If identity theft is your worry, the Net shouldn&t scare you. But if you value your privacy, the Web can mean trouble.
If identity theft is your worry, the Net shouldnt scare you. But if you value your privacy, the Web can mean trouble.
Cookiesthe tags that Web sites place on your hard drive to identify your computerdont collect the information thieves need to impersonate you. But they can steal something else almost as important: your privacy.
Although identity theft is a crime*, tracking your Internet travels is perfectly legal. Almost every Web site you visit for the first time adds a new eyeball to the many that already are watching your Net-hopping habits. And when you give a Web company personal information, be it your address or your shirt size, you give it the wherewithal to develop an ever-more-detailed profile of your likes, dislikes, and habits as you express them by way of your Web travels.
The cookies themselves arent worth worrying about. Its when theyre connected to your identity that things get creepyand a growing subsector of the marketing industry specializes in making those connections. These "online profilers," which include DoubleClick, Engage, and 24/7 Media, among many others, distribute advertising on behalf of their client firms.
To get details about your interests, a profiling company places its own cookiescalled "third-party cookies"on your computer, via its clients Web sites. Then the profiler combines data from multiple sites into a single file. The profilers clients use that file to target-market products to you, typically by selecting banner advertisements to be sent to your computer.
Web businesses can also identify you by sending you, or having a spammer (an electronic mass-mailing outfit) send you, an e-mail with a "Web bug" in it. Web privacy expert Richard M. Smith of the Denver-based Privacy Foundation describes Web bugs as bits of HTML computer code that can link the e-mail message, and thus the address it goes to, with a Web browser. If the bugs sender also has a cookie on your hard drive, the bug links your e-mail address with it. That way, the company that set the cookie finds out who you areyour name, address, and any other personal information linked to your e-mailnot just which computer its cookie is tracking.
Web bugs can also tell the sender whether, when, and how often you open the e-mail, as well as whether you clicked on any Internet address within it. (For more on e-mail privacy, see "Secure messaging: Much more than e-mail".)
Last year, the Federal Trade Commission and a group of online profiling firms, dubbed the "Network Advertising Initiative" (NAI), agreed on some consumer protections. NAI members wont use "sensitive" material, meaning your Social Security number or information on your sexual behavior, medical status, or finances. If NAI members collect nonsensitive information that identifies youfrom a Web order page, saythey wont add it to the data theyve already got about you, unless you say its okay by way of an "opt in" on a Web site.
NAI members clients, the advertisers, are supposed to give you the option to tell them not to collect any information on youan "opt-out." If you dont opt out, theyll gather data that doesnt identify you personally.
The FTC can enforce these NAI protections indirectly. "Once companies belong to the NAI, if they dont comply with its rules, that might be a deceptive trade practice," says FTC spokeswoman Dana Rosenfeld. "So theyre really subjecting themselves to the authority of the FTC." Absent deceptive practices, though, no law directly addresses this issue, unless the companies are dealing with kids under 13, Rosenfeld says.
Online profilers aside, whether and how information that identifies you gets used depends on the Web sites you visit. To illustrate, well look at what happens with data you enter at iPlace (www.iplace.com), a Bristol, PA-based Web firm that provides personal finance information for individuals who sign up for its services.
Of course, iPlace has a business reason not to divulge member information to potential advertisers: "iPlace.com is building a list business based on information, basically e-mail information, from the consumer," says Bob Wheeler, the companys chief privacy officer.
Legally, though, iPlace could share the data it collects about you, in several ways. And its reach is broader than you might realize, because its one of a "family" of sites that also includes eNeighborhoods.com, ConsumerInfo.com, Qspace.com, FreeCreditReport.com, iPlacePro.com, and HomeRadar.com. Even the Gramm-Leach-Bliley privacy billwhich prohibits financial firms from sharing your personal information with unaffiliated third parties without your permissiondoesnt prevent iPlace from exchanging data with its other sites, which are part of the same company.
Thats not all, though. iPlace is partly owned by MemberWorks, a Stamford, CT-based direct-marketing company that operates online discount clubs. Thus, iPlace is an affiliate of MemberWorks, which gives both companies the right to share personal information about you.
Fortunately, iPlace draws some boundaries: Although it shares names, addresses, and e-mail among its sites, it doesnt share Social Security numbers. And Wheeler says the company doesnt share any data with MemberWorks. "MemberWorks is basically an investorit doesnt have rights to the consumer information that weve collected," he says.
Its just as well. In October 1999, Omahas Better Business Bureau suspended MemberWorks, in part because of a "pattern of complaints" about its marketing practices. That suspension wasnt lifted until January of this year.
Financial firms can let their subcontractors use information about you to do what the contractor has been hired to do. Its not legal, however, for the subcontractor to use the data for any other purpose.
One iPlace subcontractor is Coremetrics, a company that does customer-traffic analysis for Web firms. Coremetrics puts a cookie on your hard drive on iPlaces behalf, correlates it with an iPlace user ID, and then shuffles, cuts, and deals the data according to iPlaces wishes.
The good news is that you can opt to let Coremetrics use a random number instead of an ID linked to you, or you can opt out of Coremetrics tracking altogether. "Right now, we have a universal opt-out, which means if you opt out on one site then youre opted out of tracking by any Coremetrics client," says Dan Dement, Coremetrics director of public relations.
Further, Coremetrics clients own their own data, so Coremetrics cant resell the iPlace data or combine it with other clients data. "Coremetrics absolutely does not track data across multiple Web sites," says Dement. "That separates us from companies like DoubleClick."
You wont escape Net-related privacy invasions just by avoiding Web sites. Software thats Net-enabled can also provide an information pipeline from your computer to outside parties. Such software, which lets you link to the Internet while you use it, may include mini-programs that Net buffs aptly call "spyware," because it collects information without telling you its doing so.
Log onto the Net by clicking on a link in the software, and the program contacts the softwares manufacturer. The program may simply check to make sure youre using the latest version and download an update if youre not. But software manufacturers may not restrict themselves to automatic updates. Spyware can send back a lot of other information, including your identity, your computers configuration, and information about other software installed on your computer. It can also track where you travel on the Web.
Many popular off-the-shelf programs are Net-enabled. So are browser extensions, Web-based competitive games, and other software that you download for free.
To force companies to notify consumers when their programs contain spyware, Sen. John Edwards (D-NC) introduced a bill in October 2000 called the Spyware Control and Privacy Protection Act. But such legislation can do only so much to protect you from invasion of privacy via the Internet; you have to take steps to protect yourself.
You can stay informed about privacy issues and some of the companies with questionable policies by checking in periodically with Web sites of online security experts. One such site, offered by the Privacy Foundation (www.privacyfoundation.org), based at the University of Denver, includes news and links on a variety of Web privacy topics. So does the site run by software developer Steve Gibson of Gibson Research in Laguna Hills, CA. Gibsons site sells security software, but it also offers an information-packed online newsletter, OptOut, that focuses on Web privacy problems; its address is grc.com/optout.htm.
Most important, keep in mind that whenever you put personal information on the Web, youre very likely adding a coin to the treasure chest of any number of marketers.
*See, "New target for thieves: Your good name," Feb. 19, 2001.
Ask companies to ditch their data on you. iPlace, for example, says it will delete you from its database when you send an e-mail with "Remove my records from iPlace" in its subject line.
If you regularly surf the Web, contact profiling firms to opt out of having them link data that identifies you ("PII," or personally identifying information, in Web lingo) with data that doesnt (non-PII).
You can use the member list on the Network Advertising Initiatives Web site (networkadvertising.org) to link to each of its members sites. NAI members offer two types of opt-outs: a prospective one (for information collected in the future) and a retrospective one (for information already collected). You can choose either or both.
Set your browser to prompt you if any site wants to put a cookie on your hard drive, so you can decide whether to accept it. You can set your browser to refuse all cookies, but in practice, thats cumbersome. One reason: Many useful sites require a log-in, and if your browser wont accept cookies, the site wont recognize you.
Get rid of cookies you already have. You can learn how on such Web sites as www.junkbusters.com(click on "cookies" at the bottom of the home page) and www.zdnet.com(search for "removing cookies" in the category "bugs, viruses, security").
Opt out of data collection when youre offered the choice.
Set the name and e-mail fields blank in your browsers preferences or options, or use a pseudonym, and change it periodically.
Use a free e-mail service, such as the one available at www.thefreesite.com, for all e-mails but your personal ones. You can also set up different e-mail accounts for different purposes.
Use an anonymizing program, such as Anonymizer.com or IDZap.com. Theyre not foolproof, but theyll still help guard your data.
Encrypt your e-mail with a program such as PGP (Pretty Good Privacy), available free on the Net at web.mit.edu/network/pgp.html.
Sue Preston. Is your life an open e-book?.