The Great American Privacy Makeover

An exclusive PC World survey reveals that even savvy Web users can do more to safeguard their privacy and data. Take the quiz and find out how vulnerable you are; then use our tips to improve your score.

It starts out innocently enough. You're browsing the Web, dreaming of the weekend and your next golf game, and you happen across a great-looking site that promises to drop your handicap in three easy lessons. Sounds good, but you've got a meeting in 5 minutes, so you hastily sign up for the site's weekly newsletter and dash off.

When the newsletter arrives several days later, however, it's not alone. Every day, more and more new spam crams your mailbox, hawking Caviar Quarterly subscriptions or pitching wild weekends in Las Vegas.

Who knew one newsletter would have so many pushy friends--and who invited them in the first place?

Companies that collect facts about you often have obscure data-handling practices, so your name, address, and account numbers could end up spreading across the Web faster than a cold at a corporate retreat. Your problems don't stop there--you also have to guard against ever more sophisticated scammers and hackers who are out to steal your identity or your company's data. And studies show that these problems keep getting worse both for individuals and for businesses.

But how do you know what information is really necessary to complete a transaction and what's collected for marketing? Which utilities can safeguard your PC from prying eyes and invading worms? Once you've given out your credit card number or your mother's maiden name, how can you tell where the information is going, or who is watching it?

No wonder even savvy Internet users are confused. We at PC World wanted to find out how deep the problem ran, so we put together a survey and gave it to 1500 Internet users: 500 PC World subscribers, 500 PCWorld.com visitors, and 500 AOL or OpinionPlace.com users. We asked questions about their habits and concerns, as well as what they do to protect themselves online, and then we rated the answers to come up with a Privacy Quotient (PQ) score.

Our goal? To use what we learned about the vulnerabilities in users' security practices and offer practical, easy-to-follow advice to help you keep your personal information private and lead a safer life online.

Smart Users, Risky Choices

Our survey group was an advanced bunch, with about 87 percent rating themselves intermediate or higher in PC proficiency. They're serious Web geeks, too: Up to 70 percent spend 10 or more hours a week online. Despite this experience, the group had a PQ average of 56 (out of 100). Our own PC World editors also took the survey and did only slightly better, with an average of 60--which clearly shows that there's a big gap between knowing about privacy risks and precautions, and acting on them. All of us could do much better.

We quickly noticed discrepancies between respondents' concerns about online dangers and their practices. For example, 88 percent of the group worried about sites sharing or selling e-mail addresses, but only 33 percent frequently read privacy policies, and only 7 percent complain about a policy they disagree with.

Overall, we discovered that privacy slips occur most often in three key areas: password management, use of security tools such as antivirus software and firewalls, and habitual online behavior.

Unfortunately, "there are lots of ways to violate security, and there's no way to close up all the holes," observes Jay Foley, co-executive director of the Identity Theft Resource Center (ITRC) in San Diego. But you can greatly improve your chances with a little more care and just a bit of trouble.

Take Control of Passwords

No Question: Passwords are a pain.

Managing them safely means cooking up dozens of cryptic letter and number combinations--following each site's arbitrary character count--and committing each to memory, along with the site it corresponds to. And when you've done all that, it's time to change them and start over. With every financial, shopping, and news site hounding you for log-in info, it's tempting to throw security out the window and just plug in your dog's name.

Don't do it. Passwords are one of the most obvious entry points for online account break-ins, say security experts. And hackers have perfected tools that do nothing but scour the Web, trying to match passwords with dictionary listings.

Managing passwords was a definite problem for our survey group: More than half of our respondents said they use letter and number combinations in their passwords, but about a quarter admitted to using the name of a person or pet. And 34 percent said they never change their passwords--a whopping 27 percent of whom describe themselves as advanced users or PC professionals. Worse, some unchanging passwords are written down: 40 percent keep passwords either on sticky notes or in daybooks, where others can see them or where they can be lost.

While good password management will never be effortless, you can simplify it.

Our suggestions:

Use memory tricks to craft better passwords. Start with, say, the title of a favorite book or movie. Take the first letter of each word and stick a meaningful number, such as the year you started your current job, in the middle. You can update your passwords with each new book or movie. For less-critical accounts like news and movie sites, you might use a scheme with a number--perhaps the month and year you graduated from college--followed by the site's initials: 051982wp for the Washington Post. Don't use the same password at every site.

Try a password-management tool to reduce hassles. Choose one that encrypts and stores your data on your PC (I like Roman Lab's free Any Password and Siber Systems' free AI Roboform).

Be careful about letting Windows store passwords. Don't do it at all if your PC could be used by others. And always enter passwords at sites with sensitive information, such as banks and retailers.

Change your passwords frequently. Revise your news and entertainment site passwords once a year, but change your passwords for sensitive sites monthly.

For more password tips, see October's Internet Tips.

Lock Down Your PC

Fortunately, there's no lack of products to help you surf safely. But those defenses won't help much if you don't use them properly, and our results suggest that most people need to look critically at how they use the tools in their arsenal.

Nobody with an Internet connection should be without virus protection. Besides preventing potential catastrophe to your PC and network, an antivirus package can protect your system from worms and security holes that let intruders reach in and pilfer sensitive information such as passwords and financial data.

But antivirus software is only as good as its latest update. While 83 percent of our survey group said they use an antivirus application, only 73 percent update their definition files regularly. You wouldn't pay for a home security system and never turn it on; why run an antivirus app that can't recognize the intruders that it's supposed to protect you from? The number of users taking action against viruses is encouraging; but still, more than one in four of our respondents are ripe for attack.

Also make sure to run a beefy spam filter. Not surprisingly, 98 percent of users say that sending and receiving e-mail is their top activity online (60 percent also use instant messaging), so it's essential to purge the junk. Nor is it just junk: You can eliminate many attempted virus attacks and potential security breaches by letting a trusty e-mail bouncer deflect spam at the door. Check out "Top Utilities for Your Toolbox" for good filters. (AOL users may have to use the company's own spam-filtering software; most third-party tools don't work with AOL.)

It's also crucial to keep up with new software versions and install security patches--a task only about 63 percent of survey takers perform. "Fyodor," a self-described hacker whose Web site, www.insecure.org, contains a wealth of useful security-related information, says keeping software current is one of the best ways to lock intruders out. Go beyond the OS: "Internet-enabled applications like mail readers and Web browsers should also be upgraded on a regular basis," he advises.

Sure, it's bothersome to keep up with Microsoft's patches, but you can simplify the process: In Windows XP, for example, right-click My Computer, select Properties, Automatic Updates, and then check Keep My Computer Up to Date to have Windows grab updates automatically from the Redmond mothership. (For more on patches, see this month's Bugs and Fixes.)

Automatic OS updates bring their own headaches, though. Take last year's Service Pack 2 for Windows XP: SP2 created an instability in Outlook that persisted until another patch was released. Under the Automatic Updates tab listed above, you can customize this feature so you just get notified when a new patch is available, for example. For more, see April's "Internet Fixes."

Another essential tool to keep the bad guys at bay--especially if you're running always-on broadband--is a firewall, used by just 58 percent of those surveyed. Windows XP has a built-in firewall, but third-party apps offer stronger security, better customization, and other worthwhile extras such as cookie managers. Check "Top Utilities" for our favorite firewall.

The fourth cornerstone of online protection is an anti-spyware/-adware app, which 44 percent of respondents use. Spyware and adware programs often slither undetected onto your PC as you surf; and besides serving up annoying pop-up ads, they may report your browsing habits (and who knows what else) back to the source (and who knows where else). You'll notice if you're getting extra ads, but you may never know spyware is there unless it visibly slows your PC's performance. See "Top Utilities" for recommended apps.

Additional suggestions:

Set automatic updates for your sentinel apps. If you have a weekly meeting, for example, set your antivirus or firewall software to grab updates then. If your schedule is less predictable, have the software check for updates first thing in the morning, while you get your coffee.

Customize your Windows security settings. (Go to Tools, Internet Options and select the Security, Privacy or Advanced tab, depending on what you want to set.) This step isn't a replacement for the tools discussed above, but you can beef up the basics by disabling file downloads (a good idea if others--especially kids--can access your PC), setting passwords, blocking cookies, and the like. It's generally a good idea to raise your Privacy settings to High, which will block cookies that use personally identifiable information without your consent, among other things. For more customization hints, see September's Internet Tips.

Periodically purge your Web history. Don't forget to clear cookies and stored temp files from your browser's cache, too. Not only will that keep you more secure, it will keep your PC running more smoothly. (Open IE, select Tools, Internet Options, and use the buttons on the General tab.) Some utilities, such as Webroot's Window Washer make this cleanup a snap. Try to make these periodic purges part of your PC maintenance routine; perform them whenever you back up data or run a virus sweep, for example.

Configure your firewall to start automatically. Most firewalls also let you select a protection level; we advise setting yours to High, though you may need to flag benign apps so you don't get constant alerts. For more on configuration, see August's Step-By-Step.

Securing Your Net

Bolstering your security is all the more critical if you're running a home or small-business network, particularly if it's wireless. When you don't have an IS department, it's easy to fall behind or make mistakes in implementing security.

Suites such as McAfee's Internet Security Suite 6 ($70) and Symantec's Norton Internet Security 2004 ($80) are good options if you want something that is easy to maintain (see our review of both in this month's New Products). These packages typically include automation features and a full set of tools, from software firewalls to antivirus apps, spam killers, and pop-up blockers. Click here for pointers on securing your LAN.

Further suggestions:

Change all default administrative and network passwords. Also encourage (or require) users who share the network to change their passwords every 6 or 12 months, by setting passwords to expire.

Upgrade your wireless network security. Recently the Wi-Fi Alliance introduced Wi-Fi Protected Access (WPA), a security standard that addresses some holes in the Wired Equivalent Privacy (WEP) protocol. To get WPA, go to your vendor's site and download the new firmware--make sure to upgrade all the parts, from the routers and access points to the cards.

Test your network's security. You can use free tools with limited functions, such as those at McAfee's HackerWatch.org/checkup, or more robust ones, like GFI LANGuard's Network Security Scanner 3 (starts at $295 for LANs with up to 25 IP addresses), that provide in-depth network analysis, from missing patches to weak passwords. See www.insecure.org/tools.html for more.

Watch out for disgruntled employees. It's unfortunately true that most network breaches--over 70 percent, according to the ITRC's Foley--come from within. Go to Foley's site for a worksheet that helps companies assess and address this problem.

Day-to-Day Discretion

Strengthening your hardware and software defenses against online criminals is the first step to staying safe. But a truly savvy surfer must also be able to recognize the bad guys and approach even the good guys with a degree of caution.

Obviously, some activities are inherently risky: conducting financial transactions without proper security, responding to spammers, and most things involving file sharing. Interestingly, less than 28 percent of those surveyed share files, but 39 percent say they've replied to spammers.

Many people do financial chores online: 51 percent pay bills, and 32 percent e-file taxes, for example. With such sensitive data flying around, you need to think twice about what you divulge--and when.

A good way to start controlling the distribution of your information is to read a site's privacy policy before you sign on. A very encouraging 72 percent of respondents say they'd decline to use a site if they didn't like its policy, while 12 percent provide false data if they are uncomfortable with the policy. Unfortunately, over 35 percent say they rarely or never read such policies, and the vast majority never complain if they dislike the policy.

Don't expect online companies to safeguard your privacy for you--at least, not yet. Today, companies don't have to post privacy policies (but don't even consider doing business at a site without one). Even the ones that do, however, don't always make it clear that your data will be passed around to others like chips at a birthday party. And they certainly don't warn against actions their affiliates might take or notify you when criminals have breached their security (a recent California law has begun to address this--see "Capitol Hill on the Case" for details).

More bad news: Plenty of malicious elements online are actively seeking to defraud you, and they're getting sneakier.

Out to Get You

Identity theft is the worst-case scenario for people whose personal information has been compromised. According to a study conducted for the Federal Trade Commission (FTC) this spring, the number of identity theft victims rose over the past six years to a staggering 9.9 million in the United States in the last 12 months (3 percent of our group are among such victims). What's more, thieves are hard to catch: Law enforcement statistics show less than 5 percent of cases end in arrest.

You may have run into an increasingly common hoax called "phishing"--a scam in which a thief sends convincing e-mail messages asking for sensitive data to confirm or reactivate an account, with links to a phony site where you fill it in.

Becky Roberts, an account executive and avid EBay seller in Ventura, California, took the bait in one such e-mail. It was disguised as an EBay request for updated information, complete with logos. Though she canceled her credit cards and placed fraud alerts on her accounts, she still lives in fear of the fallout. "Someone out there knows everything about me," Roberts says. (Similar recent scams have involved Citibank and PayPal, among others.) Also, she says, it took EBay a week to respond when she wrote to ask if the request was legit.

Credit card thieves are stepping up attacks with automated tools that may make crimes easier to perpetrate, according to a study by the Honeynet Project, a nonprofit research group of information security pros.

Our survey takers are familiar with this peril: 18 percent said that their credit card numbers had been stolen, or that mysterious charges had appeared on their bills.

For better security, try the following:

At least skim privacy policies. Scan for words such as use, distribute, or share, which should refer to how the site will use the data it collects. Look for references to those with whom it shares information: internally, with affiliates, or with third parties. And check whether the policy can change without notice to you--and if it does, whether you'll have the chance to delete your data. AT&T's Privacy Bird, a browser add-in, monitors some privacy policies for you; go to www.privacybird.com to download it or to get more details.

Complain if you don't like a privacy policy. If they're ever going to change, companies need to know when their practices are unacceptable to customers.

Be wary of e-mail asking for account information. Contact the company via phone or e-mail (but not by reply) to confirm it sent the request. If you get a fraudulent e-mail or are targeted by identity thieves, notify the legitimate company the crooks are hiding behind, alert police, and visit www.idtheftcenter.org for more info.

Create different online identities. For example, reserve one e-mail address for friends and family, another for business associates, and a third (perhaps a free account, like one from Yahoo or Hotmail) for activities like shopping and chatting, which can make you a spam target.

Don't automatically give a site everything it asks for. Aside from a shipping address, most online transactions don't need more data than a brick-and-mortar store.

Perform due-diligence checks on companies. Check the site's policies and security features: Is there an s following the http in the URL, or an SSL Secured lock icon to ensure safe transmissions? Does it store your data on its servers; if so, is it encrypted? Does it display a Truste or BBB (Better Business Bureau) Online logo (which indicates the company has agreed to specific standards of practice)? Check sites like the BBB's for complaints.

Review your financial statements monthly. Look for unauthorized charges and money transfers. Have credit bureaus (www.experian.com, www.equifax.com, or www.transunion.com) contact you when there's an inquiry or activity on your credit, to get early warning of potential trouble. This service costs $80 a year and includes three credit reports.

Check for warnings about scams and other threats. Sites like www.consumer.gov/idtheft and www.privacyrights.org often have such information.

Your Privacy Policy

The guidelines above are a start, but they're by no means exhaustive. Click here for more privacy tips, information, and top downloads.

It's inconvenient to be a good privacy consumer, says Jennifer Granick, executive director of the Center for Internet and Society at Stanford Law School. "But you've got to make security a key issue in every decision you make."

That starts with more effectively using the tools that you already own, avoiding shortcuts such as no-brainer passwords that leave you vulnerable, and surfing smarter and more skeptically.

Anne Kandra is PC World's Consumer Watch columnist and a contributing editor; Andrew Brandt is a senior associate editor.

Makeover: The Consultant With 50 Accounts

Hands-on Help: We contacted three survey respondents who wanted help on improving their privacy practices. Andrew Brandt, our Privacy Watch columnist and security expert, made house calls to help diagnose their problems and offer tailored solutions.

Name: E. Webb Bassick IV, CEO of Compensation Strategies, an executive compensation consulting firm based in Bannockburn, Illinois.

I met Bassick at his office in a suburban village surrounded by forests and neatly trimmed lawns about 30 minutes north of Chicago. Most of the PCs he and his eight employees use contain sensitive information about the compensation programs of some of America's largest companies. The nature of his business requires Bassick to run a corporate firewall to keep hackers out; nevertheless, he still could use a little help with internal security.

PC use: Two laptops, one of which travels between home and office; a home LAN with several PCs, a wireless access point, and a server.

Frequent tasks: Conducts business, sends files to clients, surfs the Web for business and entertainment.

What he does right: Bassick's IT consultant helped him set up a firewall and file server for his home LAN. He updates his antivirus definition files and does not open e-mail attachments he doesn't expect.

Biggest problem: Password management. "I have 50 accounts, for everything from my e-mail to my utility bills that I pay online, and one password that I use for all of them," he says. He also has one other password to an Excel spreadsheet that contains all the details of his online accounts. Moreover, Bassick e-mails drafts of the compensation plans as PDF file attachments to his clients in advance of face-to-face presentations, but he rarely password-protects them.

Solutions: To help Bassick build up a stable of different, strong passwords, I directed him to the WinGuides Network site. There, he could use the site's secure password generator tool to create strong passwords on the spot for his various accounts. Run by a company called GuideWorks (unaffiliated with Microsoft), the WinGuides Network site publishes downloadable guides with security tips and system tweaks for Windows.

I also gave Bassick a Fellowes SecureTouch biometric mouse, which puts a variety of functions literally at the tip of his finger: The mouse will let him log in to his laptop or desktop using just a finger press on the mouse's scanning pad. It also keeps track of his new passwords in an encrypted file and enters them into the file automatically after the first time he uses the passwords. The software included with the mouse can encrypt files he keeps on his PC or sends out as e-mail attachments, too (though the recipient needs to use the same software for decryption).

Andrew Brandt

Makeover: The Family With Budding Browsers

Hands-on Help: We contacted three survey respondents who wanted help on improving their privacy practices. Andrew Brandt, our Privacy Watch columnist and security expert, made house calls to help diagnose their problems and offer tailored solutions.

Names: Kevin and Jennifer Watts, and their children, Natalie, 7, and Travis, 6. Kevin is a technical sales representative based in Indianapolis for Braden Sutphin Ink Company; Jennifer is the treasurer for an elementary school parent-student group.

Kevin, whose cramped home office holds loads of memorabilia from the many years he's attended the Indianapolis 500 and Brickyard 400 auto races, takes his online computing hobbies as seriously as his offline ones. He plays in an online gaming league on a fast, custom-built PC. This office is also where the kids got their first taste of computing, and where they will soon start surfing the Web.

PC use: Two PCs in their home office, one with a broadband connection, the other with no Net access.

Frequent tasks: Kevin e-mails contracts, sales, and paperwork; maps his trips online; and plays games on the Web. Jennifer does Web research, accounting and budgeting spreadsheets, and e-mail correspondence.

What they do right: The Wattses do a great job of keeping up with patches and antivirus updates. He updates each PC's OS and most apps regularly, blocks pop-up ads, and lets the kids use the computer only when at least one parent is there with them.

Biggest problem: Network security and kid safety in the home office. The Wattses' two kids are about to take their first unsupervised steps onto the Internet, and Kevin had no software to protect them from the hazards that await children online. His passwords for his router and online accounts also needed improvement, and his PCs and printers weren't networked.

Solutions: I hooked up a Linksys 802.11b wireless router, which includes a hardware firewall, to their cable modem and added a wireless card to the second PC so it can share the broadband connection. With the router set up to give each PC a private, internal IP address, and with the ports that the Blaster worm uses to penetrate unprotected PCs blocked, the home LAN was safe. With Net Nanny Web filtering software in the PC that the kids will use, the little ones can surf without constant supervision. Finally, I set the Wattses up with a sub-$70 Ebp Lite password manager keychain from Mandylionlabs.com, so they can better safeguard their PCs.

Andrew Brandt

Makeover: The Team With a Vulnerable Network

Hands-on Help: We contacted three survey respondents who wanted help on improving their privacy practices. Andrew Brandt, our Privacy Watch columnist and security expert, made house calls to help diagnose their problems and offer tailored solutions.

Name: Mario Sanon (pictured, center), New York-based IT staff member for Strive, a nationwide job-readiness training organization.

At Strive's East Harlem center, classes of up to 45 students spend 8 hours a day learning everything from résumé-writing to computer fundamentals such as how to perform basic spreadsheet tasks. Sanon, a self-taught PC technician; his supervisor, Nobukiyo Sato (pictured, left); and computer skills instructor LaShanti Jenkins (pictured, right) maintain an aging phalanx of donated PCs, answer student questions, and field support requests from employees.

PC use: Two PCs in Sanon's office, wireless networking components, hardware firewall, plus servers.

Frequent tasks: Checks several e-mail accounts, including Strive's general mailbox; supports the 130 PCs on Strive's network.

What he does right: Patches his own operating system and uses the Bigfix service, which lets him know when patches are available for the applications he uses; keeps his antivirus definitions up-to-date.

Biggest problem: Passwords and online safety. Mario uses just two passwords for all his online accounts, including bill-paying services. He lets employees use the default passwords for the network, and he does not require them to change those passwords periodically. Safe surfing has also become a problem: Kids have started visiting unsavory Web sites in the computer lab.

Solutions: I talked to Sanon and Sato about techniques they could use, and teach to others, that would help them learn to create and remember strong passwords (see our tips), and I advised them to require that users' network passwords be changed periodically. I gave Jenkins specific notes to help her teach her students why computer privacy and security are important, and offered some password creation and privacy tips to pass along. Finally, I provided them with several copies of Net Nanny to install in the computer lab used by the neighborhood kids.

Andrew Brandt

Software: Top Utilities for Your Toolbox

To keep your online security simple and low-cost, check out this list of tried-and-true products that can help you cover your bases.

Antivirus: Everyone should have an up-to-date antivirus application--period. Symantec's Norton AntiVirus Pro 2004 ($70) is a consistently good performer, and the 2003 version was a Best Buy in July. If you object to Symantec's product activation, try McAfee Security VirusScan 8 Home Edition ($50). (See New Products for more details on these and other parts of the companies' security suites.)

Spam fighter: Keep yourself out of harm's way by culling e-mail that may try to infiltrate your PC or your wallet. Sunbelt Software's $20 IHateSpam is a good choice for Outlook users. Other options for people with Outlook and other e-mail clients: Symantec's Norton AntiSpam ($40) and McAfee's SpamKiller Home 5 (also $40), or the Mailblocks service ($10 yearly subscription).

Firewall: For anyone with a broadband connection, firewalls are a must. For the rest of us, they're a very good idea, especially as worms and spyware proliferate. Zone Labs' ZoneAlarm 4 remains our top choice; the free version supplies a basic firewall, but the $50 Pro version adds a comprehensive security tool kit.

Adware/spyware remover: These utilities can help keep pop-up ads from multiplying and prevent your surfing habits from becoming public knowledge. PepiMK's free Spybot Search and Destroy does a terrific job; the free Lavasoft Ad-aware 6.1 has fewer features but is also a good choice.

Tips for Parents: Who's Watching Your Kids?

If the Web can be a dangerous place for responsible, savvy adults, imagine the risks for children. However, some of the most troubling responses to PC World's survey came from parents. Surprisingly, the survey indicated that respondents with children who go online are significantly less concerned about invasive and insecure practices than those without kids. Moreover, only 51 percent of parents said they talk to their kids about using the Net, and just 55 percent set limits on their kids' Internet use. Finally, a mere 8 percent use software to monitor their kids' online travels.

Although there are laws on the books that help protect the Internet's youngest users, parents are ultimately the ones responsible for safeguarding their children online. Here are several tips to ensure that your kids surf safely.

Set limits. Restrict your child's time online, and be familiar with sites they visit. Consider using a tool--such as such as BioNet's Net Nanny, Solid Oak Software's Cybersitter, or Webroot's ChildSafe--that filters or monitors your child's Internet use, especially if you have younger children. Many ISPs let you set parameters for online activity; AOL, for example, lets parents specify filtering settings depending on the child's age, so younger browsers might be allowed to visit only a few select sites, while teens browse more freely.

Talk to your kids about the Internet's dangers. If they are old enough to surf the Web on their own, explain that people online aren't necessarily who they say they are. Never allow them to arrange a personal meeting with someone they meet online.

Teach them not to share personally identifiable information. Tell children never to give out their last name, address, or phone number, or the name of their school, for example. Also, never allow them to e-mail or post a photograph of themselves online.

Teach kids never to open e-mail file attachments. Most viruses and worms propagate that way and may be sent inadvertently by people you know. If you expect something via e-mail, scan it for viruses before opening it, to be safe. Instruct kids to tell you or a teacher if they receive a file or a Web page that they're uncomfortable with.

Monitor instant messaging and chat rooms. Know who your kids are IMing with. If they use a cell phone to IM, for example, check the statement for unfamiliar numbers. Limit or monitor the chat rooms they can access; tools such as Net Nanny can help.

Regularly check your children's PC for new programs. Popular file-sharing applications and the like often come with adware or spyware, which may collect and then report information about your kids' surfing habits. A program such as Ad-aware or Spybot Search and Destroy can eliminate these unwanted apps.

Skim the privacy policies of sites your children often visit. Glance through the text to see what information the site collects, and with whom it shares that data.

Pending Laws: Capitol Hill on the Case

Though Congress is focusing primarily on spam issues, other privacy and security concerns still hold a place on the legislative calendar.

California recently set a new standard for online security with its passage of Senate Bill 1386, which became law on July 1. The law requires any company doing business in California to notify its customers in the state of any attempted security breach into nonencrypted, personally identifiable data. Whether or not Congress passes a similar federal rule, the law will probably have a national impact because a company is likely to streamline its operations by adopting a single information gathering and notification process for all its customers nationwide. Some pending bills aim to close other privacy holes. Visit thomas.loc.gov for updates on each bill's status.

Online Privacy Protection Act of 2003/H.R. 69. Sponsored by Representative Rodney P. Frelinghuysen (R-New Jersey), this bill empowers the FTC to regulate and police the collection, use, and disclosure of personal information about individuals on the Net by Web site operators and online services. It also gives people greater control over their data, letting them consent to or limit any disclosures, especially to third parties.

Consumer Privacy Protection Act of 2003/H.R. 1636. The bill, sponsored by Representative Cliff Stearns (R-Florida), covers buyers who make interstate purchases--online or offline (via mail-order catalogs and the like). It requires companies that collect personally identifiable data to disclose to customers when the data may be used for marketing or other unrelated purposes, and gives enforcement responsibility to the FTC.

Privacy Act of 2003/S.B. 745. Sponsored by Senator Dianne Feinstein (D-California), this bill requires companies to obtain a customer's consent before selling or disclosing that customer's personally identifiable information (such as a driver's license number, and health and financial data).

Identity Theft Prevention Act/S.B. 223. Sponsored by Senator Feinstein, this bill requires banks and other financial agencies to make more aggressive efforts to prevent criminal access to sensitive data. For example, it bans companies from printing full credit card numbers on receipts.

Social Security Number Misuse Prevention Act/S.B. 228. This bill, also from Senator Feinstein, restricts the sale or display of a person's Social Security number, such as on a government check, without consent. It also bars companies from requiring a Social Security number when consumers make purchases.