03/02/2000

By Doug Bedell / The Dallas Morning News

On the heels of a scathing report on the state of the nation's Web privacy, the Federal Trade Commission says it will survey U.S. commercial Web sites to determine how personal information is being collected from online consumers.

The action comes after recent allegations that major online advertising firms are misleading consumers on how they use information in their databases.

The Internet's largest banner advertising company, DoubleClick, raised a firestorm of protest after revelations that its new profiling methods can track Web surfers and match them to name, address and other personal data.

The third annual "Surfer Beware" report from the Electronic Privacy Information Center, or Epic, questions whether commercial Web sites can regulate themselves on consumer information collected both with and without Internet users' knowledge.

Late last year, a Forrester Research survey of 100,000 Net users found that 67 percent were "very" or "extremely concerned" about online privacy.

Epic's report (www.EPIC.org/reports/surfer-beware3.html) reviewed the privacy practices of the 100 most popular shopping sites on the Internet.

The study attempted to assess whether online merchants are adequately protecting consumer rights as outlined in a 1980 set of principles from the Organization for Economic Co-operation and Development Privacy Guidelines (www.oecd.org/dsti/sti/it/securrodRIV-EN.HTM). The principles are the basis for many privacy laws in the United States.

It also looked at the use of profile-based advertising, which is direct advertising aimed at specific users, and cookies, the small text files that record user browsing habits, in Web site operations. These are the practices that prompted recent investigations into services such as DoubleClick.

Of the top 100 sites studied, Epic found that 18 did not display a privacy policy, 35 had profile-based advertisers operating on their pages and 86 used cookies.

"Not one of the companies adequately addressed all the elements of fair information practices," Epic said. "We also found that the privacy policies available at many Web sites are typically confusing, incomplete and inconsistent. We concluded that the current practices of the online industry provide little meaningful privacy protection for consumers."

Epic also examined whether the Web sites offered "opt-in" or "opt-out" policies for direct marketing contacts. Opt-in mechanisms, favored by most privacy groups, allow Web sites to collect and use personal information only if the consumer gives explicit permission.

Opt-out, on the other hand, allows companies to make use of information unless consumers notify the firm that they do not want their personal information collected or used.

For example, Epic cites CDUniverse's opt-in policy, which says: "If you answered 'Yes' to the question 'May we occasionally send you e-mail promotions,' we keep you up-to-date via e-mail."

J. Crew has an opt-out policy: "We occasionally make our customer list available for one-time use by a few carefully screened firms -- should you prefer not to get their mailings, please let us know."

Twenty-four sites solicited opt-in consent before collecting and using personal information from consumers, according to the Surfer Beware survey's raw results (www.EPIC.org/reports/surfer-beware3_app.html).

"Anonymity, which remains crucial to privacy on the Internet, is being squeezed out by the rise of electronic commerce," Epic reported. "Industry-backed self-regulation has done little to protect online privacy."

Motives questioned

Although Epic generally applauded major Web sites' participation in nonprofit, self-policing organizations such as TRUSTe, it said it will investigate such groups' effectiveness this year after several recent controversies.

For a fee, TRUSTe promises to audit a site and issue a seal assuring visitors that the site's privacy policy is truthful. Violators of the group's guidelines are to suffer sanctions.

However, the lack of action taken against two major Web players -- RealNetworks' Real Jukebox and Microsoft -- prompted Epic to question the industry-funded group's motives.

TRUSTe sidestepped an "incident" late last year in which it was determined that RealNetworks' RealJukebox was collecting users' personal data without their knowledge. It said that because RealNetworks' privacy violations took place via its RealJukebox software, not its Web site, the incident was outside the purview of TRUSTe.

This same tack was taken last year with Microsoft, a large financial supporter of TRUSTe, when it was determined that Microsoft had not violated privacy policies when a quirk in the online registration of Windows 98 operating systems permitted users to be identified and their online movements tracked.

In news releases and testimony before congressional committees, TRUSTe has denied any conflicts of interest. Critics of the program, TRUSTe officials said, have brought up questions about enforcement but have never shown direct evidence that the organization's efforts to bring sites into compliance have been ineffective.

Late last year, Terry Pittman, a member of TRUSTe's board of directors, told the House Judiciary Committee's Subcommittee on Courts and Intellectual Property that privacy on the Net had dramatically improved, largely through TRUSTe efforts.

"For the past two years, TRUSTe's mission has been to increase trust on the Internet by promoting responsible and fair information collection and use practices online," Mr. Pittman said. "To that end, TRUSTe also provides outreach and education to Web users about how to take control of their information online."

More sites sign up

Mr. Pittman told the committee that all of the Internet portal sites have joined the TRUSTe privacy oversight program, reaching more than 90 percent of Web traffic each month. TRUSTe officials said that more than 1,500 sites had joined the TRUSTe program by the end of December.

"When we launched the TRUSTe seal program in June of 1997, we understood that educating the most visible sites would be key to the widespread adoption of privacy protection practices on the Web," Mr. Pittman testified. "The growth of interest in seal programs is clearly linked to one factor: the desire to build a Web environment that consumers feel comfortable in."

Epic has made it clear that it believes privacy is not being adequately protected by voluntary methods. Federal intervention, it says, may be required.

And now, the Federal Trade Commission may be considering action.

"We believe that legally enforceable standards are necessary to ensure compliance with Fair Information Practices," Epic said.

"And new techniques for anonymity are necessary to protect online privacy. Until such steps are taken, we have to repeat our advice for the third consecutive year: 'Surfer beware.'"

Staff Writer Doug Bedell can be contacted by writing dbedell@dallasnews.com.