On the Net and off, personal data is a currency, an entity that can be bought, sold, bartered and, yes, stolen. Ideally, this information connects companies with potential clients and consumers with products and services. Ads with the precision of surgical airstrikes are swell for advertisers, but on the flip side are personalized services that can actually make online life easier. If the maitre d’ knows your face and your preferences, he can make sure that your meal will be enjoyable. Because Web sites can’t see your face (and wouldn’t recognize it even if they did), they employ various methods of recognition. One of these is known as a cookie file.
If you haven’t heard of them, here’s a quick way to see them at work. Go to your Web browser’s preferences/options, look for the “cookies” section and change the setting to “Notify before accepting.” Now visit a few major sites and get ready to keep whacking the “Accept” (or “Decline”) button.
Cookies are now embedded everywhere. You sometimes have to gobble up several before you even get past the front door. The Web is, by design, in constant flux; cookies are tags that try to pin you down. They have many uses, and not all of them are nefarious. For example, certain cookies for news sites such as The New York Times eliminate the need to submit your password each time you enter the site. And virtual shopping carts couldn’t move through online aisles without cookies.
But cookies can be bad, mmkay, when trust is abused, when the cookie information you pass to one site is shared with another, when info about you and your habits (the sites and shops you frequent) is collected without your consent. Many cautious Net users choose to trash or disable all of their cookie files in order to thwart pesky data collectors. More sophisticated utilities allow you to manage cookies, i.e., select which ones you want to keep, but how are you supposed to judge a good-intentioned cookie from an evil one?
The fact is, convenience comes easy, privacy doesn’t. Because most governments take a laissez-faire stance toward companies’ collection of online data, vigilance is required. But is this the way it should be? Must we always lock our doors whenever we take a spin on the Web? Some people don’t think so, and are taking aggressive marketers to court.
In one interesting case, a lawyer in Texas is suing Yahoo! and Broadcast.com under the state’s antistalking law, arguing that these companies trace users without their consent. This month privacy watchdogs protested a more insidious form of “stalking,” after it was reported that DoubleClick, the Net’s largest advertising network, has been providing “profiles” of users that match online activity with names, addresses, etc.
Last summer DoubleClick, a company that provides its data-collecting services to 11,500 sites, announced its purchase of Abacus Direct Corp., a direct-marketing services company that reportedly has a database covering 90 percent of U.S. households.
Put the two sides together and the result is more than just demographic statistics: It’s a very convincing portrait of you and all the things you do. After promising it wouldn’t do such a thing, DoubleClick quietly changed its policy this fall. As a result, it is now the subject of an investigation by the Federal Trade Commission (which also happens to be looking into a similar misuse of data by medical sites).
DoubleClick has been rightly censured for its duplicity, but we should look at the bigger picture. Not only are there more DoubleClicks out there, but also more Abacus-like data-miners. Our privacy online is tenuous, but imagine the size of your offline dossier: The pizza delivery shop has your phone number; your video store knows what you rented last week; your insurance company has your family’s medical records. How much of that information is shared? Did you sign a release form?
DoubleClick.com responded swiftly to the uproar with an “opt-out” program as well as a Web site for raising public awareness of the issues involved (www.privacychoices.org). However, privacy advocates say it’s not enough. The best solution, they say, is an “opt-in” — a clear declaration of intent that requires the user’s consent. If you value your privacy, visit DoubleClick’s site the next time you’re online, but don’t stop there.
For starts, read the resources available at the Center for Democracy & Technology and the Electronic Privacy Information Center. You might also look into so-called info-mediaries. Moving beyond cookie- management, these places offer “identity-management.” To tweak that old Net saying (for the last time, I promise), these services make it easier for us to be dogs on the Internet again.
The symbiotic relationships at these sites are telling. Enonymous.com, for example, wants your personal data just like everyone else. The difference is — they promise — that they won’t sell your true identity to a sponsor, only the raw data. In return, they will inform you of different sites’ privacy ratings, compiled by their reviewers. Info-mediaries look appealing now, but what will keep them straying like DoubleClick did? Perhaps governments should provide regulatory bodies, but aren’t these the guys who want back doors to encryption codes?
Interestingly, as one of DoubleClick’s mea culpas, the company has announced that it has agreed to occasional audits by PriceWaterhouse. In third parties we trust? Maybe. That might be our only option. At any rate, something — be it technology or legislation — will have to regain our trust before this digital economy can fly. I don’t want to always have to wear a fake mustache. Our currency — our selves — needs to be legal tender.