A Little Privacy, Please

LIKE ALL REVOLUTIONS, the Internet revolution has a dark side. Along with online shopping and stock trading with the click of a mouse, the Web has brought an invasion of its users' privacy that only Big Brother could love.

And no longer is the threat a futuristic one. DoubleClick, an Internet advertising network based in New York, has compiled 100 terabytes of data on more than 100 million Web users' habits. In February, the company announced that it was backing away from plans to link personal identities and other information gathered from the offline world to databases containing Web-browsing habits. DoubleClick shelved the idea only after a public scolding by privacy advocates, a probe by the Federal Trade Commission (FTC), and a lawsuit by the state of Michigan.

Indeed, privacy is quickly becoming a subject of debate for just about every company with a Web site. And the battle is just beginning. New data-gathering technologies and more-aggressive companies continue to push the limits of privacy on the Net. While E-commerce increases the ability to target specific customers, the mountain of data Internet sites collect could also be valuable to employers, insurance companies, and nosy neighbors.

At stake, of course, is consumer trust. Large E-commerce companies such as Amazon.com and Ebay Inc. fear that a few highly publicized breaches of online privacy could scare away customers. But even more than that, Internet companies fear that if they cannot impose self-regulation, the government is likely to step in. "Government intervention is the last thing business wants," says Russ Bodoff, senior vice president of BBB Online, a privacy auditor based in Arlington, Virginia. "Restrictive legislation could retard the development of technology and slow the growth of electronic commerce."

Little wonder that last March, at a financial summit at Boston College, IBM Corp. CEO Louis Gerstner called on every executive in the country to personally "inspect his or her company's privacy policies [to] find out where they stand, and get on with it." So far, said Gerstner, "our partners in government have been very patient on this one."

Maintaining that patience, however, demands finance's attention, says Frank Siskowski, CFO of E-Loan, an online provider of consumer loans, based in Dublin, California. "I see privacy as an integral piece of the fabric of our internal controls," he says. "All CFOs have to be involved." C. Andrew Johns, CFO of 24/7 Media Inc., an interactive media and technology firm based in New York, agrees. "It's the CFO's role to make sure that all the company's practices stand up to public scrutiny. Ensuring good privacy practices is certainly a key part of that," he says.

PRIVACY DISASTERS There's been plenty of scrutiny lately in the wake of a number of privacy missteps, both on the Internet and off.

In January, ZapMe Corp., a San Ramon, California-based firm that provides free Internet access and equipment to schools in exchange for providing advertising to students, was accused of helping advertisers collect the names and addresses of minors for marketing purposes without parental consent.

Last May, Liberty Financial Cos. was forced to settle a complaint from the FTC that it was inappropriately collecting personal information from children and teens on its Young Investor Web site. The company was accused of hoarding personal information, such as weekly allowance, spending habits, and college plans, along with names and addresses, after promising anonymity.

Last June, General Electric Co.'s GE Investments unit was forced to stop using tracking codes on envelopes that identified survey respondents without their knowledge. A Washington Post article cited a letter in which a GE Investments official praised a printing company for the "discreet" way respondents were identified.

According to some observers, the worst is yet to come. Robert Ellis Smith, publisher of Privacy Journal, a monthly newsletter on computer privacy, located in Providence, warns that many companies are at risk for a "privacy disaster." He says there is a good chance that companies could experience the equivalent of an "oil spill" of sensitive consumer information. "There have been plenty of instances where hundreds of credit card numbers got posted on the Web," he says. To Smith, the potential danger amounts to a risk-management issue. "Companies need to measure the probability that there will be a breach compared with the costs of fixing it, and make the right decisions," he says.

LOST CHANCE? While it is hard to determine if such breaches have affected customer loyalty, it's clear that the government is watching. In fact, last month President Clinton warned Silicon Valley executives that the failure to protect consumer privacy could limit the Internet's potential growth. He also hinted at government intervention if businesses don't take stronger measures. "This is a big deal. Do you have privacy practices you're proud of?" he asked.

To many, the question is not if the government will regulate privacy online, but when, and how much. "Online marketers' hopes of avoiding government regulation have been dashed," warns Jim Nail, a senior analyst with Forrester Research Inc., in Cambridge, Massachusetts. "Waves of legal action and negative publicity have ruined the chance to self-regulate," he asserts.

Already, several bills have been introduced in Congress. One, from Sen. Robert Torricelli (D-N.J.), would ban "cookies"--small programs that Web sites place on their visitors' computers to track Web activity--that are being used without consumer permission. Others have proposed legal protection for certain types of information, such as medical and financial data.

Still, companies are holding out hope that they can stave off government regulation. To date, several industry efforts are under way to develop privacy guidelines. Last November, for example, the Network Advertising Initiative was formed to focus on consumer privacy. And in April, a group of 26 companies, including DoubleClick, American Air lines, and PricewaterhouseCoopers, launched the Personalization Consortium to develop guidelines for using personal information.

Some finance executives, however, believe that what is needed is consistency. "We as an industry need to demonstrate to the consumer, as well as to the FTC, that we can be responsible," says 24/7's Johns, who calls for industry leaders to come up with a set of consistent and acceptable industry standards.

Johns could use the guidance. 24/7 recently backed away from plans to marry online and offline databases after competitor DoubleClick's missteps. The company is now taking a higher road on the privacy issue. "[Practices] need to stand up to the white glove of public scrutiny," says Johns. "With all the creative ways to gather information, there is the temptation to take that additional step; to say, 'No one will catch me.' But that's not going to work [anymore]."

EMPTY PROMISESP The wait for standardized guidelines may soon be over. The FTC'S Federal Advisory Committee on Online Access and Security, which includes industry representatives as well as privacy advocates, is set to release a report on online access and security issues on May 15. And privacy experts, such as Larry Ponemon, a partner with PricewaterhouseCoopers who sits on the FTC committee, says he 'would be surprised if we didn't see a convergence on this issue within the year."

In the meantime, companies have been rapidly adopting their own privacy policies to demonstrate their eagerness to self-regulate. A recent survey conducted by the McDonough School of Business at Georgetown University and commissioned by the FTC, in fact, found that 94 percent of Web sites now post some type of privacy statement on how the information they gather is used, up from 71 percent last year.

But critics wam that posting a privacy statement on the Web is not enough to fend off government regulation. "Most companies are at the baby stage of privacy practices," argues Smith. "They post privacy statements [on their Web sites] willy-nilly instead of implementing a real privacy policy. There is a big difference." (See 'All Eyes on Privacy;' page 142.) In fact, a study earlier this year by the California HealthCare Foundation found that 16 of 19 major health-related Web sites violated their own privacy policies and allowed confidential medical data to be passed on to advertisers.