers. In other cases, the report found that sensitive data such as e-mail addresses was inadvertently embedded in the URLs that were being sent to advertisers and ad networks.

      In short, Internet privacy policies offer consumers very little protection. "Six months ago, just having a privacy policy was considered pretty honorable," says Abner Germanow, a research manager at International Data Corporation in Framingham, Massachusetts. "Today, most policies are pretty worthless."

      A Georgetown University study, published in June 1999, examined 361 commercial Web sites and found that nine out of ten ask you to supply at least one piece of personal information, such as your name, e-mail address, or postal address. But only two-thirds of the sites in the survey offered privacy statements. And less than ten percent had what researchers considered a complete policy--one that provides consumers with a statement about the site's data collection practices, an opt-out clause, access to the information collected, a description of how the site secures data, and phone numbers or e-mail addresses that consumers can use to contact the company. What's more, privacy statements can be changed at will, often without notification to users or affiliated sites. EPIC's complaint to the FTC notes that DoubleClick changed its policy three times in the past three years.

      "If you want to find out how a company feels about your personal privacy, don't look at their privacy statement, look at their business model," says Rick Jackson, CEO of Privada, a San Jose, California-based maker of products that allow consumers to surf the Web anonymously. A former executive at Net Gravity, Jackson helped engineer that marketing firm's merger with DoubleClick last October, despite personal reservations about some of DoubleClick's marketing methods. The more an information-gathering company knows about you, he says, the more money it makes: "That's their business model. If it's a question of profit versus privacy, profits come first every time."

Legal Remedies

      Until now the US federal government has adopted a hands-off approach to Internet privacy--watching and waiting for the Web industry to regulate itself. Organizations like Truste still say that this is the right course to take. Truste, based in Cupertino, California, oversees privacy policies for more than 1300 Web sites, including those belonging to RealNetworks and Amazon.com's Alexa (PCWorld.com is also a Truste licensee). According to Bob Lewin, CEO of Truste, RealNetworks' response to allegations of privacy abuses demonstrates that self-regulation works.

      Lewin says that Truste convinced RealNetworks to issue a patch that prevents its software from assigning a unique identification number to each user. Truste also persuaded the company executives to appoint a chief privacy officer and to release RealPlayer 7.0 using an opt-in model, so that consumers must actively choose to create a unique ID number, rather than the more common opt-out model used by the majority of Web sites. "We did all of that in the space of one week," Lewin says. "You show me any government body that moves that fast." Unfortunately, Truste's influence is limited to its licensees, which don't include such Internet heavyweights as Amazon.com and DoubleClick. And while Truste does perform quarterly audits of its members' Web sites to ensure that the stated privacy policy on the site matches the member's practices, the organization does not specify what kinds of information members can collect, nor what they can do with that information once they have it. "The problem with self-regulation is that it rewards bad actors," says EPIC's Rotenberg. Once a Web site begins generating revenue by selling user profiles and personal information, he explains, other Web sites will have to follow suit in order to remain competitive.

      "There's no way any number of companies will be able to protect human rights through a business model," says Privacy Times publisher Evan Hendricks. "When things go wrong, people need a [legal] remedy. Right now we don't have that."

      Although several states have already enacted their own privacy statutes, there is no comprehensive federal law governing personal privacy. But the situation may change this year. Congress is currently debating a dozen bills designed to regulate different types of personal data, from medical records to financial matters.

      Senator Robert Toricelli (D-New Jersey) recently introduced a bill that would require Web sites to obtain users' permission before installing devices such as cookies that track their movements on the Internet. And last February, Senators Richard Shelby (R-Alabama) and Richard Bryan (D-Nevada) banded together with Representatives Edward Markey (D-Massachusetts) and Joe Barton (R-Texas) to form the Congressional Privacy Caucus. This bipartisan group is expected to draft new privacy legislation that will be based on the principles of user notification, consent, and access.

      Privacy wonks, however, are skeptical of what the federal government may cook up. "I think the best place for legislation in some ways is at the local or state level," says Tom Maddox, editor of PrivacyPlace.com, a Berkeley, California, site specializing in privacy issues. "Federal laws tend to be big, fat, unwieldy... sledgehammers swatting at gnats. They usually miss the gnat and hit the rest of us."

Technology to the Rescue?

      You can opt out of DoubleClick profiles. You can avoid using software that follows your footsteps on the Internet. You can crumble every cookie before your browser takes a nibble from it. And still you are at risk from the next site, the next advertiser, the next marketer who sees dollar signs in your data.

      One thing is certain: Online data gathering will not go away. Too many Web sites are depending on the revenues from selling user data or delivering specific demographics to advertisers. The question is whether you'll have any say in what happens to your information.

      "The real issue is, who's in control of my online profile, who can access it, and who's selling it?" says Germanow. "When I show up at a travel site, do I want them to know who I am and what frequent flyer program I belong to? Yes. When I'm doing research on AIDS because I have a friend in the hospital, do I want that as part of my profile? I don't think so."

      Today, even vendors who sell products for protecting anonymity admit that there is no easy solution for e-commerce. Programs like PrivadaProxy and Zero-Knowledge's Freedom can protect your identity while you browse, chat, or send e-mail, but according to Privada's Jackson, "As soon as you decide you want to buy something, you're left unprotected."

      Both companies say they are working on schemes to allow consumers to shop anonymously and expect to introduce products within a year. Zero-Knowledge's Austin Hill sees a future in which shopping agent software can assure a Web site that you have the credentials to make a purchase, then negotiate what data you are willing to give up in return for a good price.

      "What if you had the most accurate version of your profile under your lock and key?" asks Hill, president of the Montreal firm. "Your credit information, EBay reputation, frequent flyer miles, how much shopping you do. You'd be able to leverage that data, build relationships with merchants, and still maintain your privacy."

      Hill believes that consumers need to start thinking about Internet privacy the same way they think about viruses. "You don't use a computer unless you have antivirus software," he says, "and you shouldn't give away data without protecting yourself. Every time you fill in a Web form or a registration card, make sure that the data is 100 percent necessary for completing the transaction, and that the company will protect it." When enough consumers refuse to give away their personal information for free, he adds, merchants will have to respond. "You have to be a kind of Jeffersonian citizen for the Web," agrees Maddox. "Be aware, be educated, take personal action. If you're just a passive consumer, they will drive right over you."

NEXT: Part 2 of this article

CLICK to GO BACK to Main Page.

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.

Final Entries

LINK TO: Bennett Gold, Chartered Professional Accountants: A Licensed Provider of WebTrust Services.

WebTrust Is Your
Best Defense
Privacy Breaches.

Get WebTrust
Working For
Your Site.