February 7, 2000
Report Rings Alarm Bells About Privacy on the Internet
By JERI CLAUSING
ASHINGTON -- A report last week that most health-related Web
sites were not honoring their promises to keep personal information
about visitors private offered a somewhat alarming snapshot of the
state of privacy on the Internet.
The group that conducted the survey from which the report was
drawn, the California HealthCare Foundation, said its intent was to
help health sites live up to their promises and win the trust of
consumers.
But it caught government officials and privacy enforcement
groups off guard with disclosures that confidential information was
being disseminated through banner ads and third-party service
providers. And it underscored the growing policy debate over
whether federal officials and private groups can adequately police
such a fast-growing and constantly changing new medium as the Net.
In the five years since the Federal Trade Commission began
monitoring electronic commerce, few privacy violations have come to
light. And none of the major groups formed to certify and oversee
privacy practices has ever pulled a seal of approval from a member
Web site.
So when the California foundation said its study had determined
that all but three of 19 sites surveyed were violating their own
stated practices, privacy advocates held up the results as proof of
their longtime assertions that self-regulation of online privacy,
as promoted by the FTC and the Clinton administration, defies
effective enforcement.
"They are not keeping pace with the Internet explosion," said
Jason Catlett, president of Junkbusters Corp., a privacy consulting
concern based in New Jersey. "If you count the number of people in
charge of enforcement and look at the growth of e-commerce sites,
any way you measure it you'd come to the conclusion that protection
is not keeping up -- if indeed it ever was adequate."
The California study said the problems stemmed mostly from new
technology that enables some banner advertisers to pick up any
personal information a customer enters on the page where an ad is
displayed. In addition, the study's Internet security consultant,
Richard M. Smith, said he found a leakage of information between
Web sites that promise to keep information confidential and
third-party companies that gain access to that information while
running services on the sites.
TRUSTe, one of the first and largest privacy certification
programs, acknowledged on Friday that it was surprised and alarmed
to read the study, which identified potential violations by seven
members of TRUSTe.
Dave Steer, a spokesman for TRUSTe, said it was investigating
the sites identified in the study and was doing random audits of
other members to see if they were disclosing information to
advertisers and other third parties without saying so in their
posted privacy policies.
TRUSTe said last week that it would alert all 1,300 of its
members that they must include in their posted privacy policies
disclosures of any contracts with third parties that could track
the members or gain access to their personal data.
The FTC declined to comment on the health survey. But an agency
employee who spoke on condition of anonymity said the agency was
"taking these concerns very seriously."
On Friday, a special 40-member advisory committee held its first
meeting at the FTC. It will help write a report to Congress on what
steps companies should take to keep their databases secure and how
much access consumers should have to the data collected about them.
Further, the commission announced that it was planning a third
annual Internet sweep to survey privacy practices on the Web. But
as with past studies, the FTC's announcement indicated that the
agency would analyze only stated policies, not the actual practices
that the California HealthCare Foundation examined.
Though the California study looked only at health sites, Catlett
and Smith both said it begged the question of whether privacy
problems on the Internet were widespread.
"There are similar problems on other sites," Smith said.
"When you have one company working with another, that's when
privacy tends to fall by the wayside."
Despite the troubling indicators, Steer of TRUSTe said the
government should maintain its hands-off approach to the Internet
since laws can be quickly outdated by new technologies. In
contrast, he said, TRUSTe requires its members to undergo annual
reviews, a process that allows TRUSTe to educate sites about
challenges posed by new technologies.
Catlett, however, said baseline laws were needed to spell out
for companies what they can and cannot do with private information
they collect online and to allow consumers to take civil action
when they think their rights have been violated.
"At the moment, with the Clinton administration saying
self-regulation is the way we are going to go, that basically says,
'Do whatever you want or do as little as you want,"' Catlett said.
"That's exactly the wrong message to send to companies that have
strong economic incentives to collect and use personal
information."
Related Sites
These sites are not part of The New York Times on the Web, and The Times has no control over their content or availability.