Personally Identifiable Information

Online businesses know a lot about their customers—and they can easily learn a lot more. What standards should web sites follow with personally identifiable information that they gather?

As with any business, online service providers know the names, addresses, and frequently the credit card numbers of their subscribers. But records kept by the provider’s computers can also keep track of who their customers exchange email with, when they log in, and when they go on vacation.

Internet service providers can learn even more about their customers, because all information that an Internet user sees must first pass through the provider’s computers. ISPs can also determine the web sites that their users frequent—or even the individual articles that have been viewed. By tracking this information, an Internet provider can tell if its users are interested in boats or cars, whether they care about fashion, or even if they are interested in particular medical diseases.

eTrust

The Electronic Frontier Foundation thinks that it has a solution to the cookie privacy problem. Called eTrust, the program’s goal is to develop standards for online privacy. One of the things that those standards would govern is what web sites can do with personal information they collect about their users. Web sites would display a particular eTrust logo indicating their privacy policy; in return, they would submit to data audits by a recognized accounting firm.

Something like the eTrust program is a good idea, because even with smart cookies, some personal information is inevitably going to be stored on web servers. But the real hope is that web sites will start using cookies intelligently to cut down on the amount of personal information that’s being collected.

Our second hope is that nations will pass privacy laws regulating what can and cannot be done with information that is collected online.

In January 1997, Congressman Bruce F. Vento introduced the Consumer Internet Privacy Protection Act (HR 98) into the House of Representatives. The act would prohibit online services from releasing any personally identifiable information about their customers unless customers first gave explicit written consent.

Critics of the legislation say that it would put limits on online service providers that are unheard of in other kinds of business. After all, it is common practice for magazines and some stores to sell lists of their customers. Although most online services do not make subscriber information available, many wish to keep this option open for the future.

By forcing online services to obtain subscriber permission before releasing personal information, and by putting the force of law behind that policy, Vento’s bill runs counter to (voluntary) practices that have been established in other U.S. industries. Those practices generally require consumers to “opt-out” before data considered private is released.

Consumer and privacy advocates, meanwhile, have long been pressuring for the abandonment of “opt-out” practices and the institution of some form of mandatory controls. Voluntary controls are always subject to abuse, they say, because the controls are voluntary by their very nature.

Whether or not such legislation passes in the future, web surfers should be aware that information about their activities may be collected by service providers, vendors, site administrators, and others on the electronic superhighway. As such, users should perhaps be cautious about the web pages they visit if the pattern of accesses might be interpreted to the users’ detriment.

The Moral High Ground

Here is a simple but workable policy for web sites that are interested in respecting personal privacy:

  • Do not require users to register in order to use your site.

  • Allow users to register with their email addresses if they wish to receive bulletins.

  • Do not share a user’s email address with another company without that user’s explicit permission for each company with which you wish to share the email address.

  • Whenever you send an email message to users, explain to them how you obtained their email addresses and how they can get it off your mailing list.

  • Do not make your log files publicly accessible.

  • Delete your log files when they are no longer needed.

  • If your log files must be kept online for extended periods of time, remove personally identifiable information from them.

  • Encrypt your log files if possible.

  • Do not give out personal information regarding your users.

  • Discipline or fire employees who violate your privacy policy.

  • Tell people about your policy on your home page, and allow your company to be audited by outsiders if there are questions regarding your policies.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.221.187.121