"Ready for dinner"
over the last month, Netscape, Microsoft and a veritable Who’s Who of corporations interested in promoting Internet-based commerce announced their support for what they billed as a major privacy protection scheme — the “Open Profiling Standard,” or OPS. On the surface, the proposal’s goals were estimable: to make online users the ultimate arbiters of how much of their personal information they give out to the rest of the Net.
Cynics immediately noted that the initial announcement came just two weeks before Federal Trade Commission hearings targeting the issue of Net privacy. Clearly, the companies lining up to praise OPS were anxious to avoid government meddling.
No shock there: The desire for online privacy runs directly at odds with one of the most attractive aspects of doing business online — the Net’s capacity for helping target marketing and advertising efforts directly at specific users.
“The Internet is an absolute gold mine,” says Jerry Kang, a law professor at UCLA and online privacy expert. “Private and commercial forces want to exploit database marketing by tracking cyberspace transactions. But individuals just don’t want that. They are worried that their personal information will be misused.”
The Catch-22 is obvious: to truly protect user privacy would negate the Net’s direct-marketing potential. It’s a difficult contradiction to resolve — all the more so when the driving force behind OPS’s ostensible privacy standard turns out to be the Net’s preeminent specialist in commercializing personal information.
Most press coverage of OPS has focused on the fact that arch-enemies Microsoft and Netscape managed to agree on the proposal, making it likely to become a de facto standard. But the nuts and bolts work of designing OPS was carried out by a company called Firefly, an advertising-driven Web site that recommends music and film selections to users by comparing their own preferences to a database of other users’ likes and dislikes. The entire OPS strategy is an extension of Firefly’s current approach to handling its users’ personal information, with the addition of some digital certification tools cooked up by the cryptographic specialists Verisign.
Firefly’s online lineage is ancient, in Web years. It began in 1993, under the name Ringo, as an e-mail-based music recommendation system operated by MIT graduate students. It quickly morphed into HOMER, a Web-based version of Ringo. The graduate students then formed their own company, Agents Inc. (now called Firefly), rounded up some venture capital and broke important new ground as one of the first true experiments in Web-based commerce.
Firefly’s breakthrough innovation was combining its database of user preference information with the possibilities of Web technology to offer advertisers a profoundly interesting opportunity. Advertisers could specify exactly who they wanted to target their ads at — all people who liked techno music, or solo female country artists. Once Firefly combined this information about users’ taste with demographic data — like users’ geographic location or purchasing habits — one could get very specific indeed.
Says Ted Kamionek, Firefly’s director of communications: “If an advertiser comes to us and says, I want to reach males who live in the Midwest who like athletic activities and R.E.M. and want to buy T-shirts, we can manage that relationship.”
Firefly’s executives are fully aware of how sensitive users are to the perception that their personal information might be accessible to pushy advertisers. Kamionek emphasized that advertisers are never given access to individual information, but are merely allowed the opportunity to advertise to “aggregates” of selected groups. Firefly’s internal privacy policies allow users to remain anonymous if they so wish and to expressly decide which categories of information they wish to make public.
In fact, Firefly gets high marks for its privacy policies from privacy watchdogs like the Washington-based Electronic Privacy Information Center, and the online advocacy organization the Electronic Frontier Foundation. It has also apparently received popular approval from consumers. Kamionek says that Firefly has issued 3 million “passports” — Firefly’s term for the packets of preference data and personal information that it creates for each Firefly visitor. At Firefly, at least, many consumers are willing to make the bargain, to trade their personal info for the Firefly service. But that doesn’t necessarily mean that they enjoy doing so — or that Firefly’s attention to privacy concerns is purely altruistic.
Survey after survey has indicated that online users resent being asked for personal information, don’t trust companies that do ask for such information and often — as much as 25 percent of the time — enter false information when prompted for personal details. Firefly has no choice but to address privacy concerns, or its database will become corrupted and useless.
Firefly and all the other corporations that are supporting the OPS proposal are engaged in a tortuous dance. In their view, for commerce to succeed on the Web, advertisers and marketers must be allowed to take advantage of the Web’s capabilities for targeting consumers. But that very act of targeting automatically raises hackles. So at the same time they seek better ways to gather information, they are trying to assuage consumer fears that focus on the abuse of that information.
Since Firefly has been performing this dance longer than almost anyone else on the Web, it made sense that they took the lead in the creation of OPS. Three of Firefly’s core team of programmers, including founder and chief technical officer Max Metral, are listed as authors of the OPS proposal.
“It’s an outgrowth of ideas that we have had for a long time,” said Metral. “The idea is to ensure consumer privacy.”
“At the end of the day we want consumers to feel comfortable,” says Kamionek.
The problem, say privacy advocates, is that the best way to make consumers feel truly comfortable is not to collect information at all, or at the very least, to allow users to determine whether or not information is collected in the first place. But despite all the OPS language about “control” and “consent,” there’s no provision, says one analyst, for taking care of the basic problem of whether or not information should be collected in the first place.
“OPS is good in that it provides for companies to tell you what they are doing,” says Donna Hoffman, professor of marketing at Vanderbilt University and an expert on Net marketing and demographics. “But they are still not really giving you a choice.”
“We should call a spade a spade,” says Hoffman. “These companies have gotten together and standardized the collection of consumer data that can be shared across sites. That is not the same as a proposal to protect privacy. It’s much less concerned with privacy and much more concerned with facilitating the exchange of information about consumers.
“That is a welcome step. We need this standardization. This kind of collection of demographic information is very important. But we should not kid ourselves — this is only half the equation. We still need more protection on the consumer side. To call this a privacy standard is a bit silly.”