The Federal Trade Commission issued a report Thursday, three years in the making, declaring what many Web users long ago concluded for themselves: "Consumers have little privacy protection on the Internet."
Specifically, the FTC report said, "The Commission's survey of over 1,400 Web sites reveals that industry's efforts to encourage voluntary adoption of the most basic fair information practice principle -- notice -- have fallen far short of what is needed to protect consumers." In other words, when Web sites start asking you detailed questions about where you live, what you do, what you make and how you spend your money, they rarely tell you in advance how they intend to use or distribute that info -- or give you any choice to "opt out."
The report outlines four principles for online privacy: notice, choice, access and security. Its harshest language lambastes sites that collect information from children without ensuring that they have their parents' permission. The commission urged Congress to pass a law aimed specifically at protecting children from such practices.
Trade groups, libertarians and until this week the government itself have long maintained that the Internet industry should be given a chance to regulate itself. Laws, after all, can be cumbersome and bureaucratic. But the FTC has now concluded that self-regulation is a dismal failure.
The truth is that most companies engaged in online sales and marketing are far more interested in finding ways to gather and use detailed demographic information than in protecting that information from abuse. If we can't target customers, they argue, then what the hell good is this medium, anyway? As one analyst told the New York Times: "If it's not customized and personalized, it might as well be television."
Aggressive re-use of users' information often arrives under the guise of "service," of providing the "convenience" of a "seamless experience." That was the case with the clumsy snafu that ensued this week (first reported here in Salon 21st) when Advertising Age's Web site registered all 35,000 of its users at another site, theglobe.com. This triggered a mass mailing in which each user received an e-mail message from theglobe.com containing their password -- but with no indication of any connection to Ad Age. If you'd never heard of or visited theglobe.com and suddenly received your password in the mail from them, this was alarming, to say the least.
Ad Age has since apologized -- and explained that it had exported its database to theglobe.com to make it easier for its members to take part in a new community area the two companies were co-sponsoring. No money had changed hands, both companies were quick to assure, and Ad Age hadn't sold out its membership: It was simply providing a new service and had neglected to properly explain what was going on.
Maybe so -- but that kind of failure to explain what a company is doing with personal information is precisely what the FTC is now denouncing. Ad Age didn't give its members a choice about whether their passwords would be turned over to another company; it just decided that this service was something they would want -- and started moving the data. If it hadn't been for theglobe.com's auto-generated "welcome" e-mail, Ad Age's members would never have learned that the password they'd provided to one company was now entered in another Web site's database. The deal flunks two of the FTC's litmus tests: "notice" and "choice." (It also fails another one -- "security": A more security-conscious Web site wouldn't be e-mailing passwords in plain, unencrypted text; and more security-oriented databases hide users' passwords even from the site owners.)
Co-marketing deals are just one source of constant pressure to compromise the privacy of users' information online. New technology is a force that's accelerating even faster. Software standards and projects like the new Platform for Privacy Preferences or the Information Content & Exchange protocol create easily automated ways for Web sites to exchange user information -- and, in theory, for users to make choices and set limits on what happens to their information. Privacy advocates hope that such new standards -- along with ideas like the TRUSTe program -- will provide easy-to-use tools for Web site operators who want to deal fairly with customers.
But any software that automates the transfer of information needs to be watched like a hawk: The potential for abuse, intentional or blundering, is vast. Privacy experts and consumer advocates push for "opt in" systems that require a positive action on a user's part before a marketer can sell or trade personal info; but companies always prefer the "opt out" approach -- where they get carte blanche to use your info unless you specifically say "no." Left to their own devices, marketers will do everything in their power to set the "defaults" of new software protocols to allow promiscuous reuse of information.
Today, of course, most Web sites aren't doing a whole lot with the information they've collected from users for one simple reason: They're drowning in too much data, and lack the resources to crunch it in any useful way (as a recent article in Wired by Chip Bayers detailed). But that can't last forever; as computer processors get faster and companies get richer, you can bet they will be "data mining" like crazy, looking for ways to deliver "customized, personalized" experiences -- whether we've asked for them or not.
All of which suggests that the FTC is doing precisely the right thing in sounding an alarm on these issues today and proposing laws to protect consumers from the most outrageous practices of online marketers. Net visionaries have long predicted, and users long dreamed of, the new medium evolving into a perfect marketplace for information, goods and services -- where, thanks to the power of technology, convenience reigns. But it'll never happen unless you and I feel comfortable telling Web sites about ourselves.
The biggest beneficiaries of strong privacy policies online would be Web businesses themselves. But it looks like they may need the government to explain this to them.