IP: Privacy Report Has Both Sides Scrambling for Spin -- fro mTelecom Digest

[Dave Farber <farber () cis upenn edu>]

Date: Fri, 14 May 1999 02:24:07 -0400 
From: Monty Solomon <monty () roscom com> 
Subject: Privacy Report Has Both Sides Scrambling for Spin

http://www.thestandard.com/articles/mediagrok_display/0,1185,4555,00.html 
It was a classic case of the glass being half empty or half full - or 
more precisely, two-thirds full or one-third empty. A Georgetown 
University study on commercial Web sites' privacy policies found that 
two-thirds of the top 300-plus sites had a privacy policy posted. That 
compares to the paltry 14 percent that had policies posted last year 
when the FTC did a similar study, sparking debate between an online 
industry that wants to regulate itself and privacy groups that are 
pushing for legislation.
The Washington Post's Robert O'Harrow Jr. set the scene perfectly, 
saying "the scramble to gain the high ground of interpretation began 
within hours of the report's release, as people on all sides of the 
debate issued statements, held press conferences and dissected what it 
all means." (The study's genesis at nearby Georgetown may have helped 
O'Harrow's story land on the Post's front business page.) Industry 
mouthpieces quickly seized on the positive upswing, saying laws 
weren't needed; indeed, the Wall Street Journal story led with the 
conclusion that the study's release means "the Clinton administration 
is likely to back away from threats to press for new privacy laws.''
But critics pointed out that the survey also showed that only 10 
percent of major sites had comprehensive privacy policies that allowed 
surfers to access their own data, which became the focus on tech sites 
like News.com and ZDNet. In the half-empty camp, Beth Givins of the 
Privacy Rights Clearinghouse complained to CyberTimes that "one-third 
posted no privacy practices at all." Electronic Privacy Information 
Center director Marc Rotenberg was even more critical, telling the 
Post that "I think the time for self-regulation is running out."
Still, there were some voices of compromise in the debate. FTC chair 
Robert Pitofsky told the Post that online firms deserve credit for 
making progress over the last year, though he added that the FTC would 
analyze the survey's results before reporting to Congress. And Jerry 
Berman, executive director of the Center for Democracy and Technology, 
told CyberTimes, "I think that the self-regulatory efforts that are 
being made deserve credit for moving a lot of those numbers up, but I 
don't think ... we can get privacy to be the rule simply based on 
the self-regulatory efforts of industry."
Reporters' heads weren't only spinning from the dueling experts, but 
also from the concept of Web reach touted by Media Metrix. CyberTimes' 
Jeri Clausing said the study showed that two-thirds of "all commercial 
Web sites" display warnings on collecting personal information, while 
the Post's O'Harrow said the sample accounted for "99 percent of the 
activity on the Web." Hogwash. Wired News' Declan McCullagh got it 
right, saying the survey included 364 "dot-com" Web sites that 
together reach 98.8 percent of home Internet users, according to Media 
Metrix's confusing metrics. That doesn't mean all Web sites or all Web 
activity - just the most visited sites according to one ratings house.
More Web Sites Appear to Post Privacy Policies 
http://www.washingtonpost.com/wp-srv/WPcap/1999-05/13/067r-051399-idx.html
New Privacy Study Says Majority of Sites Provide Warnings 
http://www.nytimes.com/library/tech/99/05/cyber/articles/13privacy.html
Survey: Web Privacy Improving 
http://www.wired.com/news/news/politics/story/19643.html
Study: Data Privacy Policies Fall Short 
http://www.news.com/News/Item/0,4,36470,00.html?st.ne.fd.mdh.ni
Web Has Work to Do on Privacy 
http://www.zdnet.com/zdnn/stories/news/0,4586,2258012,00.html?chkpt=hpqs014

[TELECOM Digest Editor's Note: I feel like such an idiot sometimes. 
When I recently tried to renovate and improve the telecom-archives 
web site at http://telecom-digest.org, one of the first things I did 
was add a short blurb about 'your privacy at this site'. It is avail- 
able to readers with java-enabled browsers since those readers get 
a small cookie offering from me if they wish to accept it, and I ask 
for the same cookie back on subsequent visits. It just seemed to 
me it was extremely important to let people know my intentions and 
the specifics about the cookie information. I do not give the file 
to Lynx browsers because I do not have the ability right now to ask 
a Lynx user anything anyway. Any non-java browser which does not 
see that file in the greeting at the top of the page can still read 
it if they wish at http://telecom-digest.org/cookienotes.html
Then I read a report like the one Monty sent in today, and it frankly 
annoys me no end that so many *huge* 'dot com' sites do not bother to 
explain anything at all, nor sometimes even the fact that they are 
busy raping your hard drive while you read whatever they have to 
offer. Others insist you either take their cookies or you cannot 
participate at all. Maybe *they* have so many callers each day they 
can afford to offend and send away users with privacy concerns, but I 
sure cannot afford it. The other day I saw a web site (if I can recall 
its URL I will get it again and post it here) where the webmaster 
talked openly about the techniques he uses in cooperation with 
several other sites to share 'cookie data' and user information. He 
claims if you visit even a few 'cooperating sites' with what he 
termed 'double-click and/or 'click-trade' schemes over a period of a 
few days, you can then go to his site and he can tell (and does look 
to see) all the other places you have been.
As he explained it, site A trades cookies with B, but not with 
C. However B trades with D and E, and E trades with C. So soon enough, 
all sites which collect cookie information have all the information 
on users who went to any of the others. He contends that many sites 
not only use cookies, but have no compunction at all against just 
looking through your cache, i.e. Windows Temporary Files, grabbing 
up all the URLs they can find in there as well, which become part of 
your 'UserID' information which is stored in the cookie. I guess the 
first one of these sites to discover you do not have a cookie with 
a userID embedded in it assigns you one, and plants a cookie with 
it on your computer. Subsequent sites use whatever userID was 
assigned by whichever site assigned it. And from that day on, as 
your 'dossier' grows, each site references that same userID when 
it trades with other sites. So he concluded, "go ahead, surf the 
net for a couple days, I will wait for you. You'll be bound to hit 
at least one double-clicker or cookie collector in that time, and 
when you get around to my site eventually, I'll be able to tell you 
exactly when and where you went when you downloaded the porn pictures 
of those naked boys ... but at least I am honestly telling you what 
is going on; most sites won't. And did it ever occur to you that 
certain government and law enforcement sites which encourage the 
public to visit might also be double-clicking behind your back and 
looking to see what you are about? You bet they do ..."
Well, like I said two or three paragraphs ago, it makes me feel like 
an idiot at times, sitting here with my dinky little thing and 
puny little website, putting up a notice about user privacy. If so 
few in dot.com seem to care about it, why the hell should I? I get 
mail every day from sites who want me to join in 'click-trade' with 
them. I think the privacy problem on the net may be even worse than 
some privacy experts believe. PAT]