A Private Word, Please

Threats are a useful tool to change behavior. In almost any realm of experience, however, there comes a moment when threats have no effect. "Pick up your toys, or I’ll pick them up and you’ll never see them again" is a phrase I scoffed at for months as a youngster. Only later, when I noticed that some of my favorite possessions were missing, did I realize that a threat had unexpectedly transformed into action. As far as protecting the privacy of online users goes, it’s a lesson the online industry has yet to learn.

For almost 3 years the U.S. government has warned companies collecting information online that they need to establish meaningful policies regarding the personal information they collect. The industry responded by pleading for a chance to regulate itself. As electronic commerce grew in importance, concerns about online and Internet privacy grew. Still, like that child and the toys strewn around the house, the industry didn’t heed the warning.

At ISPcon 98, a gathering of Internet service providers (ISPs) and online industry experts held last March in Baltimore, former Federal Trade Commission (FTC) commissioner Christine Varney said, "We’ve given the Internet and online industry more than enough chances to regulate themselves. Perhaps it’s time for the government to intervene." Her instincts have proved accurate. In June the FTC called for government regulation of privacy on the World Wide Web.

As an example of the problem, the FTC points to one Web site where, under the ruse of a contest, children are asked to provide personal information such as name, postal address, e-mail address, sex and age. The site continues by asking the child whether he or she has received gifts in the form of stocks, cash, savings bonds, mutual funds or certificates of deposit; who has given these gifts; whether monetary gifts were invested in mutual funds, stocks or bonds; and whether the child's parents own mutual funds. The Web site does not suggest that children ask their parents for permission before providing personal information, nor does it attempt to involve parents in any way. Further, the site says nothing about whether the information is disclosed to third parties.

It wouldn’t be painful if this example were an exception, but unfortunately it’s far more common than you may realize. The FTC did a survey of privacy practices on the Web and found that the Internet and online service industry efforts to encourage voluntary adoption of the most basic fair information practice principle -- alerting Web users that information is being collected -- have fallen far short of what is needed to protect consumers. The commission's survey shows that the majority of Web sites -- upward of 85 percent -- collect personal information from consumers. Few sites -- only 14 percent in the commission's sample of commercial Web sites -- provide any notice about their information practices.

Using cookies to store personal information doesn’t work, because cookies aren’t very sophisticated. For example, current implementations of cookies raise privacy concerns (when the user accepts all cookies indiscriminately), are a hindrance (disabling cookies can make it impossible to use sophisticated sites), or are a nuisance (the user must click through repetitive dialog boxes).

Thus, beyond the social and business issues, privacy has a technical component. For this technical problem, a solution has emerged that may make it easier for users to state their privacy concerns and have them adhered to by commerce and service sites on the Web. Called the Platform for Privacy Preferences (P3P) specification, the technical solution gives Web servers and applications a standard approach to disclosing online privacy practices, and gives users the ability to make informed decisions about how their personal information is used.

Even former FTC commissioner Varney is impressed: "We need the tools to protect our privacy online, and P3P is essential to empower all of us to make informed choices on the basis of our privacy preferences as we navigate the Web."

However, organizations that use Web sites to collect information will still have to deploy P3P as part of their application. Users who want to use P3P to protect themselves will have to wait until this fall’s new generation of browser technology appears. Until then, the browsers will not have the ability to put control in the hands of the user, even if electronic commerce sites are using P3P in their online applications.

What incentive do the online industry and those with sites that collect information from consumers have to use P3P? The free-wheeling world of electronic commerce has long been allergic to industry regulation, but inaction has caused the FTC to step in. This summer, the FTC will make recommendations on actions it deems necessary to protect online consumers generally. Already, in the area of children’s online privacy, the FTC has recommended that Congress develop legislation placing parents in control of the online collection and use of personal information from their children.

Like the child who never picks up the toys, the Internet industry never took the threat of government intervention in electronic commerce seriously. Perhaps it does now, but it may be too late. Unless the industry undergoes a radical transformation, the ponderous politics of government regulation may be applied where self-regulation would have been more meaningful and effective.

Mark McFadden is a consultant and is communications director for the Commercial Internet eXchange (Washington). Contact him at mcfadden@cix.org.