The exponential growth of the commercial Internet over the past five years has brought record numbers of e-shoppers, each in search of bargains, convenience, information, and choice. Consumers can now shop for every conceivable consumer product on the Internet, including contact lenses, prescription medications, groceries, books, music, clothing, electronics, and custom greeting cards. Consumers in large cities can do nearly all of their shopping on the Internet, from the privacy of their homes, on their own schedules. Given the aggressive, advertiser-subsidized pricing, the absence of sales tax, and the convenient delivery options that many Internet e-tailers provide, many consumers have flocked to the Internet to shop, abandoning brick-and-mortar establishments. But those consumers soon found that the convenience and cost savings came at a price: the privacy of their personal information. This article discusses the belated efforts Congress is taking to address this growing consumer privacy invasion, and provides recommendations for midrange businesses doing business on the Web.
The Growth of Internet Metrics and Big Brother 1.0
Unfortunately, this convenience has come at a high cost. To lure customers to obscurely named startup Web stores, many e-tailers have had to sell products at or below cost and to offer expensive services and conveniences that brick-and-mortar businesses could not afford. To pay for these enticements, e-tailers have had to find other sources of revenue. Most tried innovative but speculative business models, hoping to find a formula that would offset their operating losses. Advertisers, however, wanted proof that their expensive advertising campaigns were actually reaching consumers, and they wanted traffic statistics (metrics) and demographics for their audiences. Advertisers also needed to understand the behavior of Internet shoppers so that they could design and target their campaigns for maximum revenue.
Many e-tailers, funded by millions of dollars of venture capital, also needed metrics about the retail Internet shopping community to determine the demographics of their shoppers and to assess the effectiveness of their business models, Web site designs, and server performance. E-tailers also use metrics to measure the results of promotional campaigns and to devise new partnership and affiliate programs and revenue opportunities. Web metrics gurus coined the term stickiness for keeping an Internet consumer inside a particular Web site. The stickiness theory holds that the longer consumers stay at a Web site, the more likely it is that the site owner can make money from them, either through direct sales or through indirect methods, such as rebates from affiliates or partners who advertise on that site. Maximizing stickiness is the goal.
To address their information needs and learn how to maximize the stickiness of their Web pages, e-tailers began to collect increasing amounts of personal and behavioral information about Internet consumers. Many e-tailers changed their business models to require registration and membership at their online stores and collected extensive identity and demographic information. E-tailers quickly learned that, in addition to rating stickiness, the collected subscriber information could be used by partners, direct marketers, and spammers. The data could also be used to generate subscriber demographic profiles to justify higher banner ad rates.
By harnessing browser cookies and server-side logging, e-tailers could track consumer behavior on their sites and collect behavioral information, including whether a consumer was a repeat visitor and which areas of the site the consumer visited. Even e-tail sites that did not require registration often created a unique identifier for each visitor and stored it in a browser cookie, so that every later request from that browser could be tied to the same record. As browser and server technologies improved, e-tailers gained the ability to keep detailed tracking state in cookies on consumers' PCs and in logs on their own servers. These technologies enabled e-tailers to build profiles of individual subscribers based on their interests, activities, and behaviors. Big Brother 1.0, the consumer information trader, was quietly born.
Caught in the Cookie Jar
Initially, few e-tailers fully disclosed the nature and extent of their identity-collection and behavior-monitoring to consumers. When consumer privacy advocates began to warn about the use of browser cookies, many e-tailers claimed that cookies merely preserved session information and claimed that they were unable to identify or track specific shoppers from cookies. Other e-tailers offered consumer-friendly justifications for their conduct, such as promising consumers a customized shopping experience and even greater consumer benefits in exchange for just a tiny bit of personal information.
While privacy advocates warned of problems to come, Congress and many early Internet shoppers initially dismissed the privacy-invasion complaints as exaggerations. Some consumers employed cookie-blocking software, and the major browser vendors reluctantly added crude cookie-management features to their products. Many early adopters considered these small invasions of privacy to be a cost of exploring and shopping in this new electronic world. And many consumers didn't appreciate the potential severity of the problem; Big Brother 1.0 simply wasn't perceived as a significant threat.
The Failure of Self-regulation
Diligent and forward-thinking privacy advocates have continued their awareness campaigns and have kept the pressure on businesses to protect and preserve consumer privacy. Some of the major e-tailers have responded by issuing privacy policies that, by their express terms, could be changed without notice. Most early privacy policies claimed that only aggregate information would be shared with other entities and that personal information would remain private and protected within the organization. Amazon.com, for example, initially claimed to have consumer-friendly privacy policies, only to change those policies in late 2000 to permit wide disclosure to numerous affiliates, agents, and companies.
Other e-tailers, fearing premature and heavy-handed legislative action, have joined independent privacy organizations, such as TRUSTe, and have agreed to limited forms of self-regulation. But these voluntary trade organizations have no legal authority over their member companies and no legal power to regulate nonmembers. In the last several years, some TRUSTe members have been caught violating TRUSTe principles while displaying the TRUSTe seal. Nonmembers have also falsely displayed the TRUSTe seal, deluding consumers. To date, these voluntary organizations have yet to build the kind of consumer recognition and confidence required to be a significant regulatory force on the Internet. Losing, or never having, the endorsement of a particular privacy organization has not yet proven to be a significant consideration for many Internet businesses.
The continued proliferation and increasing sophistication of invasive technologies and practices also suggests that the benefits and economic value of collecting consumer information greatly outweigh potential risks and burdens, including the costs to defend privacy-invasion lawsuits, the costs to develop the collection systems, and any potential public outcry should these systems and practices be discovered. And the high-profile failures over the past two years have demonstrated that e-tailers are unable to regulate themselves. Last, the proliferation of targeted commercial spam campaigns is strong evidence that consumer identity and profile information is being sold directly to mass marketers.
Big Brother 2.0
Consumers have gotten a series of rude wake-up calls regarding their Internet privacy in the last two years. One of the most highly publicized events was the discovery that Microsoft Office was embedding a unique identifier, derived in part from the PC's network adapter address, in the content of every document it saved. The identifier made it theoretically possible to trace any document sent over the Internet back to the machine that produced it. While Microsoft reluctantly published a tool to remove these identifiers, the publicity surrounding the practice began to convince consumers that their identities were being monitored in unexpected ways.
E-tailer Web sites make heavy use of scripting technologies, Java applets, and ActiveX components to provide interactivity and to monitor the identities and activities of Internet consumers. These technologies can expose additional information about Internet consumers and contribute to the increasing flood of commercial spam that consumers receive. While hackers have been exploiting weaknesses in browser security for years, consumers didn't realize that e-tailers could use the same techniques and Web server functions to collect identity information, including Windows logon IDs and detailed information about a user's computer. Browsers do permit consumers to prevent scripts, applets, and ActiveX controls from running, but doing so often renders an e-tail Web site unusable. Further, the user has to actively block this content, because the browser defaults permit it.
One of the most highly publicized privacy issues came in late 1999, when RealNetworks' popular media players were discovered to be sending consumer listening behavior, in real time, back to the company. A patch was released after significant public outcry, but the disclosure of this practice gave credibility to the privacy movement. Privacy advocates dubbed these invasive, disguised Trojan programs "spyware." As of this writing, privacy advocates believe that over 700 commonly used applications can function as spyware, and the list grows daily.
However, spyware is only one way to track consumer behavior. Many Internet marketing companies have developed sophisticated banner advertisement systems that track consumer identities and consumer behavior across the Internet. As consumers resort to cookie-blocking measures, banner-ad filtering, and blocking of active content, advertisers have resorted to Web bugs: invisible, single-pixel graphics embedded in Web pages (and in Microsoft Office documents published on the Web) that are fetched from the advertiser's server. The image request itself carries the reader's IP address, browser identification, the address of the page being viewed, and any cookie the advertiser previously set, so with these techniques advertisers can easily record, at a minimum, the IP address of every user who reads the document, whether or not cookies are blocked.
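The following is an added example, not code from the original article, showing the server side of the two mechanisms described above: tagging a browser with a unique cookie on its first visit, and serving a 1x1 GIF "web bug" whose request is logged. The tracker host name, the cookie name, the page names and the two sample visitors are constructed for illustration. It also shows why cookie blocking is only a partial defense: hits that arrive without the cookie are still grouped by IP address and browser identification.

```python
"""Cookie tagging plus a 1x1 tracking pixel (web bug): constructed example."""
import secrets
from collections import defaultdict
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode

COOKIE_NAME = "uid"               # hypothetical tracker cookie name
TRACKER_HOST = "tracker.example"  # hypothetical third-party ad/metrics host

# A 43-byte transparent 1x1 GIF: the payload a web bug actually serves.
PIXEL_GIF = bytes.fromhex(
    "47494638396101000100800000000000ffffff21f90401000000002c"
    "00000000010001000002024401003b")


def pixel_tag(page):
    """The invisible image an e-tailer drops into its HTML; the query string
    tells the tracker which page was viewed."""
    qs = urlencode({"page": page})
    return (f'<img src="https://{TRACKER_HOST}/p.gif?{qs}" '
            f'width="1" height="1" alt="">')


def handle_pixel(headers, query_string, remote_addr, log):
    """Serve the GIF and log the hit. `headers` is a dict of request headers,
    `remote_addr` the client IP. One record is appended to `log`; returns
    (status, response headers, body) like a minimal WSGI handler would."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    cookie_seen = COOKIE_NAME in jar
    uid = jar[COOKIE_NAME].value if cookie_seen else secrets.token_hex(8)
    resp = [("Content-Type", "image/gif"), ("Cache-Control", "no-store")]
    if not cookie_seen:
        # First sight of this browser: try to tag it for a year.
        resp.append(("Set-Cookie", f"{COOKIE_NAME}={uid}; Max-Age=31536000; Path=/"))
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    log.append({"uid": uid, "cookie_seen": cookie_seen, "ip": remote_addr,
                "ua": headers.get("User-Agent", ""),
                "referer": headers.get("Referer", ""),
                "page": params.get("page", "")})
    return "200 OK", resp, PIXEL_GIF


def profiles_by_cookie(log):
    """Repeat-visitor profiles for browsers that keep the cookie: uid -> pages."""
    out = defaultdict(list)
    for rec in log:
        out[rec["uid"]].append(rec["page"])
    return dict(out)


def profiles_by_ip_ua(log):
    """Fallback for cookie blockers: every hit that arrived without a cookie is
    grouped by (IP address, User-Agent). Blocking the cookie hides the
    identifier, not the request."""
    out = defaultdict(list)
    for rec in log:
        if not rec["cookie_seen"]:
            out[(rec["ip"], rec["ua"])].append(rec["page"])
    return dict(out)


def simulate():
    """Constructed traffic: visitor A accepts cookies, visitor B blocks them."""
    log = []
    ua = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
    # Visitor A: the first hit gets a Set-Cookie; the second hit echoes it back.
    _, resp, _ = handle_pixel({"User-Agent": ua}, "page=home", "203.0.113.7", log)
    cookie = dict(resp)["Set-Cookie"].split(";")[0]   # "uid=<hex>"
    handle_pixel({"User-Agent": ua, "Cookie": cookie}, "page=checkout",
                 "203.0.113.7", log)
    # Visitor B: never returns the cookie, so each hit mints a fresh uid,
    # but both hits still share an IP address and browser string.
    handle_pixel({"User-Agent": ua}, "page=home", "198.51.100.9", log)
    handle_pixel({"User-Agent": ua}, "page=cart", "198.51.100.9", log)
    return log, profiles_by_cookie(log), profiles_by_ip_ua(log)


if __name__ == "__main__":
    hits, by_cookie, by_ip_ua = simulate()
    print(pixel_tag("checkout"))
    print("by cookie:", by_cookie)
    print("cookie blockers by IP/UA:", by_ip_ua)
```

In the simulated traffic, visitor A's two page views collapse into a single profile under one cookie value, while visitor B's two views get two unrelated cookie values but still fall into one bucket keyed by IP address and browser string. That residual bucket is the "at a minimum, the IP address" tracking the paragraph above describes.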
E-tailer negligence has also played a significant role in the movement for federal privacy legislation. Many high-profile e-tailers have been victims of intrusion, resulting in the theft of credit card numbers and other personal consumer information. Some e-tailers have inadvertently published customer data, and bugs in their software have permitted Internet users to access the personal data of other consumers, such as email files and bank statements.
When the dot-com IPO bubble burst in mid-2000, consumers were shocked to learn that many of the newly defunct dot-com ventures were selling their personal information to other e-tailers, either outright or during bankruptcy liquidation. And when dot-coms are merged, purchased by, or integrated with larger companies, the acquiring company often disregards the privacy promises made by the subsumed company.
These events clearly demonstrate that consumers are fighting a losing battle in their efforts to protect their privacy on the Internet. Given the growing role of the Internet as a commercial backbone for the U.S. economy and the demonstrated abuses by Internet companies, bipartisan legislation in Congress seeks to restore power and control to consumers.
Congressional Action in 2000
During prior sessions of Congress, privacy rights legislation was developed to protect children online, in the form of the Child Online Protection Act (COPA) and the Children's Online Privacy Protection Act (COPPA), both of 1998, and to protect the privacy of financial and medical records. The focus of congressional privacy legislation in 2000 shifted to consumer e-tail issues, including spyware, online profiling, and the collection and disclosure of identity and profile information.
The new consumer protection legislation enjoys bipartisan support, but approaches differ. Figure 1 lists the privacy-related bills introduced in the 106th Congress. The full text of those proposed laws can be found at http://thomas.loc.gov. The various consumer privacy protection proposals share some common themes:
Clear and conspicuous notice: Most of the proposals require Web site operators to disclose the specific types of information that will be collected, how it will be collected, how it will be used, and all of the operator's disclosure practices for personally identifiable information, including whether the information will be disclosed to third parties. With clear and conspicuous notice, consumers can make an informed choice about their activities at a given e-commerce Web site.
Disclosure of personal information: Regarding consumers' rights to consent to or limit disclosure of personal information, the proposals differ in the nature and extent of the control consumers are given over how a Web site operator uses personal information. Note that different proposals make different assumptions about key issues, e.g., whether consumers are presumed to have opted in to or out of specific uses of their personal information. The debate over presumptions is an important one, because the essence of privacy law is a consumer's expectation of privacy. Privacy advocates argue that the presumption must be that a consumer's default preference is to opt out of any disclosure and that a consumer's express permission must be sought for any use of personal information. Some of the proposals instead presume the consumer has opted in, so the consumer must explicitly opt out to prevent disclosure.
Access to personal information: The proposals differ in the extent to which consumers should be able to access the personal information collected about them, ranging from mandating complete access to requiring no access whatsoever. Privacy rights advocates argue that without complete access to the collected information, consumers cannot verify its accuracy, protect their rights, or detect fraud.
Protection of information and enforcement powers: A couple of the proposals impose a duty on Web site operators to protect consumer information from disclosure. Some go so far as to require consumer notification when a security breach has occurred. While each of the bills provides for enforcement, some create a private right for consumers to seek relief in state courts; others empower state attorneys general or the Federal Trade Commission.
While common themes exist, there are significant differences between the various approaches. Time will tell if Congress has the bipartisan will to pass meaningful privacy protection laws.
Implications for Midrange E-businesses
In light of pending congressional action, midrange businesses engaged in Internet commerce with consumers (the B2C segment) need to assess their practices. While the legislation I've outlined is still pending, there are many steps businesses can take in the interim:
Create a compliance team: Pending federal and state legislative action will soon force e-businesses to take consumer privacy seriously. Compliance with these laws may require changes to business models, technology, and business practices. It is unlikely that the IT department alone will be able to make the necessary changes in infrastructure, practices, and procedures to bring the entire company into compliance. For businesses with significant consumer commerce, the team should include members from each functional business area, including marketing, sales, legal, IT, customer service, operations, and top management.
Review compliance with existing laws: Congress has already taken action in limited areas, including the Child Online Protection Act and the Children's Online Privacy Protection Act. Even if Congress is stalemated by recent election results and consumer privacy legislation is delayed, your company's practices may already run afoul of existing law. Every e-business will need to monitor ongoing congressional efforts in the privacy rights arena. Many states already have, or are working on, legislation to protect consumer privacy. If your site sells directly to consumers on the Internet, your company will need to review privacy rights legislation in all jurisdictions where it does business to ensure that its activities comply. Given increasing consumer awareness, the risk of state court litigation over privacy rights issues, including identity theft, may rise. Companies will need to continually monitor state privacy rights developments.
Devise privacy policies and consider joining a privacy organization: A privacy policy isn't just boilerplate text added as a footnote to the bottom of your e-tail Web page. It is a set of policies, procedures, and principles that your company agrees to abide by when conducting business with consumers, and your technical controls and data-handling practices must actually match what it promises. Privacy protection must become a part of your company's mission. While mere membership in a voluntary privacy organization, such as TRUSTe, will not protect your e-business, it does provide a valuable educational service; many resources are available to assist with the development of privacy policies and practices. And compliant e-businesses can display the respective endorsements, which may reassure some consumers.
Examine business partnerships and review security practices: If your site has affiliate programs or business partners such as banner ad services, your company may want to examine whether those affiliations remain appropriate. Will these affiliates honor and abide by your company's privacy policies and by existing privacy laws? If not, can your company continue to affiliate with partners that may create legal liabilities?
Federal and state legislation will impose duties on Internet retailers to employ best practices to protect personal information from inadvertent dissemination, theft, or misuse. To date, many e-tailers have done a poor job of securing their Web sites from intrusion, and sloppy e-businesses can expect litigation from consumers who suffer identity theft or other harm because their personal information was not protected. Companies should continually seek out secure technologies, including encryption of consumer data both in transit and in storage, to protect that information from interception or wrongful use.
Consider business model changes: E-businesses need to examine the technical aspects of their operations to determine whether collecting personal information is necessary at all and, if so, to what degree. The value of the collected information has to be weighed against the risks posed should the information be misused or stolen. Also of concern are the costs and measures required to keep the information private in light of increasing regulation. Instead of collecting identity and behavioral information without consent, businesses may need to consider methods of voluntary data collection that do not run afoul of privacy protection laws.
Changes Ahead
Congress is slowly moving to protect consumers' right to privacy when conducting commerce on the Internet. While the approaches differ, each proposal attempts to restore some power to consumers to protect their personal information and to limit the ways e-businesses can use that information. If federal privacy rights legislation is passed and brings about meaningful change, consumer confidence in online shopping may increase, to the benefit of e-tailers.
However, if federal legislation is not passed or is watered down or if e-businesses continue to exploit consumer privacy, those businesses can expect increasingly burdensome state legislation, which will pose significant compliance problems.
Self-regulation has failed, and the question remains whether limited government intervention will be sufficient to restore parity to retail e-commerce. Midrange Computing will strive to keep you apprised of these developments as they occur.
CONSUMER E-COMMERCE PRIVACY

Bill (date introduced), sponsor(s): Title

Senate:
S.809 (4/15/1999), Sen. Burns: Online Privacy Protection Act
S.854 (4/21/1999), Sen. Leahy: Electronic Rights for the 21st Century Act
S.2063/H.R. 3770 (2/10/2000), Sen. Torricelli/Rep. Jackson: Secure On-line Communication Enforcement Act
S.2430 (4/12/2000), Sen. Leahy: Internet Security Act
S.2448 (4/12/2000), Sen. Hatch/Sen. Schumer: Internet Integrity and Critical Infrastructures Protection Act
S.2606 (5/23/2000), Sen. Hollings: Consumer Privacy Protection Act
S.2928 (7/26/2000), Sen. McCain: Consumer Internet Privacy Enhancement Act
S.3180 (10/6/2000), Sen. Edwards: Spyware Control and Privacy Protection Act of 2000

House:
H.R. 313 (1/6/1999), Rep. Vento: Consumer Internet Privacy Protection Act of 1999
H.R. 1685 (5/5/1999), Rep. Boucher/Rep. Goodlatte: Internet Growth and Development Act
H.R. 2644 (7/29/1999), Rep. Hinchey: Personal Data Privacy Act
H.R. 3321 (11/10/1999), Rep. Markey: Electronic Privacy Bill of Rights Act
H.R. 3560 (1/31/2000), Rep. Frelinghuysen: Online Privacy Protection Act of 2000
H.R. 4049 (3/21/2000), Rep. Hutchinson: Privacy Commission Act
H.R. 4059 (3/22/2000), Rep. Campbell: Online Privacy and Disclosure Act of 2000
H.R. 5430 (10/10/2000), Rep. Green: Consumer Online Privacy and Disclosure Act
H.R. 5571 (10/26/2000), Rep. Holt: Electronic Privacy Protection Act

Figure 1: Consumer privacy bills introduced in the 106th Congress. For official bill text and status information, visit http://thomas.loc.gov.
MC Press Online