Industry Confronts Privacy Concerns Head-On

Sound policies instill essential consumer confidence.

While various Internet consumer privacy protection bills steadily make their way through U.S. congressional committees, businesses are taking a stab at self-governance. The work is based on the premise that commercial relationships demand trust, and the best way to gain customers’ trust is to assure consumers that the information they provide, both automatically and intentionally, will not be shared without their permission. However, unless Web site visitors read published privacy policies, they may not be aware of how much of their personal data can be shared or sold.

The abundance of bills currently being considered in Congress is evidence that few legal protections exist for online activity. Businesses are encouraged to include understandable privacy policies on their home pages. And if they are caught violating their stated policies, they can be held accountable. But it is still the visitor’s responsibility to be aware of how a company handles personal information. “Let the buyer beware” holds true as much in cyberspace as it does in the traditional marketplace.

The encouraging news is that commercial entities see the writing on the wall. They are staying abreast of the legislation under consideration and are creating their own privacy standards.

According to Ari M. Schwartz, associate director at the Center for Democracy and Technology, Washington, D.C., privacy in the e-commerce realm is a difficult subject to debate today. Techniques to ensure confidentiality have changed a dozen times during the past several years. “Things are glacially improving,” he says.

A review of current privacy issues by Beth Givens, director of the Privacy Rights Clearinghouse, San Diego, describes some of the key threats to consumers and offers some predictions about the future.

“The Internet was designed as an inherently insecure communications vehicle. Hackers easily penetrate the most secure facilities of the military and financial institutions. Internet companies have designed numerous ways to track Web users as they travel and shop throughout cyberspace. … Web-based information brokers sell sensitive personal data, including social security numbers, relatively cheaply.

“One of the positive results of the media’s interest in online privacy issues is that there is considerable public awareness of this issue. Our congressional representatives have taken notice. Some form of an Internet privacy law is expected to be passed in 2001. But the question is this: Will such a law possess meaningful consumer protections, giving consumers the full complement of the fair information principles [FIPs], including notice, consent, access, security, enforcement, redress and collection limitation? Or will it be a watered down version, simply notice and choice, or worse, just notice—what privacy advocates call ‘FIPs lite?’” Givens asserts.

Recognizing the important role trust plays in business relationships, industry moved ahead with establishing its own approach to assuring consumers of the confidentiality of their information. Because self-regulation carries with it an air of skepticism, some information technology industry leaders adopted a self-governance paradigm. This approach brings to bear the weight of government oversight, the forces of market dynamics and the pressure of public scrutiny.

TRUSTe, San José, California, is one example of the commercial sector’s effort to help companies demonstrate their commitment to consumer privacy as well as empower Web site visitors. This nonprofit, global organization operates independently of both industry and government.

The core of the TRUSTe program is a contract between TRUSTe and a Web site owner. To become a TRUSTe licensee, a site owner must create a privacy policy and agree to follow the established privacy principles outlined by TRUSTe as well as comply with the organization’s oversight and resolution processes. Privacy principles include fair information practices that are approved by the U.S. Commerce Department, the Federal Trade Commission (FTC), and industry organizations and associations. The organization charges an annual licensing fee based on the client company’s annual revenue.

As a licensee, a firm can display the TRUSTe privacy seal, known as the trustmark, on its Web site. Visitors to these sites can ascertain what personal information is being gathered; how that information will be used; who the information will be shared with; what safeguards are in place to protect data from loss, misuse or alteration; and how inaccurate information will be corrected. Users can confirm the authenticity of a privacy seal on a Web site by clicking on it, which takes them to TRUSTe’s secure server and verifies that the site is a licensee.

TRUSTe also periodically checks sites that carry the trustmark to ensure that they continue to comply with the established privacy protection standards. The organization seeds personal user information online to verify that the site is following its stated policies. It also collects feedback and complaints from the online community.

According to Becky Richards, director, policy and compliance, TRUSTe, self-regulation is a misnomer. “We still have to do the right thing. If we don’t, two groups will come after us. A company that is licensed by us and thinks it is being treated unfairly would come to us and complain, and that keeps us in line. The second group is the people who watch our work. The FTC would be more than happy to come after us if it doesn’t feel we’re doing the right thing,” she says.

Richards emphasizes that TRUSTe does not just rubber-stamp the companies that apply for the trustmark. Its self-assessment document is an extensive questionnaire that drills deeper than inquiries about what information is collected and how it is used. Companies are asked about the training of their employees and the policies and procedures that are in place to ensure the privacy of visitors to their sites.

“The feedback from the companies is that they use the assessment. And they may not join TRUSTe, but they use it as a way to evaluate themselves. The privacy issue is daunting, so self-assessment is a first step. It really educates the company, and an educated company is similar to an educated consumer,” Richards relates. Firms must conduct the self-assessment annually to retain the trustmark.

In its role as an arbitrator, TRUSTe helps resolve consumer problems. The organization receives between 200 and 300 complaints each month. Approximately 60 percent are related to privacy. Many of the grievances are the result of miscommunication. TRUSTe works with the company and consumer to settle the issue. The course of action depends on the severity of the problem. TRUSTe may put a company on notice or, if the matter is serious, report the incident to the FTC. “We work with the company to do the right thing, but the government backup is important,” Richards explains.

Although Congress has not passed definitive legislation, consumers are not totally helpless when they find that their privacy has been compromised even at Web sites that do not participate in the TRUSTe program. The FTC assists citizens in separating fact from fiction in privacy protection and has been active in several law suits involving Web sites that have violated their stated privacy policies.

One approach to help consumers gain control is to offer them the choice of whether to share the information they provide to companies.

This opt-in/opt-out debate is a dilemma, Schwartz relates. Many Web sites will collect and use visitors’ information unless specifically requested not to do so. Some privacy advocates believe that confidentiality concerns would be better served if consumers who want their information collected and shared would have to opt into the process.

“These two options do not show the whole range of choices. It’s very complicated. Having your information collected automatically promotes convenience for customers. For example, in banking, if you opt out of the institution collecting this information, you would have to mail it in. So, opting out has nothing to do with convenience to the customer. It is more about giving the customer more control,” Schwartz explains.

The FTC and privacy advocacy groups advise Internet users to use basic safety principles when providing personal information on a Web site. The Internet is still a very public place, and even with precautionary measures, confidentiality can be compromised. Companies that service an individual on a regular basis should already have personal information such as social security, account and telephone numbers in their files, so a request from an institution for this information should be treated with suspicion, they advise.

But Givens points out that another threat to personal privacy may be on the horizon. Individual pieces of data are regularly collected by companies as everyday business is conducted both online and in the traditional marketplace. These bits and bytes are not generally aggregated today, but the technology exists that would allow the merging of several databases and thus the capability to create a much larger, more detailed picture of an individual.

“The unfettered collection of data from numerous sources in a legal environment where there are few restrictions as to how the data can be used and how it can be merged with other data will inevitably lead to secondary uses that will violate privacy and trample on civil liberties. The legal protections for privacy in the United States are very weak. There are few restrictions on how data can be collected and merged, in contrast to the European Union countries, Canada, New Zealand and Australia.

“It is not all that farfetched to envision a future when such data will be used for a variety of secondary uses. If we were to enter a time of social unrest and political turmoil, our government might seek to use such information to investigate dissidents,” Givens offers.

While organizations such as TRUSTe have been successful in promoting privacy protection, Givens is not convinced that they can protect the public against future threats to privacy.

“When there have been attempts to regulate the collection and use of data, most notably regarding uses of the Internet, various industry associations have responded with a strong call for self-regulation. To date, this argument has been successful. The direct marketing industry is unregulated, and its members collect a massive amount of data from consumers. Will such data ever be used for secondary purposes? We can count on it,” she contends.

To address some of these potential threats, Microsoft Corporation, Redmond, Washington, has initiated several privacy projects and is preparing to launch what its director for corporate privacy describes as the most privacy-friendly, broad-reach browser in existence. Richard Purcell, who was named Microsoft’s corporate privacy officer in January 2000, relates that Internet Explorer 6.0 features new tools that protect consumers from being tracked without their knowledge as they move across the Web. “Consumers will also be able to access the privacy policies of the sites they visit more quickly and read them in a standard form with less legalese than most have. Individuals will also now be able to dial up or down the level of cookie controls they’re comfortable with for their browser,” Purcell relates.

“Additionally, Microsoft is making privacy and security an architectural design point as it builds its new .NET platform, which is intended to connect information, devices and people in a consistent, personalized way. We recognize that this vision can happen only if consumers know they can trust the online world. That’s why the cornerstone principle of .NET is putting you in control of your information. Passport, a core part of .NET, lets a site know you are who you claim to be and only lets information be shared based on your permission,” he reveals.

Microsoft is working closely with TRUSTe to ensure that all of its privacy policies and posted statements are consistent and follow the fair information principles of notice, consent, access, security and enforcement, Purcell states. “We’ve also signed up for the TRUSTe Safe Harbour program, which means that Microsoft has voluntarily committed to meeting the letter and spirit of the European data protection agreement,” he adds.

Like many companies, Microsoft remains cautious about additional governmental regulation. “Responsible companies know intuitively that they need to protect their customers’ privacy, so we believe they have much of the incentive they need in order to get that done. We are not opposed to privacy legislation per se. There are targeted steps Congress can take, for example, promoting anti-spam legislation and pursuing identity thieves more vigorously, to improve consumer confidence,” Purcell maintains.

Like Microsoft, other companies also have designated an individual to oversee management of the privacy issue. Late last year, IBM, Armonk, New York, named Harriet P. Pearson as its chief privacy officer. Part of her responsibilities include ensuring that IBM’s internal management systems comply with the privacy policies it must follow, which include both voluntary guidelines and established laws. She also coordinates the company’s involvement in organizations such as TRUSTe, the Direct Marketing Association and the Online Privacy Alliance. “This ensures that we are abreast of what’s happening and changing as the world changes,” she explains.

In addition to these responsibilities, Pearson stays informed about public policy and industry activity in the realm of privacy issues. To add to the mix of insight she obtains from these arenas, she is part of a privacy leadership initiative that is gathering input about people’s attitudes on privacy issues and reviewing academic studies. A small consumer campaign that will be carried by Web sites will be initiated this fall.

As technology companies, both Microsoft and IBM find themselves in a special position. Not only must they ensure that their own policies meet privacy standards, but they also must help other companies pursue responsible activity. “Part of our value-add to the marketplace is that we can provide ideas and solutions to the customers,” Pearson offers.

Addressing privacy concerns requires two elements: technology and policy, she says. “For companies, the time is now to either appoint a privacy officer or at least have a top-to-bottom review of privacy and security issues. You can’t have good privacy without good security,” Pearson points out.

On the technology side, IBM has developed an enterprise privacy architecture that shows how gathered information flows through systems and helps determine how to manage it. Privacy Manager, a software tool, allows organizations to tag information to ensure that personal data is being handled responsibly.

Although technology is only one part of addressing concerns about protecting privacy, Pearson says a whole industry could be built around finding the solution. “It will be interesting to see how technology emerges to solve this problem,” she says.

This is the second in a three-part series examining information privacy in cyberspace. Next month’s final segment will examine privacy concerns surrounding tracking criminal activity.

Additional information on TRUSTe is available on the World Wide Web at http://www.truste.org.