Consumer Privacy May Be More Secure Online Than Off
Despite the Internet’s reputation as privacy’s gravest modern threat, consumers are increasingly finding more safeguards on the Net than off.
A study released Wednesday offers new evidence of this trend, showing a sharp rise in the number of Web sites that post policies telling people what information is collected from them and how it is used.
Nearly two-thirds of the Net’s 7,500 most popular commercial sites voluntarily post privacy policies, according to a statistical sampling of those sites by Georgetown University. That compares with 14% that did so one year ago when a similar survey was conducted by the government.
The survey is the latest illustration of how much attention is being paid to the Internet as a privacy menace, an image cultivated in recent years by government summits, congressional hearings and extensive news coverage.
But often lost amid the hand-wringing is the fact that consumers, even tireless Internet surfers, still shed more exploitable data as they wander through everyday life.
Data-driven industries from direct marketing to private investigating remain overwhelmingly dependent on courthouse records, credit card transactions, product warranty cards and other mundane sources. These rivers of offline data keep rising, largely beyond consumers’ radar or control.
Impossible as it seems in this digital age, many consumers are finding it easier to control their exposure to privacy risks on the Net than off. And in some ways the Net is spawning enlightened marketing practices that are influencing the offline world.
Of course, the Internet is no privacy paradise, and experts agree it deserves ongoing scrutiny. But a growing group of experts are starting to question whether the attention it gets is out of proportion.
The Privacy Rights Clearinghouse in San Diego, for instance, handles hundreds of calls and e-mails every month from victims of privacy breaches ranging from junk mail to identity theft. Almost none of them trace their troubles back to the Net.
“I’ve often thought of it as a shell game,” said Beth Givens, director of the clearinghouse. “Our attention is being diverted to Internet privacy, while there is more impact on individuals from real-world abuses.”
That “diversion” continued Wednesday, with the release of a privacy study by the business school at Georgetown University. The report could have wide repercussions at a time when Congress seems increasingly inclined to step up regulation of the Internet.
A bill introduced last month by Sen. Conrad R. Burns (R-Mont.) would require all commercial Web sites to post privacy policies and to give consumers the opportunity to “opt out” of any collection of their data.
Inevitably, groups on both sides of the issue sought to take political advantage of the Georgetown survey, which is loosely modeled on a study conducted last year by the Federal Trade Commission.
Internet industry groups said the study shows that self-regulation efforts are working and that government intervention isn’t necessary.
“We’ve still got work to do,” said Christine Varney, an advisor to the Online Privacy Alliance, which comprises such powerhouses as America Online and IBM. “But this really reflects absolute vindication” for market forces.
Privacy advocates, however, saw evidence that consumers are still far too vulnerable and called for legislative action. They noted that while the study showed a proliferation of privacy policies, few Web sites go beyond that basic step.
Just one in 10 of the surveyed sites adhere to all five elements the FTC has identified as essential ingredients of comprehensive privacy policies. By that measure, sites should give consumers notice of what is collected, the choice to opt out, access to collected data, information on security and someone to contact with complaints.
“Instead of comprehensive privacy policies, we’re getting public relations,” said Marc Rotenberg, director of the Electronic Privacy Information Center in Washington.
But beyond this tug-of-war, many consumers wish offline privacy breaches received as much attention.
Roy Segovia, a San Diego computer programmer, barely leaves a trace when he wanders through cyberspace. He guards his identity, wards off marketers’ efforts to tag his computer with “cookie” files and avoids online purchases altogether.
But he bought movie tickets over the telephone a few months ago and has been deluged with junk mail triggered by that transaction.
“The more I thought about it, the more angry I got,” said Segovia, 37. “There are a lot of offline privacy problems we haven’t solved yet.”
In fact, one of the most overlooked privacy implications of the Net has nothing to do with data collected online but is linked to the market the Net is creating for data that consumers like Segovia give up offline.
“Find Anyone! Only $39.95” proclaims 1-800-USSearch.com, an online Beverly Hills firm that is among the growing ranks of “people finder” services on the Net.
The service does more than just find people. It offers a significant peek into their lives as revealed by the data they shed every day. The firm pulls together property records, auto registrations, magazine subscription lists, telephone listings, corporate affiliations, bankruptcy filings and more.
The company has 150 employees and handles 1,500 searches a day, 80% of them requested through its Web site. The rest are requested by phone.
“This information has been available for decades, but just a select few had access to it,” said Nick Matzorkis, the founder of the company. “Companies like ours balance the playing field.”
Matzorkis said none of the data his company uses are generated on the Net, a claim echoed by direct marketers, private investigators and others.
That is bound to change as millions of consumers continue their steady migration to the online world and as the Net absorbs an increasing share of transactions that have traditionally taken place in person, by phone or through the mail.
But experts say there are widespread misconceptions among consumers about how data collection on the Internet works and that consumers often fret most about information marketers care about least.
“There’s a perception in people’s heads that they are moving about the Net with a homing beacon attached to their backs,” said Randolph Court, a technology policy analyst for the Progressive Policy Institute in Washington. “That’s just not the way the Internet is.”
Thousands of Web sites do use “cookies,” files that sites place on users’ computers to note how many times they visit and keep track of users’ passwords and preferences.
The technology is critical to the personalized services that are driving the Internet’s popularity. It enables portal sites, such as Yahoo, for instance, to offer personal Web pages that let millions of users see only the weather reports, stock updates and news summaries that interest them most.
But most cookie data are not personally identifiable and consumers can block cookies altogether. Furthermore, traditional marketers say they have no use for this data.
David Schwartz, president of 21st Century Marketing in New York, compared examining data generated by cookies and so-called “clickstream” analysis techniques to visiting a popular beach.
“You’ll see a million footprints in the sand,” Schwartz said. “If you want to follow one set of footprints, you might see that someone walked down to the ocean and then over to the barbecue area. But it’s not something that’s relevant.”
And besides, there are mountains of offline data to choose from. “Female buyers of pet accessories,” and “bow hunters of big game,” are among the 28,000 marketing lists available, according to the SRDS Direct Mailing List guidebook.
Much of this data comes from magazine subscriptions, direct mail catalogs and product warranty cards. It is supplemented with more data from real estate records, telephone listings, census surveys and credit histories.
Often the most serious privacy breaches, such as identity theft, happen in low-tech settings, as Saleh Shatnawi discovered when his Social Security number, credit card number and other information was stolen from his health club membership file, which had been left near the club’s front counter.
Shatnawi, a restaurant owner in Santa Rosa, Calif., learned of the breach weeks later when police told him the thief had opened a bank account in his name and was bouncing checks. “It was a real mess,” Shatnawi said. “And there was nothing I could do about it.”
Government officials acknowledge that a disproportionate share of their efforts are aimed at the Internet these days, but say that focus is justified.
“The Net deserves this emphasis,” said Robert Pitofsky, chairman of the Federal Trade Commission. “If you ask people why they don’t make purchases on the Internet, the No. 1 reason is that they are concerned about privacy.”
But the same technology that makes gathering data online so easy also helps activists mobilize consumers against perceived privacy breaches.
Intel Corp. and Microsoft Corp., for instance, beat hasty retreats from the consumer backlashes that ensued when their microprocessors and software were perceived as compromising consumers’ privacy.
And while spam, or unsolicited advertising e-mail, is still a nettlesome problem, it is largely a tool for the disreputable.
“On the Internet, possession of data is not nearly as important as permission to use that data,” said Seth Godin, vice president of direct marketing for Yahoo, the Internet’s most popular site. “You can buy 60 million e-mail addresses for about $200, but that list will get you in so much trouble, your company will never recover.”
That kind of hostility to privacy violations is bound to spread offline, Godin said. The Net is not only raising awareness of privacy, he said, but whittling away consumers’ tolerance for annoyances from junk mail to dinner time telemarketing.
Perhaps that’s wishful thinking, and even Godin acknowledges there is plenty of room for improvement in Internet privacy. But Wednesday’s survey highlights an interesting disparity.
“Sixty-six percent of all Web sites provide some privacy notice,” said Varney. “Do 66% of the entities you deal with offline provide you with a privacy notice?”
Full survey results and methodology can be found at https://www.msb.edu/faculty/culnanm/gippshome.html.