Trust and Privacy Online

Section 1: Americans want a privacy guarantee

Privacy has emerged as a central policy concern about the Internet as more Americans go online every day – and recent weeks have brought a ceaseless stream of new allegations about privacy violations by Internet companies. In the past three months, a series of events has heightened sensitivities.

In June, the federal Office of National Drug Control Policy (the so-called “drug czar’s” office) was found to be using Internet tools called cookies to track Web surfers’ drug-related information requests. After a storm of criticism that this might allow the drug czar’s office to clandestinely record citizens’ online activities, the federal Office of Management and Budget banned the use of cookies on federal government Web sites.

[Figure: Very concerned about privacy]

In July, the Federal Trade Commission forced a bankrupt Toysmart.com to abandon its plans to sell off customer data to the highest bidder. The firm had promised site users that it would not divulge information gleaned from tracking users’ activities on the site, but a court-appointed overseer believed the customer list was a valuable asset that could be sold to help pay off the firm’s creditors. That same month, Senator John McCain (R-Ariz.) introduced legislation that would require commercial Web sites to notify consumers about what kinds of personal information they collect and how they use it. Microsoft announced new third-party cookie controls for Internet Explorer, actively warning consumers and allowing them to reject cookies, which could be used to track their activities all across the Web. Fifty Dow Chemical Company employees were fired after a search of their email revealed pornography or violent images. The Clinton Administration and the Federal Trade Commission set privacy standards so favorable for online advertisers that shares in Doubleclick rose 13 percent in one day. The FBI came under fire from Congress and civil liberties groups for developing “Carnivore,” a wiretapping device that silently intercepts all traffic to and from a suspect’s email account. 

Early this month, Toysrus.com was accused of feeding shoppers’ personal information to a data-analysis firm without revealing the relationship to consumers. In response to complaints, Toysrus.com added information to its privacy policy about how customer data is treated, but denies that the information is sold to outside vendors. One week after the customer lawsuit was filed, Amazon.com and Toysrus.com announced a strategic alliance and restated their commitment to consumer privacy online. And this past week, Pharmatrak Inc., a Boston technology firm, acknowledged tracking consumers’ activities on health-related sites without informing the public.

Not surprisingly, a great many online Americans are fretful about the things that could happen online and the way in which data about them might be gathered and used. An overwhelming majority of Internet users (84%) are concerned about businesses or people they don’t know getting personal information about themselves or their families. Some 54% say they are “very concerned.”

Americans want the “opt-in” option

These wired Americans are anxious to take charge of their online lives and resoundingly prefer a different privacy protection scheme from the one promoted by major Internet industry and government leaders. Seven in ten Internet users (71%) say that people who use Web sites should have the most say over how Internet companies track users’ activities.

Indeed, Internet users reject the notion that the government and Internet companies are the best stewards of their personal privacy. Two-thirds say Internet companies should not be allowed to track users’ activities and 81% contend there should be rules governing how that tracking is done. Asked who would do the best job setting those rules, 50% of online Americans said Internet users themselves would be best, 24% said the federal government would be best, and just 18% said Internet companies would be best.

And they are clear what that policy should be. Some 86% of Internet users favor an “opt-in” privacy policy and say that Internet companies should ask people for permission to use their personal information. This is the kind of system that has been adopted by the European Union. By contrast, the self-regulation plan recently embraced by the Clinton Administration, the Federal Trade Commission and a consortium of Internet advertisers is an “opt-out” scheme that would compel consumers to take steps to protect their privacy.

Many will share information – if they can choose when and where

When Internet users are given the choice between sharing their personal information or not being able to use a Web site, 54% have provided their real email address, name, or other personal information. Of those who have never done this, 23% (or 10% of all Internet users) say they are willing to provide that information in order to use a site. This two-thirds majority (64%) demonstrates that many Internet users are willing to enter into an exchange with Internet companies. That said, a solid majority of Internet users still do not think companies should track their behavior online without asking users’ permission.

The making of cookies

The strong urge of online Americans to protect their privacy and put the onus on companies to get permission before exploiting data or passing it along to others is a pipe dream considering the current privacy arrangements on most Internet sites. Cookies are bits of encrypted information deposited on a computer’s hard drive after the computer has accessed a particular Web site. The Web site stores these bits of information so that when the same site is accessed again by that same computer, the Web site can recognize the computer and provide the same layout, shopping cart, search information, or even the user’s name with the exact personalization each time the site is visited. (No reliable figures exist about how many Web sites install cookies.) Some cookies track the activities of a user at a particular Web site. Others can track the user from Web site to Web site.

Netscape created cookies in 1994 as a special browser feature to make life easier for people browsing the Web. The concept is similar to that of a computer’s preferences file. It keeps track of how the user wants a site to look or function. Once the preferences are set, the user does not have to input routine information upon each visit. Its creators thought it would be especially useful in enabling “shopping cart” services on Web sites. The idea was to allow consumers to click from page to page choosing items to buy, while a virtual clerk kept track of the items until the consumer was ready to check out. Cookies also allowed a site owner to observe which displays attracted the consumer’s attention and which needed some sprucing up. Netscape did not initially inform consumers about the clandestine activity on their hard drives and probably did not foresee the firestorm that would follow.

[Figure: Online tracking]

Chris Sherman has written for About.com that some believe the term cookie “comes from the story Hansel and Gretel, who marked their trail through a forest by regularly dropping crumbs along their path. Of course Hansel and Gretel used bright stones, not cookies to mark their trail; nonetheless, the legend persists.”

After the media reported on the technology in January 1996, Netscape added a tool to disable cookies for the next version of their Web browsing software. But it was not very easy to do the disabling. Web site users had cookies implanted on their machines unless they took affirmative steps to reject cookies – a classic “opt-out” scheme. A user had to dig two menu screens down in his browser to find the place to opt out of cookies. There seemed to be no anticipation at the time that the use of cookies would create a problem. In 1996, Alex Edelstein, Netscape's product manager for Navigator 2.0, declared that cookie technology was an insignificant issue and would “blow over.”

For a while, the use of cookies exploded and there were few complaints from consumers. Cookies themselves are not inherently bad or necessarily invasive to one’s privacy. And they are instrumental in activating some of the Web’s most appealing features. Web publications like iVillage.com use cookies to identify the preferences of regular readers and then direct appealing, tailored content to them. Merchants like Amazon.com use cookies to speed ordering and to suggest products to return customers. Soon enough, Web advertisers saw the possibility that cookies could help Web sites monitor users’ activities and help discern consumer tastes. With that kind of information Web sites could deliver customized information to users.

Third-party advertising networks like Doubleclick sprang up to oversee banner ads on Web sites. These networks designed cookie files that track a user’s activities all across the Web and trigger advertisements according to each user’s apparent interests and needs. It is Web sites’ ability to glean users’ tastes and lifestyles through cookies that has led to the current debate about the appropriate ways to do tracking and maintain the privacy Americans want. In the most comprehensive and extreme cases, a Web company could build a profile of an Internet user that combines information about her purchases, her taste in music, the investment information she seeks, the health issues that concern her most, and the kind of news stories that seize her interest.

Unarmed in the privacy wars

The rise of third-party ad networks has raised the issue of cookies to prominence in legal and policy-making circles. But fewer than half of Internet users are aware of cookies. Eight in ten Internet users (79%) think it’s common for Internet companies to track Web activities, yet only 43% of Internet users know that creating cookies is the way this is done. Of those who can identify cookies, just 24% set their browsers to refuse cookies. That means just 10% of all Internet users have set their browsers to reject cookies.

Most online shoppers don't know they're being tracked

To a considerable degree, members of the two groups most likely to be targeted by Internet companies – those who click on ads online and those who buy things online – are unaware that their computers’ hard drives are implanted with cookies. The Pew Internet Project survey found that 69% of Internet users have clicked on a Web advertisement and about 46% have bought products online. Yet only about half of each of those groups know what a cookie is. Of those shoppers and ad-clickers who are aware of cookies, just a fifth choose to block the tracking devices and surf more anonymously (23% of ad-clickers and 20% of online buyers). That means almost 90% of Internet users who shop online are being tracked by cookies and many are unaware that is happening.

There are other notable differences between groups when it comes to cookie awareness. Men are more likely than women to say they know what a cookie is (51% of online men; 34% of online women). Internet veterans are much more likely than Internet novices to say they know what a cookie is. Sixty percent of users who have been online for three or more years know what a cookie is, compared to just 23% of new users.

The verdict on tracking

A majority of Internet users (54%) are certain that online tracking is harmful because it invades their privacy. Advocates of cookies make the case that consumers will eventually come to appreciate cookies because they allow sites to provide information that is important and relevant to an individual Web user. In the case of advertising and marketing, cookie advocates argue that there is a great deal of waste that everyone hates in mass marketing through the mails (junk mail) and the media. These advocates argue that the ideal world created by cookies and tracking is one where the clutter of information and advertisements is cut to a minimum and only useful material is put in users’ and consumers’ hands. There is a distance to go, though, before that argument persuades Internet users. Only 27% say that tracking is helpful because it allows Web sites to tailor information for users.

Richard Purcell, director of the Corporate Privacy Group at Microsoft, says that new cookie controls for Internet Explorer will be part of a set of “empowerment tools” for consumers that will soon be available in the upgraded browser. Users will be alerted when a site tries to place a third-party cookie – that is, one that could help track their activities all across the Web. “We don’t want to tell businesses how to act, beyond being truthful, but instead we want to let consumers be a force to be reckoned with,” says Purcell. Purcell believes that consumer education is the key to allaying Internet users’ fears – not behavior modification on the part of the industry.

Hard-core privacy protectionists

While online Americans say they are concerned about breaches of privacy and that control is important to them, about half of all Internet users are trusting valuable personal information to Web companies that require it. Fifty-four percent of Internet users have provided their real email address, real name, or other personal information in order to use a Web site.

Of the 45% of Internet users who have not provided real personal information to a site, 61% are hard-core privacy defenders and say they are not willing to provide that information in order to use a site. This hard-core group is more likely to believe that tracking is harmful, that online activities are not private, and that there is reason to be concerned about businesses getting their personal information. Women and men are equally likely to be in this hard-core group, as are new and veteran Internet users. Young people (18-29 years old) are more likely to say they are not willing to provide personal information, as are users who go online only from home.

Copyright 2013 Pew Internet & American Life Project

The Pew Research Center's Internet & American Life Project is one of seven projects that make up the Pew Research Center. The Center is supported by The Pew Charitable Trust.