June 30, 1997

THE PRIVACY PROTECTION SPECTRUM

by Andy Oram
American Reporter Correspondent

CAMBRIDGE, MASS.—Hearings by the Federal Trade Commission this month showed that public interest advocates are divided as to how we can protect data collected from individuals on the Internet. One side requested laws restricting what can be collected and how it is shared. Another lined up with large information and computer companies to ask for a hands-off policy. This article will view the spectrum of Internet privacy proposals, including a middle-of-the-road solution that involves auditing.

With all the publicity given to privacy in recent weeks, I feel no need to discuss existing risks and abuses. If you want to discuss them, get my home phone number and ring me up—I know of at least one search engine on the Web that has it.

On the red side of the spectrum, the Electronic Privacy Information Center and other organizations call for restrictions on what can be stored, such as a ban on the use of sensitive Social Security numbers for everyday commerce. They also want the elementary right for individuals to find out what has been collected, and restrictions on where it can be sold.

Those on the purple side rebut these calls with warnings that a substantial bureaucracy would be required to enforce such laws, and that many useful applications for data-sharing would be banned. It looks like the FTC has joined with this side; the only restriction they’ve called for so far is on the collection of data from children.

If we are to take advantage of the Internet’s speed and convenience to do business, there are times when we want to give out information. It would be nice to standardize the format so we do not have to retype the information each time. But it also becomes more and more critical that we keep this information away from people who may use it for forgery, stalking, or even just unsolicited advertisements.

The self-regulating forces have recently received a boost from the Web’s major standard-setting body, the World Wide Web Consortium. In a concept called Platform for Privacy Preferences (P3), the Consortium envisions a way to help Web sites collect information efficiently, while allowing users to control which sites receive it. Under P3, the user would store personal information in a standard format and indicate to the browser exactly when each piece of information should be used. For instance, if one is shopping for clothing, one could allow the browser to reveal one’s gender to any site that is interested, so that businesses can customize the products they display. At the same time, one could withhold a credit card number until it is time to make a purchase. (Presumably, many types of transactions would be standardized so that browsers would know what you’re doing.)

To further stave off regulation, Netscape has led a collection of firms to submit a related system called Open Profiling Standard (OPS) to the Consortium. Under OPS, a server would tell the user what “Well-Known Attributes” it needed, and the user’s browser would decide whether to send the information. The user could also specify whether the information can be used for marketing purposes in the future. With the sudden scrutiny over Web security waning, OPS seems to have gone nowhere.

Even the leading technical body on the Internet, the IETF, has gotten involved in privacy issues. Several proposals suggest how the use of cookies (information sent by a server to a browser, and stored on the user’s computer) can be controlled by the user.

P3, OPS, and the IETF proposals are technically impressive, but they leave open the question of what happens to information after companies get their hands on it. Theoretically, when the company’s Web server gets information under the conditions that it not be sold or re-used, a contract is established with the user. But how would the user know if the company violates that contract? Would users have to wait for a whistle-blower to reveal that information was sold to unauthorized parties? How would all victims be notified? And would a court be satisfied with the testimony of the whistle-blower?

Furthermore, P3 and OPS are so clever that they are too complex for most Web users to understand. While the proposed standards claim to be superb compromises between efficiency and user control, many people will continue to be unaware of what rights they are signing away.

So far we have seen the two ends of the spectrum. Something of a more greenish-blue hue, called TRUSTe, is offered by the Electronic Frontier Foundation. As with the self-regulation proposals, TRUSTe rests on agreements between companies and users. But it also offers “reviewing, auditing, and monitoring” of sites. The proposal still leaves unclear how the auditors will find out about violations, and how the victims will be recompensed. Thus, it looks like our privacy is not about to receive much protection in the near future.


Editor, O’Reilly Media