E-CommerceALERT.com is part of the Bennett Gold LLP web site network.

Research and retrieval of news articles by Bennett Gold LLP, Chartered Accountants


SPECIAL NOTE TO ALL VISITORS:
Effective December 31, 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering articles from the period 1999 to 2012.


PRIVACY VS. PROFITS - Earn Customers' Trust and Their Business

Source: Smart Business

Posted on October 24, 2001

      Say one thing, do another.

      Since the birth of the Web, there's been a chasm separating consumers' stated feelings about online privacy and how they act with a mouse in their hand. Eighty-six percent of Internet users worry about online privacy, according to the Pew Internet & American Life Project. Meanwhile, nearly 50 percent say they'll give out personal information in exchange for the chance to win a sweepstakes, reports Jupiter Media Metrix.

      Says Paul Saffo, director of the Institute for the Future, a Silicon Valley-based research firm, "Americans talk about privacy, but they'll spill their guts for a package of trinkets."

      Or will they? While there is a disparity between what many online users say and do when their privacy is at stake, another subset of consumers is more steeled: Of those who are connected but do not transact online - which is over half of all Internet users - 58 percent say it's because they fear their information will be stolen or misused, according to Jupiter.

      Billions of dollars in e-commerce revenue is being left on the table because businesses have not done enough to quell consumers' fears about privacy. Bandwidth, the wireless Web, and convergence aside: Build the Net with more privacy options and the dollars will come. That effort is under way. Technologies are emerging that will serve consumers, either through tighter privacy controls on the corporate front or innovative tools that will live on consumers' desktops. In the short term, there may still be some major privacy meltdowns. But in the long, dark tunnel separating consumers from a more private Internet environment, there is finally some light.

Privacy Push

      The first incarnation of the Internet was built with virtually no thought to privacy. Web sites weren't crafted with confidentiality in mind, and corporations had little concern for the issue when setting up their internal databases. Only after high-profile privacy flame-outs involving Microsoft, RealNetworks, and DoubleClick in 1999 and 2000 did companies realize that they had to retrofit their operations to reach privacy-conscious customers.

      The retrofit is proceeding at a snail's pace in most industries, simply because in an era of economic uncertainty, executives are loath to invest in technologies that have, at best, a tenuous connection to profits. But thanks in part to Congress, things are picking up.

      Some industries have been forced to address privacy concerns - first through the privacy standards within the Health Insurance Portability and Accountability Act of 1996, implemented earlier this year by President Bush, and also through the privacy provisions in the Gramm-Leach-Bliley Act (GLBA) of 1999, enforced in earnest starting this year. Those regulations have forced banks, health care providers, and investment firms to keep a much tighter lock on personal information.

      The key is privacy rights management technology, a life raft for companies like Zero-Knowledge Systems that slogged their way through the Internet's early years trying to sell privacy-related software directly to consumers.

      Not that the consumer category is standing still. In fact, among the technologies most often cited by privacy advocates and analysts as the most important, a consumer-focused piece of software called P3P, created by Microsoft, ranks highest.

      Shorthand for Platform for Privacy Preferences, P3P was built into version 6 of Internet Explorer, allowing consumers to match their privacy preferences with the sites they visit. If the browser arrives at a Web site with a privacy policy that is lacking or nonexistent, a warning appears and the consumer can hightail it somewhere else. Richard Smith, CTO of the nonprofit Privacy Foundation, and others complain that the default privacy settings are too lax, and that consumers can't set strict enough preferences. Microsoft officials say they are working on improvements.

      For now, though, "Microsoft is at least putting the plumbing in the browser to let you do good cookie control," Smith says. "That's a step in the right direction."

      Smith's organization is also innovating on this front. Earlier this year, the group created Bugnosis Web Bug Detector, a free download that allows surfers to see who's tracking them with so-called Web bugs, tiny graphics or HTML strings that can be used to monitor site visitors or transfer information about them to third parties. Meanwhile, so-called anonymizing products and services, like those offered by Zero-Knowledge and SafeWeb, continue to win fans.

Shake Hands with Microsoft

      Still, the fact remains that most Internet users "don't want to lift a finger to protect their privacy," says Christopher Kelley, an analyst with Forrester Research. The alternative, then, is to trust Web sites to comply with their own privacy policies. But companies have a steep hill to climb. Only about half of online Americans "trust valuable personal information to Web companies that require it," according to the Pew Internet & American Life Project. And Statistical Research found that 67 percent of active Internet users tend to abandon sites that request personal information.

      These statistics vex Internet companies enough. But for companies like Microsoft, which have much more comprehensive plans involving the Web and personal information, such sentiments loom like storm clouds.

      Through a service code-named HailStorm within its .Net initiative, Microsoft hopes to become the trusted repository of a laundry list of personal information, which could conceivably include bank account and credit card numbers, cell phone numbers, and, via calendar software, a person's physical whereabouts. The service should roll out sometime next spring, according to Ruthann Lorentzen, general manager of .Net services marketing and business development.

      The idea is to streamline everyday transactions by linking together information about consumers. For example, Lorentzen says, the service could make receiving goods bought online or via mail order much more convenient. If shippers like UPS and FedEx HailStorm-enable their sites, customers can keep much closer tabs on deliveries - and even decide when and where to receive packages.

      "It could be a Tuesday, and I get on my cell phone, and I get an alert that says the package to be delivered on Friday requires a signature, OK or not?" says Lorentzen. "I say, 'Not OK.' They say, 'It looks like you'll be home on Saturday. Would you like us to deliver between 9 and 4?' They've gotten my permission to get to my information that will tell them how I want to get notified. They can look at my free time on my calendar, but that's all they can look at. They can also see my payment preferences, by virtue of my wallet."

      For some privacy advocates, the idea of trusting Microsoft with such information is suspect. "This is not a company that anybody in their right mind would trust with their home telephone number," says Jason Catlett, president of Junkbusters, an online-privacy advocacy firm. (For its part, Microsoft says it's working to earn consumers' trust.)

Safe from Prying Eyes

      Even the less strident members of the online populace have reservations about any company holding such details. Jupiter Media Metrix asked Internet users how they would feel about having a Web site keep their personal information in one place, to send to companies at their request. A mere 4 percent say they'd be in favor of such an arrangement.

      But new technology could help mitigate the suspicion consumers feel when asked to provide a Social Security number, bank account info, or household income online.

      Some of the more aggressive trust-seekers, like E-Loan and Microsoft's Expedia.com, have exposed themselves to ongoing privacy audits by PricewaterhouseCoopers, which then confers a seal to the site, certifying that the site's systems - and, perhaps more importantly, its employees - comply with stated privacy policies. In the case of E-Loan, this effort cost $250,000 in initial fees and staff time, plus an additional $30,000 for each quarterly audit.

      But even those audits are coming under scrutiny. "Right now, you might blissfully assume the auditors know what they're doing, yet in the end there isn't technology to be certain of it," says Stuart I. Feldman, director of the IBM Institute for Advanced Commerce, part of IBM's research division. "A company could have 100 million lines of legacy code in its systems, and who knows where the privacy violations might be buried in it?"

      Feldman says IBM is developing technologies that would allow companies to certify other software as privacy friendly, so companies and consumers would have greater confidence that an auditor's seal is worth the pixels it's written in.

      Chris Larsen, E-Loan's chairman and CEO, says that Feldman's assessment of privacy audits is "right in some regards. But what we're really doing is combing through the organization, which in some ways is more important. Most privacy breaches happen because there's a disconnect between business development, operations, and engineering. For any company with over 20 people, there's a high likelihood those people don't know what the others are doing in every instance."

      But given that even professional audits provide only a snapshot of a company's performance, and are themselves subject to human error, technology companies have been scrambling to automate the process.

      Among the newest tricks of the trade is to let loose a software watchdog on the site itself - to ensure, for instance, that every page that asks for personal information is encrypted, with links to the site's privacy policy, and that it asks only for information that conforms to that policy. One such solution, called WebCPO, comes courtesy of a partnership between PricewaterhouseCoopers and Watchfire, an e-commerce optimization software developer. DoubleClick is one of a handful of companies that were at press time considering using WebCPO, launched this spring.
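The three checks such a watchdog is described as making (encryption, a privacy-policy link, and only policy-conformant fields) can be sketched as follows. This is an added example, not WebCPO's code or anything from the original article; the field-name heuristics, the `POLICY_DISCLOSED` list and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed heuristics (not from WebCPO): substrings that mark a field as
# personal data, and the subset the site's stated policy says it collects.
PII_HINTS = ("email", "phone", "ssn", "address", "card", "income")
POLICY_DISCLOSED = ("email", "phone", "address")

class FormCollector(HTMLParser):
    """Collects forms with their field names and notes any privacy-policy link."""
    def __init__(self):
        super().__init__()
        self.forms, self.policy_link, self._cur = [], False, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._cur)
        elif tag in ("input", "select", "textarea") and self._cur is not None:
            if a.get("name"):
                self._cur["fields"].append(a["name"].lower())
        elif tag == "a" and "privacy" in (a.get("href") or "").lower():
            self.policy_link = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit_page(page_url, html):
    """Return (kind, detail) findings for forms that collect personal data."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        pii = [f for f in form["fields"] if any(h in f for h in PII_HINTS)]
        if not pii:
            continue  # e.g. a search box: nothing personal is collected
        target = urljoin(page_url, form["action"])  # empty action posts to the page
        if urlparse(page_url).scheme != "https" or urlparse(target).scheme != "https":
            findings.append(("unencrypted", target))
        if not parser.policy_link:
            findings.append(("no-policy-link", page_url))
        for f in pii:
            if not any(d in f for d in POLICY_DISCLOSED):
                findings.append(("undisclosed-field", f))
    return findings

# Constructed sample pages.
BAD = '<form action="http://shop.example/signup"><input name="email"><input name="ssn"></form>'
GOOD = '<a href="/privacy.html">Privacy</a><form action="/signup"><input name="email"></form>'
SEARCH = '<form action="http://shop.example/q"><input name="q"></form>'
```
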

Earning Customers' Trust

      Yet this approach, while innovative, addresses only a small part of the problem, says Nuala O'Connor, DoubleClick's former chief privacy officer for e-mail and emerging technologies. Which is why DoubleClick, E-Loan, and a long list of financial and health-care organizations are looking to companies like PrivacyRight, Zero-Knowledge, and Acxiom to put a cap on privacy leaks within the company before they happen, using privacy rights management, or PRM, software.

      According to Larry Ponemon, former president of Guardent, a Massachusetts-based privacy consulting firm, and a former partner and founder of PricewaterhouseCoopers' privacy practice, PRM "is where a lot of the most important privacy work is happening right now."

      Ponemon, who sits on PrivacyRight's board, might be considered biased except that many executives and privacy experts echo his opinion. PrivacyRight is one of the few PRM providers with an actual product on the market, and, its executives say, companies that are actually using the technology (although none agreed to be named in this story).

      PrivacyRight TrustFilter, with prices starting at $100,000 plus the standard 20 percent annual maintenance fee, allows businesses to write rules for how personal information can flow inside and outside the firm. For example, a big financial company looking to comply with the Gramm-Leach-Bliley Act must keep track of tens of millions of customer accounts, often held in various databases depending on customers' physical location or which financial products they use.

      Because GLBA requires financial firms to respect clients' wishes regarding the sharing of personal information, a single employee slip-up that sends a customer's data to the wrong place - say, an unscrupulous marketer of second mortgages who spams customers, resells their information, and allows identity thieves to surf its servers - can lead to severe punishment. The resulting lawsuits, most likely brought by state attorneys general or plaintiffs' class-action attorneys, could sap months or years of work from a corporation's legal department, tarnish a company's brand, and potentially expose it to millions of dollars in fines or damages.

      Further complicating matters is the fact that under GLBA, individual states can overwrite a company's privacy policy with their own set of more stringent rules. With TrustFilter and similar programs, the software sits between the company's databases and whatever applications request information from them; it then screens each request to make sure it complies with the company's privacy policy, the customer's preferences, and state and federal laws.
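The layered screening described above (company policy, then customer preference, then a stricter state rule) can be sketched as a filter that every data request passes through. This is an added example, not TrustFilter's code or anything from the original article; the rule tables, the state codes "AA" and "BB" and the opt-in rule are constructed assumptions, not a statement of any actual law.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    app: str              # requesting application
    purpose: str          # why the data is wanted
    recipient: str        # "internal" or "third_party"
    customer_id: str
    fields: frozenset     # columns the application asks for

# Constructed company policy: purpose -> fields that may be released.
COMPANY_POLICY = {
    "servicing": {"name", "address", "balance"},
    "marketing": {"name", "address"},
}
# Constructed customer records with their stated sharing preference.
CUSTOMERS = {
    "c1": {"state": "AA", "sharing": "unset"},
    "c2": {"state": "AA", "sharing": "opt_out"},
    "c3": {"state": "BB", "sharing": "unset"},
    "c4": {"state": "BB", "sharing": "opt_in"},
}
# Hypothetical stricter state: third-party sharing needs an explicit opt-in.
OPT_IN_STATES = {"BB"}

def screen(req):
    """Return (allowed, reasons); any single layer can deny the request."""
    reasons = []
    permitted = COMPANY_POLICY.get(req.purpose)
    if permitted is None:
        reasons.append(f"policy: purpose '{req.purpose}' not permitted")
    elif not req.fields <= permitted:
        extra = sorted(req.fields - permitted)
        reasons.append(f"policy: {extra} not released for {req.purpose}")
    cust = CUSTOMERS.get(req.customer_id)
    if cust is None:
        reasons.append("customer: unknown id")  # fail closed
    elif req.recipient == "third_party":
        if cust["sharing"] == "opt_out":
            reasons.append("preference: customer opted out of sharing")
        elif cust["state"] in OPT_IN_STATES and cust["sharing"] != "opt_in":
            reasons.append("law: state requires opt-in for sharing")
    return (not reasons, reasons)

def mk(cid, purpose="marketing", recipient="third_party", fields=("name",)):
    """Build a sample request from a hypothetical 'mailer' application."""
    return Request("mailer", purpose, recipient, cid, frozenset(fields))
```
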

      "Technologies like this could be a key answer here," says Larsen of E-Loan, who says he is looking for a solution to put in place at his company.

      Microsoft executives say they, too, are watching these technologies closely - and developing their own solutions. Richard Purcell, Microsoft's director of corporate privacy, knows the success of .Net hinges on earning consumers' trust, which in turn hinges on demonstrating "the same kind of assurances that you get when you're in a bank, with the vault, the concrete walls.

      "We understand the need for the machines to be monitoring other machines, so computers have audit processes - constant, vigilant procedures to detect a breach, that they invoke against their machine brothers," Purcell says. "We call it robo-audit."

      How long will it take? "We really don't know right now," he says. "Our hair's on fire around all these issues."

      E-CommerceALERT Comment: Visit PrivacyDetective.com for a comprehensive look at WebTrust as a Privacy Enabler.


E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
