editorial: Regulate, or Be Regulated

The Internet is still a new frontier and, just like the wild west of old had its shanty towns, the Internet has its share of hastily thrown together business ventures. There's money to be made online, but you can't make a dime if you don't have a site with something to offer.

In its current -- and largely unregulated -- state, the Internet has actually given rise to a culture of virtual cottage industries. All you need is a product or a service (or a relationship with a Web site that supplies a product or service), a computer and access to the Internet. No office space, no support staff (unless you count your ISP), no overhead.

But all of this online prospecting is beginning to catch up with the Internet. Even the greatest of intentions doesn't protect a consumer's sensitive information from millions of prying eyes if network security is not properly implemented.

Though a number of recent e-commerce security breaches can be traced back to smaller vendors, this affects larger companies if they share the same supply chain. And it’s the larger companies that have the most to lose, particularly if the government eventually decides to make those entrusted with sensitive information liable for privacy breaches on their sites.

IBM took an official stance in favor of Internet security in March by publicly announcing it would remove its online advertisements from Web sites without clear privacy policies. This takes effect June 1 in both the United States and Canada. The removal of online IBM ads in North America expected to be followed by similar policies in Asia and Latin America later this year. IBM's action is particularly poignant because there is no greater source of revenue for Web sites than their advertisers.

IBM -- which spends a reported $60 million per year on Web advertising -- found that only 30 percent of the sites it advertises on post privacy policies. This may seem like a drop in the bucket when you consider that, overall, $4 billion is expected to be spent on Internet ads in 1999.

But IBM's action got the attention of the federal government. Commerce Secretary William Daley is now urging the top 20 advertisers on the Web to follow IBM’s example. According to Daley, retail purchasing on the Internet is expected to grow to $30 billion by the year 2000, with about 39 percent of all retailers now offering products online. With all of this real money changing hands via the virtual world, the government reports that the two biggest concerns about online shopping are privacy and protection from disreputable companies.

In March, the Federal Trade Commission took part in an Internet privacy study, the results of which will help determine whether or not Internet companies are making progress toward providing sufficient security.

It is largely up to U.S. businesses to regulate themselves by setting privacy standards. Across the Atlantic, the European Union (EU) has already passed a privacy law that restricts the flow of personal data out of EU member nations, which has implications for business in the United States. According to Stone Investments Inc., a Dallas-based technology investment firm, the EU directive prohibits companies from electronically transferring data to countries outside the EU that don’t have what the EU government deems to be adequate privacy protections. Countries outside the EU need to have a national law on privacy that covers the entire public and private sectors, and a national regulatory agency with the power to enforce the law. The U.S. meets neither criteria.

Converse to the EU's view that government needs to get involved, Stone Investments believes the U.S. must examine the broader implications of privacy laws, which may retard the growth of the Internet much to the detriment of its underlying technology and potential. Those who oppose governmental intervention seek to avoid regulation that will fragment the flow of information across the Internet. This fragmentation could potentially come in the form of governmental checkpoints that restrict the flow of certain information.

According to The Journal of Commerce, for example, in an article published earlier this year, American Airlines has been forced to stop transmitting information – such as meal preferences, requests for wheelchair assistance and specific hotel arrangements – about Swedish passengers to the airline’s Sabre reservation system in the U.S. A small inconvenience in the grand scope of e-commerce and online security, but a specific example of governmental e-commerce regulation nonetheless.

Privacy is a tricky issue. Users want to preserve their online anonymity. They don’t want their personal and financial information distributed throughout the online community, but they also don’t want the government to decide how the Internet is regulated.

If the IT industry doesn’t want the federal government to get involved, IT professionals must step up to govern themselves. President Clinton’s administration reportedly favors self-regulation of the Web, but, with the president’s tenure almost up, how long will this last?

IBM demands that Web site owners clearly post their privacy policies. Another measure could be to warn companies not to store sensitive information on the same server that hosts their Web sites. It could also be argued that smaller, less Web-savvy enterprises should look to outsource their e-business efforts to third-party professionals who can implement tighter security.

The choices are there, and it’s up to the IT market to decide whether or not they regulate themselves or give the government the impetus to step in.