Internet privacy - protect your online privacy

Jeffrey Wilens is so outraged that he filed a class action suit against RealNetworks for allegedly violating his and other consumers' privacy. The attorney claims in his suit (in the US) that the company's RealJukebox software secretly recorded the titles of music CDs and MP3 tracks he played on his PC, then sent the data back to RealNetworks - creating a detailed profile of Wilens' musical tastes.

"I don't accept the concept that there is no privacy on the Internet," Wilens says. "I think rogue companies need to learn to modify their behaviour."

RealNetworks flatly denies Wilens' charges. "Contrary to media reports, we have never monitored user behaviour or listening habits," says Keela Robison, product manager for the company. However, she admits that RealJukebox did create a unique identification number for each user and stored the numbers in the same database that holds user names and e-mail addresses. Theoretically, these numbers could track where people go on the Web. The company quickly released a patch that disabled the software's ability to issue the IDs, but that wasn't enough to satisfy Wilens and others, who had filed a total of a dozen suits against RealNetworks at press time.

Meanwhile, six other lawsuits in the US are pending against Internet advertising network DoubleClick for creating online profiles of consumers. Three similar suits have been filed against Alexa, an Amazon subsidiary. With few other avenues of recourse at their disposal, users have taken to the courts to fight for their right to privacy. But the battle has just begun.

A not-so-private little war

Profiles in commerce

Double trouble

Are you being followed?

Policies are no insurance

Legal remedies

Technology to the rescue?

Too much, too soon

Should you trust Truste?

Private eyes

Page Break

Welcome to privacy in the new millennium, where surfers are caught in a tug-of-war with Web sites over who owns their personal data and what can be done with it. In the last year and a half, e-commerce has exploded, doubling in volume each year. As the Net gradually becomes the medium increasingly used to get news, buy groceries, rent movies, and buy books and CDs, what little personal privacy users once had may soon disappear.

In some cases, we have only ourselves to blame. Millions of people voluntarily give out personal information to Web sites in exchange for free goods and services. These days, you can get e-mail accounts, Web hosting services and Internet access without ever cracking open your wallet. But to take advantage of such offers you must surrender bits and pieces of your identity, from your name and e-mail address to your buying and reading habits. Businesses then market this information to advertisers, or in some cases, to anyone else who may want it.

At the same time, it's increasingly difficult to trust any site to keep your personal information safe from intruders. Lax security at many Web vendors has made the Internet a hacker's paradise. In the past six months, dozens of major Web sites have suffered theft of credit card information and acts of vandalism such as last February's spate of denial-of-service attacks. As PC World has discovered, even the biggest e-commerce sites can fall prey to crackers - hackers who attack with criminal intent.

Sure, you can try to protect yourself by giving out false information or using services that cloak your identity and IP address as you surf, post to newsgroups, and send e-mail (see "Private eyes" above). But as soon as you hand over your credit card to pay for a book or a vacation, your anonymity is gone.

In fact, the biggest threat to your privacy today isn't crackers, stalkers, or data brokers. It's the legitimate online businesses - such as advertising networks, retailers, and others - that are creating detailed profiles of who you are and what you do when you are on the Web.

Page Break

Consumer profiling isn't new. For years, mail-order firms have been tracking the products you buy so that they can send you catalogues specific to your interests. Shopping club cards allow supermarket chains to keep detailed records of the groceries you purchase.

While the practice of profiling is widespread in the offline world, its scope had been limited until now because mail-order firms weren't able to easily pool their data - say, to combine records of your supermarket purchases with a list of your magazine subscriptions. But on the Net, it's fairly simple to create a record of every site you visit and every transaction you make. As a result, Web profiles can contain an unprecedented amount of information about your interests and activities.

"Say you go to a book site," says Evan Hendricks, editor and publisher of the Privacy Times newsletter. "[Profilers] can see what you looked at and what you bought. Do those books reflect political opinions, sexual preference, [or] health conditions?"

Critics paint a range of dark scenarios if Web profiles were ever to become available for sale on the open market. Corporations, for instance, could use profiles to screen job applicants based on health advice they may have sought on the Web. Say an applicant filled out a health self-assessment form on a medical advice site and listed a family history of colon cancer. Conceivably, the site or its partners could market that information to employers. Or say the applicant bought medicine at a site like Drugstore.com or posted messages to an HIV chat group. All this information could be added to the user's profile, and employers could lower their insurance premiums by not hiring employees who could potentially have serious illnesses. "Those kinds of economic decisions can and will be made," says Fred Druseikis, chief architect for HealthMagic, a company that provides secure systems for sharing medical records over the Internet.

"In terms of how information is collected and used on the Internet," says Marc Rotenberg, executive director of the Electronic Privacy Information Centre (EPIC), "to allow detailed secret profiles to be created is disastrous."

Theoretically, such profiles could also become subject to subpoena or be hijacked by an unscrupulous company or individual. "In a divorce or child custody case, your spouse could use your surfing habits against you," says Larry Sontag, author of It's None of Your Business (PMI Enterprises, 2000). "This information could be available to hackers, employees of a company who may be having a bad hair day, or any crook with access to the Internet," Sontag adds. "The lack of privacy means that [this data] is available to both honest and dishonest people."

Page Break

The biggest profilers on the Internet are companies whose sites you may never have visited - networks like DoubleClick and Engage Technologies, which deliver banner ads to thousands of Web pages and may collect information about you without your knowledge.

These firms use tracking cookies to determine which banner ads you see when you access a Web page. Here's how it works: the first time you view a page with a DoubleClick banner ad on it, the ad deposits a cookie on your hard disk. Then any time you view another page containing a DoubleClick ad, the cookie on your hard drive sends the URL of that page back to the ad agency's server; thus begins a detailed clickstream - a history of some of the places you've visited on the Net. Currently, this clickstream isn't matched to your individual identity. Instead, each cookie contains a globally unique identifier (GUID), which lets the ad server track your movements without identifying your actual name or e-mail address.

In this way, DoubleClick has amassed information on the surfing habits of 100 million users, while Engage boasts a database of 52 million profiles. (If you want to opt out of DoubleClick's cookies, visit www.privacychoices.org).

Last year, DoubleClick quietly revealed that it planned to link the names of surfers, their e-mail addresses, and other personal information about them to their clickstreams.

According to senior vice president Jonathon Shapiro, DoubleClick's intention was merely to target ads to specific users. "The whole goal here is to make advertising work by getting the right message to the right user at the right time," he says.

The reaction from consumers and privacy advocates was swift and vociferous. EPIC filed a complaint with the US Federal Trade Commission, alleging that DoubleClick was "engaging in unfair and deceptive trade practices by tracking the online activities of Internet users."

Page Break

DoubleClick and RealNetworks are not the only sites accused of tracking users' activities across the Web. Amazon.com is embroiled in a similar controversy involving Alexa Internet, a software firm that the e-tailing giant purchased in June 1999. Amazon plans to use Alexa's software in its ZBubbles shopping service. The free software's menu bar sits on top of your browser as you surf, suggesting similar sites to visit and letting you share information with other shoppers. But it also captures the Web address of each page you view - and, according to security expert Richard Smith (see "Private eyes"), these URLs can contain a wide variety of personally identifying information.

For example, when you use a search engine like AltaVista, the URL for the results page contains a text string including the terms you searched for. Depending on how the Web site's search engine works, a URL could contain your name or e-mail address, too, as well as the titles of books you may have bought, flights you may have booked, and health conditions you may have researched - all of which, Smith says, get sent up the wire to Alexa. (Smith uncovered a similar problem having to do with DoubleClick cookies. A recent example involved Intuit, whose Quicken Web site was inadvertently forwarding users' financial information to DoubleClick. Intuit quickly plugged the leak, and DoubleClick says it didn't store this information; but DoubleClick did not provide details of what exactly is stored in its profiles.) According to Dia Cheney, director of corporate communications for Alexa, the company stores its users' Web trails anonymously and keeps this data separate from personally identifiable information, such as e-mail addresses, that users may have provided when they registered the software.

Page Break

So far, most of the attention has been focused on getting sites to post privacy policies that state what information they collect and what they do with it. Both RealNetworks and Alexa have been accused of violating their own policies about keeping user information anonymous.

"Promises made in the privacy policy are as much a part of the transaction as what is delivered to the consumer," Ferrera says.

In short, Internet privacy policies offer consumers very little protection. "Six months ago, just having a privacy policy was considered pretty honourable," says Abner Germanow, a research manager at International Data Cor-poration. "Today, most policies are pretty worthless."

A Georgetown University study, conducted in the US and published in June 1999, examined 361 commercial Web sites and found that nine out of 10 ask you to supply at least one piece of personal information, such as your name, e-mail address, or postal address. Only two-thirds of the sites in the survey offered privacy statements. Less than 10 per cent had what researchers considered to be a complete policy - one that provides consumers with a statement about the site's data collection practices, an opt-out clause, access to the information collected, a description of how the site secures data, and phone numbers or e-mail addresses that consumers can use to contact the company. What's more, privacy statements can be changed at will, often without notification to users or affiliated sites.

"If you want to find out how a company feels about your personal privacy, don't look at their privacy statement, look at their business model," says Rick Jackson, CEO of Privada, a US-based maker of products that allow consumers to surf the Web anonymously. A former executive at Net Gravity, Jackson helped engineer that marketing firm's merger with DoubleClick last October, despite personal reservations about some of DoubleClick's marketing methods. The more an information-gathering company knows about you, he says, the more money it makes: "That's their business model. If it's a question of profit versus privacy, profits come first every time."

Page Break

Most governments have adopted a hands-off approach to Internet privacy - watching and waiting for the Web industry to regulate itself. Organisations like Truste still say that this is the right course to take. Truste oversees privacy policies for more than 1300 Web sites, including those belonging to RealNetworks and Amazon.com's Alexa. According to Bob Lewin, CEO of Truste, RealNetworks' response to allegations of privacy abuses demonstrates that self-regulation works.

Lewin says that Truste convinced RealNetworks to issue a patch that prevents its software from assigning a unique identification number to each user. Truste also persuaded the company executives to appoint a chief privacy officer and to release RealPlayer 7.0 using an opt-in model, so that consumers must actively choose to create a unique ID number, rather than the more common opt-out model used by the majority of Web sites. "We did all of that in the space of one week," Lewin says. "You show me any government body that moves that fast."

Unfortunately, Truste's influence is limited to its licensees, which don't include such Internet heavyweights as Amazon.com and DoubleClick (see "Should you trust Truste?"). Although Truste performs quarterly audits of its members' Web sites to ensure that the privacy policy stated on the site matches the member's practices, the organisation does not specify what kinds of information members can collect, nor what they can do with that information. "The problem with self-regulation is that it rewards bad actors," says EPIC's Rotenberg. Once a Web site begins generating revenue by selling user profiles and personal information, he explains, other Web sites will have to follow suit in order to remain competitive.

Page Break

You can opt out of DoubleClick profiles. You can avoid using software that follows your footsteps on the Internet. You can crumble every cookie before your browser takes a nibble from it. And still you are at risk from the next site, the next advertiser, the next marketer who sees dollar signs in your data.

One thing is certain: online data gathering will not go away. Too many Web sites are depending on the revenues from selling user data or delivering specific demographics to advertisers. The question is whether you'll have any say in what happens to your information.

"The real issue is, who's in control of my online profile, who can access it, and who's selling it?" says Germanow. "When I show up at a travel site, do I want them to know who I am and what frequent flyer program I belong to? Yes. When I'm doing research on AIDS because I have a friend in the hospital, do I want that as part of my profile? I don't think so."

Today, even vendors who sell products for protecting anonymity admit that there is no easy solution for e-commerce. Programs like PrivadaProxy and Zero-Knowledge's Freedom can protect your identity while you browse, chat, or send e-mail, but, according to Privada's Jackson, "As soon as you decide you want to buy something, you're left unprotected."

Both companies say they are working on schemes to allow consumers to shop anonymously and expect to introduce products within a year. Zero-Knowledge's Austin Hill sees a future in which shopping agent software can assure a Web site that you have the credentials to make a purchase, then negotiate what data you are willing to give up in return for a good price.

"What if you had the most accurate version of your profile under your lock and key?" asks Hill, president of the firm. "Your credit information, EBay reputation, frequent flyer miles, how much shopping you do. You'd be able to leverage that data, build relationships with merchants, and still maintain your privacy."

Hill believes that consumers need to start thinking about Internet privacy the same way they think about viruses. "You don't use a computer unless you have antivirus software," he says, "and you shouldn't give away data without protecting yourself. Every time you fill in a Web form or a registration card, make sure that the data is 100 per cent necessary for completing the transaction, and that the company will protect it." When enough consumers refuse to give away their personal information for free, he adds, merchants will have to respond.

Page Break

One reason sites are so vulnerable is that companies are pulling out the stops and scrambling at Internet speed to get online. As a result, designers leave behind files and tools that hackers can use to break in.

Another reason is plain ignorance, says Pescatore. "There's a lot of stupidity built into the CGI code [used to transfer content to] Web sites." But even the best security measures may not thwart all attacks.

"Security is not about absolutes, it's always about how many layers [hackers] have to go through to get to some-thing," says Elias Levy, chief technology officer for Securityfocus.com. Levy says most companies are just not doing enough.

"A hacker only has to be lucky once," agrees Nigel Tranter, vice president for Perfecto. "[Sites] have to be lucky all the time." These days, the same could be said for consumers.

Page Break

In the past year, Richard Smith, Phar Lap Software CEO turned security guru, has uncovered what appear to be privacy breaches in the practices of RealNetworks, Amazon and DoubleClick. Last September, Smith retired from Phar Lap to focus on Net security and privacy issues. PC World spoke to Smith to uncover his views on Internet privacy, where it is going, and what you can do to protect yourself.

PCW: You've become the unofficial guru of Internet security. How did this happen?

Smith: My interest in privacy really started with the flap about the Pentium III serial number [in January 1999]. I ended up looking at the use of Ethernet address tracking numbers and was surprised at how often they were being used as GUIDs. They're almost like a Social Security number for your computer. The number itself doesn't say who you are, but the fact that it goes into databases all over the Web is depressing.

PCW: What, in your opinion, is the biggest threat to consumers on the Net?

Smith: As you surf the Web, sites across the board are watching what you do, creating profiles, learning all about you. I'm concerned that all of this data is going to be combined in one big database . . . The biggest problem is that a lot of tracking is not disclosed . . . Companies like DoubleClick . . . [are] getting a lot of information that's frankly none of their business.

PCW: What advice would you give wary Netizens today?

Smith: The main thing is: computers, like elephants, never forget. Be careful what information you provide Web sites . . . If you're registering your toaster, there's no need to tell them your yearly income. Be careful what you say in newsgroups. You can write something today, and three years later really regret it. Remember, the Net is still new. It's like a 12-year-old kid, still trying to find its way. A lot of issues - like hacking, privacy, and security - will get worked out over the next five years

Page Break

Web privacy is more important now than ever. So if your favourite site carries a privacy seal of approval from an independent organisation like Truste, you should feel safer, right? Maybe not. Internet giants like Microsoft, Deja, and RealNetworks all have sites approved by Truste. But each made news last year by engaging in practices that allegedly violated user privacy. Which raises the question: how far can you trust a seal from Truste?

A handful of organisations dole out Web privacy seals. Truste is one of the largest, with licensees paying from $US299 to $US4999 for a seal that says their privacy policy passes Truste's muster.

As events cited in these pages show, simply posting a policy and seal doesn't mean a site won't violate your privacy. Critics say that Truste monitors members inadequately once it grants a seal. Instead, it relies on consumers and privacy advocates like Richard Smith to report privacy violations.

The RealNetworks incident, for instance, was resolved after being brought to Truste's attention, but Smith says that the credit goes to the media and consumers. "[Truste isn't] really an enforcement organisation," Smith says. "Mostly, the press coverage is what gets companies to change privacy policies."

Truste does perform quarterly checks of sites, but CEO Bob Lewin admits that Truste doesn't look at a site's books to make sure it's not selling data, or at its programming code to ensure data siphoning isn't taking place. "[T]o do those things would be a bit more expensive than what we do today," he says.

"We've done a satisfactory job," he adds, "but I agree that we can do better."

Critics also question Truste's impartiality. The organisation was created by the industry it oversees, and critics argue that it relies on its sponsors - Microsoft among them - to support it. Lewin denies this, saying, "Eighty-five per cent of our funding comes from licence fees . . . [N]o single sponsor has the financial clout to influence this organisation."

In its three years of existence, Truste has never revoked a seal. And Lewin says less than 2 per cent of Web businesses that approach it for a seal are rejected.

Sealed for your protection?

So what does a privacy seal in general say about a site? "It tells you the site did have to answer questions about privacy, [and] that it does have a privacy policy," says Ari Schwartz, policy analyst at the Center for Democracy and Technology. "But a seal doesn't grant you any more control over your [personal] information than at any other Web site." A Web site can still collect and in some cases sell your data, as long as it tells you it's doing so.

And most privacy policies don't cover third-party involvement in a site. A firm like DoubleClick can do what it wants, and until now the host site hasn't been obligated to tell you about it. Also, Truste's licence doesn't cover software downloads like RealJukebox or Windows 98. (Last year Microsoft was discovered to be collecting user information through its registration wizard.) Truste announced recently that it plans to expand its policies to include software and third-party contractors.

In the end, privacy seals tell you that a Web site has a privacy policy and may be held legally accountable for breaking it. How likely a site is to follow its privacy policy is a separate issue, and unfortunately it's one you still have to address by asking yourself a basic consumer question: how well do I trust the company I'm dealing with?