Posted on: Tuesday, January 29, 2002
Privacy's fine print
By John Yaukey
Gannett News Service
College student Anita Carlson buys CDs online without so much as a double-click of doubt or suspicion about what information is being collected on her and how it's used.
"As long as the credit card number is safe, I'm satisfied," the northern Virginia resident said cavalierly while browsing through an Apple computer retail outlet near her home. "I haven't had any problems yet."
That's probably what the millions of shoppers who flock to Toysrus.com thought before it recently agreed to pay $50,000 to New Jersey to settle the state's inquiry into its privacy policy stemming from accusations that a subcontractor for the toy giant was gathering too much information on its shoppers.
Welcome to the fine-print jungle of the Internet, where carefully parsed privacy policies lead consumers like Carlson to believe their personal information is safer than it actually is.
Take, for example, the privacy policy for the shopping and news site ExpressIndia.com. It says it automatically documents "the type of operating system, browser, Internet service provider and the date and time of your visit." This is a roundabout way of saying you're getting cookies (those tiny programs that track your whereabouts on the Web) without using the infamous "c" word, which has become synonymous with online spying in the eyes of many.
"The capability to gather personal information now has reached almost revolutionary proportions," said Larry Ponemon, president of Guardent Inc., a privacy and data protection firm. "And this can be extremely valuable stuff to some people, so the ways they go about gathering it can be quite creative."
Privacy policies are supposed to tell Internet surfers just how creative any particular Web site will get.
They're apparently one of those things consumers know they should spend more time learning but never get around to. According to a recent study by Harris Interactive, only about 3 percent of people who shop on the Internet thoroughly review privacy policies where they make purchases.
Perhaps a bit more vigilance is warranted among the 6 million people who shop online any given day and the millions more who register for newsletters and other free offerings where private information is collected.
Failure to understand what information is being gathered about you and how it might be used could result in inconveniences such as unwanted "spam" e-mail or theft of financial information such as credit card numbers, which can take years to correct.
Information collected
So just what is collected?
Certainly anything you type into a Web site "form," such as an e-mail address to request product information, is recorded. What's more, cookies provide information about how many other sites you've accessed in your browsing session, the browser and operating system you're using, and of course, your Internet protocol (IP) address, essentially a series of numbers such as 206.201.20.01 that work the same way a street address does.
Anything you buy or register for goes on record at least at the Web site of purchase, and probably elsewhere, if only as part of an aggregate total. If your identity is broken out as an individual statistic, you run the risk of firms buying and selling a short dossier of information about you.
Legally, the situation surrounding privacy policies is still in flux.
The online industry has vehemently argued that it can police itself, but high-profile lapses have prompted lawmakers to consider tighter regulations.
All that, however, changed Sept. 11.
"Sept. 11 altered the landscape," said Mark Rhoads, chief legislative analyst for the U.S. Internet Council. "Privacy took a back seat to new concerns about protection."
Several bills that would have beefed up privacy protection were either shelved because lawmakers had their hands full with war-related business or were dropped altogether as local, state and federal officials sought greater authority to probe into electronic communications of all kinds.
What's more, Web purists argue that federal regulation of any kind threatens the free growth of the Internet, which they claim largely accounts for its phenomenal success as a communications medium.
So where does this leave consumers?
Largely on their own, which is to say if you're concerned about your privacy it's time to learn how to read privacy policy statements.
Reading the policy
Most reputable Web sites that ask consumers for personal information, either for a sale or to register for a freebie, have privacy policies.
That said, privacy policies don't necessarily equate to privacy. A privacy policy can say explicitly that the host Web site fully intends to collect personal information and use it at will (although the language is never that direct), so it's important to actually read and understand the policies.
Of course, herein lies one of the major problems with privacy policies.
"Most policies are written by lawyers in language that intentionally hedges against clear disclosure," said Stephen Keating, director of the Denver-based Privacy Foundation.
The previously cited Harris Interactive study found that 77 percent of consumers want shorter, more concise privacy policies. But until privacy statements are self-explanatory (don't hold your breath), here's what experts say to look for:
A conspicuous link on the home page to the privacy statement. A hidden statement is an immediate red flag.
If a site's privacy statement admits that it sells data collected through cookies, make sure that the information it gathers is sold only in aggregate so marketers, or whoever buys the data, never receive specific information about you.
If the site is a division of a larger company, it's safe to assume the two share their data. Often two or more unrelated companies share their data, too. Again, it's important here to make sure the data is shared only in aggregate if you don't want your e-mail address and other information shuttled around the Internet.
Look for opt-out options, usually boxes that indicate you do not want to receive offers from partner companies. Opting in, often the default, typically means your e-mail address and other information is on its way to other companies.
If a shopping site offers to let you keep a credit card number on file for convenient purchasing, it's not enough for the merchant to promise the number will be encrypted in transit over the Internet. Make sure you know how they're protecting the number on their Web servers.
If you're one of the 12 percent of Web surfers using Microsoft's Internet Explorer 6 Web browser, you have an additional level of control over your privacy.
IE 6 uses cookie control features based on the Platform for Privacy Preferences (P3P), an industry standard for controlling how personal information is used by Web sites. The lowest setting, which is also the default configuration, allows all cookies to be accepted.
Intermediate levels allow users to reject cookies based on various criteria.
The highest setting rejects all cookies.