Is Your Private Data Safe on the Web?

July 30, 2002 — -- Do you know what's happening with your personal data on the Web? Chances are, you don't.

"A lot of people have no idea that when they fill out a form on the Web site what happens to that data," says Lorrie Cranor, a researcher with AT&T Labs in Florham Park, N.J. "That [information] might be used in research and development, it might be shared with other companies, it might be used to develop a profile to help [the site] develop what [other content] to offer them."

Many Web companies have so-called privacy policies — agreements with the users about what can and can't be done with any sensitive data they may disclose online. But privacy advocates note that such policies are hardly ever read — or understood — by consumers.

"Privacy policies are supposed to address what companies do with a user's information," says Ari Schwartz, associate director of the Center for Democracy and Technology in Washington, D.C. "But they're often too confusing and filled with legalese."

Learning From Dr. Koop.com

And sometimes amid that confusion, potential for abuses (or "mistakes") can occur.

For example, nearly one million visitors had entered personal medical histories on the once-thriving DrKoop.com Web site with the understanding that such data would not be shared with other companies.

But when the Web site went bankrupt last year, company executives attempted to sell such customer information along with other company assets to Vitacost.com, another online consumer health site and potential suitor.

Users — along with several states attorneys general — managed to successfully bar the sale of such sensitive information by filing suit. (Last week, Vitacost bought the Dr.Koop.com Web site and trademarks but the only information about former members it received was their e-mail addresses).

Privacy Policies in Plain-Speak?

"Most people think that nothing bad is ever going to happen to them [and their data]," says Cranor. "But you don't know when you're going to be the one that has to suffer the consequences until something happens."

That's why many privacy advocates such as Cranor hope that users will pay closer attention to what exactly a Web site is promising when it comes to their privacy policies. And they're hoping that a new Web "standard" called Platform for Privacy Preferences (P3P) will be a much-needed helpful step.

P3P is Web specification developed by AT&T's Cranor and a team of software engineers at the World Wide Web Consortium (W3C), the group responsible for standardizing protocols on the Internet.

Like other common Web standards, P3P works "behind the scenes," allowing sites to condense their dense privacy policies into codes that can be embedded within the Web pages.

Web surfers with a P3P-enabled browser, such as Internet Explorer 6, can set what level of online privacy they expect. For example, a user may not wish to deal with Web companies that do not reveal what type of information is collected from visitors. As they visit Web sites, automatic warnings pop up, alerting if the site falls above or below that user's standards.

Since W3C approved of the P3P standards earlier this year, 40 of the most popular 100 Web sites have adopted the technology, says Cranor. And Cranor believes that as high-profile companies such as AT&T, Microsoft and Proctor & Gamble embrace the technology online, it will help spur others to adopt it, lest they be spurned by consumers as less trustworthy. "Over time, we'll see that once companies see that others are using [P3P], they will too."

A Placebo, Not a Panacea

But not all privacy advocates are enthralled about P3P.

Jason Catlett, president of Junkbusters, a consumer advocacy group in Green Brook, N.J. says P3P doesn't offer consumers any real changes. "All it is is a translation of [a company's] privacy policy into an electronic, machine-readable form," he says.

And rather than lead to better privacy policies, Catlett believes P3P will act as a placebo for consumers — and a scapegoat for Web companies.

"P3P isn't going to improve anyone's privacy policy," says Catlett. "All it is is a translation of [current] privacy policies into an electronic readable form."

Instead of a technical fix, he says that the Web privacy issue would best be served by legislation. He believes that laws along the lines of the Children Online Privacy Protection Act of 1998, which made it illegal for sites to use information from under-aged surfers without their parents' express written permission, would benefit everyone — if extended beyond those under 18 years old.

Fighting for Your Right to Privacy

"People need enforceable privacy rights," says Catlett, "So, the most important thing we can collectively do is demand those rights from our elected representatives [in Congress]," he says.

And that's a point that even P3P advocates concede has to happen to guarantee complete consumer privacy on the net. "P3P is not going to get everyone compliant," says Schwartz. "We still need baseline laws. The question is how do you write legislation that pushes this forward?"

Indeed, lawmakers such as Sen. Ernest Hollings have tried to push various online privacy legislation through the Congressional process for years. For example, consumer and privacy advocates have lauded the South Carolina Democrat's current bill, the Online Personal Privacy Act of 2002. The bill distinguishes "sensitive" and "non-sensitive" consumer data and outlines penalties against companies that misuse sensitive data.

But lobbyists representing businesses and the high-tech industries have argued that the Federal Trade Commission already has enough power to deal with the issues and the legislation would lead to frivolous lawsuits.

While Hollings' bill has passed the Senate Commerce, Science and Transportation Committee last May, a date has not yet been set to bring the proposed bill to the Senate floor for full debate and vote.