You Know What They Did Last Night

Some may call Larry Ponemon a privacy expert or even a guru, but when it comes to having his privacy violated, he's no different from the rest of us.

In 1995, when he first heard about an ethnographic database of families being built by a Jewish organisation, it seemed like an excellent idea. The organisation planned to use the amassed data to reunite families who had moved or changed their names after the Holocaust. Ponemon, the global leader of compliance risk management for PricewaterhouseCoopers (PWC), was so intrigued by the project that he signed up, providing the group with some demographic information about his family in the process.

In 1998, two-and-a-half years later, Ponemon's company was brought in to conduct an audit of the information trail behind a direct marketing company's database. Ponemon's interest in the case quickly became personal. After some investigating, he discovered that the organisation he gave his information to had sold its database to a direct marketing group to raise money. That company had then integrated the database with its own information, and the compiled information had been bought, added to and sold on at least 10 times after it left the marketer's hands. The final destination of the database, which by then included detailed information about Ponemon's family, credit and occupational history, and that of thousands more, was a neo-Nazi group in Idaho.

The privacy issue is not new by any means. CIOs have been working on it and the press has been writing about it for several years. However, for any company with a web presence, privacy is becoming infinitely more worrisome. Highly publicised security breaches like the CD Universe attack (where a hacker posted 25,000 of the online music retailer's customers' credit card numbers on the Internet) are alerting corporate executives and consumers to the realisation that in the online world, nothing is airtight.

Like security, privacy has grown into much more than a technical issue-it's a brand issue. Companies that can't protect or don't respect their customers' information are going to pay a heavy price. Not only will they lose customers, but industry experts like Ponemon predict a huge opportunity for class-action lawsuits stemming from privacy violations.

Ensuring privacy in the brave new world of hack attacks, perpetual marketing and information mining presents government and industry with an enormous challenge. However, everyone has a different idea of how the issue should be handled. Consumers want control of their own information, and industry wants to establish itself as the consumer's trusted partner in information privacy rather than the natural enemy. Government, the last leg of the stool, wants to protect consumers from industry and industries from each other while maintaining its own personal key to everyone's information. Clearly one solution will not fit all.

This year promises to be a year of big changes in the privacy arena, and it's vital that CIOs pay attention to the forces shaping the way privacy is handled long-term. The means and opportunity to violate privacy for profit are boundless, and CIOs (to whom much of the privacy responsibility falls) are armed with only a smattering of tools and services to protect it. The pressure is mounting for the government to legislate privacy, corporations are struggling to lay out best practices for making self-regulation work, and technology innovations are being developed that hold promise for allaying consumer fears. CIOs will have to keep a watchful eye on the following areas this year to determine the best way to lead their companies through the murky waters ahead, ensuring that their companies are protected and their interests will prevail.

Will Government Act?

The debate over whether industry will be able to regulate privacy or whether the government will need to step in and mandate how it should be handled is likely to be decided this year. Businesses and trade organisations have long been pushing for self-regulation fearing that government rules would quash the growth of e-commerce. Privacy fundamentalists and various politicians, however, see rigid privacy legislation as a necessity.

The legislation that has been passed on privacy to date has been fairly limited, affecting only certain industries and consumer segments. The Financial Services Modernization Act of 1999, for example, requires that financial institutions notify their customers of plans to share "nonpublic" information with a third party so that they have an opportunity to voice opposition. The privacy standards contained within The Health Insurance Portability and Accountability Act (HIPAA) went into effect earlier this year. The act mandates that health-care providers and hospitals protect the confidentiality of an individual's health information with accountability and security requirements like the implementation of electronic data interchange standards. The Children's Online Privacy Protection Act of 1998 (COPPA), which becomes effective this month, requires certain commercial Web sites to obtain parental consent before collecting, using or disclosing personal information of children under 13. In some cases, sites will also have to obtain "verifiable parental consent" before collecting, using or disclosing personal information of children.

Much of the pressure for further legislation is coming in reaction to The European Union Data Directive adopted by the EU in October 1998 (see "The Great Wall of Europe," CIO Enterprise, Feb. 15, 1998). The directive establishes a high level of legal protection for the privacy of individuals and personal data within the EU. The stickiest issue for US companies is that the directive further mandates that personal data can be transferred to countries outside the EU only when adequate security is guaranteed. Because the United States does not have an umbrella privacy policy, the EU could choose to stop the transfer of all data until a compromise is reached.

Federal Trade Commission Commissioner Orson Swindle has long believed that self-regulation is the best long-term solution for handling privacy. However, he fears that unless industry can show that it has made significant strides to protect consumers, government will be forced to do it-and will do it wrong. "Perhaps the greatest of all mistakes would be to see government succumb to the feeling that we have to do something," he says, "and then we do something that puts the brakes on e- commerce." Businesses have a degree of incentive and creativity in this area that the government will never have. Recognizing this, the FTC is working with businesses to respond to consumer privacy concerns in a way that respects an individual's right to privacy without placing excessively onerous regulations on the business community.

Swindle points to IBM and Disney as examples of self- regulation at its best, noting that both companies have been active in public discussions of how privacy should be handled and are deft at handling the issue within their own corporate structures. Both do a great deal of advertising on other Web sites and have put out the word that any site they advertise on had better have an ironclad privacy policy. Few things get the message across as effectively as money. Both companies, along with others such as AOL, Intel and Fidelity Investments, have been working with government groups like the FTC's Advisory Committee on Online Access and Security. The best way for companies to ensure that their voices are heard in the evolution of any privacy legislation is to get involved in either government or industry-sponsored organisations like the Online Privacy Alliance.

Privacy is an emotional issue, however, and Swindle acknowledges reluctantly that the best practices of a few industry leaders may carry less weight with politicians than the outrage of consumers. "As soon as 34 people send you a letter, you've got an issue," jokes Swindle, recounting an old Washington truism. The FTC will be conducting its third survey this year on how commercial Web sites are dealing with privacy, looking specifically at whether sites are posting notices that address all the elements of fair information practices (disclosure, choice, access, security and consumer redress). Adding to the importance of this year's findings will be the inevitable vote pandering of an election year and the number of advocacy groups that will be looking to interpret the results as a resounding endorsement for their own views.

Though he is loathe to dole out advice, Swindle suggests that the best way for companies to stay ahead of any privacy legislation is to make sure that privacy becomes a goal not only of individual departments but of the corporation as a whole. "CEOs need to make privacy a corporate goal," he says, adding that they need to make privacy a fundamental piece of the culture and put it on the same level as profitability. "They have every incentive in the world to do it because it creates a satisfied customer."

Provide Customers a Choice

The overwhelming concerns surrounding privacy have convinced many companies that an aggressive policy of privacy rigor is the only way to handle the issue. Permission marketing, the technique of giving customers the choice to opt in to a marketing program, is becoming increasingly popular because it not only provides customers protection from unsolicited marketing, it also allows companies to market products to a much more valuable segment of the population-the ones who care.

The first step to giving customers a choice is providing an opt-out option. Consumers are increasingly aggravated by the amount of marketing they are subjected to, and New York City-based Bell Atlantic Telecommunications has found that offering customers the opportunity to opt out of certain services alleviates a number of privacy concerns.

The company's *54 service in New Jersey, Virginia and West Virginia, for example, puts a caller in touch with a "reverse" directory assistance operator. Callers give the phone number, and directory assistance will provide the name and address that goes along with the number, as long as the number is listed in the phone book. Realizing that some customers might consider this an invasion of privacy, the company offered its customers the option of being excluded from this listing.

In addition, the company has also branched out from the legally required "do not call list"-which allows consumers to take their names off marketing lists-to offer customers the ability to remove their names from mail lists and e-mail lists as well. The company feels that giving customers the opportunity to customise, in a sense, the kind of relationship they will have with the company enhances its image as a trustworthy and valuable service provider.

Opt-in options, however, are a little trickier. "Most people don't have the time or incentive to opt in to a program unless they really want something," says Shelly Harms, executive director of public policy for Bell Atlantic. But the company is looking for more ways to integrate opt-in opportunities into its marketing schema because studies show that consumers do appreciate the personalized service they get when they provide even a little information about themselves. This model translates well to companies in the business-to-business arena as well. Customers can sign up for notification of pricing policy changes and other information that creates a more valuable relationship between themselves and companies.

A 1999 study conducted by Privacy & American Business, a privacy-oriented research journal, and its publisher, Alan F. Westin, underscores the importance of offering consumers the right product. Westin, a professor of public law and government at Columbia University, found that of the 474 Internet users surveyed, 58 per cent would agree to have their visits to Web sites tracked for the purpose of receiving personalized banner ads reflecting their preferences. Fifty-one per cent of the users said they would agree to have their online purchase information monitored to get the personalised banner ads as long as they were notified and had the opportunity to opt out.

Companies that look into offering consumers incentives to participate in the marketing process will be able to sidestep one of the biggest problems of the privacy debate: the amount of incorrect information that is circulated. Approximately 40 per cent of the information currently submitted and collected from the Internet is intentionally inaccurate (meaning that customers provided companies with inaccurate information), according to Bob Lewin, CEO and executive director of TRUSTe, an organisation that offers privacy certification and policing services. PWC's Ponemon has conducted privacy audits at companies in a variety of data-intensive industries and has seen firsthand how inaccurate some of the data can be.

One of his clients, a large credit card issuer, bought a great deal of information from other sources and used various algorithms to parse the information and develop a list of buying patterns and preferences. The FTC hired Ponemon's group to do an audit, and when he looked up his own information in the files, both the level of detail and the scope of the inaccuracies amazed him. From studying his purchases and buying patterns, the credit card company knew that Ponemon liked brown shoes better than black shoes (a proclivity he readily admits to) and that his preferences for movies ran to the Disney variety (which he buys for his children). Nestled amidst this detailed information were some glaring inaccuracies that could have easily been verified from public information sources, such as the "fact" that Ponemon was a graduate of the University of Kansas. (He is actually a Harvard grad.) A 1996 study that Westin conducted in conjunction with Equifax and Louis Harris Associates is considered a classic by many privacy advocates, even four years after it was done. The study divided American online consumers into three groups. Of the 1,005 adult consumers surveyed, 24 per cent are considered to be "privacy fundamentalists"-those who don't want anyone to have access to their personal information-while 16 per cent are "privacy unconcerned" and will willingly give out information when asked. Westin's study determined that the remaining 60 per cent of consumers are "privacy pragmatists," individuals who approach the issue by weighing the value provided when they offer their information with the potential privacy risks, and pick and choose accordingly.

Although technology has certainly added considerably to the privacy problem, it may also provide the best hope for a long-term solution. A screening technology called the Platform for Privacy Preferences (P3P) may eventually allow consumers to tailor their online experiences to their own preferences. P3P can be built into browsers to shield users from sites that don't provide the level of privacy protection they want. Instead of forcing users to sift through the privacy policy for each site they visit, the computer will download the privacy policy from each site and notify users if the policy does not match their preferences.

P3P may sound like a long shot, but the caliber of companies throwing their weight behind the initiative make this dark horse look like a sure thing. The platform is being developed by the World Wide Web Consortium (W3C), an international industry group with member companies like Apple, Commerce One, Ericsson and Microsoft, and may be approved for general implementation by the end of 2000. IBM is also supporting P3P.

In his experience with the FTC, Commissioner Swindle also sees promise in a variety of other technology proposals, such as having an "honest broker," which would basically be a trusted third party through which all online transactions would go, eliminating many of consumers' concerns about the privacy of their information. He also points to an electronic passport that allows a user to prove his or her identity. Users who visit Web sites with digital certification can submit credit card numbers or other personal information knowing the site is genuine and their data cannot be intercepted or used by anyone else.

As additional privacy legislation is proposed and regulatory issues unfold, companies should be prepared to tackle privacy issues head-on.

"Even with the best of intentions, companies have a hard time [protecting privacy]," says Ponemon, "because the ability to violate privacy is always a couple of miles ahead." But the risks make this challenge well worthwhile. In this area, one bad deed wipes out 10 good ones. A breach in security or privacy is a corporate nightmare and a career killer.

The Year in Violations

It's been a busy year for privacy infringements Consumers and the FTC have little patience for the antics of companies that play fast and loose with the privacy of customer information. Examples of new violations are hitting the mainstream press daily, and proponents of self-regulation fear that the more publicity these situations get, the more inclined Congress will be to act. What follows are some of the most notorious cases from the past year.

Intel's Pentium III Chip

Each of Intel's Pentium III computer chips contains a unique electronic personal serial number that can be tracked over the Internet and possibly through e-commerce transactions. Privacy groups have protested, but the ID remains and the chip may soon be banned in Europe, which has stricter privacy policies.

ReverseAuction.com versus eBay Online auction houseReverseAuction.com apparently pulled a switch on consumers when it allegedly collected consumers' personal information from competitor eBay, then sent e-mails to those consumers soliciting their business.

Interloc versus Amazon.com

Interloc, an online bookseller and US Internet service provider, was accused of intercepting e-mail messages directed by online bookseller Amazon.com to Interloc's bookseller clients with Interloc e-mail addresses. The company was accused of trying to steal business strategies from its behemoth competitor. Alibris, the new owner of Interloc, has settled the case.

Liberty Financial

The FTC brought suit against Liberty Financial Companies, a Boston-based asset management company, for violating the privacy rights of children who frequented its Young Investor Web site. The FTC alleged that the company had used prizes and contests to encourage children to disclose their names and addresses, as well as information such as stock holdings and the amount of weekly allowances that could be used to market to their parents.

-D. Duffy