Privacy is an illusion cloaked by bureaucracy and ambivalence. But a cultural shift toward voyeurism, new economic opportunities and advances in technology are tearing through this veil, leaving the world naked and vulnerable. There will come a time when no one need ask, "Who are you?" because they might just as easily flip a switch, jump onto the Internet and get a more detailed personal profile than could be collected in a life-long relationship. Individual summaries will be packaged and sold like Cheerios in the supermarket. They will detail financial information, health information, hobbies, likes, dislikes and sexual preference, among other things. No more secrets. Caught in the Web, the world will betray its privacy in its monitored chat rooms, promotional marketing campaigns, curiosity and loneliness. Big Brother of the 21st century will not be a totalitarian governing body, rather, it will be made up of individuals and corporations with the resources to collect or purchase consumer information. And the Internet will suit its purpose because no where will information be more readily available than a medium that can track a consumer's every move. Banks, consequently, will be able to intimately evaluate consumersopre-approving some and flagging others. Is this really a proper direction for commerce? John Perry Barlow thinks so. "Ultimately, we're going into a condition where nobody has any privacy, and that's actually a healthy condition," says the celebrated founder of the Electronic Frontier Foundation. "But," he cautions, "a lot of things have to change in society before that's a safe condition. We have to learn a lot more about tolerance than we know right now." His contentions stem from the fact that he comes from a small town where everybody is kept fully apprised of everybody else's business. "You can go to the Wrangler Cafe and find stuff out about me that I don't even know yet. And I don't mind that because this is a place that's particularly tolerant of peculiarity and eccentricity, and they know me." Optimistically assuming that shared vulnerability will breed such tolerance (as opposed to paranoia which brought forth events like the U.S.-Soviet arms race), Barlow suggests that in 50 years the human condition will adopt a more forgiving nature. In the meantime, Barlow says that financial services institutions can protect the world from those seeking to exploit personal information. Financial services organizations become trusted third parties that separate consumer identities from their profiles. "There is a huge market and very profitable enterprise in being able to define the behavior of the buying identity very precisely and selling that information upstream to those who would sell products to the buying identity. It produces a much more fine-tuned economy. We're never going to reach that point so long as there is concern about revealing too much about yourself by your buying habits. So what you need to do is come up with ways of abstracting you as a physical being from your buying habits. And that's where traditional financial institutions can play a very important role." By adopting the "Swiss bank account" model, banks would create Internet aliases for their customers using account numbers such that even they wouldn't personally identify their customers by name. And so long as consumers trust their banks, they will part with all the personal information anyone wants because whatever they say will not be linked back to them; it will be linked to numbered accounts. Only the bank would be able to tie the two identities together, and they would be under contract not to do soounless legally forced to by the government. The downside? Product delivery would have to be handled through the banks to keep anyone from linking the consumer's two identities. This could be a logistical nightmare, when customers are not comfortable having either their names or Net account numbers on their packages. But such infrastructure challenges may be worth facing when taking on the cornerstone role in electronic commerceoespecially considering the alternatives. Rather than being EC's central figure, collecting unlimited jewels of information for which commercial entities around the world would pay handsomely, some would like to see banks play a less pivotal role. According to focus groups sponsored by CyberCash, consumers are wary of banks knowing too much about them, particularly in terms of debt. "Consumers don't necessarily want the banks to know what their house payment is or their utility payment or their car payment or what they owe others," says Richard Crone, vp and general manager of PayNow, CyberCash's secure electronic check service. "Even though the bank or (a bill presentment and payment) concentrator may not be physically or technologically viewing the bill, the impression given to the customer is that if the bill goes somewhere other than to them, they are vulnerable and their privacy has been invaded." Reassuring Conflicted Consumers Better for consumers' piece of mind, says Crone, is to keep transactions securely between the buyer and sellerono intermediaries. And while going to one place to retrieve and pay bills may seem more convenient, technology exists to facilitate decentralized payment and presentment. Using push technology, consumers can aggregate their bills on the Internet "in a way similar to 'My Yahoo,'" says Crone. My Yahoo, a data retrieval service from the search engine company Yahoo, retrieves information, articles and stock quotes based on self-defined personal profiles. Similarly, Cybercash is introducing a technology called "My Bills" to accumulate statements and present them directly to consumers. And make no mistake consumers of all ages and income levels are more than a little wary of what and how their information is being collected on-line. Study findings, most notably from The Boston Consulting Group, indicate that consumer adoption of electronic commerce is strongly influenced by concerns over what is being done with their personal information. According to the consumers surveyed in the "BCG/eTRUST Internet Privacy Study:" 76 percent "expressed concern about sites monitoring browsing on the Internet;"
39 percent are willing to pay less than .5 percent of a product's selling price for privacy assurance, 29 percent are willing to pay for disclosure of the company's information policy; 71 percent are more concerned about information given over the Net than phone; 72 percent are more concerned about the Internet than mail; 42 percent flat out refuse to give registration information because of privacy concerns; 27 percent sometimes falsify information because of privacy concerns; 78 percent say privacy assurance will increase their comfort in giving information over the Internet; 18 percent would give information that they otherwise wouldn't if a site were to disclose its privacy practices; 45 percent would give sensitive information they otherwise wouldn't disclose if assured non-dissemination of that information. The challenge, says BCG's Andy Blackburn, an author of the study, is that, historically, personal information has been very difficult to collect, but the Internet makes it much easier. Consumers know this and are wary. Pulling information out of them depends on trust and making it worth their while. "You say, 'I'm a bank and I have some basic financial information about you, and I know where to send the bill. But I want to provide a much more customized set of services, so I'd like to know what your life style is; what kinds of things you're interested in buying; how often do you buy a car; are you the type of person to refinance your mortgage more frequently; what are your investment habits?'" says Blackburn. But the only way consumers will buy into this proposition is trustoearned when consumers know and consent to a company's use of their information. Consent to information use is not only key to consumers, but also privacy advocates and legislators who don't want people skulking around the Net prying or stealing sensitive information from unsuspecting surfers. "My personal preference is that consumers should be protected from direct marketing without having to make a choice," says Albert Gidari, head of the Internet and electronic commerce law practice of Seattle-based Perkins Coie and executive director of the Internet Law and Policy Forum. "They should opt in rather than opt out. I don't think that people, as they move en masse to the Internet, have a real appreciation for what quality and richness of data is gathered about them." Consumer data becomes even more controversial when companies, particularly financial services companies, use consumer data for background checks and application approval. "So people can actually not get insurance, not get jobs, not get housing or be red-lined based on information or a profile they have little or no vision into or opportunity to review," says Electronic Frontier Foundation's executive director Lori Fena. Government Protection Many legislators agree and, consequently, have introduced bills to Congress to protect consumers from companies that use technology to pull data from Web surfers without their consent. "We know that Internet services providers in fact do sell their lists of subscribers, and some may even go beyond that. There is no limitation in law that would limit them," says Representative Bruce Vento (D, MN), who has sponsored the Consumer Internet Privacy Policy Act of 1997. "As individuals we need standards; we need some guidelines; we need a code of conduct here governing how privacy and personal information is going to be treated." Vento's bill is a broad-based piece of legislation that essentially suggests that if an Internet service provider wants to use consumers' information they have to get written permission from the consumers. More specific is Representative Edward Markey's bill, which not only demands information policy disclosure, but also prohibits social security numbers from being Webcast or accessed in any way without consumer authorization. While these bills have little chance of passing into law, considering the strength of the direct marketing lobby and bipartisan sentiment to further the free flow of information for the sake of the First Amendment and/or capitalism, legislators are right to be skeptical about how commerce uses technology that is so effective in "cyphening" juicy information, with or without consumer knowledge or consent. Within a given Web site or Web operating system like WebTV, a company may employ technology to monitor consumer activity, what the Center for Democracy and Technology calls "a passive recording of transactional information." The system notes which pages and images consumers spend the most time on and what products they buy. In addition, Web browsers can contain "cookies," also called "client-side information browsers," which allow a Web site to store information on a consumer's hard drive and track the consumer's activity within the site. A "network cookie" can track a consumer's overall Web activity so that when returning to the site of origin, the cookie relays the consumer's itinerary. Cookies, when discovered by consumers, have not been embraced. Pretty Good Privacy, a company founded by encryption enthusiast Philip Zimmermann, developed "Cookie Cutter" technology to disable the tracking devices. And now, most browsers have added their own switches to block cookies from being downloaded. The problem is that most consumers have no idea what a cookie is and cannot imagine the ramifications or consequences of passive recording of transactional information. "The Internet has an illusion of anonymity," says Ezra Gottheil, director of Internet business strategies for Hurwitz Group, Inc., a Newton, MA-based consulting firm. "The only way to approach (the Internet) is straight up, which is to say: 'We would like to be able to use your information within our organization; we won't share it; check here. (Or,) we would like to be able to sell the information you disclosed; check here." Many consumer and electronic commerce advocates seem to agree with Gottheil. The Electronic Frontier Foundation and CommerceNet consortium recently introduced a disclosure system called TRUSTe, where three "trustmarks" are used to inform consumers what a Web site is doing with information it's collecting and how it's collecting that information. The trustmarks are: "No Exchange," when no personally identifiable information is used; "One-to-One Exchange," when data is collected only for the site owner's use; and "Third Party Exchange," when data is collected and provided to specified third parties, but only with the consumer's knowledge. A Tremendous Open Market While no financial institutions have officially adopted the system, at press time several had been approached to join the initiative backed by Tandem Computers, Oracle, Lands' End, Excite, AT&T, IBM, CyberCash, VeriSign, Coopers & Lybrand and KPMG Peat Marwick, among others. Citibank is one of the institutions TRUSTe officials have approached, and considering the bank's explicit privacy policy and membership in CommerceNet, it's a natural fit. "The kinds of guidelines you're seeing in TRUSTe have been more more or less practiced in Citibank," says Citi vp Dan Schutzer, who is also president of the Financial Services Technology Consortium (FSTC). FSTC and the Bankers Roundtable are both in the process of developing their own privacy policies. But as the banks plan, data collection rages on. Content aggregators are rallying consumer attention. Financial services sites like Quicken Financial Network and Microsoft Investor have the potential to build detailed consumer profiles. And banks have an
