When the web surfs you

February 22, 2000

The Internet.

Consumers love it because they can quickly access the same information used by experts, stockbrokers, and lobbyists - stock prices, government reports, academic studies.

The problem is, that very openness gives others -government, crooks, marketers of legitimate and illegitimate products and services -access to a consumer's personal information.

Perhaps too much access.

To make purchases on the Web, consumers have to provide various personal information -name, phone number, credit-card number, product preferences, sometimes financial and health records. Companies compile this information, and the Internet makes it all too easy to share.

Kirk Bailey, security-policy manager at the Regence Group in Seattle, discovered just how easy when he dared a group of fellow information-security experts last October to unearth as much information about him as they could.

For less than $100, the group came up with his birth certificate, Social Security number, a complete picture of his personal finances, copies of his home phone bills, his college transcripts, an electronic copy of his signature - even his cat's diet.

"They owned me," says Mr. Bailey. "[And] I'm a professional in information security."

"I burn all my credit-card offers and bank statements. I was prepared to be uncomfortable. And still, I was floored what they could have done to me," he says.

The security experts had more than enough information to refinance Bailey's house, shut off his electricity, or buy a car in his name. In some cases, people who had the information "bent over backward to share it," says Bailey. (People-search sites - essentially online private investigators that sell information to anyone for a few dollars - are among the most visited on the Internet.)

Last month, 300,000 online customers of CD Universe also lost a sense of their privacy when an extortionist, allegedly operating in Eastern Europe, stole their credit-card numbers and posted them on the Web.

Last year in the US there were more than 300,000 cases of identity theft, where criminals gathered enough information to steal money from bank accounts or open credit cards in other people's names and ring up thousands of dollars in purchases.

An ABC News poll taken last month said 40 percent of consumers worry that computers are being used to invade their privacy.

Collecting personal information isn't new, of course. Government agencies such as the Census Bureau, the IRS, and state motor-vehicle registries have maintained such databases for decades. And companies often ask for customers' phone numbers "in case there is a problem."

But as computer networks allow more businesses to share databases, the information has become valuable, says Stephen Altobelli, spokesman for the Direct Marketing Association (DMA). "The name Stephen Altobelli is worthless [by itself]," he says. "What gives it value is being on a list with 20 other similar names."

Marketers buy and sell customer lists so they can target their advertising via direct mail, e-mail, and Internet banners.

Last year consumers received 71 billion pieces of direct mail.

The problem is getting worse online, in part because consumers have been reluctant to pay for information on the Web. "Consumers like free access, but that means sites have to make money on ads," says Laura Mazzarella, an attorney in the Bureau of Consumer Protection at the Federal Trade Commission. The more information the sites can collect about people, the more they can charge for ads, she says.

So companies entice consumers to share personal information with offers of discounted services, cash, or prizes. The value of such incentive programs on and off the Web totals $3,000 per year for every American says Marian Salzman, head of ad agency Young and Rubicam's Brand Futures Group.

A few Web sites, such as moneyformail.com, run by longtime consumer activist Gerri Det-weiler, now pay people to read junk mail targeted to their demographic group. "One reason we're seeing so much public debate is that consumers are feeling helpless," says Ms. Detweiler.

But others say putting a price on personal information cheapens it. "It denigrates the value of privacy to put a price on it," says Simson Garfinkel, a computer-security expert and author of "Database Nation: The Death of Privacy in the 21st Century."

And the value varies. The names of people with more than $1 million to invest would be a gold mine to financial companies. But grouping the names of consumers by demographic only increases ad revenue from 0.6 cents per click to perhaps as much as 1.5 cents, he says.

"The problem" Mr. Garfinkel says, is that "the people running American business are so uneducated about privacy. They devise new systems all the time to collect and sell personal data without any consideration of a person's right to privacy."

"E-commerce companies will often say, 'You must register, because that's how we make money,' " says Tony Jenkens, who builds clients' e-commerce sites at consulting company Breakaway Solutions in Boston.

"If you're engaging in e-commerce, at a certain point it's impossible to keep your own information private," says Marc Rotenberg, president of the Electronic Privacy Information Center in Washington.

So far, the Federal Trade Commission has taken a hands-off approach, recommending to Congress last summer that the industry regulate itself. To keep that friendly government relationship, the FTC says companies that collect data must: tell consumers that they're collecting it and what they intend to use it for; let consumers see files collected about them to verify their accuracy; and let consumers opt out of having their information sold to others.

"We think it's possible to create a marketplace where individual consumers can protect personal information [that way]," says Mr. Altobelli of the DMA.

But critics say information is often collected without consent. With appropriate regulation, it would be possible to track data so the government or individuals could see where it was collected says Mr. Garfinkel. Legal penalties could be established for those who use information for the wrong reasons.

For now, keeping private information private is a never-ending job of keeping one step ahead of marketers and impersonators.

While laws limit what information federal agencies can sell, business records are increasingly being sold to aggregators such as Polk, Acxiom, and big credit-reporting agencies. For a price, state agencies, municipal governments, and federal public records will also provide data about individuals.

In the future, warns Mr. Garfinkel, this information could be combined with a person's picture (from a driver's license, for instance), a digital copy of a signature, a genetic map, and exact location (through public-security cameras and computer chips in cars and clothing).

Internet companies already are developing new technologies to collect details about people who use their sites.

DoubleClick, for example, has been widely criticized this year for its merger with personal-information aggregator Abacus, because the deal will combine online behavior with people's names.

iClick bills itself as a customer-service tool that can interact with Web shoppers as they browse a site. If they linger on a page without buying, an iContact agent can appear on their browser and offer to help them shop. In some cases the agent can even take over a person's browser, say, to fill in an order form.

In 50 years, predicts Watts Wacker, a Westport, Conn.-based futurist with SRI Consulting, "privacy will be an artifact. It won't be relevant to the way we live our lives."

(c) Copyright 2000. The Christian Science Publishing Society