Is your life an open e-book?

February 19, 2001

If identity theft is your worry, the Net shouldn’t scare you. But if you value your privacy, the Web can mean trouble.

A Medical Economics Web Exclusive


By Susan Harrington Preston
Senior Editor

Cookies–the tags that Web sites place on your hard drive to identify your computer–don’t collect the information thieves need to impersonate you. But they can steal something else almost as important: your privacy.

Although identity theft is a crime*, tracking your Internet travels is perfectly legal. Almost every Web site you visit for the first time adds a new eyeball to the many that already are watching your Net-hopping habits. And when you give a Web company personal information, be it your address or your shirt size, you give it the wherewithal to develop an ever-more-detailed profile of your likes, dislikes, and habits as you express them by way of your Web travels.

The cookies themselves aren’t worth worrying about. It’s when they’re connected to your identity that things get creepy–and a growing subsector of the marketing industry specializes in making those connections. These "online profilers," which include DoubleClick, Engage, and 24/7 Media, among many others, distribute advertising on behalf of their client firms.

To get details about your interests, a profiling company places its own cookies–called "third-party cookies"–on your computer, via its clients’ Web sites. Then the profiler combines data from multiple sites into a single file. The profiler’s clients use that file to target-market products to you, typically by selecting banner advertisements to be sent to your computer.

Web businesses can also identify you by sending you, or having a spammer (an electronic mass-mailing outfit) send you, an e-mail with a "Web bug" in it. Web privacy expert Richard M. Smith of the Denver-based Privacy Foundation describes Web bugs as bits of HTML computer code that can link the e-mail message, and thus the address it goes to, with a Web browser. If the bug’s sender also has a cookie on your hard drive, the bug links your e-mail address with it. That way, the company that set the cookie finds out who you are–your name, address, and any other personal information linked to your e-mail–not just which computer its cookie is tracking.

Web bugs can also tell the sender whether, when, and how often you open the e-mail, as well as whether you clicked on any Internet address within it. (For more on e-mail privacy, see "Secure messaging: Much more than e-mail".)

Last year, the Federal Trade Commission and a group of online profiling firms, dubbed the "Network Advertising Initiative" (NAI), agreed on some consumer protections. NAI members won’t use "sensitive" material, meaning your Social Security number or information on your sexual behavior, medical status, or finances. If NAI members collect nonsensitive information that identifies you–from a Web order page, say–they won’t add it to the data they’ve already got about you, unless you say it’s okay by way of an "opt in" on a Web site.

NAI members’ clients, the advertisers, are supposed to give you the option to tell them not to collect any information on you–an "opt-out." If you don’t opt out, they’ll gather data that doesn’t identify you personally.

The FTC can enforce these NAI protections indirectly. "Once companies belong to the NAI, if they don’t comply with its rules, that might be a deceptive trade practice," says FTC spokeswoman Dana Rosenfeld. "So they’re really subjecting themselves to the authority of the FTC." Absent deceptive practices, though, no law directly addresses this issue, unless the companies are dealing with kids under 13, Rosenfeld says.

Privacy at individual sites

Online profilers aside, whether and how information that identifies you gets used depends on the Web sites you visit. To illustrate, we’ll look at what happens with data you enter at iPlace (www.iplace.com), a Bristol, PA-based Web firm that provides personal finance information for individuals who sign up for its services.

iPlace’s main business is serving as middleman for advertisers who want to market products to consumers on its member list. The advertisers specify the demographics of the consumers they want their advertising to reach, but they don’t get to see information that identifies those consumers, such as their names; iPlace’s privacy policy precludes that.

An advertiser can’t get such information unless the consumer provides it directly–say, by clicking on a banner ad on iPlace’s site, which takes the consumer to the advertiser’s site and outside the purview of iPlace’s privacy policy. The profiling firm 24/7 Media handles the ads placed on iPlace’s site, and iPlace takes a hands-off approach to the advertisers’ privacy standards.

You can be pretty sure hackers won’t get personal information you give to iPlace, either: That data goes into a computer that has "no connections to modems or the Internet and cannot be accessed from outside of our physical facility by anyone, even one of our employees," according to the iPlace privacy statement. Also reassuring, iPlace promises to let you know if it decides to change its privacy policy. So far, so good.

Of course, iPlace has a business reason not to divulge member information to potential advertisers: "iPlace.com is building a list business based on information, basically e-mail information, from the consumer," says Bob Wheeler, the company’s chief privacy officer.

Legally, though, iPlace could share the data it collects about you, in several ways. And its reach is broader than you might realize, because it’s one of a "family" of sites that also includes eNeighborhoods.com, ConsumerInfo.com, Qspace.com, FreeCreditReport.com, iPlacePro.com, and HomeRadar.com. Even the Gramm-Leach-Bliley privacy bill–which prohibits financial firms from sharing your personal information with unaffiliated third parties without your permission–doesn’t prevent iPlace from exchanging data with its other sites, which are part of the same company.

That’s not all, though. iPlace is partly owned by MemberWorks, a Stamford, CT-based direct-marketing company that operates online discount clubs. Thus, iPlace is an affiliate of MemberWorks, which gives both companies the right to share personal information about you.

Fortunately, iPlace draws some boundaries: Although it shares names, addresses, and e-mail among its sites, it doesn’t share Social Security numbers. And Wheeler says the company doesn’t share any data with MemberWorks. "MemberWorks is basically an investor–it doesn’t have rights to the consumer information that we’ve collected," he says.

It’s just as well. In October 1999, Omaha’s Better Business Bureau suspended MemberWorks, in part because of a "pattern of complaints" about its marketing practices. That suspension wasn’t lifted until January of this year.

Although iPlace is circumspect in how it uses personal information, not all financial firms are. A large financial company may have dozens of subsidiaries, from credit-card and mortgage firms to insurance companies in individual states. What if such a company were to buy a controlling interest in iPlace? The iPlace member list is a corporate asset, so member information would be sold along with it. In that case, you’d want to check for changes in the privacy policy.

iPlace subcontractors can see data, too

Financial firms can let their subcontractors use information about you to do what the contractor has been hired to do. It’s not legal, however, for the subcontractor to use the data for any other purpose.

One iPlace subcontractor is Coremetrics, a company that does customer-traffic analysis for Web firms. Coremetrics puts a cookie on your hard drive on iPlace’s behalf, correlates it with an iPlace user ID, and then shuffles, cuts, and deals the data according to iPlace’s wishes.

The good news is that you can opt to let Coremetrics use a random number instead of an ID linked to you, or you can opt out of Coremetrics tracking altogether. "Right now, we have a universal opt-out, which means if you opt out on one site then you’re opted out of tracking by any Coremetrics client," says Dan Dement, Coremetrics’ director of public relations.

Further, Coremetrics clients own their own data, so Coremetrics can’t resell the iPlace data or combine it with other clients’ data. "Coremetrics absolutely does not track data across multiple Web sites," says Dement. "That separates us from companies like DoubleClick."

Spyware–a more subtle privacy threat

You won’t escape Net-related privacy invasions just by avoiding Web sites. Software that’s Net-enabled can also provide an information pipeline from your computer to outside parties. Such software, which lets you link to the Internet while you use it, may include mini-programs that Net buffs aptly call "spyware," because they collect information without telling you they’re doing so.

Log onto the Net by clicking on a link in the software, and the program contacts the software’s manufacturer. The program may simply check to make sure you’re using the latest version and download an update if you’re not. But software manufacturers may not restrict themselves to automatic updates. Spyware can send back a lot of other information, including your identity, your computer’s configuration, and information about other software installed on your computer. It can also track where you travel on the Web.

Many popular off-the-shelf programs are Net-enabled. So are browser extensions, Web-based competitive games, and other software that you download for free.

To force companies to notify consumers when their programs contain spyware, Sen. John Edwards (D-NC) introduced a bill in October 2000 called the Spyware Control and Privacy Protection Act. But such legislation can do only so much to protect you from invasion of privacy via the Internet; you have to take steps to protect yourself.

You can stay informed about privacy issues and some of the companies with questionable policies by checking in periodically with Web sites of online security experts. One such site, offered by the Privacy Foundation (www.privacyfoundation.org), based at the University of Denver, includes news and links on a variety of Web privacy topics. So does the site run by software developer Steve Gibson of Gibson Research in Laguna Hills, CA. Gibson’s site sells security software, but it also offers an information-packed online newsletter, OptOut, that focuses on Web privacy problems; its address is grc.com/optout.htm.

Most important, keep in mind that whenever you put personal information on the Web, you’re very likely adding a coin to the treasure chest of any number of marketers.

*See, "New target for thieves: Your good name," Feb. 19, 2001.

How to reclaim your privacy

• Ask companies to ditch their data on you. iPlace, for example, says it will delete you from its database when you send an e-mail with "Remove my records from iPlace" in its subject line.

• If you regularly surf the Web, contact profiling firms to opt out of having them link data that identifies you ("PII," or personally identifying information, in Web lingo) with data that doesn’t (non-PII).

You can use the member list on the Network Advertising Initiative’s Web site (networkadvertising.org) to link to each of its members’ sites. NAI members offer two types of opt-outs: a prospective one (for information collected in the future) and a retrospective one (for information already collected). You can choose either or both.

• Set your browser to prompt you if any site wants to put a cookie on your hard drive, so you can decide whether to accept it. You can set your browser to refuse all cookies, but in practice, that’s cumbersome. One reason: Many useful sites require a log-in, and if your browser won’t accept cookies, the site won’t recognize you.

• Get rid of cookies you already have. You can learn how on such Web sites as www.junkbusters.com (click on "cookies" at the bottom of the home page) and www.zdnet.com (search for "removing cookies" in the category "bugs, viruses, security").

• Opt out of data collection when you’re offered the choice.

• Set the name and e-mail fields blank in your browser’s preferences or options, or use a pseudonym, and change it periodically.

• Use a free e-mail service, such as the one available at www.thefreesite.com, for all e-mails but your personal ones. You can also set up different e-mail accounts for different purposes.

• Use an anonymizing program, such as Anonymizer.com or IDZap.com. They’re not foolproof, but they’ll still help guard your data.

• Encrypt your e-mail with a program such as PGP (Pretty Good Privacy), available free on the Net at web.mit.edu/network/pgp.html.



Sue Preston. Is your life an open e-book? Medical Economics 2001;4.