
Privacy 2000: In Web We Trust?

A year and a half ago we took a comprehensive look at privacy abuses on the Net. Today, with e-commerce booming, the situation is worse.

Daniel Tynan

In the real world, nobody knows what TV commercials you watch or which sitcoms you surf. When you go strolling through the mall, no one's making note of the stores you visit or the clothes you try on. But on the Internet, Web sites are doing all of this and more. And that makes some people mad as hell.

Jeffrey Wilens is so outraged that he filed a class action suit against RealNetworks for allegedly violating his and other consumers' privacy. The attorney from Mission Viejo, California, claims in his suit that the company's RealJukebox software secretly recorded the titles of music CDs and MP3 tracks he played on his PC, then sent the data back to RealNetworks--creating a detailed profile of Wilens' musical tastes. The suit, filed last November, seeks damages of at least $500 for each RealJukebox user in California.

"I don't accept the concept that there is no privacy on the Internet," Wilens says. "I think rogue companies need to learn to modify their behavior."

RealNetworks flatly denies Wilens' charges. "Contrary to media reports, we have never monitored user behavior or listening habits," says Keela Robison, product manager for the Seattle-based company. However, she admits that RealJukebox did create a unique identification number for each user and stored the numbers in the same database that holds user names and e-mail addresses. Theoretically, these numbers could track where people go on the Web. The company quickly released a patch that disabled the software's ability to issue the IDs, but that wasn't enough to satisfy Wilens and others who had filed a total of a dozen suits against RealNetworks at press time.

Meanwhile, six other lawsuits are pending against Internet advertising network DoubleClick for creating online profiles of consumers. And three similar suits have been filed against Alexa, an Amazon subsidiary. With few other avenues of recourse at their disposal, users have taken to the courts to fight for their right to privacy. But the battle has just begun.

A Not-So-Private Little War

Welcome to privacy in the new millennium, where surfers are caught in a tug-of-war with Web sites over who owns their personal data and what can be done with it. In the year and a half since PC World published its special report "Privacy in the Internet Age," e-commerce has exploded, doubling in volume each year. And as the Net gradually becomes the medium most Americans use to get news, buy groceries, rent movies, obtain medical advice, and possibly vote for presidential candidates, what little personal privacy they once had may soon disappear.

In some cases, we have only ourselves to blame. Millions of people voluntarily give out personal information to Web sites in exchange for free goods and services. These days, you can get e-mail accounts, Web hosting services, Internet access, even high-speed DSL connections without ever cracking open your wallet. But to take advantage of such offers you must surrender bits and pieces of your identity, from your name and e-mail address to your buying and reading habits. Businesses then market this information to advertisers, or in some cases, to anyone else who may want it.

At the same time, it's increasingly difficult to trust any site to keep your personal information safe from intruders. Lax security at many Web vendors has made the Internet a hacker's paradise. In the past six months, dozens of major Web sites have suffered theft of credit card information and acts of vandalism such as last February's spate of denial-of-service attacks. As PC World has discovered, even the biggest e-commerce sites can fall prey to crackers--hackers who attack with criminal intent (see "E-Commerce's Dirty Little Secret").

In addition, the Web has spawned a booming industry of companies peddling so-called investigative services and software. Loads of personal information--from your Social Security number to your driving records--can be purchased online for a pittance by anyone interested in tracking you down or assuming your identity. In most cases, the sale of this data is perfectly legal. But the results can sometimes be deadly (see "They Know Everything About You").

Sure, you can try to protect yourself by giving out false information or using services that cloak your identity and IP address as you surf, post to newsgroups, and send e-mail (see "The Eyes of Richard Smith"). But as soon as you hand over your credit card to pay for a book or a vacation, your anonymity is gone.

In fact, the biggest threat to your privacy today isn't crackers, stalkers, or data brokers. It's the legitimate online businesses--such as advertising networks, retailers, and others--that are creating detailed profiles of who you are and what you do when you are on the Web.

Profiles in Commerce

Consumer profiling isn't new. For years, mail-order firms have been tracking the products you buy so that they can send you catalogs specific to your interests. Shopping club cards allow supermarket chains to keep detailed records of the groceries you purchase. And special-interest magazines regularly sell lists of subscribers to third-party marketers.

Jeffrey Wilens, an attorney from Mission Viejo, California, is taking
RealNetworks to court over an alleged privacy violation. "I don't accept the
concept that there's no privacy on the Internet," he says.

While the practice of profiling is widespread in the offline world, its scope was limited until now because mail-order firms weren't able to easily pool their data--say, to combine records of your supermarket purchases with a list of your magazine subscriptions. But on the Net, it's fairly simple to create a record of every site you visit and every transaction you make. As a result, Web profiles can contain an unprecedented amount of information about your interests and activities.

"Say you go to a book site," says Evan Hendricks, editor and publisher of the Privacy Times newsletter in Washington, D.C. "[Profilers] can see what you looked at and what you bought. Do those books reflect political opinions, sexual preference, [or] health conditions?"

Critics paint a range of dark scenarios if Web profiles were ever to become available for sale on the open market. Corporations, for instance, could use profiles to screen out job applicants based on health advice they may have sought on the Web. Say an applicant filled out a health self-assessment form on a medical advice site and listed a family history of colon cancer. Conceivably, the site or its partners could market that information to employers. Or say the applicant bought medicine at a site like Drugstore.com or posted messages to an HIV chat group. All this information could be added to the user's profile, and employers could lower their insurance premiums by not hiring employees who could potentially have serious illnesses. "Those kinds of economic decisions can and will be made," says Fred Druseikis, chief architect for HealthMagic, a Winter Park, Florida, company that provides secure systems for sharing medical records over the Internet.

"In terms of how information is collected and used on the Internet," says Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC) in Washington, D.C., "to allow detailed secret profiles to be created is disastrous."

Larry Sontag, a Seattle-based privacy consultant, is concerned about
the implications of Web profiles. "In a divorce or child custody case your
spouse could use your surfing habits against you," he says.

Theoretically, such profiles could also become subject to subpoena or be hijacked by an unscrupulous company or individual. "In a divorce or child custody case, your spouse could use your surfing habits against you," says Larry Sontag, a Seattle-based privacy consultant and author of It's None of Your Business (PMI Enterprises, 2000). "This information could be available to hackers, employees of a company who may be having a bad hair day, or any crook with access to the Internet," Sontag adds. "The lack of privacy means that [this data] is available to both honest and dishonest people."

Double Trouble

The biggest profilers on the Internet are companies whose sites you may never have visited--networks like DoubleClick and Engage Technologies, which deliver banner ads to thousands of Web pages and may collect information about you without your knowledge.

These firms use tracking cookies to determine which banner ads you see when you access a Web page. Here's how it works: The first time you view a page with a DoubleClick banner ad on it, the ad deposits a cookie on your hard disk. Then any time you view another page containing a DoubleClick ad, your browser sends that cookie, along with the URL of the page, back to the ad agency's server; thus begins a detailed clickstream--a history of some of the places you've visited on the Net. Currently, this clickstream isn't matched to your individual identity. Instead, each cookie contains a globally unique identifier (GUID), which lets the ad server track your movements without identifying your actual name or e-mail address.

In this way, DoubleClick has amassed information on the surfing habits of 100 million users, while Engage boasts a database of 52 million profiles. (Note: We use DoubleClick to serve ads. If you want to opt out of DoubleClick's cookies, visit DoubleClick's Privacy Choices site.)

Last fall, however, DoubleClick quietly revealed that it planned to link the names of surfers, their e-mail addresses, and other personal information about them to their clickstreams. The New York-based company said that it would combine these profiles with additional data about the purchasing histories and habits of some 88 million U.S. households. DoubleClick obtained this data when it bought the offline market research firm Abacus Direct last November.

According to senior vice president Jonathon Shapiro, DoubleClick's intention was merely to target ads to specific users. "The whole goal here is to make advertising work by getting the right message to the right user at the right time," he says.

But the reaction from consumers and privacy advocates was swift and vociferous. EPIC filed a complaint with the Federal Trade Commission, alleging that DoubleClick was "engaging in unfair and deceptive trade practices by tracking the online activities of Internet users." The FTC and attorneys general in New York and Michigan initiated inquiries into the company's practices, and as we went to press DoubleClick had been named in six civil suits for alleged privacy breaches.

In response to the backlash, the company suspended its plans to merge profiles with personally identifiable information. In a statement appearing on DoubleClick's Web site last March, CEO Kevin O'Connor admitted that he had "made a mistake" in attempting to identify users. He also vowed that "until there is agreement between government and industry on privacy standards, we will not link personally identifiable information to anonymous user activity across Web sites."

But privacy advocates warn that DoubleClick's change of plans is just a temporary reprieve. "I think you have to read the language of DoubleClick's reversal very carefully," says Robert Ellis Smith, publisher of Privacy Journal in Providence, Rhode Island. "They have simply agreed to defer their plans until the heat's gone. The company did not agree to cease combining online and offline information in the foreseeable future [or] say that it is an unfair marketing technique."

Are You Being Followed?

DoubleClick and RealNetworks are not the only sites accused of tracking users' activities across the Web. Amazon.com is embroiled in a similar controversy involving Alexa Internet, a San Francisco-based software firm that the e-tailing giant purchased in June 1999. Amazon plans to use Alexa's software in its ZBubbles shopping service. The free software's menu bar sits on top of your browser as you surf, suggesting similar sites to visit and letting you share information with other shoppers. But it also captures the Web address of each page you view--and according to security expert Richard Smith (see "The Eyes of Richard Smith"), these URLs can contain a wide variety of personally identifying information.

For example, when you use a search engine like AltaVista, the URL for the results page contains a text string including the terms you searched for. Depending on how the Web site's search engine works, a URL could contain your name or e-mail address, too, as well as the titles of books you may have bought, flights you may have booked, and health conditions you may have researched--all of which, Smith says, get sent up the wire to Alexa. (Smith uncovered a similar problem having to do with DoubleClick cookies. A recent example involved Intuit, whose Quicken Web site was inadvertently forwarding users' financial information to DoubleClick. Intuit quickly plugged the leak, and DoubleClick says it didn't store this information; but DoubleClick did not provide details of what exactly is stored in its profiles.) At press time the FTC had opened a formal inquiry into Alexa's information gathering practices, and the company has been named in three consumer lawsuits.

According to Dia Cheney, director of corporate communications for Alexa, the company stores its users' Web trails anonymously and keeps this data separate from personally identifiable information, such as e-mail addresses, that users may have provided when they registered the software. She would not comment on Smith's allegations, saying they were part of the FTC inquiry. "We are cooperating fully with the informal FTC investigation on a voluntary basis," she says. "Historically, Alexa has always been concerned with protecting consumer privacy."
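The cookie mechanism described under "Double Trouble" and the URL leakage Richard Smith describes above, modeled as an added example (not code from the article or from any company it names): a toy browser sends an ad server its GUID cookie plus the page URL, and a checker flags personal data in the resulting clickstream. All hosts, IDs, URLs, class names and function names are constructed for illustration.

```javascript
// Added illustration: toy model of a third-party banner request.
// Every host, ID and URL below is a constructed sample value.

// Ad server: keys a clickstream by the GUID it finds in its own cookie.
class AdServer {
  constructor() {
    this.nextId = 1;
    this.profiles = new Map(); // guid -> page URLs reported by browsers
  }

  // cookie: GUID sent by the browser, or null on first contact.
  // referer: page URL the browser reported with the banner request.
  serveBanner(cookie, referer) {
    // A real server would issue a random GUID; a counter keeps this repeatable.
    const guid = cookie || `guid-${String(this.nextId++).padStart(4, "0")}`;
    if (!this.profiles.has(guid)) this.profiles.set(guid, []);
    this.profiles.get(guid).push(referer);
    return { setCookie: guid };
  }
}

// Browser: stores the ad server's cookie and returns it on every later
// banner request, together with whatever the referrer policy allows.
class Browser {
  constructor(adServer, refererPolicy) {
    this.adServer = adServer;
    this.refererPolicy = refererPolicy;
    this.adCookie = null;
  }

  visit(pageUrl) {
    const reply = this.adServer.serveBanner(
      this.adCookie,
      this.refererPolicy(pageUrl)
    );
    this.adCookie = reply.setCookie;
  }
}

// Referrer policies: full URL (the behaviour the article describes) versus
// origin only (what `Referrer-Policy: origin` asks a current browser to send).
const fullUrl = (pageUrl) => pageUrl;
const originOnly = (pageUrl) => new URL(pageUrl).origin + "/";

// Audit a clickstream for personal data carried in URL query strings.
function findLeaks(clickstream) {
  const emailRe = /^[^\s@]+@[^\s@]+\.[a-z]{2,}$/i;
  const searchKeyRe = /^(q|query|search|keywords?)$/i;
  const leaks = [];
  for (const entry of clickstream) {
    const url = new URL(entry);
    for (const [key, value] of url.searchParams) {
      if (emailRe.test(value)) {
        leaks.push({ host: url.hostname, key, kind: "email" });
      } else if (searchKeyRe.test(key)) {
        leaks.push({ host: url.hostname, key, kind: "search-terms" });
      }
    }
  }
  return leaks;
}

// Constructed browsing session: three unrelated sites that all carry a
// banner from the same ad network.
const SAMPLE_VISITS = [
  "http://search.example/results?q=colon+cancer+symptoms",
  "http://health.example/assessment?email=pat%40mail.example&history=yes",
  "http://books.example/title/12345",
];

// Run the session under one referrer policy and return the server's profiles.
function simulate(refererPolicy) {
  const server = new AdServer();
  const browser = new Browser(server, refererPolicy);
  for (const page of SAMPLE_VISITS) browser.visit(page);
  return server.profiles;
}

const tracked = simulate(fullUrl).get("guid-0001");
console.log(tracked.length, "page views linked to one GUID");
console.log("full-URL referrer leaks:", findLeaks(tracked));
console.log(
  "origin-only referrer leaks:",
  findLeaks(simulate(originOnly).get("guid-0001"))
);
```

The origin-only run still links all three visits to one GUID; trimming the referrer removes the personal data carried in the URLs, not the clickstream itself.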

Policies Are No Insurance

So far, most of the attention has been focused on getting sites to post privacy policies that state what information they collect and what they do with it. But both RealNetworks and Alexa have been accused of violating their own policies about keeping user information anonymous. If such claims are true, the sites could be held liable for committing fraud, says Professor Gerald Ferrera, who teaches a course in cyberlaw at Bentley College in Waltham, Massachusetts.

"Promises made in the privacy policy are as much a part of the transaction as what is delivered to the consumer," Ferrera says. If a company fails to observe its policy, it can be sued under the federal Consumer Fraud and Abuse Act, as well as various common laws and state and federal consumer protection statutes.

But policy breaches may be more common than most people realize. A study of 21 health advice sites coauthored by Richard Smith and sponsored by the California Healthcare Foundation found that many sites share sensitive information, despite privacy policies against the practice. The study, published in January of this year, looked at health-specific entities such as AllHealth and WebMD, as well as high-traffic portals like AltaVista, Excite, and Yahoo. Its key finding:

"On a number of sites personally identified information is collected through the use of cookies and banner advertisements by third parties without the host sites disclosing this practice. There are also instances where personally identified data is transferred to third parties in direct violation of stated privacy policies."

For example, the report states that some sites provide health assessment tests. For six of these sites (OnHealth, AllHealth, CVS, Yahoo, HealthCentral, and InteliHealth), the tests are actually conducted by a third-party firm, a fact that is not made clear to visitors. Third-party firms that collect the data (including personally identifying information) are often not covered by the host site's privacy policy; so, theoretically, these third parties could sell your health information to marketers, insurers, or potential employers. In other cases, the report found that sensitive data such as e-mail addresses was inadvertently embedded in the URLs that were being sent to advertisers and ad networks.

In short, Internet privacy policies offer consumers very little protection. "Six months ago, just having a privacy policy was considered pretty honorable," says Abner Germanow, a research manager at International Data Corporation in Framingham, Massachusetts. "Today, most policies are pretty worthless."

A Georgetown University study, published in June 1999, examined 361 commercial Web sites and found that nine out of ten ask you to supply at least one piece of personal information, such as your name, e-mail address, or postal address. But only two-thirds of the sites in the survey offered privacy statements. And less than ten percent had what researchers considered a complete policy--one that provides consumers with a statement about the site's data collection practices, an opt-out clause, access to the information collected, a description of how the site secures data, and phone numbers or e-mail addresses that consumers can use to contact the company. What's more, privacy statements can be changed at will, often without notification to users or affiliated sites. EPIC's complaint to the FTC notes that DoubleClick changed its policy three times in the past three years.

"If you want to find out how a company feels about your personal privacy, don't look at their privacy statement, look at their business model," says Rick Jackson, CEO of Privada, a San Jose, California­based maker of products that allow consumers to surf the Web anonymously. A former executive at Net Gravity, Jackson helped engineer that marketing firm's merger with DoubleClick last October, despite personal reservations about some of DoubleClick's marketing methods. The more an information-gathering company knows about you, he says, the more money it makes: "That's their business model. If it's a question of profit versus privacy, profits come first every time."

Legal Remedies

Until now the federal government has adopted a hands-off approach to Internet privacy--watching and waiting for the Web industry to regulate itself. Organizations like Truste still say that this is the right course to take. Truste, based in Cupertino, California, oversees privacy policies for more than 1300 Web sites, including those belonging to RealNetworks and Amazon.com's Alexa (PCWorld.com is also a Truste licensee). According to Bob Lewin, CEO of Truste, RealNetworks' response to allegations of privacy abuses demonstrates that self-regulation works.

Lewin says that Truste convinced RealNetworks to issue a patch that prevents its software from assigning a unique identification number to each user. Truste also persuaded the company executives to appoint a chief privacy officer and to release RealPlayer 7.0 using an opt-in model, so that consumers must actively choose to create a unique ID number, rather than the more common opt-out model used by the majority of Web sites. "We did all of that in the space of one week," Lewin says. "You show me any government body that moves that fast."

Unfortunately, Truste's influence is limited to its licensees, which don't include such Internet heavyweights as Amazon.com and DoubleClick (see "Should You Trust Truste?"). And while Truste does perform quarterly audits of its members' Web sites to ensure that the stated privacy policy on the site matches the member's practices, the organization does not specify what kinds of information members can collect, nor what they can do with that information once they have it. "The problem with self-regulation is that it rewards bad actors," says EPIC's Rotenberg. Once a Web site begins generating revenue by selling user profiles and personal information, he explains, other Web sites will have to follow suit in order to remain competitive.

"There's no way any number of companies will be able to protect human rights through a business model," says Privacy Times publisher Evan Hendricks. "When things go wrong, people need a [legal] remedy. Right now we don't have that."

Although several states have already enacted their own privacy statutes, there is no comprehensive federal law governing personal privacy. But the situation may change this year. Congress is currently debating a dozen bills designed to regulate different types of personal data, from medical records to financial matters.

Senator Robert Torricelli (D-New Jersey) recently introduced a bill that would require Web sites to obtain users' permission before installing devices such as cookies that track their movements on the Internet. And last February, Senators Richard Shelby (R-Alabama) and Richard Bryan (D-Nevada) banded together with Representatives Edward Markey (D-Massachusetts) and Joe Barton (R-Texas) to form the Congressional Privacy Caucus. This bipartisan group is expected to draft new privacy legislation that will be based on the principles of user notification, consent, and access.

Privacy wonks, however, are skeptical of what the federal government may cook up. "I think the best place for legislation in some ways is at the local or state level," says Tom Maddox, editor of PrivacyPlace.com, a Berkeley, California, site specializing in privacy issues. "Federal laws tend to be big, fat, unwieldy... sledgehammers swatting at gnats. They usually miss the gnat and hit the rest of us."

Technology to the Rescue?

You can opt out of DoubleClick profiles. You can avoid using software that follows your footsteps on the Internet. You can crumble every cookie before your browser takes a nibble from it. And still you are at risk from the next site, the next advertiser, the next marketer who sees dollar signs in your data.

One thing is certain: Online data gathering will not go away. Too many Web sites are depending on the revenues from selling user data or delivering specific demographics to advertisers. The question is whether you'll have any say in what happens to your information.

"The real issue is, who's in control of my online profile, who can access it, and who's selling it?" says Germanow. "When I show up at a travel site, do I want them to know who I am and what frequent flyer program I belong to? Yes. When I'm doing research on AIDS because I have a friend in the hospital, do I want that as part of my profile? I don't think so."

Today, even vendors who sell products for protecting anonymity admit that there is no easy solution for e-commerce. Programs like PrivadaProxy and Zero-Knowledge's Freedom can protect your identity while you browse, chat, or send e-mail, but according to Privada's Jackson, "As soon as you decide you want to buy something, you're left unprotected."

Both companies say they are working on schemes to allow consumers to shop anonymously and expect to introduce products within a year. Zero-Knowledge's Austin Hill sees a future in which shopping agent software can assure a Web site that you have the credentials to make a purchase, then negotiate what data you are willing to give up in return for a good price.

"What if you had the most accurate version of your profile under your lock and key?" asks Hill, president of the Montreal firm. "Your credit information, EBay reputation, frequent flyer miles, how much shopping you do. You'd be able to leverage that data, build relationships with merchants, and still maintain your privacy."

Hill believes that consumers need to start thinking about Internet privacy the same way they think about viruses. "You don't use a computer unless you have antivirus software," he says, "and you shouldn't give away data without protecting yourself. Every time you fill in a Web form or a registration card, make sure that the data is 100 percent necessary for completing the transaction, and that the company will protect it." When enough consumers refuse to give away their personal information for free, he adds, merchants will have to respond.

"You have to be a kind of Jeffersonian citizen for the Web," agrees Maddox. "Be aware, be educated, take personal action. If you're just a passive consumer, they will drive right over you."

Daniel Tynan is a contributing editor for PC World, and Eric Dahl is a staff editor for PC World. Tom Spring is senior reporter for PCWorld.com.

E-Commerce's Dirty Little Secret

In less time than it takes to fill an online shopping cart, Eran Reshef types a command into the URL of a large Web retailer and gains access to the site's source code. A few more keystrokes, and he's changed the price of a $3000 computer to $300. "Since it's an automated process with no human looking in," Reshef explains, "no one would discover the change. The company would simply ship the product and charge me the [altered] price."

The cherub-faced, former Israeli army intelligence officer smiles as he shows us how he hacked into dozens of e-business sites over the past year. From online brokers and banks to shopping and news sites, Reshef found the doors that Web site designers forgot to lock. If he wanted to, he could easily move money between accounts, post bogus news reports, and scoop up a wealth of information about the visitors to these Web sites.

But Reshef isn't a hacker; he's a security expert. His company, Perfecto Technologies in Santa Clara, California, sells products designed to thwart application hacking--in which attackers bypass a site's firewall to assault its scripts, applets, and code. Companies hire Reshef to probe their sites for weaknesses. And he knows what few e-business firms will admit: No Web site is truly secure.

Breaking and Entering

In recent months, electronic vandals have temporarily shut down some of the biggest sites on the Web and stolen thousands of credit card numbers from CD Universe and others. These incidents are hardly flukes.

Reshef says Perfecto has audited more than 50 brand-name sites and found security breaches in all of them. On eight of those sites, he was able to access any file--including sensitive customer information. On two sites, he was able to execute financial transactions using other people's accounts. On two others, Reshef gained full administrative control. The longest amount of time it took to crack a site was 10 hours; the shortest was 10 minutes.

Because confidentiality agreements prevent Reshef from naming the companies he audited, we could not verify his claims. But all the security experts we contacted said such vulnerabilities exist in thousands of Web sites.

One half to three-quarters of all commercial sites can be hacked, estimates John Pescatore, a research director for the Gartner Group in Stamford, Connecticut. Jim Finn, principal of Unisys Worldwide Enterprise Security Practice in Reston, Virginia, puts that figure even higher. Finn says he's tested computer vulnerabilities for more than 200 banks, retail chains, and foreign governments, and has always found a way in. "Unless the computer's disconnected and sitting in the basement, it can be broken into."

Too Much, Too Soon

One reason sites are so vulnerable is that companies are pulling out the stops and scrambling at Internet speed to get online. As a result, designers leave behind files and tools that hackers can use to break in. Another reason is plain ignorance, says Pescatore. "There's a lot of stupidity built into the CGI code [used to transfer content to] Web sites."

But even the best security measures may not thwart all attacks.

"Security is not about absolutes, it's always about how many layers [hackers] have to go through to get to something," says Elias Levy, chief technology officer for Securityfocus.com in San Mateo, California. Levy says most companies are just not doing enough.

"A hacker only has to be lucky once," agrees Nigel Tranter, vice president for Perfecto. "[Sites] have to be lucky all the time." These days, the same could be said for consumers.

They Know Everything About You

It ended in murder, and it started on the Internet.

So says Tim Remsburg, stepfather of Amy Boyer, a New Hampshire woman who was tracked down and murdered last fall by a cyberstalker who had known her in high school.

Remsburg places part of the blame for his stepdaughter's death on Docusearch.com, which sold Boyer's Social Security number to Liam Youens for $45. Youens used that information to find out where Boyer worked. Then he went there and shot her to death before turning the gun on himself.

"I don't see how do-anything-for-a-buck information brokers can sleep at night knowing they've got Amy's blood on their hands," Remsburg says.

But Docusearch.com, which declined comment, didn't break any laws.

The Business of Net Snooping

Culling data from public and private sources is not only legal but part of a flourishing industry. There's a burgeoning trade in plucking information from commercial databases. One company, TR Information Services, advertises that it can deliver anyone's monthly bank or credit card statement for $95. A company called A1 Trace promises a list of anyone's stocks, bonds, and mutual funds--including account numbers--for $309.

I tested one online service called A.S.A.P. Investigations. All I gave them was my name and previous address: Within an hour, the firm delivered my Social Security number, physical descriptions of my wife and me, details of the cars we own, and nearly every former address and employer I've had. A.S.A.P. compiled the profile from a half-dozen Web sites selling my past for a price. "We can find out anything," says Robert Reichert, the company's president.

Tim Remsburg places part of the blame for the murder of his stepdaughter
Amy Boyer on an online data broker that sold information to Liam Youens, who
used it to track her down.

Reichert says that he doesn't offer his services to the general public. Most of his customers are lawyers looking to recover hidden assets for child support from deadbeat parents, or they are creditors looking for debtors who have skipped town. But clearly not every online investigator is as discriminating about its clients.

"Anyone can start a business, call themselves a private investigator, and hang a shingle online," says Reichert.

It's Just Business

Thank PCs and the Internet for making it cheaper and easier to pull together diffuse personal facts, says Robert Ellis Smith, publisher of Privacy Journal.

Information brokers typically buy addresses, unlisted phone numbers, and Social Security numbers from credit bureaus like Equifax and Experian. State governments sell public data such as driving records, which often contain Social Security numbers. (As of June 2000, states will not be able to sell such information without the driver's consent.)

In addition, banks and financial service companies can buy, sell, trade, and share their customers' financial information, including account numbers and balances. Courts have consistently ruled that this information is the property of the company, not the customer. However, many banks have curbed the practice because of public outcry.

There's also the issue of identity theft. Armed with your name and Social Security number, an impostor can open a bank or charge account and destroy your credit. Approximately 400,000 Americans will suffer identity theft this year, say privacy experts. "Our traditional notion of personal privacy is gone," says Andrew Shen, policy analyst with the Electronic Privacy Information Center.

But privacy advocates can claim some victories, such as new federal restrictions on the use of credit reports and driving records. And Congress recently banned the practice of pretexting--obtaining personal information about others under false pretenses.

Victoria Streitfeld, spokesperson for the Federal Trade Commission, says the FTC polices the Internet for illegal information brokers and makes arrests when necessary.

But for Tim Remsburg and his stepdaughter, the FTC's efforts are too little, too late. "What happened to Amy's right to privacy?" he asks. Indeed, what happened?

--Tom Spring

This article was adapted from a longer piece published in January.

The Eyes Of Richard Smith

If the Internet is like the Old West--wild and untamed--then Richard Smith is the closest thing we have to a town sheriff. In the past year, the Phar Lap Software CEO turned security guru has uncovered what appear to be privacy breaches in the practices of RealNetworks, Amazon, and DoubleClick. He also coauthored a report revealing that numerous health sites share visitors' personal data without their consent. Last September, Smith retired from Phar Lap to focus on Net security and privacy issues. He spoke to us by phone from his Brookline, Massachusetts, home.

PCW: You've become the unofficial guru of Internet security. How did this happen?

Smith: My interest in privacy really started with the flap about the Pentium III serial number [in January of last year]. I ended up looking at the use of Ethernet address tracking numbers and was surprised at how often they were being used as GUIDs. They're almost like a Social Security number for your computer. The number itself doesn't say who you are, but the fact that it goes into databases all over the Web is depressing.

PCW: What, in your opinion, is the biggest threat to consumers on the Net?

Smith: As you surf the Web, sites across the board are watching what you do, creating profiles, learning all about you. I'm concerned that all of this data is going to be combined in one big database.... The biggest problem is that a lot of tracking is not disclosed.... Companies like DoubleClick... [are] getting a lot of information that's frankly none of their business.

PCW: Will recent calls by the government for a stronger security infrastructure on the Net lead to even less privacy for consumers?

Smith: Certainly. There's a real interesting trade-off between anonymity and privacy. What we're really talking about is [setting] up a system so that no matter what we do on the Web we're always tracked. No such thing as hidden IP addresses. [This makes it] real easy to track crime. The flip side is...that you can attack someone...and no one knows who you are. I am troubled by the lack of responsibility due to anonymity on the Web.

Richard Smith, privacy advocate and former software company executive, warns consumers, "As you surf the Web, sites across the board are watching what you do...learning all about you."

PCW: Do we need federal legislation to protect our fundamental right to privacy?

Smith: It's silly to think something as big as the Net won't need regulation, while roads and other parts of commerce do. In privacy, we do need some regulation because of all the tracking going on and the ability to share that information. It can't be too heavy-handed, but we need some rules of the road to make clear what's acceptable and what's not.

PCW: What advice would you give wary Netizens today?

Smith: The main thing is: Computers, like elephants, never forget. Be careful what information you provide Web sites.... If you're registering your toaster, there's no need to tell them your yearly income. Be careful what you say in newsgroups. You can write something today, and three years later really regret it.

Remember, the Net is still new. It's like a 12-year-old kid, still trying to find its way. A lot of issues--like hacking, privacy, and security--will get worked out over the next five years.

Should You Trust Truste?

Web privacy is more important now than ever. So if your favorite site carries a privacy seal of approval from an independent organization like Truste, you should feel safer, right? Maybe not. Internet giants like Microsoft, Deja, and RealNetworks all have sites approved by Truste. But each made news last year by engaging in practices that allegedly violated user privacy. Which raises the question: How far can you trust a seal from Truste?

A handful of organizations dole out Web privacy seals. Truste is one of the largest, with licensees paying from $299 to $4999 for a seal that says their privacy policy passes Truste's muster. BBBOnline and CPA Webtrust also charge for audits and seals, as do the top six CPA firms. (Other organizations--such as Enonymous.com--do not charge, but they rate sites on the basis of certain levels of privacy offered under the terms of their policy.)

But as events cited in these pages show, simply posting a policy and seal doesn't mean a site won't violate your privacy. And critics say Truste monitors members inadequately once it grants a seal. Instead, it relies on consumers and privacy advocates like Richard Smith to report privacy violations.

The RealNetworks incident, for instance, was resolved after being brought to Truste's attention, but Smith says that the credit goes to the media and consumers. "[Truste isn't] really an enforcement organization," Smith says. "Mostly, the press coverage is what gets companies to change privacy policies."

Truste does perform quarterly checks of sites. But CEO Bob Lewin admits that Truste doesn't look at a site's books to make sure it's not selling data, or at its programming code to ensure data siphoning isn't taking place. "To do those things would be a bit more expensive than what we do today," he says.

"We've done a satisfactory job," he adds, "but I agree that we can do better."

Critics also question Truste's impartiality. The organization was created by the industry it oversees, and critics argue that it relies on its sponsors--Microsoft among them--to support it. Lewin denies this, saying, "Eighty-five percent of our funding comes from license fees.... No single sponsor has the financial clout to influence this organization."

In its three years of existence, Truste has never revoked a seal. And Lewin says less than 2 percent of Web businesses that approach it for a seal are rejected.

Sealed for Your Protection?

So what does a privacy seal in general say about a site? "It tells you the site did have to answer questions about privacy, [and] that it does have a privacy policy," says Ari Schwartz, policy analyst at the Center for Democracy and Technology. "But a seal doesn't grant you any more control over your [personal] information than at any other Web site." A Web site can still collect and in some cases sell your data, as long as it tells you it's doing so.

And most privacy policies don't cover third-party involvement in a site. So a firm like DoubleClick can do what it wants, and until now the host site hasn't been obligated to tell you about it. Also, Truste's license doesn't cover software downloads like RealJukebox or Windows 98. (Last year Microsoft was discovered to be collecting user information through its registration wizard.) Truste announced recently that it plans to expand its policies to include software and third-party contractors.

In the end, privacy seals tell you that a Web site has a privacy policy and may be held legally accountable for breaking it. How likely a site is to follow its privacy policy is a separate issue, and unfortunately it's one you still have to address by asking yourself a basic consumer question: How well do I trust the company I'm dealing with?

--Eric Dahl


©2009 About.com, a part of The New York Times Company.

All rights reserved.