312. "Privacy on the Internet? Don't count on it," The Boston Globe, (March 29, 1999), Page A15.

Most Americans are troubled by their loss of privacy on the Internet and are groping for new safeguards.

In response, business associations are offering to regulate themselves. The associations encourage members to arrange their Web sites so that a visitor can readily ascertain what privacy policy a particular corporation employes. Individuals are then said to be free to avoid those Web sites that unduly keep tabs on them.

Profiling individual customers (and selling information about them by one marketer to numerous others) is becoming a major issue. According to Privacy and American Business, "virtually every American company that sells consumer products is now driven by the strategy of 'target marketing.'"

This entails collecting detailed information about the consumer's preferences, often by placing an electronic "cookie" (or surveillance program) in the personal computer of the customer. While theoretically a customer can choose among Web sites according to their privacy protection policies, a problem arises because the posted policies are extensive: Many fill more than an entire screen with tight text.

The millions who now go shopping on the Internet, zooming from site to site (leaving telltale signs of what they have looked at) cannot possibly stop at each site to examine its privacy policy before they proceed and still get any shopping done. (The same holds for patients who seek information about drugs, voters who visit political sites - in short, for all visitors to Web sites monitored by their owners.)

Now companies are promising to eliminate the need for each individual to review each site's privacy policies by taking this job on itself. When you visit a Web site and spot a small icon provided by the auditor, you can be assured that the company has audited the given corporation's privacy policies and established that it indeed adheres to its posted promises.

So where is the catch? The misleading feature of this arrangement is that an auditor's seal of good conduct does not mean that there is a high, a medium, or even a low level of privacy protection. It only signifies that the corporation adheres to whatever policy it posts. It could be selling information about your medical and financial records to the highest bidder, to tabloids and banks, and it would get the same "trustmark" as a corporation that keeps all information about you in a secure vault.

As Marc Rotenberg, executive director of the Electronic Privacy Information Group, put it: "Anyone who posted (any kind of) privacy information would get the seal."

A much more subtle misperception is folded into the new European directive on privacy, which American corporations must now follow or face a threat by the European Union to bar the flow of information about personal transactions (such as credit card purchases) from Europe to the United States.

The European directive's core assumption is that information collected for one specific purpose (for instance, to verify the validity of a person's credit card when he orders a pair of shoes) may not be used for another purpose (for example, to advertise socks to that person), without consent of the person involved.

Moreover, it prohibits keeping information beyond the point it is needed for the original purpose.

A similar core assumption underlies the Clinton administration's proposed Electronic Bill of Rights. It states: "You should have the right to choose whether your personal information is disclosed; you should have the right to know how, when, and how much of that information is being used."

While both the European Union and the administration call for self-regulation by corporations, their main goal is to ensure that individuals be consulted at each point about the ways information about them is used.

This view of individuals as the owners and masters of information about themselves is a fantasy made worse because those who perpetuate it seem to be caught by it. For this notion to be realized, individuals would need to be glued to their screens in order to review an incessant flow of requests from marketers, researchers, pollsters, and others seeking permission to use personal information.

Moreover, if many refuse to authorize secondary usages - as a study by Mayo clinic shows - medical research and social sciences would be severely damaged. Furthermore, regulators would have to ensure that once Jane Doe discloses her shoe size to Company X, other marketers would employ such information only if they are able to produce consent forms from the original "owner" of the information.

Where privacy must be better protected, we need technologies that can do the job without having to involve millions of people on a daily basis.

For example, we could protect people from surveillance by corporations by providing their personal computers with programs that would allow them to repel "cookies" by treating them like viruses. Second, privacy auditors should provide seals of good conduct that reflect the actual level of privacy protection rather than promises to adhere to whatever policy a corporation chooses to post.

And the new legislation, which seeks to protect children who are 12 or younger from commercial exploitation on Web sites, needs to be systematically enforced, without consulting each kid whether or not they mind if their privacy is violated.

Meanwhile, let the buyers beware, not merely from violations of privacy, but also from those nostrums peddled as privacy protection.

The Communitarian Network
2130 H Street, NW, Suite 703
Washington, DC 20052
202.994.6118
comnet@gwu.edu