You're probably going to find this startling, but while you're surfing the Net, your computer is usually telling web sites the name of your Internet service provider (America Online, Florida Internet or whoever); the web site you last visited (ever visited a web site that you'd like to keep to yourself?); operating system (Windows 95, Macintosh, etc.); what kind of web browser you're using (Netscape or Internet Explorer, including version number); and other information. Many sites keep a log of all your visits.
I bet that you're not feeling so anonymous anymore.
Today, it's almost impossible to know who's collecting what information about you and to whom they're selling it. Concerns about these issues led the Federal Trade Commission (FTC) to hold a series of workshops last week on privacy issues posed by the Internet and the sale of private information by database companies. The FTC will use their findings to decide whether to recommend new Federal legislation in these areas.
The online industry used the week of the FTC hearings as an opportunity to show how willing they are to adopt voluntary standards-an effort, of course, to head off government regulation. For example, Netscape and Microsoft, the makers of the only two web browsers that count (in the sense that the two companies control almost the entire market for browsers), announced that future versions of their software will allow users to decide just how much personal information they want to reveal to a web site.
During the hearings, the two industry giants demonstrated prototype software to the FTC that will permit users to set up privacy preferences in their software. If the web site requests more information than those privacy preferences allow, the user can choose either to override the preferences or not visit the site. This way, the user has some control over information dissemination.
A Question of Cookies
Cookies were bad enough when we only had to worry about their calorie content. Now we have to worry about their information content, too. In Internet speak, a "cookie" is a mechanism sent to your computer's hard drive that allows a web site to record and retrieve lots of personal data about you. These cookies talk.
Cookies give you a digital tag that notifies a web site every time you enter it. Cookies can collect all kinds of information about your web-cruising habits and furnish that information back to a web site-and you have no practical way of knowing anything about this exchange of information.
Here's how it can work: A cookie from an online store can store information which will allow that web site to know what you bought the last time you visited. The next time you frequent it, the store can tailor how they present some of their online offerings to you.
Maybe you bought merchandise in the $25 to $30 range last time. This time they might choose to greet you by featuring products in the $28 to $32 range in the hope of bringing up your average purchase amount.
Is this good marketing or an invasion of privacy? It's probably both. If you think about it, it's like having a supermarket keep track of every purchase you make. Maybe that's not so terrible, but then when you consider that the supermarket can trade notes with the pharmacy, which can trade information with the clothing store and so on, it may start feeling like an intrusion into your privacy.
Pooling of all of this miscellaneous information could turn a harmless gathering of trivia into a complete profile that you may choose to keep private.
Cookies trouble privacy advocates who would like to see users have more control over them and the information that they provide. Today, for example, Netscape 3.0 (a commonly used version of the browser) can be set to notify you when a cookie arrives, but that's not the same thing as controlling what data the cookie collects-and you can end up getting pestered to death by the message popping up constantly.
Software certainly can be designed to not provide information about you without your consent. Microsoft's and Netscape's announcement of voluntarily adding privacy-enhancing features to future browsers indicates a positive trend-that is, the Internet industry developing a heightened sensitivity to privacy issues.
We've Already Lost Control of Personal Data in Another Arena
The simple fact is that today, except for laws concerning consumer credit information, U.S. law provides little protection when it comes to privacy. Long before the Internet became popular, a large and profitable industry existed which sold private information about you.
Did you know that for about $3 to $7, I can probably get your birthday, home address, Social Security number, driver's license number, unlisted telephone number, marital history, list of professional licenses, real estate and cars owned, and other personal information? Oh yes, and I can do it online in just minutes. That gives me enough information to steal your identity, if I'm a criminal-or cause a lot of trouble for you, if I'm a prankster.
People are starting to take note of this easy and cheap availability of personal information. The FTC took note too, during its workshops. The alarm has been sounded.
In response to a hint of possible government regulation, eight large database companies used the hearings as an opportunity to announce their own voluntary policies designed to address the concerns of privacy advocates. They agreed to release private information only to "qualified people" who agree to use the information "appropriately."
Oh yes, those minor details like who's a qualified person and what's appropriate use will be determined later-by the database services. I certainly feel better already, knowing that these large database companies, which make a living selling information, will be deciding these issues after the glare of the FTC hearings and the public spotlight disappears.
Now obviously, someone applying for a job as a school bus driver needs to expect the bus company to check his driving record. What would give us all some added level of privacy though, would be a law that required the job applicant's signed consent to the release of private information to a private party.
If you want and need private information, the law should require that you have the consent of the party who is being investigated or a purpose that is statutorily defined as "appropriate use." Is that too much to ask? If you don't want to give a stranger who has no legitimate purpose your date of birth, social security number and unlisted home telephone number, shouldn't it be your right to refuse?
Database Industry Is Incorrigible
While I'm optimistic about the Internet industry's ability to get the secret dissemination of information under control, I don't feel the same way about the database industry. The proposal put forth by the database industry to the FTC was worse than a bad joke.
Would I be labeled a cynic if I were to guess that the industry's definition of "qualified person" will probably end up unofficially reading something like this?
"Any person, government, company, entity or thing, of any kind or nature (but only limited to matter, energy and everything else contained in this universe) who or which is (i) capable of making a request for personal information; and (ii) financially capable of paying for the information."
As for the definition of "appropriate use," I would think that the industry will develop a complex legal definition like, "If they can pay for the information, it's none of our business how they use it."
The Internet and its problems are relatively new. It's still possible that the Internet industry can get its problems under control through voluntary standards. I'd love to keep government out of it, if possible. I'd like to give voluntary standards and technological solutions, through better software, a try.
On the flip side is a database industry which is quite mature. It's been around since long before the personal computer become common. It's an industry that has a history of meaningless self-regulation.
With this industry, I think that until we decide that we've had enough of them selling private information to whoever can pay, the practice will continue. They've been doing it for years, and it's only getting worse. It's time for new legislation limiting who can buy this information and for what purpose. Without this legislation, we jeopardize our right to some basic privacy.