Both sides claim to wear white hats. Both sides want to protect the public good. In the IT corral, where Internet privacy experts have battled advertisers for the last three years, duelling ideologues insist they have the best interests of citizens at heart. Now, a third interest group is weighing in on the issue. They are the practitioners, and they claim that for reasons that are technological and logistical, Internet marketers couldn't build a reliable database of customer profiles even if they wanted to. Yet despite that claim, the battle of the advocates goes on.

To the left are the privacy activists--watchdog groups such as the Electronic Privacy Information Center (EPIC) and Junkbusters Corp. They believe that the government should regulate how online advertisers collect and distribute personal customer information. On the other side, free-advertising proponents--some of whom are united under the Network Advertising Initiative (NAI)--insist that self-regulation makes sense not only from a policing perspective, but a financial one (that is, a self-regulating Internet is a revenue-healthy Internet, is a free Internet).

This July, EPIC and Junkbusters jointly released "Network Advertising Initiative: Principles not Privacy," a report that assessed past events surrounding Internet advertisers, analysed the recent self-regulatory guidelines approved by the Federal Trade Commission (FTC) and proposed solutions for protecting online privacy. They concluded that Web surfers must be told of advertisers' attempts to profile them, and they must be given the choice of opting out. In addition, information that has been collected in the past cannot be linked to personally identifiable data without a consumer's consent. However, there is some indication that the battle isn't over: The FTC has said that it would continue to press for legislation that will protect the privacy of consumers.

What is the battle all about? Privacy experts insist that advertisers' often covert collection of Web surfer's personal data infringes on individuals' right to confidentiality. The long-practiced offline marketing method of target advertising - now at work on the Internet--is under attack from Internet users all over the world. Through the use of banner ads, which place small files called cookies on computers to record online behaviour, agencies can track online activity and then directly tailor their advertising to a customer's tastes. Emboldened by the motto "past behaviour determines the future," advertisers believe they can better identify individual preferences and subsequently boost sales. Privacy advocates object not only to the clandestine approach to information gathering; they worry about potential abuse of the information.

The NAI, a group of third-party advertisers, is keenly aware of the public's growing unease. The organisation, which includes companies such as 24/7 Media, DoubleClick, Engage and MatchLogic, has a mission: to grow e-commerce while increasing consumer confidence, largely by assuring the public that private watchdog groups like TRUSTe and BBB (Better Business Bureau) OnLine are all that is needed to protect their personal data. NAI has a tough row to hoe. In July, Columbus, Ohio-based Interhack Corp., a security firm that does risk assessment for Internet retailers, reported that at least two websites that carried the TRUSTe privacy seal, Lucy.com and Fusion.com, were sending personal information to the marketing company Coremetrics.

The revelation was reminiscent of another incident a few weeks earlier, when ToySmart, the mostly Disney-owned online toy retailer based in Waltham, Mass., filed for bankruptcy protection and then tried to sell its customer lists (complete with members' children's names, ages and e-mail addresses), even after their TRUSTe-blessed site promised it would never share that information with a third party. TRUSTe, the independent agency that gave its privacy seal-of-approval to the site, notified the FTC, which launched an investigation. As of this writing, the FTC has agreed to settle the suit filed against ToySmart's plan to sell customer information - setting what many privacy advocates believe is a dangerous precedent for similarly fated companies. In other words, if "safe" sites can change their rules, no self-regulating website can be trusted. The public's opinion of the settlement is evident in the fact that the attorneys general of 44 states have filed a legal brief formally objecting to it.

What's disconcerting to the public, says Jay Stanley, an analyst for Internet policy and regulation research in Forrester Research's Washington, D.C., office, "is you may think you're alone in front of your computer in your underwear...but it's not true." Big Browser is watching.

But while watchdog groups are up in arms, some knowledgeable observers think their concern is premature, if not unfounded. According to a May New York Times article by Saul Hansell, the information collected by advertising networks is so fragmentary and so laden with errors that it is practically useless. The result, Hansell wrote, is "so far no one has been able to make a big business out of being Big Brother."

David Schehr, a research director at Gartner Group agrees. "Banks and financial service firms have spent, in the last five to seven years, hundreds of millions - if not billions - of dollars on data warehousing and data mining," he says. "Very few have shown any reasonable return."

Some have succeeded, he says, in drawing a reasonable picture of their customers, not only from surfing habits, but from checking account and mortgage information. But they have yet to really see a significant, easily definable return. Still, they cling to the old model. "They have this idea: You bought a book, therefore I know how to sell you a car," says Schehr.

"Everyone is fired up about nothing" says Steven Kane, cofounder and former CEO of Gamesville.com, an interactive entertainment community that Lycos purchased in 1999. Kane believes that advertisers cannot yet merge meaningful online data into existing offline information to create in-depth consumer profiles. "It's a very big job [to merge data]," he says. He wonders why consumers aren't more incensed by offline data collection practices, compiled by frequent flyer, credit card, finance, security and insurance companies.

"What about the NCOA?" asks Kane about the National Change of Address. "The [U.S.] Postal Service has a great business selling information to people who send direct mail." The bottom line, says Kane, has less to do with a vast conspiracy to strip consumers of their privacy. "It's people who want to sell you things. Or not sell you things. That's as complicated as it gets."

At this point, says Schehr, because there is no unique identifier in the online databases, there's nothing to tie them together. Cookie databases, he adds, do not include names, addresses, Social Security numbers; there's nothing to link with offline data. "The ability to tie to offline information will be an exceptionally convoluted process. It seems that without compatible information or formats, it won't work."

Jonathan Shapiro, senior vice president of business development at DoubleClick, told Advertising Age in November 1999 that it is impossible to link cookies that do not have personal identifiers with a database of names and addresses. However, if customers volunteer that information, the links could be made.

Beyond the technological obstacles, there is the question of just how meaningful is the information garnered by cookies. If, for example, your 10-year-old son researches panda bears for a school project on the family computer, the cookie on your hard drive could say you have an interest in endangered species.

"It's garbage in, garbage out," says Kane. "If a database has lousy data, the best technology in the world doesn't improve the quality. What's really expensive is hiring smart people to find out what's relevant. It's having the brains to sort and use data--that's what's interesting."

Of course, just because the marketing industry has yet to figure out how to create a meaningful database of consumer profiles that actually earns its keep doesn't mean it won't someday master the science. And it is that potential ability to merge online and offline databases that leaves many industry watchers divided - and a few uneasy.

Lynne Harvey, a senior analyst at the Patricia Seybold Group in Boston, agrees it can be done well. "The tools are out there," she says. "Personify, for instance, creates profiles based on information in cookies. These profiles can be combined with offline information and then be built into a consolidated database." Other companies like Engage and Be Free are busily merging this information as well. The process may be in its infancy, with one advertising executive in Hansell's New York Times article equating it with "television in 1950," but it does exist. "The debate is not if," says Harvey, "it's whether they should do this - and then resell to retailers."

Forrester Research's Stanley, one of the more objective voices in the debate, believes the concern over Internet privacy reflects real worries and issues. "In this case the hype is true: The Internet threatens to bring big changes to how we live as private human beings," he says. Although citizens can dismiss concerns, the fact is "Joe Schmoe doesn't like people knowing what he likes. There's a lot of hanky - panky out there - people don't want anybody to know what they're doing."

The problem is, he says, advertisers have spent more time trying to make money than protecting their customers. Because Internet commerce is new and there's no model of excellence out there, lots of companies are still desperately trying to figure out how to become profitable. Venture capitalists are breathing down their necks, expecting payback. Billions of dollars have been invested in hopes of selling more products, more efficiently. If profits aren't realised, those investments are lost.

These days, says Stanley, smart advertisers know that in order to win customer loyalty, they must cater not only to their consumers' desires and offer good prices - they must also assuage their fears. "Companies are going out of their way to establish trust with customers. Some are leaving millions of dollars on the table by not using and/or selling lists." Stanley believes Internet marketers can't stop here; they need to take privacy to the next level so that customers trust the Internet as a whole. "[Customers] don't want to worry about it. Otherwise it's like a merchant who owns a store at a dilapidated mall. If all around you is terrible, your profits will suffer."

One problem, says Seybold's Harvey, is that so far at least, Internet customers don't behave exactly like old-economy customers. The click-through rates on banner ads, once thought to be the perfect way to match people with products, have slumped dramatically to less than 1 percent.

At the same time, "companies are under the gun to prove themselves in short order," says Harvey. And they're often terrorised by the competition. "There is a fear factor. Barnesandnoble.com might say, 'If Amazon.com is doing it, I should be doing it too.' In order to keep up with the Joneses, everyone jumps on the bandwagon." These companies are squeezed pretty tightly. "They need to acquire customers, show profits and pacify venture capitalists. They must show profitability."

Yet with few privacy controls inherent to target marketing, customers are skittish. They wonder: Do banner ads have a right to collect information on me? And do the marketing companies promoting them have a right to sell that information without my knowledge or permission?

"I believe we have a right to be concerned with that," says Harvey. Companies need to equally weigh privacy with making money - it's that simple. "We believe the way to create loyal customers is to maintain customers' right to privacy. If you violate trust, customers have no incentive to do business in the future."

Consider a hypothetical situation where data from an individual searching the Web for information on antidepressants is grabbed and merged by online credit agencies, Harvey says. Potential employers could see that data and either misinterpret its meaning or withhold employment based on Web-surfing habits. "To be successful," says Harvey, "Internet retailers need to provide the right products, focus on the right customer, and deliver on promises and build trust."

Building that trust may be their biggest hurdle. A recent survey of 40,000 households conducted by Gartner Group found that two-thirds of the respondents worried about losing their privacy. And they have gotten precious little assurance from Web retailers. According to Brian Smith, a research director in Gartner's San Jose, Calif., office, the FTC studied the most popular websites and discovered that only 40 percent offer privacy policies. "Only 20 percent live up to the fair information practices," he says. Their main failure is not giving consumers a way to view their personal information--or a vehicle to contest the ways the company is using that information. Applications are being developed that allow the customer to control information, which could revolutionise consumer involvement in the process. However, if, as Smith says, "customers are largely ignorant of how much [advertisers] are tracking us," the question remains: How soon will customers embrace these applications that allow them to control their privacy?

Although the guns are back in the holsters at the IT corral, it's still uncertain who will remain standing when it's over. Whether customers are protected by legislation or by self-regulating retailers, the bottom line is this: Privacy protections must be enacted to preserve the future of e-business. If Web marketers want the public to keep spending, they must be able to assure customers that information on everything from name and address through late-night Web surfing habits will never be violated--today or in the future.

What do you think of the great privacy debate?Let us know at letters@cio.com. Rebecca Lynch, a freelance writer based outside of Boston, can be reached at peachymama@aol.com.

Saving Private Data

A brief history of privacy rules and regs Federal governments and other authorities have a long history of attempting to protect personal information about private citizens. The Communications Act of 1934 restricted the government's ability to surreptitiously intercept electronic communication. From the Privacy Act of 1974 (which limits how the U.S. government uses personal information) to wiretapping legislation in 1986, protections have been erected to guard citizens, mainly from governmental intrusion.

Legislation protecting individuals from private industry, although existing, has fewer precedents--and may be the reason why it is taking longer to sort out the debate. The 1980 privacy guidelines set by the Organisation for Economic Cooperation and Development--often known as the Fair Information Practices--drive the current debate. These practices are composed of eight principles: controlling data collection, quality, purpose, limits, security, availability, participation and accountability. In essence, the ideology gives customers control over how their personal information is collected and disseminated.

Privacy advocates want to use these practices as a starting point. They believe that as an individual, "you have the right to control what people know about you," says Jay Stanley, an analyst at Forrester Research. "If you lose control, it demeans you as a human being."

More recently, a significant Internet privacy event occurred with the European Community Directive in 1998. The edict requires any company doing business within the borders of 15 western European nations to put in place a set of privacy directives on fair and appropriate use of information, an idea based on the Fair Information Practices.

In other words, "Anyone with an office in Europe could send information to, for example, Detroit--but only if Detroit's privacy standards are equal to the European Union [EU]," says Sanford Sherizen, a computer and information security consultant based in Natick, Mass. Right away, says Sherizen, U.S. companies denounced the EU rules as unfair, and since then the Department of Commerce has worked out a safe harbour agreement that would allow American companies to export data. "It created a long discussion on how the United States could wriggle free of this environment," he says. In Sherizen's mind, the talks could have jump-started the issue, helping U.S. companies come to an agreement sooner. "To me, this was an open door," he says. "It's obvious there is a need to take the bull by the horn and go with it. We did not." -R. Lynch