Two of the biggest banking companies have joined 14 technology-oriented heavyweights from other fields in an alliance that hopes to succeed where others have struggled in trying to ease consumers' Internet privacy concerns.
The new group, the International Security, Trust, and Privacy Alliance, is one of at least 20 such initiatives. What differentiates it is a focus on technology standards rather than policy issues, said Reid Watts, a member of the alliance who is also vice president of NCR Corp., the automated teller machine manufacturer.
The International Security, Trust, and Privacy Alliance, or ISTPA, counts among its members Bank of America Corp., Chase Manhattan Corp., Microsoft Corp., Intel Corp., International Business Machines Corp., and Motorola Inc. They subscribe to other programs as well, and their aim is to incorporate the best policy and operational ideas into workable, privacy-assuring technology.
One sign of the potential cross-pollination is that another privacy consortium, TrustE, is a member of ISTPA.
"Some of the approaches to date may not be pragmatic from an implementation perspective," said Gary Roboff, a senior vice president of Chase, who has studied many of the alternatives and has been especially vocal on these matters within the Financial Services Roundtable's Banking Industry Technology Secretariat.
Mr. Roboff said the ISTPA will "evaluate and attempt to steer the direction of products," which sounds like a tightly focused, cross-industry version of what the secretariat is attempting to do with its recently opened security certification laboratory in Reston, Va.
The alliance explicitly says it is not seeking to compete with established standard-setting bodies such as the Internet Engineering Task Force or the American National Standards Institute.
The ISTPA sees itself as a research laboratory focusing on developing or endorsing technology and promoting its use.
The seed for the alliance was planted at a meeting in January between Mr. Watts and Gail Magnuson, the senior vice president overseeing Bank of America's privacy initiatives. The first formal organizational meeting was held on June 30. The ISTPA plans to incorporate as a nonprofit by October, clearing the way to charge fees to members, form a board of directors, and establish a Web site.
A headquarters site has not been decided yet. Mr. Watts, who is based in Dayton, Ohio, is serving as spokesman for the group.
In the meantime, the members are is considering one prominent proposal in the field, promulgated by the World Wide Web Consortium and known as P3P, the Platform for Privacy Protections Project. It is a technology that supports a negotiation process between a consumer and a company. The consumer would be able to communicate and enforce a set of preferences for the use of personal information.
In practical terms, P3P spares consumers of the effort of reading and evaluating the privacy policies of each Web site they visit.
P3P has gotten favorable reactions from the corporate sector, including members of ISTPA, but it remains just a proposal. It has not yet been incorporated into any products or services. ISTPA might change that.
"We want to determine what technology is necessary to implement P3P," Mr. Watts said.
Some P3P technology is already available, Mr. Roboff said, adding, "The question is, does it need to be refined?"
P3P is not meant to replace existing opt-in and opt-out surveys, particularly in the banking industry. "There are and continue to be regulatory requirements," Mr. Roboff said. But if P3P became an industry standard, it could "make it easier for customers to select an opt-in or opt-out," he said.
P3P and other concepts are meant to automate many of the processes that are performed by customer service representatives.
"Companies are setting privacy policies, but they have no way of knowing for sure that all of the people in the company know about the policy and are not undermining it accidentally," Mr. Watts said. The ISTPA's goal is to develop technology that would automate the implementation and enforcement of corporate privacy statements.
Another idea is to create audit trails, which could show a company where and when, for example, a new or unknowing employee might not have adhered to the script.
"The goal is that the technology would be implemented on the client and server side, so that it's not up to a customer service person to make a decision. It's done automatically," said Stephen Ellis, director of security and privacy policy at Intel.
"There is a lot of discussion on how you build trust when two parties never actually meet," Mr. Ellis said.
The ISTPA set its next meeting hosted by NCR, for Oct. 13-15 in Hilton Head, S.C.
The current members are Advanced Micro Devices, Bank of America, Chase Manhattan, Compaq Computer, Cygnacom Solutions, Cylink, Hewlett-Packard, IBM, Intel, KPMG, Microsoft, Motorola, NCR, Racal, TrustE, and Wave Systems.
