Privacy

[Steve]

x-no-archive: yes



The Internet wants your personal info. What's in it for you?

Business Week 4/5/99


Rima Berzin recently inherited a laptop computer from her husband
and began an intense two-day honeymoon with the Internet. She went
all the way: buying jeans at Gap, browsing for books at
Barnesandnoble.com, and registering for Martha Stewart's online
journal. While Berzin was shopping, something very un-Martha
happened: Her spree left muddy digital footprints all over the Net.

Berzin, a Manhattan mother of two, is like a lot of other Americans
just stepping onto the Web. When a friend told her how much personal
information she had swapped for the convenience of home shopping,
she was angry at first, then confused. On Berzin's first visit to
Gap, hidden files called ''cookies'' were deposited on her computer.
Other software programs whirred into action to track and analyze her
online behavior. Marketers didn't know her name at first, but the
anonymity evaporated when Berzin made her first purchase. ''You can
say no to being tracked,'' says the former strategic planning
executive, ''but it takes a great deal of work, and sometimes it pays
to say yes.''

No one hacked Berzin's credit card or stole her identity. Such crimes
are still rare on the Net. The apprehensions that engulfed Berzin are
more far-reaching than fear of theft and resonate across society.
Personal details are acquiring enormous financial value. They are the
new currency of the digital economy. Indeed, a $50 billion freight
train called electronic commerce is bearing down on Berzin and
millions of consumers now venturing forth on the Net. That train is
powered by an insatiable need for personal information--details about
what individuals do online that help businesses zero in on customers.

This train is on a collision course with consumer sensibilities.
Personal information is vulnerable to abuse. Failure to apply checks
and balances today will change our lives and our notions of what
belongs to us as individuals. ''The ability to establish a digital
trail is unlike anything we've had so far in history,'' says
Constance E. Bagley, a Stanford University lecturer in law.

As companies race to collect personal data and exploit them,
consumers are being confronted with urgent trade-offs and choices
about how to cover their tracks in cyberspace--or whether they
should. If they decide not to hide, how should they be compensated
for the information they reveal? Businesses also face arduous
trade-offs. Rightly, they fear a backlash over breaches of privacy.
Cries for regulation have already reached Washington. If consumers
like Berzin opt to conceal themselves or bolt from the Net or bind
it in new laws, E-commerce could choke in its infancy.

By slapping high prices on personal information, E-business adds a
frightening new dimension to the privacy debate. That fear extends
across society. Hospitals and schools, for example, are constructing
vast national databases with everything from your child's
fourth-grade report card to the unique twists and turns of your DNA.
Businesses want that information, and in the online world--where
virtually every piece of data is for sale--they will probably get
it. ''You already have zero privacy. Get over it,'' Sun Microsystems
Inc. CEO Scott G. McNealy glibly noted at a recent computer-fest.

Most Americans might find that hard to swallow. Many are starting to
understand that what companies discover can hurt them. First comes
the nuisance: a blizzard of junk mail. Then come the real dangers:
Companies on the Web that know consumers' shopping habits and
history can engage in sophisticated kinds of discrimination. If a
business finds out that you, for example, are not a big spender, it
may leave you dangling on help lines, refuse to notify you of juicy
deals and discounts, or cut you off as a customer. And you won't even
know you've been a victim. ''It's very hard to show the
discrimination occurred because somebody had access to personal
information,'' says Deirdre Mulligan, staff counsel at the Center for
Democracy & Technology in Washington.

Then there's the danger that the discrimination could be based on
information that is false or out of date. ''There hasn't been a data
system built yet that is not fraught with inaccuracy,'' warns
privacy activist Robert Ellis Smith. Even when information is
correct, it may be damaging--and none of anyone's business. Digital
trails that imply or prove that you have AIDS, for example, could
cause employers or insurers to snub you. Suppose you're a college
student accused of date rape, says Jason Catlett, a privacy advocate.
''What happens when the prosecutor finds out that you were on a porno
site the night before?''

To get consumers protection, privacy advocates have been mobilizing
politicians, leading to scores of federal and state privacy bills. A
few are calling for tight government controls on personal
information. (Europe stiffened such safeguards last fall.)
E-businesses can't abide these regulations, worrying that such steps
will cost them money. So they are trying to police themselves. Many
popular sites post privacy policies and increasingly sport seals of
approval from the Better Business Bureau and others, which purport
to verify adherence.

But all these efforts come up short--in part because life on the Net
is so complex. Information you willingly share with one company may
be sold without your knowledge to somebody else. Privacy pledges
posted on Web sites have limits and may not be enforced. Your
personal data can become the property of strangers through subpoenas,
corporate mergers, police investigations, or hacker attacks. And the
results of your latest medical exam could turn up in the hands of a
potential employer.

One reason simple protective measures fail is that consumers aren't
sure they want them. Although they are worried that their privacy
may be violated, they realize that personalized service on the Web
can be very attractive. A Web site that recalls your tastes and
buying habits can save you time and find bargains that suit you. What
you see may depend on where you live, where you browse, what images
tend to hold your eyeballs, and whether you have the loot to do more
than look.

As a result, consumers send confusing signals. One day, they are up
in arms over Intel Corp.'s ability to track Web surfers through
identifying codes on their new Pentium chips. The next, thousands
race to trade their names, income levels, and hobbies in return for a
Free-PC with built-in ''market to one'' advertising.

E-commerce, more than conventional business, needs this personal
connection for several reasons. First, despite their lofty stock
valuations, Web-based businesses with little or no earnings can't
afford to constantly solicit new customers. They need repeat
business. At Excite Inc., for example, customers who exchange tidbits
about themselves in return for a personalized experience--in the form
of selected news, movie listings, local weather, etc.--return to the
site roughly 20 times more often than those who don't, says Joe
Kraus, Excite's co-founder and senior vice-president.

Armed with loyal customers, Excite can then pile on additional
services and boost its income. It can offer advertisers banner ads
and ''pop-ups'' aimed only at the customers deemed most likely to
respond. Sites can also earn commissions for routing customers to
other locales. For example, visitors to technology review pages at
CNET Inc., a news site, may click through to a computer company and
purchase a PC. CNET gets a flat fee for each customer.

Customers' data will become more valuable as databases from various
sites are linked. That includes information from cookies, the files
that many sites deposit on your hard drive when you visit. These
files, which identify you when you log on, were initially designed
to communicate only with the site that deposits them. Now, though,
online marketing firms with names like DoubleClick, AdKnowledge,
MatchLogic, and Engage may merge data from multiple cookies. That,
in turn, can be collated with personal information scattered among
census and motor-vehicle databases, credit reports, education and
health records, and toll systems such as E-Z Pass.

As they consolidate their reach across these offline databases, Web
sites may also apply powerful software tools to monitor and make
money from the buying and browsing habits of their visitors. For
years, banks and telecom companies have been using technology called
data mining to track customer trends and spot fraud. Now, the tools
are getting more powerful, and they are moving onto the Web.

These tools are becoming available just as massive databases are
consolidating. Experian Information Solutions Inc., the giant
credit-report company, has a stake in online marketer AdForce Inc.
Meanwhile, an information aggregator, Acxiom Corp., is hawking data
on more than 176 million individuals and 96 million households.
''They follow you more closely than the U.S. government,'' says
Anthony Picardi, top software analyst at International Data Corp.
Adds Thomas F. Kelly, president and CEO of Neuron Data Inc., a
Silicon Valley maker of customer-tracking software: ''The privacy
trade-off is the dirty little secret that everyone in the business
thinks about and talks about to each other but never brings up in
public.''

Consumers have caught a whiff of these secrets and don't like the
smell. In a November Louis Harris & Associates Inc./Alan F. Westin
survey of 1,000 adults, 82% complained they had lost all control
over how their personal information is used by companies. Three out
of four said businesses asked for too much information. And though
millions of consumers bought gifts on the Web last Christmas, a
BUSINESS WEEK/Harris poll last month showed that two-thirds of
American adults are ''not willing at all'' to share personal and
financial information about themselves online in return for more
targeted advertising.

Even when it isn't threatening, personalization on the Net can get a
little crass. Imagine if people fawned over you as much offline as
they do online: Say you went to a restaurant with a date, had
burgers, paid with a credit card, and left. It's over. But if it
were online, the next time you showed up, the waitress, searching her
file of private information, would say, ''Hey Joe, how are you? Fran
is over there; would you like to sit with her again?'' Never mind
that you're with another date. Then you would find out they've
already cooked your burger and are ready to charge your card. When it
comes to this kind of personalization online, says Tara Lemmey,
executive director of the Electronic Frontier Foundation, ''there's a
fine line between good service and stalking.''

Web startups aren't the only ones that know how to stalk. In
January, Intel came under fire for designing its Pentium III chips
with serial numbers that can be identified remotely on the Web. That
makes it easier for users to be tracked. Two months later, privacy
buffs hammered Microsoft Corp. because its Windows 98 software, used
on a network, creates identifiers that are collected during
registration. The result is a vast database of personal information
about Microsoft customers.

Microsoft insists that the features it added were designed to improve
services. But fearing a backlash, it has promised to modify the
feature. It claims customers can bow out when they register for
Win98, and it promises to expunge personal data it collected
improperly. ''This isn't just an ethical issue. Privacy is good
business,'' says Saul Klein, a Microsoft senior manager of Web
services.

GeoCities learned that lesson last year when the Federal Trade
Commission accused the owners of this booming online community of
selling personal information without members' consent. The site
admitted no wrongdoing but agreed to implement tougher privacy
policies. Says privacy activist Marc Rotenberg: ''It's too easy for
Web pages to turn into trick mirrors. The marketer gets to see
through to you, but all you get to see is your own reflection.''

When consumers see a big payoff, however, some of them are more than
willing to trade their personal information. ''As long as you give
people something in return, they're thrilled,'' says Bill Gross, the
Pasadena (Calif.) entrepreneur who founded idealab!, an incubator
for Internet startups. In February, he unveiled Free-PC Inc. on the
premise that people would part with detailed personal information
and put up with a constant barrage of ads in exchange for a $500
computer. Privacy advocates mocked the proposition as a loser. But
within days of announcing registration, the company fielded more than
1.2 million applications.

Some companies use the gold mine of consumer data to discriminate
against customers who don't make the grade. You might call it
''Weblining.'' At Sanwa Bank in California, customer-service reps use
Net-based programs to classify customers into A, B, and C categories.
The least-valued Cs are the ones most likely to end up on hold when
they call in for service. Angie Blackburn, who oversees Sanwa's phone
and online banking, defends the practice. ''Obviously, if we have a
customer...who has a significant amount invested, you want [him or
her] to be treated extra special,'' she says.

Weblining's grim implications are clear, however--and can be part of
the software sales pitch. Makers of these tools say the onus lies
with the company that uses them, not the creator. With data-mining
software, ''people can be segmented any way a company wants to slice
and dice them,'' including creed, color, and religion, says Kenneth
Volpe, an executive at Boston-based Art Technology Group, which
sells such programs.

So far, Web marketers haven't broadened their quest for personal
data to schools or hospitals. But it may be inevitable. Think of the
advantages if they could hit you with ads for special foods for your
diabetic aunt or Web-based tutoring for your struggling teenager.
''If you are a business, data in health records add up to one big
sales opportunity,'' says Dr. Richard Epstein, a psychiatrist in
Bethesda, Md.

School districts from New York to Oregon have begun replacing old
stand-alone computers with high-speed networks, each with the
ability to profile and track students. One day, these networks will
connect to a nationwide data-exchange program organized by the
Education Dept. to boost school efficiency and pinpoint the sources
of learning problems. The program will make student information
available to other schools, universities, government agencies, and,
potentially, to employers. It's not just the three Rs. Now, it can be
parent income, health problems, and meetings with the school shrink.
Gayle Cloud, a mother of six in Riverside, Calif., finds this
alarming. ''They want to track my children from cradle to grave,''
she says.

The medical parallel to this is even more disturbing. Pressed by
health-maintenance organizations, hospitals are struggling to rein
in costs, and they are loading up on information technology to help.
As health records are linked to financial, employment, and
managed-care databases, they can be hacked or transferred to
outsiders when HMOs or hospitals merge or are dismembered by
creditors. ''If you have a medical record, you have a medical privacy
problem,'' says Senator Patrick Leahy (D-Vt.), the chief architect of
a closely watched medical privacy bill.

Consolidating this data in one place makes it more vulnerable to
theft or abuse. Says Joe Pellegrino, manager of database
administration for New York Presbyterian Hospital: ''There's no
question this is leading to a national universal medical database.''
Already, hospitals exchange data on individual patients, he says.
''The next step is to take these statewide databases, containing
details on your allergies, your mental health, or your sexually
transmitted diseases, and make them accessible.''

There are, however, many jarring trade-offs in the medical-privacy
debate. When managed right, medical data in digital form cut
health-care costs, hasten and improve diagnoses, and reduce cases of
prescription mix-ups. Computers also help administrators track
doctors and spot unprofessional behavior. In genetics, digitized DNA
repositories help scientists searching for links among genes and
diseases--just as they help the FBI collaborate on manhunts across
continents. Down the road, doctors will tailor drug treatments to
patients' total medical profile, including their genetic makeup.

Even so, many Americans are deeply concerned about medical-data
abuses. Neither doctors nor patients want records to leave the
doctor's office except where necessary for insurance purposes.
''Your doctor took the Hippocratic oath,'' says Robert Gellman, a
privacy consultant in Washington. ''The CEO of your health plan did
not.''

These concerns now have Washington's ear. Leahy's medical bill would
give patients the right to limit disclosure of their medical records
to those with a need to know. And in the financial arena, Senator
Paul S. Sarbanes (D-Md.) and others are trying to regulate the sale
of customers' records and the swapping of records in mergers.

E-businesses see regulation as the wolf at the door. The Online
Privacy Alliance has mobilized more than 80 companies and trade
associations to fight back. About 500 companies are already
displaying a ''trustmark'' seal of approval from TRUSTe. Recently,
the Better Business Bureau added its own seal of approval. In
addition, the Net is spawning the ''infomediary''--an information
broker that protects Web users' privacy or barters it to find them
bargains. The trouble is, infomediaries, like other Web businesses,
must cough up their lists as soon as a cop or bankruptcy judge comes
knocking.

Techies are at work on solutions to protect privacy. None of these
efforts seems a silver bullet. David J. Farber, Moore Professor of
Telecommunications at the University of Pennsylvania, believes
nothing short of Europe's privacy directive will suffice. ''Maybe
you don't feel threatened in today's political climate,'' he says,
''but imagine if this type of information and the tools to tap it
were in the hands of a Joe McCarthy.''

Sure enough, the secret codes, cookies, and digital trails are
proliferating by the millisecond. Most of us have already
surrendered more personal details than we could ever imagine.
Cybernauts have one thing on Joe, though: The Net is a grand
communications channel that returns a modicum of power to consumers.
If you doubt it, note how quickly Microsoft and Intel backed off when
a cry went out on the Web. Now comes the hard part: figuring out what
we can get for the information we give.

By Edward C. Baig, Marcia Stepanek, and Neil Gross in New York, with
bureau reports 

Copyright 1999, by The McGraw-Hill Companies Inc.





* * * * * * * * * * * * * *  From the Listowner  * * * * * * * * * * * *
.	To unsubscribe from this list, send a message to:
majordomo at scn.org		In the body of the message, type:
unsubscribe scn
==== Messages posted on this list are also available on the web at: ====
* * * * * * *     http://www.scn.org/volunteers/scn-l/     * * * * * * *